Posted on 3 Comments

Webshell attack with msfvenom

Hello aspiring hackers. In our previous howtos, we saw about different shells like the infamous c99 shell, web shells in Kali Linux and Weevely. In this howto, we will see how to perform webshell attack with Metasploit. We will be getting a meterpreter shell on the website.

One of the wonderful features of Metasploit is creating payloads as per requirement. Using msfvenom, we can create binaries for Windows, MAC and Linux. We can also create shell payloads for websites in different formats like php, asp , javascript and asp. In future howto’s we will definitely learn more about msfvenom but for this howto, we will create a php payload.

As you can see below, I have created a php payload named “shell.php” with the metasploit payload option “php/meterpreter_reverse_tcp”. This gives us a reverse php meterpreter shell. The “lhost” option is our attacker system’s IP address and “lport” the port on which we want php meterpreter shell back.

Image explaining webshell attack with metasploit

After the shell is successfully created, let’s start a listener with Metasploit as shown below. Remember to set the same payload we set while creating the payload.

Msfvenomphp2

Set the lhost and lport as shown below. They should match with the values in the shell we created. Type command “run” to start the listener.

Msfvenomphp3

Now you need to find a site vulnerable to file upload. For this howto, I’m using my own vulnerable webapp “Vulnerawa”. To know more about Vulnerawa go here. Vulnerawa has a file upload vulnerability in its careers page.

Msfvenomphp4

Go to its file upload page and upload the shell. That shouldn’t be a big problem.

Msfvenomphp5

Now go to the shell we just uploaded through the website. Normally its located in the uploads directory ( In real websites, you need to locate it ). The shell will look like below.

Msfvenomphp6

In the listener we started an the attacker system, we should have already got the meterpreter shell. Happy hacking.

Msfvenomphp7

That is how we perform webshell attack with Metasploit.

Posted on

WAPT with HPWebinspect : Part 2

Good evening friends. Today we will see the second part of WAPT with HPWebinspect. If you didn’t go through the first part, we ended it by scanning a website for vulnerabilities. The results have given us vulnerabilities categorized as critical, high, medium and low. That was the easiest part. Now we will go through analysis of these vulnerabilities.

Wait, but why do we need this analysis? Just because we have used an automated tool doesn’t mean it is cent percent effective. There may be lot of false positives and in the worst case false negatives. The threat it shows as critical may not be really that dangerous or a threat it shows as medium may be critical depending on the situation.

The analysis part is very important part of the WAPT. Let us see how to perform this analysis . We will take our previous scan report.

Hpwapt1 1024x723 1

Before we do the analysis, let us have a look at the interface of HPWebinspect. To the down left, we have view options of the scan ( site and sequence ). The “site view” shows us the hierarchical structure of website we just scanned with vulnerabilities found highlighted as shown below to the left. We can see that in account part of the website there is a critical vulnerability.

Image explaining about hpwebinspect

The sequence view shows us the order in which WebInspect scanned the URLs. It is shown below.

Hpwapt3

Occupying large area of the interface is the Scan dashboard with a pictorial representation of vulnerabilities. It also has vulnerabilities classified into its attack types ( how exactly these vulnerabilities will be used ).To its left, we have sections called scan info, session info and host info. The scan info has four options : dashboard, traffic monitor, attachments and false positives. We have already seen dashboard and others are self explanatory.

Below scan info we have have session info. It is empty because we didn’t include any sessions in our scan.

Hpwapt4

Below session info, we have the host info which is obviously information about the host we scanned. It will provide us info like P3P info ( protocol allowing websites to declare their intended use of information they collect about users) , AJAX, certificates etc, etc, etc. Let us look at the cookies collected by the scan.

Hpwapt5

It also shows us the emails we found during scan.

Hpwapt6

Also the forms.

Hpwapt7

Now we come to the most important part of the interface which is right down below. These are the vulnerabilities found during the scan. As already said, these are classified according to the dangers posed by them but there may be false positives. We need to analyze each vulnerability for this exact reason.

Hpwapt8

In this howto, we will cover analysis of one or two vulnerabilities. Expand the “critical” section of vulnerabilities. We can see that there is a XSS vulnerability in the search page. We will analyze this vulnerability.

Hpwapt9

Click on the vulnerability. The dashboard of HPWebinspect will show information about the particular vulnerability ( in our case XSS ) and how hackers might exploit this.

Hpwapt10

Scroll down the dashboard to get more info about the vulnerability. We can see the exact query used by the tool to get the result. In this case, our target is using tag removal to prevent XSS but we can bypass using the query given below. ( We will learn more about XSS and its evasion filters in a separate howto)

Hpwapt10a 1024x625 1

Now right click on the vulnerability we are analyzing. In the menu that opens, click on “View in Browser” to see this exploit practically in the browser.

Hpwapt11

We can see the browser result below. In this case, it is displaying a messagebox with a number but hackers can use it to display cookies and session ids. Hence this is definitely a critical vulnerability.

Hpwapt12

Right click on the vulnerability and select the option “Review vulnerability”. This is helpful in knowing more precisely about the vulnerability.

Hpwapt13

Another window will open as shown below. It will automatically show you the browser view.

Hpwapt14

We can click on “Request tab”to see the request sent by our tool.

Hpwapt15

Similarly the response tab shows us the response given by the target.

Hpwapt16

We already saw this before in the dashboard. The “vulnerability tab” give us information about the vulnerability and how hackers might exploit it. There are also options like “Retest” and “Mark as”. The Retest option allows us to test the vulnerability again. We shall see the “mark as” option below.

Hpwapt17

Close the window. Once again right click on the vulnerability. You can see the option “change severity”.

Hpwapt18

For instance, the vulnerability detected is not that critical, we can change its severity suitably to high or medium or low.

Hpwapt19

Now what if the vulnerability detected is not an actual vulnerability. This is known as false positive. For example, we have this send feedback page of the target website. Let us assume it is just a false positive. In that scenario, just below the “review vulnerability” option we have “Mark as” option.

Hpwapt20

We can also access this option from the “review vulnerability” window as already shown above.

Hpwapt20a

When we click on that option, we get two sub-options to mark it either as false positive as shown below

Hpwapt21

or to completely ignore the vulnerability. We can only ignore the vulnerability if it doesn’t pose any valid threat. We can also provide some description about why we are marking it as false positive or ignoring.

Hpwapt22

When we have successfully finished reviewing each vulnerability, it’s time to write the penetration testing report. To automatically generate a report, click on “Reports” tab. Select the scan for which you want to generate the report and click on “Next”.

Hpwapt23

Select whatever you want to include in your report as shown below and click on Finish.

Hpwapt24

The report generation takes some time depending on the options you selected. The report generated would be in the format as shown below. That’s all for now and in our next howto, we will see more about the tool.

Hpwapt25

That’s how we do WAPT with HPwebinspect. Want to learn Ethical Hacking with Real World Scenarios.? Subscribe to our digital magazine.

Posted on 1 Comment

Hp WebInspect: Beginners guide

Hello, aspiring ethical hackers. In our previous blogpost on web application hacking, you learnt about various vulnerabilities a web app or website may contain. It would be good if these vulnerabilities are detected and patched before they are exploited by hackers in real-world. The vulnerabilities can be detected either manually or by using automated scanners. HP WebInspect is one such automated tool.

Hp WebInspect is an automated web application security scanning tool from HP. It helps the security professionals to assess the potential vulnerabilities in the web application. It is basically an automated dynamic application security testing (DAST) tool that mimics real-world hacking techniques and attacks, and provides comprehensive dynamic analysis of complex web applications and services. It can be downloaded from here.

Let’s see how to perform website vulnerability assessment with HP WebInspect. Open the program and click on basic scan. We will see other scan options in the following parts of this tutorial. As its name implies, this option performs a basic security scan on a website.

Webinspectbasicscan1 1024x721 1

As we select the basic scan option, the “scan wizard” opens as shown below. As I am using a trial version of HPWebinspect I am only allowed to scan the website deliberately provided by HP for this purpose. This website simulates a bank ( named zero bank ) and this will be our target from now on.

I allot the given name. Below the scan name option, we have features with radio buttons. Let’s see these options.

crawl:-This process makes a list of all the pages on the entire website and builds its structure.

auditing:-Auditing is the process in which HPwebinspect will attack the website to find out the vulnerabilities.

I have selected the “crawling and auditing” option. HP Webinspect provides four types of scans.

Standard scan:- Normal scan.
List Driven scan:-You can specify the list of urls for the tool to scan. It will only scan those urls.
Workflow Driven scan:- Similar to list driven scan. You can scan a port of your website by specifying a macro.
Manual scan:-You can specify each link you want to scan. step by step.

Next specify the website you want to scan and click on “Next”.

wapt

In the next window, you will be prompted for authentication. If your website or network requires authentication, provide them . Choose if you want network proxy or not and click on “Next“.

Webinspectbasicscan3

The profiler automatically samples the website and recommends best configuration for the scan. You can select the option. We will see more about profiler later. There are some other settings. Leave them to their default settings and click on “Next”.

Webinspectbasicscan4

You will get a congrats message telling about the successful configuration of scan settings. It’s time to start the scan. Click on “scan”.

Webinspectbasicscan5

The scan will start as shown below. It will take some time dependent on the size of the website you are scanning.

Webinspectbasicscan6 1024x714 1

After the scan is finished, it will show the results as shown below. This tool classifies vulnerabilities into critical, high, medium, low and info. That was about basic scanning of website with HPWebinspect.

Webinspectbasicscan7 1024x544 1

That’s all in WAPT with HP WebInspect. Now, we will see analyzing these vulnerabilities. Wait, but why do we need this analysis? Just because we have used an automated tool doesn’t mean it is cent percent effective. There may be lot of false positives and in the worst case false negatives. The threat it shows as critical may not be really that dangerous or a threat it shows as medium may be critical depending on the situation. The analysis part is very important part of the WAPT. Let us see how to perform this analysis . We will take our previous scan report.

Hpwapt1 1024x723 1

Before we do the analysis, let us have a look at the interface of HPWebinspect. To the down left, we have view options of the scan ( site and sequence ). The “site view” shows us the hierarchical structure of website we just scanned with vulnerabilities found highlighted as shown below to the left. We can see that in account part of the website there is a critical vulnerability.

Hpwapt2

The sequence view shows us the order in which WebInspect scanned the URLs. It is shown below.

Hpwapt3

Occupying large area of the interface is the Scan dashboard with a pictorial representation of vulnerabilities. It also has vulnerabilities classified into its attack types ( how exactly these vulnerabilities will be used ).To its left, we have sections called scan info, session info and host info. The scan info has four options : dashboard, traffic monitor, attachments and false positives. We have already seen dashboard and others are self explanatory.

Below scan info we have have session info. It is empty because we didn’t include any sessions in our scan.

Hpwapt4

Below session info, we have the host info which is obviously information about the host we scanned. It will provide us info like P3P info ( protocol allowing websites to declare their intended use of information they collect about users) , AJAX, certificates etc, etc, etc. Let us look at the cookies collected by the scan.

Hpwapt5

It also shows us the emails we found during scan.

Hpwapt6 1024x456

Also the forms.

Hpwapt7

Now we come to the most important part of the interface which is right down below. These are the vulnerabilities found during the scan. As already said, these are classified according to the dangers posed by them but there may be false positives. We need to analyze each vulnerability for this exact reason.

Hpwapt8

In this howto, we will cover analysis of one or two vulnerabilities. Expand the “critical” section of vulnerabilities. We can see that there is a XSS vulnerability in the search page. We will analyze this vulnerability.

Hpwapt9

Click on the vulnerability. The dashboard of HPWebinspect will show information about the particular vulnerability ( in our case XSS ) and how hackers might exploit this.

Hpwapt10

Scroll down the dashboard to get more info about the vulnerability. We can see the exact query used by the tool to get the result. In this case, our target is using tag removal to prevent XSS but we can bypass using the query given below. ( We will learn more about XSS and its evasion filters in a separate howto)

Hpwapt10a 1024x625 1

Now right click on the vulnerability we are analyzing. In the menu that opens, click on “View in Browser” to see this exploit practically in the browser.

Hpwapt11

We can see the browser result below. In this case, it is displaying a messagebox with a number but hackers can use it to display cookies and session ids. Hence this is definitely a critical vulnerability.

Hpwapt12

Right click on the vulnerability and select the option “Review vulnerability”. This is helpful in knowing more precisely about the vulnerability.

Hpwapt13

Another window will open as shown below. It will automatically show you the browser view.

Hpwapt14

We can click on “Request tab”to see the request sent by our tool.

Hpwapt15

Similarly the response tab shows us the response given by the target.

Hpwapt16

We already saw this before in the dashboard. The “vulnerability tab” give us information about the vulnerability and how hackers might exploit it. There are also options like “Retest” and “Mark as”. The Retest option allows us to test the vulnerability again. We shall see the “mark as” option below.

Hpwapt17

Close the window. Once again right click on the vulnerability. You can see the option “change severity”.

Hpwapt18

For instance, the vulnerability detected is not that critical, we can change its severity suitably to high or medium or low.

Hpwapt19

Now what if the vulnerability detected is not an actual vulnerability. This is known as false positive. For example, we have this send feedback page of the target website. Let us assume it is just a false positive. In that scenario, just below the “review vulnerability” option we have “Mark as” option.

Hpwapt20

We can also access this option from the “review vulnerability” window as already shown above.

Hpwapt20a

When we click on that option, we get two sub-options to mark it either as false positive as shown below

Hpwapt21

or to completely ignore the vulnerability. We can only ignore the vulnerability if it doesn’t pose any valid threat. We can also provide some description about why we are marking it as false positive or ignoring.

Hpwapt22

When we have successfully finished reviewing each vulnerability, it’s time to write the penetration testing report. To automatically generate a report, click on “Reports” tab. Select the scan for which you want to generate the report and click on “Next”.

Hpwapt23

Select whatever you want to include in your report as shown below and click on Finish.

Hpwapt24

The report generation takes some time depending on the options you selected. The report generated would be in the format as shown below. That’s all for now and in our next howto, we will see more about the tool.

Hpwapt25

That’s how we can find vulnerabilities in website with HP WebInspect.

Posted on 3 Comments

Weevely web shell: Complete guide

Hello aspiring hackers. It would be completely unfair to discuss about web shells without discussing about Weevely.

Weevely is a command line web shell dynamically extended over the network at runtime, designed for remote administration and penetration testing or bad things. It provides a ssh-like terminal just dropping a PHP script on the target server, even in restricted environments. The best thing about Weevely is its stealth functionality. So today we will see how Weevely functions.

It is inbuilt installed in Kali Linux although here I have downloaded from Github. So let us first generate a shell as shown below. “tadada” is the famous ( or rather infamous ) password we have assigned for our shell and the name assigned to our shell is backdoor. Now let us upload this shell to our target. In this howto, I have uploaded it into both Wamp server and Linux web server. Go here to see how to upload the shell.

Weevely1

After uploading the shell, we can connect to our shell using the command shown below. Well we made a connection.

Weevely

Now let us type command “:help” to see all the commands weevely provides. We will see usage of each command.

Weevely3

:audit_filesystem

This command, as the name implies is used to audit the file system of the remote web server. The below screenshot shows the result of this command on a Linux web server.

Weevely4

:audit_etcpasswd

This command needs no explanation. It is used to view the passwd file of our target and obviously will work only on Linux.

Weevely6

:audit_phpconf

This command lets us have a look at the php configuration on the remote web server as shown below. We can get lot of information which can be useful in further hacks.

Weevely7

:system_info

This command is used to know the whole system information. Below we can see lot of info about our target system.

Weevely8

:system_extensions

This command shows us the system extensions enabled on the web server. Here are the apache_modules

Weevely9

and the php_extensions enabled on the web server.

Weevely10

:backdoor_tcp

If you have gone through the above link, you already know what is a backdoor. We can create a backdoor on the web server as shown below. Here we have created a shell backdoor using netcat on port 80.

Weevely11

Now open another terminal and type the command shown below. The IP address is our target’s address. It directly provides us a connection to port 80 of the target. You can also use other ports to connect to but the port should be open on our target.

Weevely12

:backdoor_reversetcp

We also saw the reverse backdoors in our previous howtos. Here, we are creating a backdoor to our attacker machine on port 1122. The IP address should be our attacker machine’s.

Weevely13

Once we create a reverse backdoor, we just need to listen on the port we specified above using netcat as shown below.

Weevely14

:file_ls

This is akin to “ls” command in Linux. It is used to see the contents of the directory.

Weevely15

:file_rm

It is used to delete any file from the directory. For example, I deleted the file c99.php.c999jpg as shown below. If our command has worked successfully, the terminal will return a true as shown below.

Weevely16

:file_upload

This is used to upload files. I have uploaded the c99 shell below. Go here to know more about the c99 shell and how it is used to hack the websites.

Weevely17

:file_read

Used to read files.

Weevely18

:file_webdownload

What if file upload doesn’t work? We can download any files from the internet. Suppose imagine we want to download a virus into our target and file upload doesn’t function ( in rare case ). We can host the virus on any free uploading site and download it using command shown below.

Weevely19

:file_touch

Now this one is important. This command is used to change time stamps. Let us change time stamps for files we have just uploaded. This is useful in raising less suspicions on the other side.

Weevely20

As we can see, time stamps of our files have been successfully changed.

Weevely21

:file_check

This command is used to see if a file exists as shown below.

Weevely22

:file_enum

To enumerate the permissions of the files.

Weevely24

:file_cp

To make a copy of a file.

Weevely25

:file_edit

To edit a file not only in this directory but also other directories. For example, let us edit a file in the home directory with the name virus.

Weevely26

This are the contents of the file. Oh bad english.

Weevely27

Let’s correct it. Actually this is used to edit files and change their script.

Weevely28

For example, we can edit the index page to deface the website.

Weevely29

:file_cd

To change directories.

Weevely30

:file_find

To search for files with specific properties. For example, we have searched for all writable files in the directory. Similarly we can also search for executable files.

Weevely31

:file_zip

Weevely provides us many functions to compress and decompress files. These include tar,bzip, gzip and zip. Here I am showing you an example of compressing two files into a zip archive.

Weevely32

:sql_console

Used to connect to the sql console.

Weevely33

:bruteforce_sql

We are not always lucky to have an unprotected sql connection. In that case, this command can be used to bruteforce the credentials.

Weevely33a

:sql_dump

After we get the credentials, we can dump the database we want using this command.

Weevely33b

:net_scan

In this howto itself, we saw how to create a backdoor and we also discussed that an open port is required for creating this backdoor. We can scan for open ports using this command. We can see just port 80 is open.

Weevely34

:net_ifconfig

Used to check all the network interfaces of the system.

Weevely35

:shell_sh

This command is used to execute any shell command on the system.

:shell_php

Shell_php command is used to execute php commands on the target server. Here I have executed phpinfo() command.

Weevely36

Once we get a shell, we can also execute all the standard commands of the shell like whoami, uname and hostname etc..etc.

Weevely37

Well that was weevely for you. Hope that was helpful.

Posted on 1 Comment

Webshells in Kali Linux

Hello Aspiring Hackers. In this howto, we will learn about Webshells provided by default in Kali Linux. In a previous article , we saw how one of the most popular shells can be used to hack a website. However popularity has its own disadvantages, at the least in the field of cyber security. The C99 php shell is very well known among the antivirus. Any common antivirus will easily detect it as malware. Although it is unlikely that web servers will be installed with antivirus, still it is good to stay one step ahead. So today we will see some of the least popular but still effective web shells.

As you all know, Kali Linux is one of the best pen testing distros available. It would be very disappointing if it didn’t have web shells in its arsenal. Open a terminal and navigate to the directory “/usr/share/webshells” as shown below. As you can see, web shells are classified according to the language of the website we are trying to hack. Today we will see about PHP shells. So go into that directory and do an “ls”. You can see the shells below.

webshells

Now let us see their features by uploading each one them into web server we want to hack. See how to upload the shells.

  1. simple-backdoor.php

As the name clearly tells, the functioning of this shell is very simple. It is used to execute some commands on the target web server. Let us go to the shell’s link after uploading and execute the “net user” command as shown below. As already used in Part 1, this command gives us all the users present on the Window’s system.

Webshells2

Similarly let us execute another powerful command “systeminfo” to get the web server’s whole information as shown below. Sorry about the censor.

Webshells3

php-backdoor.php

The php-backdoor, as the name implies is file upload shell just used to add more backdoors. It helps us in the case where we can’t easily upload any additional files we want.

Webshells4

I works akin to file upload function in our Part 1. As you can see below, it has upload form and a function to execute commands. We can also connect to the database.

Webshells5

php-reverse-shell.php

Every shell doesn’t require us to visit the web server. In fact we can make the webserver visit us. Enter the php-reverse-shell. As its name says, it makes a reverse connection to our attacker system. In order for this shell to make a reverse connection, it needs an IP address. So before uploading this shell we need to change the IP address in the script to our IP address ( Kali Linux ) as shown below. Save it and close it.

Webshells6

Next, let us start a netcat listener in one of the terminal. If you are new to netcat the command “nc -v -n -l -p 1234” tells netcat to listen verbosely on port 1234. Remember the port number should be same as we specified above.

Webshells7

Now when we upload the shell, On kali linux we will get a terminal as shown below. Hit “ls” to see the contents of the directory.

Webshells8

qsd-php-backdoor.php

The qsd-php-backdoor is compatible with both Linux and Windows web servers. As we upload it, it will detect whether the web server is Windows or Linux and then acts accordingly. The screenshot is shown below. As you can see we can move to the root directory of web server and come back, execute shell commands and SQL queries.

Webshells9

You already know what happens when we execute “systeminfo” command as shown below.

Webshells10

That’s about webshells in Kali Linux. Hope it was helpful.