Posted on

Remote File Inclusion (RFI) for beginners

Hello aspiring ethical hackers. In our previous article, you learnt what is web application hacking and the various web application hacking techniques. In this blogpost, you will learn about Remote File inclusion (RFI) or File upload vulnerability.

What is Remote File Inclusion (RFI) vulnerability?

In LFI, we can just view files locally present on the web server. In Remote File Inclusion (RFI) vulnerability, we can upload remote files to the web server.

So if the website is vulnerable to RFI, we can upload any files we want into the web server. But before we see this practically, take out ten seconds and just imagine if you had an opportunity to upload a file into a remote server what type of file would it be? It should be something which can take complete control of the web server, right.

There enters the PHP shell. It is a shell wrapped in a PHP script. As you will see later, we can use this shell to execute commands or browse the filesystem of the remote web server. Now let us see it practically. Recently, a file upload vulnerability was detected in Roxyman file manager. It is a free open source file browser for .NET and PHP. I have installed this on a remote server for testing. I am trying to upload the infamous c99 php shell into this file manager.

The c99 shell is a notorious PHP malware. More about what it can do later. Ok, now let’s see how file upload works. Go to file manager and click on Add file as shown below.

Rfilfi1

Another window opens. Now browse to the file we want to upload. In our case, the C99 shell.

Rfilfi2

But when we click on “upload”, it shows us an error as shown below. Don’t worry, that’s normal. RFI injection has been so notorious that even a noob like me wouldn’t allow a php or any other malicious upload.

Rfilfi3

Normally developers use a white list or black list to prevent specific file uploads. Black list is a list of file extensions to be blocked. White list is a list of file extensions to be allowed. Our specific application here uses a black list as shown below. As you can see files with extensions php,php3,php4,php5 and many more are blocked.

Rfilfi3a

But it doesn’t mean this type of restrictions cannot be bypassed. One way to do this is to rename our file to something like c99.php.c999jpg to fool the filters that this is a jpeg file. As I already said, this is one of the many ways to bypass the filters. You can just google for more ways to bypass this restrictions. Now the upload is successful as shown below.

remote file inclusion

Now you can view the upload file by going to the uploads directory as shown below. See we have successfully uploaded our php shell into the web server.

Rfilfi5

That was all about Remote File Inclusion. In our next howto, we will see what we can do with our uploaded php shell.

Posted on

Beginners guide to LFI vulnerability

Hello aspiring ethical hackers. In our previous article, you learnt what is web application hacking and the various web application hacking techniques. In this blogpost, you will learn about Local File inclusion (LFI) or directory traversal vulnerability.

What is Local File Inclusion (LFI) vulnerability?

According to OWASP,

“Local File Inclusion (also known as LFI) is the process of including files, that are locally present on the server, through the exploiting of vulnerable inclusion procedures implemented in the application. This vulnerability occurs, for example, when a page receives, as input, the path to the file that has to be included and this input is not properly sanitized, allowing directory traversal characters (such as dot-dot-slash) to be injected.”

Simply put, it is a vulnerability in a web server or website which allows a hacker to view files on the remote system ( where the web server is setup) which ought not to be seen. LFI is also known as directory traversal as folders are generally referred to as directories in Linux.

Now let us see it practically. A wordpress plugin called “WP Mobile edition” suffers from lfi vulnerability. I have installed this vulnerable plugin on my wordpress site for testing. Now at the end of the url given below, let’s add files=../../../../wp-config.php as shown below. Boom, we get a file listed on our browser. I am trying to view the wp-config file of the website.

Wp-config file is an important WordPress file. It contains information about the database, like it’s name, host (typically localhost), username, and password. This information allows WordPress to communicate with the database to store and retrieve data (e.g. Posts, Users, Settings, etc). The file is also used to define advanced options for WordPress.

 But wait, what is that dot dot slash notation we used. The “../” we used below is similar to “cd..” we use in Windows and Linux to go one directory back and serves the same function here. We have gone four directories back to access the wp-config.php file which is located in WordPress root directory.

Lfirfi1

Similarly we can view another file: wp-settings.php as shown below. It is located in the same directory as wp-config.php.

Lfirfi2
Lfirfi2

Ok, now let’s view something out of the web server’s context. The hosts file is a computer file used by an operating system to map hostnames to IP addresses. The hosts file is a plain text file, and is conventionally named hosts. It is like a DNS in our OS. We have encountered the hosts file in our previous howto of Desktop phishing. Now let’s view that file in Windows. After going seven directories back, we have to go forward to the hosts file path as shown below.

Lfirfi3

Now let’s see this vulnerability in Linux. The juiciest file most hackers want to see in Linux is the passwd file. The /etc/passwd file is a text-based database of information about users that may log in to the system. We can see the file as shown below.

local file inclusion

Since we normally have minimal knowledge about the target OS we should use trial and error to view the file we want. That was local file inclusion for you. In our next howto, we will see another file inclusion vulnerability. Until then good bye.

Posted on

WordPress hacking guide for beginners

Hello aspiring hackers. In this howto we will learn about hacking wordpress with Revslider plugin exploit. This howto is a direct sequel to our previous howto WordPress vulnerability assessment with WPscan, so I suggest you go through that how to first and look out for the Easter eggs. This howto is based on one of the vulnerabilities we found in our previous howto.

To those newbies, who don’t know what is revolution slider, it is a popular plugin used by many wordpress websites. Well, I am sure you have heard about Panama papers leak. Yeah, I’m talking about the leak of 11.5m files from the database of the world’s fourth biggest offshore law firm, Mossack Fonseca. It has been identified that Mossack Fonseca was using a vulnerable version of WordPress revslider plugin which resulted in the hack. All versions of the plugin from 2.1.7 to 3.0.95 are vulnerable to the attack.

This exploit was made public last year but still there are many wordpress websites using the vulnerable plugin( as with the case of Mossack fonseca ). Now let us see how this exploit works in Metasploit. Start Metasploit and search for our exploit as shown below.

Revslider1

Load the exploit as shown below.

Revslider2

Set the required options as shown below.

Revslider3

Set the required payload. Here for illustration I am setting the famous meterpreter payload.

Revslider4

You can also check if your target is vulnerable by using “check” command as shown below.( But we already know our target is vulnerable).

Revslider5

You can execute the exploit by typing “exploit”. If all went well, you will get the meterpreter shell on victim system.

Revslider6

That was all about hacking wordpress with Revslider plugin exploit.

Posted on 2 Comments

Beginners guide to WPScan

Hello aspiring ethical hackers. In this blogpost, you will learn about WPScan, a tool used to perform WordPress vulnerability assessment. WordPress is one of most popular Content Management system (CMS) WPScan is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues and also for enumeration. Let’s se how it works. It is installed by default in Kali Linux and we are going to use the same for this tutorial. Now open a terminal and update our tool by typing command as shown below.

wpscan

To scan a WordPress website, all you have to give is the URL as shown below. For this blogpost, I am using a local installation of WordPress as target. Assign the target as shown below. The scan will start as shown below.

Wpscan2

Here are the screenshots of result of this scan. As you can see we have 13 vulnerabilities in the present installation and the vulnerabilities are given below.

Wpscan3
Wpscan4
Wpscan5

One of the easiest ways to hack a WordPress site is to exploit the plugins installed in the target as most of the WordPress vulnerabilities nowadays exist in the plugins installed on it. So it is very important to enumerate the plugins installed on our WordPress target. We can enumerate the plugins using the “enumerate” option as shown below.

Wpscan6

The scan result will be as shown below.( And there you have the first Easter egg). So totally we found four plugins. The first one is Ajax Load More Plugin. As the red exclamation mark shows, it is vulnerable.

wpscan

The second plugin is the vulnerable version of Akismet.

Wpscan8
Wpscan9

The third vulnerable plugin is the WordPress Slider revolution plugin. We will see more about this in our next blogpost.

Wpscan10a

Another important aspect to find vulnerabilities in the WordPress is its theme. Now let’s enumerate the theme as shown below. The vulnerabilities present in the theme are given below.

Wpscan12
Wpscan13

After that let’s enumerate the users in our remote target as shown below.

Wpscan14

We can see that the only username in our target. That’s WPscan for you. Hope it was helpful to you and wait for the sequels.

Wpscan15

Posted on 2 Comments

Complete guide to sqlmap

Hello, aspiring ethical hackers. In our previous blogpost, you learnt what SQL injection is, different types of sql injection attacks etc. In this blogpost, how to perform SQL injection with a tool named sqlmap. Sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. For this tutorial I am using Vulnerawa as target.

Sqlmap1

sqlmap is pre-installed in Kali Linux. Open sqlmap from the path as shown below.

Sqlmap8

Now copy the vulnerable url and type the following command the terminal. Here -u stands for url.

Sqlmap9

The result will be as shown below. It will reveal the website technology and the scripting language used.

SQL injection with sqlmap

1. Grab the banner of the target:

Now let’s grab the banner of the website. Type the following command and hit “Enter”.

Sqlmap11

You can see the banner as shown below.

Sqlmap12

2. Find the current user of the website:

To see the current user of the website, type the following command.

Sqlmap13

The current user can be seen as below.

Sqlmap14

3. List the current database:

Now let us see the current database used by the website. Type the following command.

Sqlmap15

We can see that the current database is “Vulneraw”.

Sqlmap16

4. List all the tables in a specific database:

Now let us see all the tables present in the database “Vulneraw” by using following command.

Sqlmap17

We see that we have only one table in the current database. The table is “users”.

Sqlmap18

5. List the number of columns in a specific table:

Now lets see the number of columns in the table “users”. Type the following command.

Sqlmap19

We see there are four columns in table “users”.

Sqlmap20

6. Dump the values of specific columns in a table:

Now let’s dump the values of two columns username and password by typing the following command.

Sqlmap21

The result is as below. we got the username and passwords.

Sqlmap22

7. Dump all values of a table:

If we want to dump all the entries of the table, type the following command.

Sqlmap23

Here are the entries.

Sqlmap24

8. Grab a shell on the target:

Now let’s see if we are lucky enough to get the shell of the target. Shell is the target machine’s command line or terminal. Type the following command.

Sqlmap25

It will prompt us to enter the application language being used by the website. We already know it is PHP. Enter its value. Next it will prompt you to enter the writable directory. You cam choose your option wisely. I chose the default root directory for Wamp server. Hit on “Enter”.

Sqlmap26

I successfully got the os-shell. Now let’s try some commands. Type “dir” to see the contents of the root directory. It works as shown below.

Sqlmap27

Let’s see how many users are there on the system. Type the command “net user” . We can see the users listed as below. Happy hacking practice.

Sqlmap28

To find sites vulnerable to this sql injection use google dork “site:.com inurl:id=1” or similar dorks. That’s all in this tutorial.