1
00:00:01,625  -->  00:00:02,458
<v Narrator>In this lecture,</v>

2
00:00:02,458  -->  00:00:03,291
we're going to have a look

3
00:00:03,291  -->  00:00:05,840
at File Upload Vulnerabilities.

4
00:00:05,840  -->  00:00:08,260
These are the simplest type of vulnerabilities

5
00:00:08,260  -->  00:00:12,120
because they allow us to upload any type of file.

6
00:00:12,120  -->  00:00:15,750
So for example if the target computer can understand PHP,

7
00:00:15,750  -->  00:00:19,240
then we can upload any PHP file or a PHP shell

8
00:00:19,240  -->  00:00:22,203
and get full control over the target computer.

9
00:00:23,780  -->  00:00:27,059
Now, if the target computer or the target server understands

10
00:00:27,059  -->  00:00:29,320
Python or any other language,

11
00:00:29,320  -->  00:00:31,020
then you can just upload Python code,

12
00:00:31,020  -->  00:00:32,970
a Python shell or a Ruby shell.

13
00:00:32,970  -->  00:00:34,670
You can create these shells using

14
00:00:34,670  -->  00:00:36,749
Veil-Evasion or Metasploit,

15
00:00:36,749  -->  00:00:40,503
or you can use your own PHP or Python shell.

16
00:00:43,550  -->  00:00:44,700
What we're going to do today,

17
00:00:44,700  -->  00:00:46,460
we're going to have a look at a tool

18
00:00:46,460  -->  00:00:49,460
called Weevely that generates PHP shells

19
00:00:49,460  -->  00:00:51,680
and allows us to gain access

20
00:00:51,680  -->  00:00:56,420
and do a number of cool things on the target computer.

21
00:00:56,420  -->  00:01:01,420
So, first of all, I have my DVWA here.

22
00:01:01,660  -->  00:01:04,130
And usually when you are trying to pentest a website,

23
00:01:04,130  -->  00:01:05,120
what I recommend is,

24
00:01:05,120  -->  00:01:07,020
before trying to use any tools or anything,

25
00:01:07,020  -->  00:01:08,940
after you do your information gathering,

26
00:01:08,940  -->  00:01:12,260
is you just go in and try to browse the website.

27
00:01:12,260  -->  00:01:15,681
See what you can see, just get a feel of the website.

28
00:01:15,681  -->  00:01:18,160
See what's installed on it and all that.

29
00:01:18,160  -->  00:01:21,090
And try to exploit any features you see.

30
00:01:21,090  -->  00:01:22,990
So for example, let's say you went on everything,

31
00:01:22,990  -->  00:01:24,590
and then you reached the upload.

32
00:01:25,530  -->  00:01:29,010
We can see that this website allows us to upload a file.

33
00:01:29,010  -->  00:01:32,880
Now this sometimes in your penetration testing tasks,

34
00:01:32,880  -->  00:01:35,710
it could be a website that's allowing you to upload

35
00:01:35,710  -->  00:01:39,280
a profile picture, a picture, if it's a classified website,

36
00:01:39,280  -->  00:01:42,780
maybe it's allowing you to upload pictures of cars

37
00:01:42,780  -->  00:01:45,223
or whatever you're trying to add in the website.

38
00:01:46,240  -->  00:01:48,750
So, as you can see here, the website expects you

39
00:01:48,750  -->  00:01:51,500
to choose an image and upload an image.

40
00:01:51,500  -->  00:01:53,920
So let's see if we can upload an image first.

41
00:01:53,920  -->  00:01:56,620
So I'm gonna go on my downloads

42
00:01:56,620  -->  00:01:58,803
and I have a picture here in the resources.

43
00:01:59,640  -->  00:02:01,640
Just a picture of a car.

44
00:02:01,640  -->  00:02:04,040
I'm gonna upload it and see if it gets uploaded.

45
00:02:05,370  -->  00:02:07,730
And we can see that the upload was successful

46
00:02:07,730  -->  00:02:11,610
and it's stored in this particular location so

47
00:02:11,610  -->  00:02:12,830
it's ....

48
00:02:12,830  -->  00:02:17,830
which means two directories back and then this file name.

49
00:02:18,080  -->  00:02:21,050
So let's see if the picture has been actually uploaded.

50
00:02:21,050  -->  00:02:22,460
So I'm taking away two directories,

51
00:02:22,460  -->  00:02:25,180
I'm taking away the vulnerabilities and upload.

52
00:02:25,180  -->  00:02:26,293
I'm only using that.

53
00:02:27,380  -->  00:02:31,690
And then we're gonna get this location on the server,

54
00:02:31,690  -->  00:02:34,403
just to see if the picture was uploaded properly.

55
00:02:38,040  -->  00:02:40,130
And as we can see the picture has been uploaded,

56
00:02:40,130  -->  00:02:41,133
so that's all good.

57
00:02:42,420  -->  00:02:43,600
Now the next thing we wanna do,

58
00:02:43,600  -->  00:02:46,380
let's try and upload a PHP file.

59
00:02:46,380  -->  00:02:48,800
And to do that, we're going to use a tool called Weevely

60
00:02:48,800  -->  00:02:49,633
as I said,

61
00:02:49,633  -->  00:02:53,870
to create a payload or a shell if you wanna call it.

62
00:02:53,870  -->  00:02:56,450
And it's obviously gonna be a PHP shell.

63
00:02:56,450  -->  00:02:58,350
You can use Metasploit as I said

64
00:02:58,350  -->  00:03:00,190
to create a PHP payload

65
00:03:00,190  -->  00:03:02,710
but we're gonna be just having a look at a different tool

66
00:03:02,710  -->  00:03:06,773
that's designed for web application penetration testing.

67
00:03:07,760  -->  00:03:09,460
So the tool is very easy,

68
00:03:09,460  -->  00:03:13,110
we're gonna put the tool name, which is weevely.

69
00:03:13,110  -->  00:03:15,573
And then we're going to put generate,

70
00:03:17,240  -->  00:03:20,200
because we want to generate a payload or a shell file.

71
00:03:20,200  -->  00:03:22,710
Then we will put a password for that file,

72
00:03:22,710  -->  00:03:26,640
so that only we can access it and control the website

73
00:03:26,640  -->  00:03:28,570
when we upload it to the website.

74
00:03:28,570  -->  00:03:31,680
So my password is gonna be 1-2-3-4-5-6.

75
00:03:31,680  -->  00:03:33,730
And then I'm gonna say where I want to store it.

76
00:03:33,730  -->  00:03:35,560
And I want to store it in root

77
00:03:35,560  -->  00:03:37,957
and I'm gonna call it shell.php.

78
00:03:40,310  -->  00:03:43,100
So very simple, weevely is the name of the program.

79
00:03:43,100  -->  00:03:45,570
Generate is to generate a shell.

80
00:03:45,570  -->  00:03:47,120
The password that the shell is going

81
00:03:47,120  -->  00:03:48,810
to authenticate us with,

82
00:03:48,810  -->  00:03:52,070
and it's gonna be stored in root/shell.php.

83
00:03:52,070  -->  00:03:54,210
Gonna hit enter and it's created now,

84
00:03:54,210  -->  00:03:57,823
I'm already in my root, so if I just do ls I should see it.

85
00:03:58,990  -->  00:04:01,040
And we can see it right here.

86
00:04:01,040  -->  00:04:03,010
So, the next thing is we're just gonna go back

87
00:04:03,010  -->  00:04:05,323
to our website and try to upload that shell.

88
00:04:11,640  -->  00:04:14,373
And I'm gonna look for shell and here it is.

89
00:04:15,604  -->  00:04:16,604
And I hit on upload.

90
00:04:18,950  -->  00:04:20,440
And as you can see now it's telling me

91
00:04:20,440  -->  00:04:22,840
the file has been uploaded successfully

92
00:04:22,840  -->  00:04:25,280
and it's in the same place that the picture was.

93
00:04:25,280  -->  00:04:30,090
So all we need to do now is we're going to use the same link

94
00:04:30,090  -->  00:04:32,600
and we're gonna use Weevely again to interact

95
00:04:32,600  -->  00:04:34,460
with that shell that we uploaded.

96
00:04:34,460  -->  00:04:36,663
Now let's first of all see if the shell exists

97
00:04:36,663  -->  00:04:38,490
and it's been uploaded properly.

98
00:04:38,490  -->  00:04:40,883
So I'm just gonna browse it through my browser.

99
00:04:43,050  -->  00:04:46,520
shell.php, and you can see that you get a blank page

100
00:04:46,520  -->  00:04:48,583
so we're not getting 404 file not found

101
00:04:48,583  -->  00:04:52,670
which means that the file has been uploaded and it's there.

102
00:04:52,670  -->  00:04:55,670
So we're gonna try to interact with it from Weevely.

103
00:04:55,670  -->  00:04:57,920
To connect to it, we're gonna type in weevely,

104
00:04:59,000  -->  00:05:01,960
and then we're gonna put the URL where the shell is.

105
00:05:01,960  -->  00:05:04,610
So this is where our shell has been uploaded.

106
00:05:04,610  -->  00:05:06,020
And then we're gonna put the password.

107
00:05:06,020  -->  00:05:09,000
So my password was 1-2-3-4-5-6.

108
00:05:09,000  -->  00:05:12,350
Very simple, weevely, the URL where the file is

109
00:05:12,350  -->  00:05:13,890
and 1-2-3-4-5-6.

110
00:05:13,890  -->  00:05:16,310
This is very similar to when you use

111
00:05:16,310  -->  00:05:18,320
your multi-handler waiting for connections

112
00:05:18,320  -->  00:05:20,130
or connected through your backdoor.

113
00:05:20,130  -->  00:05:21,750
So we're literally just going to connect

114
00:05:21,750  -->  00:05:24,080
to the backdoor that we uploaded.

115
00:05:24,080  -->  00:05:26,331
And as you can see, now we're in the file system,

116
00:05:26,331  -->  00:05:29,980
so from Weevely, from this place,

117
00:05:29,980  -->  00:05:32,343
you can actually just type in any Linux command.

118
00:05:32,343  -->  00:05:34,890
And it will be executed

119
00:05:34,890  -->  00:05:37,490
on the target computer and you'll see the result here.

120
00:05:37,490  -->  00:05:39,942
So if I do a pwd,

121
00:05:39,942  -->  00:05:44,942
you'll see that I'm in var/www/hackable/uploads

122
00:05:45,090  -->  00:05:47,053
and if I do an id,

123
00:05:48,240  -->  00:05:52,240
I'll see my user at the moment which is www-data.

124
00:05:52,240  -->  00:05:56,000
And if you do a uname -a

125
00:05:56,000  -->  00:05:59,130
just to confirm that this is the Metasploitable machine

126
00:05:59,130  -->  00:06:02,070
you'll see that this is the Linux Metasploitable machine.

127
00:06:02,070  -->  00:06:03,300
Now we can do anything we want.

128
00:06:03,300  -->  00:06:05,351 line:15%
We can list the files, we can navigate.

129
00:06:05,351  -->  00:06:08,210 line:15%
You can do any Linux command that you wanna do.

130
00:06:08,210  -->  00:06:10,903 line:15%
Now we have changed, our place has been changed.

131
00:06:11,751  -->  00:06:16,370 line:15%
Weevely also offers many more features than just this.

132
00:06:16,370  -->  00:06:19,660 line:15%
So it actually allows you to do a number of cool things.

133
00:06:19,660  -->  00:06:22,900 line:15%
If you type in help you'll see all the cool stuff

134
00:06:22,900  -->  00:06:24,620
that you can do with Weevely.

135
00:06:24,620  -->  00:06:26,983
So you can try to escalate your privileges.

136
00:06:28,510  -->  00:06:33,510
Execute SQL queries and a lot of cool stuff that is just

137
00:06:33,560  -->  00:06:36,660
designed for web application penetration testing.

138
00:06:36,660  -->  00:06:38,890
For now I'm gonna leave it at this.

139
00:06:38,890  -->  00:06:41,048
And this just shows you how to use

140
00:06:41,048  -->  00:06:44,113
File Upload Vulnerabilities.