In our previous articles we have looked at exploiting the vsFTPd service both manually and automatically. Now let’s look at weaknesses on the web server being hosted by our target machine.
Scan ports 80 and 443
Enter the command: nmap -sV -p 80,443 <<target IP address>>
We scan port 80 and 443 specifically because they are ports for HTTP and HTTPS.
Results show that there is an active Apache server running on port 80 (HTTP). We can browse our target machine through the web browser.
Looking for information on the web server
There are lots of ways to gather info about and from web servers. We will get to that in our later articles. For this article you need to know one important thing – a PHP installation usually has a “phpinfo.php” page for use by the developers. However, it is often forgotten and not deleted before the site goes live.
Open your web browser and go to: <<target IP address>>/phpinfo.php
As you can see from that page, there is a lot of information. Take a look at the PHP version. After googling that version for any vulnerabilities, we can find that it is vulnerable to a PHP CGI Argument Injection.
Using the PHP CGI Argument Injection Exploit Module
Enter the command: msfconsole
Now let’s search for that exploit. Enter the command: search php_cgi
Use the exploit and show options:
RHOST is empty; set it with the command: set RHOST <<target IP address>>
You’re good to go. Exploit.
You got a session.
What can you do with this? I leave that up to you to do some quick research on commands you can use on the meterpreter shell.
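From the defender's side, both steps of this walkthrough leave traces in the web server's access log: a successful request for phpinfo.php (the page that should have been removed before go-live) and a query string that php-cgi would interpret as command-line switches. The script below is an added example, not part of the original article; it assumes Apache's combined log format, and the log lines in it are constructed samples.

```python
import re
from urllib.parse import unquote_plus

# Apache combined log format (assumed): ip ident user [ts] "METHOD url proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample access log: one normal request, one hit on the forgotten
# phpinfo.php page, two requests whose query string starts with a php-cgi
# switch, and one harmless query that merely contains a leading dash in a value.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512
10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /phpinfo.php HTTP/1.1" 200 48211
10.0.0.9 - - [10/Oct/2023:13:57:12 +0000] "POST /index.php?%2Ds HTTP/1.1" 200 3021
10.0.0.9 - - [10/Oct/2023:13:57:40 +0000] "POST /index.php?-d+display_errors%3D1 HTTP/1.1" 200 120
10.0.0.5 - - [10/Oct/2023:13:58:02 +0000] "GET /search.php?q=-test HTTP/1.1" 200 800
"""


def looks_like_cgi_arg_injection(raw_query):
    """Heuristic: php-cgi receives the query string as argv only when it contains
    no literal '=', and a switch begins with '-'.  Decode first so that
    percent-encoded dashes (%2D) and '+' separators are handled."""
    if not raw_query or "=" in raw_query:
        return False
    return unquote_plus(raw_query).lstrip().startswith("-")


def analyze(log_text):
    """Return (client_ip, finding, url) tuples for lines worth an analyst's attention."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        url = m.group("url")
        path, _, raw_query = url.partition("?")
        if path.lower().endswith("/phpinfo.php") and m.group("status") == "200":
            findings.append((m.group("ip"), "phpinfo_exposed", url))
        if looks_like_cgi_arg_injection(raw_query):
            findings.append((m.group("ip"), "php_cgi_arg_injection", url))
    return findings


if __name__ == "__main__":
    for ip, finding, url in analyze(SAMPLE_LOG):
        print(f"{ip}\t{finding}\t{url}")
```

The phpinfo hit is the cheaper fix: a 200 for that path on a production host means the file is still there and should be removed; the argument-injection hits call for checking the PHP version and CGI configuration on the host that served them.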
-Jayesh Kerai (@secjay)