In our previous articles we have looked at exploiting the
vsFTPd service both manually and automatically. Now let’s look at weaknesses on
the web server being hosted by our target machine.
Scan ports 80 and 443
Enter the command: nmap -sV -p 80,443 <<target IP address>>
We scan ports 80 and 443 specifically because they are the standard ports
for HTTP and HTTPS.
Results show that there is an active Apache server running
on port 80 (HTTP). We can browse our target machine through the web browser.
Looking for information on the web server
There are lots of ways to gather info about and from web
servers. We will get to that in our later articles. For this article you need to know
one important thing: PHP installations usually have a “phpinfo.php” page for use
by the developers, and it is often not deleted before the site goes
live.
Open your web browser and go to: <<target IP address>>/phpinfo.php
As you can see from that page, there is a lot of
information. Take a look at the PHP version. Googling that version for vulnerabilities shows
that it is vulnerable to PHP CGI Argument Injection.
Using the PHP CGI Argument Injection Exploit Module
Enter the command: msfconsole
Now let’s search for that exploit. Enter the command: search php_cgi
Use the exploit and show options:
RHOST is empty. Set RHOST by using the command: set RHOST <<target IP address>>
You’re good to go. Exploit.
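As an added example (not part of the original article), the Python sketch below shows how a defender could spot both issues covered here in an Apache access log: a phpinfo.php page that still answers, and query strings shaped like PHP CGI argument injection. The log lines, addresses and finding labels are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Apache common/combined format: host ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def classify(line):
    """Return the finding labels for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    path, _, query = m.group("target").partition("?")
    findings = []
    # A phpinfo page answering 200 is readable by anyone who requests it.
    if path.lower().endswith("/phpinfo.php") and m.group("status") == "200":
        findings.append("phpinfo-exposed")
    # CGI passes a query string to the program as command-line arguments only
    # when it has no literal '='; a decoded leading '-' means a switch was sent.
    if query and "=" not in query and unquote_plus(query).lstrip().startswith("-"):
        findings.append("php-cgi-arg-injection")
    return findings

def scan(lines):
    """Map each source address to the set of findings seen from it."""
    report = {}
    for line in lines:
        for label in classify(line):
            report.setdefault(line.split(" ", 1)[0], set()).add(label)
    return report

# Constructed sample lines (documentation address ranges, made-up requests).
SAMPLE = [
    '192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /phpinfo.php HTTP/1.1" 200 48211',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php?-x+constructed%3dvalue HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "POST /index.php?%2Dx HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:57:11 +0000] "GET /index.php?page=-1 HTTP/1.1" 200 900',
    '203.0.113.5 - - [10/Oct/2023:13:57:40 +0000] "GET /phpinfo.php HTTP/1.1" 404 196',
    '203.0.113.5 - - [10/Oct/2023:13:58:01 +0000] "GET /search.php?term HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for host, labels in sorted(scan(SAMPLE).items()):
        print(host, sorted(labels))
```

Removing phpinfo.php from the live server and updating PHP clears both findings at the source; the log check only tells you whether someone has already been looking.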