Friday, September 30, 2016

Pwning Metasploitable 2: Exploiting PHP v5.2.4 Vulnerability using PHP CGI Argument Injection

In our previous articles we have looked at exploiting the vsFTPd service both manually and automatically. Now let’s look at weaknesses on the web server being hosted by our target machine.

Scan ports 80 and 443


Enter the command: nmap -sV -p 80,443 <<target IP address>>

We scan ports 80 and 443 specifically because they are the default ports for HTTP and HTTPS.



Results show that there is an Apache server running on port 80 (HTTP). We can browse to our target machine in a web browser.

Looking for information on the web server


There are lots of ways to gather information about and from web servers. We will get to those in later articles. For this article you need to know one important thing – PHP installations usually have a “phpinfo.php” page for use by the developers, and it is often forgotten and left in place when the site goes live.

Open your web browser and go to: <<target IP address>>/phpinfo.php



As you can see from that page, there is a lot of information. Take a look at the PHP version. After googling that version for known vulnerabilities, we find that it is vulnerable to PHP CGI Argument Injection.


Using the PHP CGI Argument Injection Exploit Module


Enter the command: msfconsole

Now let’s search for that exploit. Enter the command: search php_cgi



Use the exploit and show options:



RHOST is empty; set it with the command: set RHOST <<target IP address>>
You’re good to go. Exploit.


You got a session.

What can you do with this? I leave that up to you to do some quick research on the commands you can use in the meterpreter shell.
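From the defender's side, the two things this walkthrough relies on (a forgotten phpinfo.php and a query string that php-cgi receives as command-line options) both leave a visible trace in the web server's access log. The following Python script is an added example, not part of the original post: it reproduces the CGI rule that turns a query string into argv (only when the raw query contains no literal "=", split on "+", then percent-decoded, which is why a "%3D" hides the "=" from a naive filter) and flags such requests in constructed sample log lines, along with any request for phpinfo.php. The log lines, IP addresses and option names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-log lines for illustration (not from the original post).
SAMPLE_LOG = """\
10.0.0.5 - - [30/Sep/2016:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [30/Sep/2016:10:01:07 +0000] "GET /search.php?q=a-b+c HTTP/1.1" 200 880 "-" "Mozilla/5.0"
10.0.0.9 - - [30/Sep/2016:10:02:11 +0000] "GET /phpinfo.php HTTP/1.1" 200 65000 "-" "curl/7.47.0"
10.0.0.9 - - [30/Sep/2016:10:02:15 +0000] "POST /index.php?-d+constructed_option%3D1+-d+other_option%3D0 HTTP/1.1" 200 120 "-" "-"
"""

# Pulls the method and request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def cgi_argv_tokens(query: str) -> list:
    """Reproduce how a CGI program receives a query string as argv (RFC 3875 4.4):
    only when the raw query contains no literal '=', split on '+' and percent-decode
    each word. A '%3D' is decoded after that check, so it does not count as '='."""
    if "=" in query:
        return []
    return [unquote(tok) for tok in query.split("+") if tok]


def is_cgi_option_injection(target: str) -> bool:
    """True when the query string would reach php-cgi as argv containing an
    option-looking word (one that starts with '-')."""
    if "?" not in target:
        return False
    query = target.split("?", 1)[1]
    return any(tok.startswith("-") for tok in cgi_argv_tokens(query))


def phpinfo_exposed(target: str) -> bool:
    """True for any request whose path ends in phpinfo.php (the page should not be live)."""
    return target.split("?", 1)[0].lower().endswith("/phpinfo.php")


def scan_log(text: str) -> list:
    """Return (line number, finding) pairs for the suspicious requests in a log."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        if is_cgi_option_injection(target):
            findings.append((lineno, "php-cgi argument injection"))
        elif phpinfo_exposed(target):
            findings.append((lineno, "phpinfo.php requested"))
    return findings


if __name__ == "__main__":
    for lineno, what in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {what}")
```

Line 2 shows the edge case: "q=a-b+c" contains a literal "=", so the web server never passes it as argv and the "-" inside a value is not a finding.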


-Jayesh Kerai (@secjay)
