PHP not executing on Rogue AP webpage

apache
mysql
php

(Joshep) #8
mysql -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 34
Server version: 10.1.35-MariaDB-1 Debian unstable

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create user fakeap@localhost identified by 'fakeap';
ERROR 1396 (HY000): Operation CREATE USER failed for 'fakeap'@'localhost'
MariaDB [(none)]> create database rogue_AP;
ERROR 1007 (HY000): Can't create database 'rogue_AP'; database exists
MariaDB [(none)]> use rogue_AP;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [rogue_AP]> create table wpa_keys(password1 varchar(32), password2 varchar(32));
ERROR 1050 (42S01): Table 'wpa_keys' already exists
MariaDB [rogue_AP]> grant all privileges on rogue_AP.* to 'fakeap'@'localhost';
Query OK, 0 rows affected (0.00 sec)

MariaDB [rogue_AP]> MariaDB -u fakeap -p
    -> use rogue_AP;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'MariaDB -u fakeap -p
use rogue_AP' at line 1
MariaDB [rogue_AP]> insert into wpa_keys(password1, password2) values ("testpass", "testpass");
Query OK, 1 row affected (0.13 sec)

MariaDB [rogue_AP]> select * from wpa_keys;
+-----------+-----------+
| password1 | password2 |
+-----------+-----------+
| testpass  | testpass  |
| testpass  | testpass  |
| testpass  | testpass  |
+-----------+-----------+
3 rows in set (0.00 sec)

MariaDB [rogue_AP]>

This is what I get.
Would you mind figuring out the error?


(Hardeep Singh) #9

You ran the following command once but the table shows 3 values, which means either you inserted the values earlier or they are being written by the fake AP webpage.

Command: insert into wpa_keys(password1, password2) values ("testpass", "testpass");


Enable PHP module:

Enable PHP module in apache and restart the service

sudo a2enmod php7  
sudo service apache restart

(Joshep) #10

sudo a2enmod php7
ERROR: Module php7 does not exist!

Yes, I entered it three times, but how do I delete it?
Does it matter if three columns are entered?


(Hardeep Singh) #11

Install PHP module for apache: sudo apt-get install libapache2-mod-php7.0

Make sure PHP is version 7 and not 5. Check PHP version: php -v


(Joshep) #12
PHP 7.2.9-1 (cli) (built: Aug 19 2018 06:56:13) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.2.9-1, Copyright (c) 1999-2018, by Zend Technologies

So what will be the replacement command for
sudo a2enmod php7


(Hardeep Singh) #13

No replacement. You just need to have the PHP module enabled.

This is PHP installed, but not the support module in apache. So install that with the following command

sudo apt-get install libapache2-mod-php7.0

and then enable the module with

sudo a2enmod php7 && sudo service apache restart

(Joshep) #14
sudo apt-get install libapache2-mod-php7.0
Reading package lists... Done
Building dependency tree       
Reading state information... Done
libapache2-mod-php7.0 is already the newest version (7.0.31-1).
The following packages were automatically installed and are no longer required:
  gconf-service gconf2-common gedit-plugin-dashboard gir1.2-rb-3.0
  gir1.2-zeitgeist-2.0 icoutils libbind9-160 libcomerr2:i386 libdns1102
  libgconf-2-4 libgpod-common libgpod4 libgsoap-2.8.60 libieee1284-3:i386
  libirs160 libisc169 libisccc160 libisccfg160 liblwres160 libmbedcrypto1
  libplacebo5 libprotobuf-lite10 libprotobuf10 libradare2-2.9
  librhythmbox-core10 libsane:i386 libsane-extras:i386 libsgutils2-2
  libunbound2 libvncserver1 libx264-152 libx264-152:i386 libx265-160
  libx265-160:i386 linux-headers-4.17.0-kali3-amd64
  linux-headers-4.17.0-kali3-common linux-image-4.17.0-kali3-amd64
  linux-kbuild-4.17 python-backports-abc python-concurrent.futures
  python-pbkdf2 python-pyric python-roguehostapd python-singledispatch
  python-tornado python3-mako python3-markupsafe rhythmbox-data
  ruby-terminal-table ruby-unicode-display-width virtualbox-dkms
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 59 not upgraded.

I got this
and for

sudo a2enmod php7
I got this

ERROR: Module php7 does not exist!

(Hardeep Singh) #15

I guess it was sudo a2enmod php7.0

Version specific. Try this… does it work?


(Joshep) #16

This is the output

a2enmod php7.0
Considering dependency mpm_prefork for php7.0:
Considering conflict mpm_event for mpm_prefork:
ERROR: Module mpm_event is enabled - cannot proceed due to conflicts. It needs to be disabled first!
Considering conflict mpm_worker for mpm_prefork:
ERROR: Could not enable dependency mpm_prefork for php7.0, aborting

For the other versions (7.2) the output is also the same.

When I disable mpm_event, I can’t restart apache2; it says No MPM loaded.
And when I enable mpm_event, it works.


(Joshep) #17

In the apache2 folder, I saw some folders named available and enabled.
The thing is, the same files are in both folders, but the enabled folder has slightly fewer files than the available folder.
What will happen if the remaining files of the available folder are copied to the enabled folder?


(Hardeep Singh) #18

Try disabling mpm_prefork only. It usually does the job

sudo a2dismod mpm_prefork

Both contain site configuration or modules for Apache. All the files lie under *-available and the enabled ones are then moved to *-enabled. Hence their names.

Folder structure for:

| Site/app | Modules | Configuration files |
|---|---|---|
| sites-available | modules-available | conf-available |
| sites-enabled | modules-enabled | conf-enabled |

(Joshep) #19

This is what happened

root@hidden:~# a2dismod mpm_prefork
ERROR: The following modules depend on mpm_prefork and need to be disabled first: php7.0
root@hidden:~# a2dismod php7.0
Module php7.0 disabled.
To activate the new configuration, you need to run:
  systemctl restart apache2
root@hidden:~# systemctl restart apache2
root@hidden:~# a2dismod mpm_prefork
Module mpm_prefork disabled.
To activate the new configuration, you need to run:
  systemctl restart apache2
root@hidden:~# systemctl restart apache2
Job for apache2.service failed because the control process exited with error code.
See "systemctl status apache2.service" and "journalctl -xe" for details.
root@hidden:~# systemctl status apache2.service
● apache2.service - The Apache HTTP Server
   Loaded: loaded (/lib/systemd/system/apache2.service; disabled; vendor preset:
   Active: failed (Result: exit-code) since Thu 2018-11-01 12:58:45 +0545; 13s a
  Process: 5037 ExecStop=/usr/sbin/apachectl stop (code=exited, status=1/FAILURE
  Process: 5042 ExecStart=/usr/sbin/apachectl start (code=exited, status=1/FAILU
 Main PID: 5021 (code=exited, status=0/SUCCESS)

Nov 01 12:58:45 hidden systemd[1]: Starting The Apache HTTP Server...
Nov 01 12:58:45 hidden apachectl[5042]: AH00534: apache2: Configuration error: N
Nov 01 12:58:45 hidden apachectl[5042]: Action 'start' failed.
Nov 01 12:58:45 hidden apachectl[5042]: The Apache error log may have more infor
Nov 01 12:58:45 hidden systemd[1]: apache2.service: Control process exited, code
Nov 01 12:58:45 hidden systemd[1]: apache2.service: Failed with result 'exit-cod
Nov 01 12:58:45 hidden systemd[1]: Failed to start The Apache HTTP Server.
lines 1-14/14 (END)...skipping...
● apache2.service - The Apache HTTP Server
   Loaded: loaded (/lib/systemd/system/apache2.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Thu 2018-11-01 12:58:45 +0545; 13s ago
  Process: 5037 ExecStop=/usr/sbin/apachectl stop (code=exited, status=1/FAILURE)
  Process: 5042 ExecStart=/usr/sbin/apachectl start (code=exited, status=1/FAILURE)
 Main PID: 5021 (code=exited, status=0/SUCCESS)

Nov 01 12:58:45 hidden systemd[1]: Starting The Apache HTTP Server...
Nov 01 12:58:45 hidden apachectl[5042]: AH00534: apache2: Configuration error: No MPM loaded.
Nov 01 12:58:45 hidden apachectl[5042]: Action 'start' failed.
Nov 01 12:58:45 hidden apachectl[5042]: The Apache error log may have more information.
Nov 01 12:58:45 hidden systemd[1]: apache2.service: Control process exited, code=exited status=1
Nov 01 12:58:45 hidden systemd[1]: apache2.service: Failed with result 'exit-code'.
Nov 01 12:58:45 hidden systemd[1]: Failed to start The Apache HTTP Server.
~

(Hardeep Singh) #20

What kind of sorcery is this :confused:

For now we know one thing: mpm_event needs to be enabled all the time. So keep it that way.

And let’s use PHP FastCGI Process Manager, a.k.a. php-fpm, for PHP processing.

sudo apt install php-fpm

Keep mpm_prefork disabled. Install the php-fpm package and restart Apache.

sudo systemctl restart php7.0-fpm apache2

It should work now! :angry:
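
The states this thread passes through ("No MPM loaded", mod_php requiring mpm_prefork, mpm_event with php-fpm) and the case asked about in post #17 (everything from the available folder placed in the enabled folder) can be told apart from the enabled-module links alone. The script below is an added example, not part of any post; it assumes the Debian layout (`mods-enabled/`, `conf-enabled/`) and Debian packaging file names (`phpX.Y.load`, `phpX.Y-fpm.conf`, `proxy_fcgi.load`), and the function name and state keywords are made up for illustration.

```shell
#!/bin/sh
# Added example: classify the MPM / PHP handler state of a Debian-style Apache
# config root (mods-enabled/ and conf-enabled/ hold links to enabled items).
diagnose_php_handler() {
    root=${1:-/etc/apache2}
    mpms="" modphp=no fpm=no
    for f in "$root"/mods-enabled/mpm_*.load; do
        if [ -e "$f" ]; then mpms="$mpms $(basename "$f" .load)"; fi
    done
    for f in "$root"/mods-enabled/php*.load; do      # mod_php (libapache2-mod-php)
        if [ -e "$f" ]; then modphp=yes; fi
    done
    for f in "$root"/conf-enabled/php*-fpm.conf; do  # php-fpm handler config
        if [ -e "$f" ]; then fpm=yes; fi
    done
    mpms=${mpms# }
    case "$mpms" in
        "")    echo "no-mpm"; return 1 ;;            # AH00534: No MPM loaded
        *" "*) echo "multiple-mpm"; return 1 ;;      # more than one MPM linked
    esac
    if [ "$modphp" = yes ]; then
        if [ "$mpms" = mpm_prefork ]; then echo "mod-php-ok"; return 0; fi
        echo "mod-php-needs-prefork"; return 1       # the a2enmod conflict
    fi
    if [ "$fpm" = yes ] && [ -e "$root/mods-enabled/proxy_fcgi.load" ]; then
        echo "fpm-ok"; return 0
    fi
    echo "no-php-handler"; return 1                  # .php is sent as source
}

# Constructed sample tree replaying the thread's states (not a real system).
demo() {
    t=$(mktemp -d) && mkdir -p "$t/mods-enabled" "$t/conf-enabled"
    printf 'nothing enabled:      %s\n' "$(diagnose_php_handler "$t")"
    : > "$t/mods-enabled/mpm_event.load"
    printf 'mpm_event only:       %s\n' "$(diagnose_php_handler "$t")"
    : > "$t/mods-enabled/proxy_fcgi.load"; : > "$t/conf-enabled/php7.0-fpm.conf"
    printf 'mpm_event + php-fpm:  %s\n' "$(diagnose_php_handler "$t")"
    rm -rf "$t"
}
demo
```

On a real host, call `diagnose_php_handler /etc/apache2`; a `no-php-handler` result with mpm_event usually means `proxy_fcgi` or the `phpX.Y-fpm` conf has not been enabled yet.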


(Joshep) #21

Yeah, it worked, but what are we gonna do?


(Hardeep Singh) #22

Test on your fake AP webpage. It should not show the source code but execute PHP and save the credentials in MySQL DB.


(Joshep) #23

Oh… I see, and how about redirecting me to the fake AP webpage?
I have to go manually, and the dnsspoof command also didn’t redirect me to the fake AP webpage?


(Hardeep Singh) #24

dnsspoof is indeed working as your data suggests.

It would never work on sites with HSTS enabled. Can’t do anything with that at the stage/level you are at.

I would suggest you test this with HTTP websites and get familiar with the attack first. Then we can go deeper and understand how to bypass this.

Stick to the current attack. Understand it. Then move deeper.
Else you’ll stay confused and end up wasting a lot of time.
You gotta keep it under your own control (not limit, but control yourself).


(Joshep) #25

:slight_smile:
Well, I have learned a lot of things about the evil twin attack from you and your guide.
I knew nothing about it some days ago. Thanks a lot for that.
Well, will the captive portal guide from your wireless pentesting and security PDF help me out?


(Hardeep Singh) #26

For sure!

Go ahead. Just keep learning!
and thanks for your kind words :slight_smile:


(Hardeep Singh) split this topic #27

A post was split to a new topic: Captive Portal Issue on Android Lollipop