Jarvis

SQL INJECTION | LFI in "phpmyadmin" | PYTHON CODE REVIEW | COMMAND INJECTION | "systemctl" BINARY EXPLOITATION by CREATING MALICIOUS SERVICE

nmap

ports open :- 22, 80, 64999

gobuster

directories found :-

server-status/, phpmyadmin/, room.php

website (80)

There is a website running on port 80 which has a room-lookup feature (price, description, room name, rating, etc.). It seems exploitable through SQL injection, so let's try that, but before that:

/phpmyadmin/

There is a phpMyAdmin login page running on the website. I already tried the default credentials but didn't get anything; we need credentials for that.

website (64999)

Nothing here, just some text: "you have been blocked for xxx seconds, don't be bad"

SQL injection (manual exploitation)

Explanation

Before exploitation, let's understand how SQL works.

http://xyz.com/order?id=1

In this URL the data is fetched by means of a SQL query.

id=1

To fetch the details of a product / name / whatever, there is a parameter called id whose value is 1. Behind it a SQL query is running :-

SELECT * FROM <table_name> WHERE ID = 1

Here "*" fetches all the columns from the given table, with a "WHERE" condition on the parameter "id". Now that we are clear about what is running behind the scenes, let's move forward.

Exploitation

To check whether a parameter is vulnerable and exploitable to SQL injection there are 2 techniques

  • CREATING ERROR

If we are able to make the database throw an error then it's exploitable. We can create an error in 5 ways

  1. Logical error : enter a non-existing value in the parameter

  2. error payloads

  3. blind payloads

  4. boolean payloads

  5. union payloads

  • FETCHING DATA

  1. union select payloads

  2. boolean payloads

Note :- if you don't know the database name, you can always use "information_schema"

Checklist

Steps to reproduce

  1. We need to create an error in the database. For that I used an error & blind SQL payload :- (' or sleep(5)). To check whether the payload worked or not, notice the changes in the web page, or look at the bottom right corner of "Burp Repeater" (file size | time taken to load the file).

  2. Make notes of (file size | page load time) before and after injecting the payload, i.e., before :- (6532 bytes | 497 millis), after :- (6234 bytes | 5,578 millis)

  3. Make the page normal again (a non-error page). For that we first count the total number of columns using order by 1,2,3,4... payloads: it will not give an error for a valid column number, and it will give an error when a non-existing column number is entered. Now we have to balance the query, i.e., after knowing the total number of columns we have to send exactly the same number of columns in the union query, using union select 1,2,3,4,5,6,7... payloads. Now we can see which column numbers are visible on the web page, i.e., 5, 2, 3, 4

  4. There are lots of things we can do with SQL injection. We do all of this :- LFI, shell upload, output to file, fetch the username and password of the database
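The query explanation and the column-counting steps above, as an added example that is not part of the original writeup: a constructed SQLite stand-in for the room lookup (the real app's schema is unknown here) shows why string concatenation lets ORDER BY / UNION probes change the query, and how the parameterized, type-checked version rejects the same input as data.

```python
import sqlite3

# Constructed sample data standing in for the room table behind room.php (not the box's real schema)
SAMPLE_ROOMS = [
    (1, "Suite", 120.0),
    (2, "Double", 80.0),
]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE rooms (cod INTEGER PRIMARY KEY, name TEXT, price REAL)")
    con.executemany("INSERT INTO rooms VALUES (?, ?, ?)", SAMPLE_ROOMS)
    return con


def lookup_room_unsafe(con, cod):
    # The request parameter is pasted into the SQL text, so it can change the query itself
    return con.execute(f"SELECT cod, name, price FROM rooms WHERE cod = {cod}").fetchall()


def unsafe_error(con, cod):
    # Returns the database error message for the unsafe query, or None if it ran cleanly.
    # This error/no-error signal is what the column counting (ORDER BY n, UNION SELECT ...) relies on.
    try:
        lookup_room_unsafe(con, cod)
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


def lookup_room_safe(con, cod):
    # Validate the type first, then bind the value as a parameter: it is data, never SQL
    cod_int = int(cod)  # raises ValueError for anything that is not a plain integer
    return con.execute("SELECT cod, name, price FROM rooms WHERE cod = ?", (cod_int,)).fetchall()


def is_accepted_by_safe_lookup(con, cod):
    try:
        lookup_room_safe(con, cod)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    db = make_db()
    print(lookup_room_unsafe(db, "1"))
    print(unsafe_error(db, "9999 ORDER BY 4"))          # column-count probe: error
    print(unsafe_error(db, "9999 UNION SELECT 1,2"))    # wrong column count: error
    print(lookup_room_unsafe(db, "9999 UNION SELECT 1,sqlite_version(),3"))  # data leaks
    print(is_accepted_by_safe_lookup(db, "9999 UNION SELECT 1,sqlite_version(),3"))
```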

LFI

cod=9999999 UNION SELECT 1,LOAD_FILE('/etc/passwd'),3,4,5,6,7#

credentials of database

Here is the payload,

cod=99999 UNION SELECT 1,(SELECT host, user, password FROM mysql.user),3,4,5,6,7#
or
cod=99999 UNION SELECT 1,group_concat(host, user, password)FROM mysql.user,3,4,5,6,7#
result :- localhost | DBadmin | *2D2B7A5E4E637B8FBA1D17F40318F277D29964D0

credentials after cracking the hash

DBadmin
imissyou

shell as www-data

way 1 - shell upload via phpmyadmin

We are logged in. After looking at the application I got to know the application version, which is :- "phpMyAdmin 4.8.0". Let's look for any public exploit available for this :- " searchsploit phpmyadmin | grep '4.8' ". We got 2 exploits for that. According to the payload we are able to do LFI, and also LFI to RCE. For that we first have to run a SQL query and then visit the URL including the session id. 1st, copy the session id => the "phpMyAdmin" cookie. 2nd, run the SQL query.

3rd, visit the link including the session id and the command in the "cmd" parameter.

4th, inject a reverse shell in the "cmd" parameter.

way 2 - Direct shell upload

As we know we can write a file using SQL injection, and the web root directory is /var/www/html, so let's try uploading a reverse shell. Payload :-

Let's visit the page and try command injection: http://10.10.10.143/rev.php?cmd=whoami. It works, so let's add a reverse shell command.

privesc www-data => pepper

sudo -l

I found a file "/var/www/Admin-utilities/simpler.py" which I can run with sudo as pepper. First let's read "simpler.py". Basically the script offers: -h help, -l list attackers' IP addresses, -s check attack status, -p ping an IP address. Here in "-p" the exec() function is called, which executes the ping command. We can use command injection in this, but there is a list of forbidden characters :- ` , - , | , || , ~ , & , && , ; Note :- we can still run $(command) to do a command injection in the script.
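The code-review point above, as an added example that is not the box's simpler.py: the character blacklist described in the writeup beside an allowlist fix (parse the input as an IP address and call ping with an argv list, no shell). The IP address and the vulnerable-command reconstruction are assumptions for illustration.

```python
import ipaddress
import subprocess

# Character blacklist as described in the writeup (`, -, |, ||, ~, &, &&, ;); "||" and "&&"
# are already covered by the single-character entries, so they are not listed separately.
FORBIDDEN = ("`", "-", "|", "~", "&", ";")


def passes_blacklist(target):
    # The script's style of check: reject only if a listed character appears. "$(...)" is not listed.
    return not any(ch in target for ch in FORBIDDEN)


def vulnerable_ping_command(target):
    # Assumed reconstruction of the unsafe pattern: the raw string is handed to a shell,
    # so anything the shell expands (such as command substitution) runs. Not executed here.
    return f"ping -c 1 {target}"


def build_ping_argv(target):
    # Allowlist fix: parse the input as an IP address and pass it as a single argv element.
    # ipaddress.ip_address raises ValueError for anything that is not a literal IPv4/IPv6 address.
    ip = ipaddress.ip_address(target.strip())
    return ["ping", "-c", "1", str(ip)]


def is_valid_target(target):
    try:
        build_ping_argv(target)
        return True
    except ValueError:
        return False


def ping(target):
    # No shell involved: with an argv list the target can only ever be ping's argument.
    return subprocess.run(build_ping_argv(target), capture_output=True, text=True, timeout=10).returncode


if __name__ == "__main__":
    # Constructed inputs: a normal address, a classic separator, and the substitution the writeup mentions
    for candidate in ("10.10.14.5", "10.10.14.5; whoami", "$(whoami)"):
        print(f"{candidate!r}: blacklist={passes_blacklist(candidate)} allowlist={is_valid_target(candidate)}")
```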

I got the shell as pepper, but it's not fully functional: the commands are running, but the result is not getting on screen. To fix this, I first create a shell script (shell.sh) in the /tmp directory and put a reverse shell in it, and then do the command injection in "simpler.py" in order to execute my reverse shell script.

And BOOM, we got the shell as pepper.

privesc pepper => root

run LinEnum.sh

After running the script, we get a binary which both pepper and root can run => "/bin/systemctl". systemctl is a systemd utility responsible for controlling the systemd system and service manager, i.e., it creates and manages services. Let's create a malicious service and run it using systemctl, and BOOM... we got the shell as root.
