Friday, 3 April 2015

SQL Injection to Shell


SQLi to Shell


First things first: I downloaded the VM and, as this was a grey-box test, I minimized the VM I would be attacking so I knew nothing about it, then scanned a range of IPs on my network, as shown in Fig 1.

Fig 1
I saw two open ports (SSH & HTTP). It would be pointless going after SSH, so I looked at what was running on port 80. It turns out there was a 'Photoblog' which was hosting a couple of images. A quick click through the hyperlinks showed that these images were being stored in a database, as I could replace the ID and see a different picture (Fig 2).


Fig 2
The ID number represented a different picture in the database. This meant that there *could* be some juicy information in the database.

Fig 3


I knew there was a SQLi to be had on this machine, since the VulnHub title said so, so I began working on it by finding out what version was running (Fig 4):
Fig 4




And what user was currently active on the webserver (Fig 5):

Fig 5

I could have spent a short while manually doing a SQLi attack, but to save time, I used a tool to fetch the column names/rows for further recon (Fig 6):

Fig 7
I thought this was going to be fruitless, as I wasn't presented with any passwords at first; that was until I scrolled down and saw a hash which had already been cracked for me. I now had a login of 'admin' and a password of 'P4ssw0rd' (Fig 8).

Fig 8
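The root cause of everything up to this point is the photoblog taking the picture ID straight from the URL and pasting it into its SQL. The following is an added example, not code from the VM or from the original post: a constructed in-memory SQLite stand-in for the picture table (the real schema is not known from the page) with the vulnerable lookup beside the fixed one. The fix is the one the write-up calls for at the end: validate the type of the ID and bind it with a placeholder so the database never parses it as SQL.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the photoblog's picture table (assumed schema, not the VM's)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE pictures (id INTEGER PRIMARY KEY, title TEXT, path TEXT);
        INSERT INTO pictures VALUES (1, 'Ruby', 'ruby.jpg');
        INSERT INTO pictures VALUES (2, 'Sapphire', 'sapphire.jpg');
        INSERT INTO pictures VALUES (3, 'Emerald', 'emerald.jpg');
        """
    )
    return conn


def lookup_vulnerable(conn, id_value):
    """The pattern the walkthrough exploits: the id from the URL is concatenated into the query."""
    query = "SELECT id, title, path FROM pictures WHERE id = " + id_value
    return conn.execute(query).fetchall()


def lookup_safe(conn, id_value):
    """Reject anything that is not an integer, then bind it as a parameter."""
    try:
        pic_id = int(id_value)
    except (TypeError, ValueError):
        # A picture id is a number; anything else is logged/rejected, never queried.
        raise ValueError("picture id must be an integer") from None
    return conn.execute(
        "SELECT id, title, path FROM pictures WHERE id = ?", (pic_id,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    # A tautology in the id makes the vulnerable query return every row.
    print(lookup_vulnerable(db, "1 OR 1=1"))
    print(lookup_safe(db, "2"))
```

Parameter binding alone would already stop the injection; the integer check on top of it gives the application a clean place to log and reject malformed IDs, which is exactly the kind of request a detection rule on the web server logs should be alerting on.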
Next, I logged into the webserver and browsed to the upload page. I tried uploading a shell (Fig 9):

Fig 9
But a nice little curveball: PHP uploads were not allowed! This took me longer than it should have to figure out how to bypass. I was wondering whether a .htaccess file on the server was blocking PHP uploads (Fig 10):

Fig 10

I renamed my shell to shell.php5, thinking that this would bypass the filter, which it did! (Fig 11):
Fig 11
I now looked at the source and navigated to where the shell was located (Fig 12):
Fig 12
Unfortunately, php5 just wanted to download the file, so I went back and changed it to php3 in the end (Fig 13):

Fig 13
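The upload filter fell because it was a deny-list: it blocked the literal `.php` suffix and nothing else, so any other extension the server happened to hand to the PHP interpreter went straight through. Below is an added example, not code from the VM or from the original post, contrasting that weak check with an allow-list that accepts only single-extension image names and additionally requires the file's first bytes to match the claimed image type (the signature table is standard JPEG/PNG/GIF magic; the function names are my own).

```python
import os

# Leading bytes of the image formats a photoblog should accept.
IMAGE_SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def denylist_allows(filename):
    """The weak check from the walkthrough: block '.php' and nothing else."""
    return not filename.lower().endswith(".php")


def allowlist_extension(filename):
    """Return the normalised extension for a single-extension image name, else None.

    Multi-dot names ('shell.jpg.php3', '.htaccess') are rejected outright so that
    neither a second extension nor a server-side multi-extension handler can help.
    """
    base = os.path.basename(filename)
    name, ext = os.path.splitext(base)
    ext = ext.lower()
    if not name or "." in name or ext not in IMAGE_SIGNATURES:
        return None
    return ext


def accept_upload(filename, data):
    """Accept only allow-listed extensions whose content starts with a matching signature."""
    ext = allowlist_extension(filename)
    if ext is None:
        return False
    return any(data.startswith(sig) for sig in IMAGE_SIGNATURES[ext])


if __name__ == "__main__":
    # Constructed sample inputs: a real-looking JPEG header and a PHP file with a renamed extension.
    jpeg_bytes = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    print(denylist_allows("shell.php3"))                 # True: the bypass the post describes
    print(accept_upload("shell.php3", b"<?php ?>"))      # False
    print(accept_upload("holiday.JPG", jpeg_bytes))      # True
```

The extension and signature checks are the application-layer half of the fix; the other half is serving uploads from a directory where the web server never executes scripts, so that a file which slips past the filter is only ever downloaded, which is what happened with the .php5 attempt above.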
Finally, I had a LFI which allowed me to execute code on the server (Fig 14).

Fig 14
I set up my listener and got the reverse shell (Fig 15). The shell was limited and I couldn't seem to escalate it, so I left it at that. In a real-world test, patching the SQLi vector, along with using a stronger, more complex password that wouldn't be so easily crackable, would have stopped me getting the shell.
Fig 15

Thanks for reading! Many more to come!
