Injection/LFI

Command and Database 😍

Command Injection

Some functions on a site may actually be running an OS command under the hood. Blind vs visible refers to whether the command's output (or a specific error) is reflected back in the response. We will want to read a world-readable file to determine if the injection was successful.

/etc/passwd                 # Linux world-readable
C:\Windows\win.ini          # Windows world-readable
ping -c 4 m4lwhere.org      # Ping a server I own, determine if blind injection worked
" & ping m4lwhere.org & rem # REM can be used as inline comments to comment out the rest of a Windows based injection

Character            Meaning
;                    Execute more commands inline
|                    Pipe output from the previous command to the next command
||                   Execute the next command ONLY if the previous one was UNSUCCESSFUL
&                    Send the command to a background process
&&                   Execute the next command ONLY if the previous one was SUCCESSFUL
>                    Output to a file and overwrite
>>                   Output to a file and append
<                    Input from a file
#                    Comment out the rest of the command, very useful if there's a lot of command left after the injection point
?                    Single-character wildcard, can be used contiguously
[1-9]                Character set, matches any single character in that range
{echo,hello,there}   Bash brace expansion, will execute echo hello there
`id`                 Command substitution, will execute before the rest of the command
$(id)                Command substitution
${IFS}               Internal Field Separator, used as a space without sending a literal space character
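As an added illustration (not code from the original cheat sheet), the Python below puts the classic shell=True string build next to the hardened argv form, and adds a check for the metacharacters in the table above; the hostname regex and all function names are assumptions.

```python
import re
import subprocess

# Shell metacharacters from the table above; any of these in user input that
# reaches a shell is worth logging or blocking.
SHELL_METACHARS = [";", "|", "&", ">", "<", "#", "?", "[", "`", "$(", "${IFS}"]

# Assumed allowlist for a hostname: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

def vulnerable_command_line(host: str) -> str:
    """The bug: input interpolated into one string that would be run with shell=True.
    Returned rather than executed, so the effect of the metacharacters is visible."""
    return f"ping -c 4 {host}"

def find_metachars(value: str) -> list:
    """Detection helper: which table characters appear in the input."""
    return [m for m in SHELL_METACHARS if m in value]

def is_allowed_host(host: str) -> bool:
    return HOSTNAME_RE.match(host) is not None

def build_ping_argv(host: str) -> list:
    """Hardened form: validate against the allowlist, then build an argv list so no
    shell parses the value; whatever the host contains, it is a single argument."""
    if not is_allowed_host(host):
        raise ValueError(f"rejected host: {host!r}")
    return ["ping", "-c", "4", host]

def run_ping(host: str) -> subprocess.CompletedProcess:
    # shell=False (the default) with a list: metacharacters are never interpreted.
    return subprocess.run(build_ping_argv(host), capture_output=True, text=True, timeout=10)

if __name__ == "__main__":
    payload = "m4lwhere.org; id"            # constructed sample input
    print(vulnerable_command_line(payload))  # the shell would see two commands here
    print(find_metachars(payload))
    print(build_ping_argv("m4lwhere.org"))
    print(is_allowed_host(payload))
```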

Tools

Programs such as commix make command injection very easy, just keep in mind that it may overwhelm the server.

SQLi

Super fun, get in the database and dump it. To test for SQLi, we put special characters into the input fields and observe the errors returned by the application. Blind SQLi mostly revolves around sleep timing, string concatenation, or boolean true/false conditions whose result can be inferred from the response.

Injection Points

Just like anything else, we want to FUZZ EVERYTHING. Generally, these injection points are located at the places below:

  • GET parameters

  • POST data parameters

  • HTTP cookies (Think ones that show an access level)

  • HTTP User Agent

Blind SQLi

Generally occurs when an application returns a custom error page when database errors occur, which makes identifying and exploiting SQLi more difficult. Concatenating strings for known good values can determine whether the SQL database is directly interpreting the values we're providing.

Boolean testing can help determine blind SQLi vulnerabilities as well: place a known good value with a 💯 falsity attached, then compare against the same known good value with a 💯 truth attached :)

Verbs

Verb      Meaning
SELECT    Retrieve content from a table
INSERT    Add content to a table
UPDATE    Modify data in a table
DELETE    Remove data from a table
DROP      Drop the WHOLE table
UNION     Combine result sets from one or more tables

Query Modifiers

Modifier          Meaning
WHERE             Rows need to meet a certain condition first
AND               Must meet both conditions
OR                Must meet at least one condition
LIMIT #1,#10      Limit rows returned to #10, starting from row #1
ORDER BY user     Sort by the column user when presenting data

SQL Characters

Character      Meaning
', "           String delimiter
;              End of a SQL statement
--, #, /*      Comment characters
||, +, " "     String concatenation, add two strings together!
+, <, >, =     General arithmetic and comparison operators
()             Used to call subqueries or functions
%00            Null byte

Union Attacks

Used to identify and gather information from other tables or DBs to steal information. The injected SELECT must return the same number of columns as the original vulnerable SQL statement! We can ask politely to identify how many columns are returned, then work from there. https://portswigger.net/web-security/sql-injection/union-attacks
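As an added example (not from the original cheat sheet) covering both the boolean test from the Blind SQLi section and the column-count rule above, the Python below runs a string-built query beside its parameterized fix against a constructed in-memory SQLite table; the table, probes and function names are all assumptions.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample database: one users table, in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user")])
    return conn

def vulnerable_lookup(conn, username: str) -> list:
    """The bug: input pasted into the statement, so quotes and keywords in it become SQL."""
    sql = f"SELECT id, username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()

def safe_lookup(conn, username: str) -> list:
    """The fix: a bound parameter is always data, so the probe text is just
    compared as a string and matches no row."""
    sql = "SELECT id, username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# Boolean probes from the Blind SQLi section: a known good value with an
# always-true condition, and the same value with an always-false one.
TRUE_PROBE = "alice' AND '1'='1"
FALSE_PROBE = "alice' AND '1'='2"

def is_boolean_injectable(lookup, conn) -> bool:
    """Injectable if the true probe behaves like the plain known-good value
    while the false probe behaves differently."""
    baseline = lookup(conn, "alice")
    return lookup(conn, TRUE_PROBE) == baseline and lookup(conn, FALSE_PROBE) != baseline

def union_error(conn, payload: str) -> str:
    """Why column counts matter: a UNION with the wrong number of columns fails,
    and a verbose error page would hand this message straight to the attacker."""
    try:
        vulnerable_lookup(conn, payload)
        return ""
    except sqlite3.OperationalError as e:
        return str(e)

def demo() -> dict:
    db = make_db()
    return {"vulnerable": is_boolean_injectable(vulnerable_lookup, db),
            "safe": is_boolean_injectable(safe_lookup, db),
            "union_err": union_error(db, "x' UNION SELECT 1 -- ")}

if __name__ == "__main__":
    print(demo())
```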

Exploitation and Exfil

Use stacked queries to create new tables holding the data to be exfiltrated.

Tools

There's a ton of useful tools; sqlmap is the most useful for exploitation imo. The mysql client program is available on most hosts and makes it easy to connect to and manage a database.

LFI/RFI

LFI Files to Read

If we find we have LFI, we can try to read interesting files. Keep in mind that some of these attacks will require the file to be encoded before it is served, so that PHP returns the source instead of executing it. Additionally, we can ask the site to load PHP we provide directly as well.

Gathering PHP Session Information

To find the PHP session file name: by default PHP uses the naming scheme sess_<SESSION_ID>, and we can find the SESSION_ID in the browser by inspecting the cookies sent by the server.

To find the session ID in the browser, open the developer tools (SHIFT+CTRL+I), then the Application tab. From the left menu, select Cookies and select the target website. There is a PHPSESSID cookie and its value. In my case, the value is vc4567al6pq7usm2cufmilkm45. Therefore, the file will be named sess_vc4567al6pq7usm2cufmilkm45. Finally, we know it is stored in /tmp. Now we can use the LFI to call the session file.

Serving RFI

A server/firewall might be blocking outbound HTTP for RFI, but could potentially allow outbound SMB to serve up the malicious page!

Deserialization Attacks

Injection attacks where data stored as bytes is later interpreted as instructions; this is an issue with any object-oriented programming language. Serialized objects may be stored on the client side before they are transferred to the server to be added to the web app.

RCE from deserialization most often occurs in a JVM application with a readObject() call, where the attacker supplies the object that gets deserialized.

Programs such as ysoserial.jar can be used to generate our payload; creating one by hand means building a huge list of chained serialized objects.
