Web Server Compromise and Uploading Privilege Escalation Verification Files, Part 1 « Null Byte :: WonderHowTo



Gathering information is one of the most important steps in pentesting or hacking. It is often more rewarding to work on the target itself than to run scripts against it remotely. With a SQL injection, an attacker can compromise a server, then upload and run the "unix-privesc-check" script locally to identify further possible attack vectors.

SQL Injection Primer

SQL (Structured Query Language) is a language used to query databases in order to retrieve and manipulate data. Database systems typically sit behind web applications, storing things like inventory or credentials. For example, when you search for an item to buy on a website, the underlying query is sent to the database and the matching information is returned.

SQL injection occurs when an input field is improperly sanitized, allowing an attacker to insert malicious code into the query. The result can be the ability to manipulate data, destroy data, or even issue operating system commands to the server. SQL injection is an entire field within information security, and it can take years to cover everything. Fortunately, there is a lot of good information available to get started.

One of the simplest tests for whether a parameter (in this case, an input field) is vulnerable to SQL injection is to give it a single quote. The quote terminates the string in the SQL statement. If the input is not filtered correctly, an error is often returned. If so, you can be fairly sure that the parameter is vulnerable to SQL injection.
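To make the mechanism behind the single-quote test concrete, here is an added example (not code from the original article or from DVWA) that puts a vulnerable lookup next to its hardened form. It uses Python's standard sqlite3 module with a constructed in-memory table standing in for the DVWA users table; the table contents, function names and error strings are all assumptions for illustration. The vulnerable version builds the query by string concatenation, so a stray quote reaches the SQL parser and produces exactly the kind of database error the text describes. The hardened version validates the id as an integer and binds it as a parameter, so the same input is rejected without ever touching the parser.

```python
import sqlite3


def make_db():
    """Constructed sample database: a tiny stand-in for the DVWA users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "admin"), (2, "Gordon", "Brown")],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    """Vulnerable: user input is spliced into the SQL text.

    A single quote in user_id terminates the string literal early and the
    remainder is parsed as SQL. Returns (rows, error) so the caller can see
    the database error that a quote provokes, as described in the text.
    """
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    try:
        return conn.execute(query).fetchall(), None
    except sqlite3.Error as exc:
        return None, str(exc)


def lookup_safe(conn, user_id):
    """Hardened: allowlist-validate the id, then bind it as a parameter.

    The SQL text is constant; the value travels separately to the engine and
    can never be interpreted as SQL syntax. Returns (rows, error) like the
    vulnerable version so the two can be compared side by side.
    """
    # The id is meant to be a positive integer, so reject anything else
    # before it gets near the database (defence in depth alongside binding).
    if not isinstance(user_id, str) or not user_id.isdigit():
        return None, "rejected: id must be a positive integer"
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    try:
        return conn.execute(query, (int(user_id),)).fetchall(), None
    except sqlite3.Error as exc:
        return None, str(exc)


if __name__ == "__main__":
    db = make_db()
    for candidate in ("1", "1'"):
        print("vulnerable", repr(candidate), lookup_vulnerable(db, candidate))
        print("safe      ", repr(candidate), lookup_safe(db, candidate))
```

Running it shows the asymmetry a defender cares about: the vulnerable path answers `"1"` correctly but turns `"1'"` into a parser error (the tell-tale the article relies on), while the safe path answers `"1"` identically and turns `"1'"` into a controlled rejection with no database error to leak.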

When we enter a single quotation mark in the text box, it becomes apparent that the application is indeed returning an error:

This tells us that the database system in use is MySQL and that this is most likely a vulnerable injection point. To be certain, since you can never be too sure, we can verify it with the sqlmap tool.

Step 1: Setting Up a Vulnerable Web Application

To show you how this works, I've used DVWA, a deliberately vulnerable web application included in Metasploitable 2, as the target. If you prefer, you can use a different test target; in that case, you can skip this step. My attack machine is Kali Linux, which I assume you are probably running as well.

Before we begin, there are a few things that need to be done first to prepare for DVWA. First log in to DVWA with the default credentials "admin" and "password".

Next, navigate to "DVWA Security" and set the security level to "low" in the drop-down menu. This ensures that our attack works as intended.

Now go to the "Setup" page and click the "Create / Reset Database" button. This creates the database if it does not already exist and resets it if it does.

Next, navigate to the SQL Injection page, which has a function that queries the database when given a user ID number and returns some information.

Now we should be ready for the first stages of our attack.

Step 2: Recon with Sqlmap

Sqlmap is a tool that automates the process of SQL injection. It's open source and has a lot of features. To display the basic help menu in the terminal, use the -h flag.

  sqlmap -h 

  [sqlmap banner: version 1.3.2#stable, http://sqlmap.org]

  Usage: python sqlmap [options]

  Options:
    -h, --help            Show basic help message and exit
    -hh                   Show advanced help message and exit
    --version             Show program's version number and exit
    -v VERBOSE            Verbosity level: 0-6 (default 1)

    Target:
      At least one of these options has to be provided to define the
      target(s)

      -u URL, --url=URL   Target URL (e.g. "http://www.site.com/vuln.php?id=1")
      -g GOOGLEDORK       Process Google dork results as target URLs

    Request:
      These options can be used to specify how to connect to the target URL

      --data=DATA         Data string to be sent through POST (e.g. "id=1")
      --cookie=COOKIE     HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..")
      --random-agent      Use randomly selected HTTP User-Agent header value
      --proxy=PROXY       Use a proxy to connect to the target URL
      --tor                Use Tor anonymity network
      --check-tor         Check to see if Tor is used properly

    Injection:
      These options can be used to specify which parameters to test for,
      provide custom injection payloads and optional tampering scripts

      -p TESTPARAMETER    Testable parameter(s)
      --dbms=DBMS         Force back-end DBMS to provided value

    Detection:
      These options can be used to customize the detection phase

      --level=LEVEL       Level of tests to perform (1-5, default 1)
      --risk=RISK         Risk of tests to perform (1-3, default 1)

    Techniques:
      These options can be used to tweak testing of specific SQL injection
      techniques

      --technique=TECH    SQL injection techniques to use (default "BEUSTQ")

    Enumeration:
      These options can be used to enumerate the back-end database
      management system information, structure and data contained in the
      tables. Moreover you can run your own SQL statements

      -a, --all           Retrieve everything
      -b, --banner        Retrieve DBMS banner
      --current-user      Retrieve DBMS current user
      --current-db        Retrieve DBMS current database
      --passwords         Enumerate DBMS users password hashes
      --tables            Enumerate DBMS database tables
      --columns           Enumerate DBMS database table columns
      --schema            Enumerate DBMS schema
      --dump              Dump DBMS database table entries
      --dump-all          Dump all DBMS databases tables entries
      -D DB               DBMS database to enumerate
      -T TBL              DBMS database table(s) to enumerate
      -C COL              DBMS database table column(s) to enumerate

    Operating system access:
      These options can be used to access the operating system underlying
      the back-end database management system

      --os-shell          Prompt for an interactive operating system shell
      --os-pwn            Prompt for an OOB shell, Meterpreter or VNC

    General:
      These options can be used to set some general working parameters

      --batch             Never ask for user input, use the default behaviour
      --flush-session     Flush session files for current target

    Miscellaneous:
      --sqlmap-shell      Prompt for an interactive sqlmap shell
      --wizard            Simple wizard interface for beginner users

  [!] to see full list of options run with '-hh'

To run sqlmap against the target, we need some information. First, the URL, which can be found by sending valid input to the application. The following is returned for an ID value of 1:

We can see that this works properly, and now we have the target URL:

  http://172.16.1.102/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit 

Next, we need some cookie information. Go to the Developer Tools in the browser you are using. In Firefox and Chrome, you can right-click anywhere on the page and select Inspect Element or Inspect.

In Firefox, navigate to the Network tab and reload the page. Click the GET request with the status code 200, and then scroll to the right under "Headers" to display the cookie information.

Stay tuned for the next part

So far, we've covered the basics of SQL injection and how vulnerable injection points can be identified. We then used sqlmap to verify the vulnerability and gather some more information about the database. Finally, we could use this tool to set up a file stager on the target so we can upload files.

In the next part of this tutorial, we'll use this exciting feature to upload and run a script on the server.

Up Next: How to Compromise a Web Server and Upload Privilege Escalation Verification Files, Part 1 (Coming Soon)

Cover photo by panumas nikhomkhai/Pexels; screenshots by drd_/Null Byte