In this series, we will be showing step-by-step examples of common attacks. We will start off with a basic SQL Injection attack directed at a web application and leading to privilege escalation to OS root.
SQL Injection is one of the most dangerous vulnerabilities a web application can be prone to. If a user's input is passed unvalidated and unsanitized as part of an SQL query, the user can manipulate the query itself and force it to return different data than it was supposed to return. In this article, we see how and why SQLi attacks have such a big impact on application security.
Example of Vulnerable Code
Before having a practical look at this injection technique, let's first quickly see what SQL Injection is. Let's suppose that we have a web application that takes the parameter article via a $_GET request and queries the SQL database to get the article content.
http://darkedeneurope.com.php.example/show.php?article=1

The underlying PHP source code is the following:

// The article parameter is assigned to the $articleid variable without any sanitization or validation
$articleid = $_GET['article'];
// The $articleid variable is interpolated directly into the query string
$query = "SELECT * FROM articles WHERE articleid = $articleid";

A typical page in this web application would look as follows:
If a user sets the value of the article parameter to 1 and 1=1, the query becomes:

$query = "SELECT * FROM articles WHERE articleid = 1 and 1=1";

In this case, the content of the page does not change because the two conditions in the SQL statement are both true: there is an article with an id of 1, and 1 equals 1.
If a user changes the parameter to 1 and 1=2, the page returns nothing because 1 is not equal to 2.
That means that the user controls the query string and can adjust it with SQL code to manipulate the results.
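The following is an added example, not code from the original article: it reproduces the show.php lookup above in Python with an in-memory SQLite table (standing in for the article's PHP/MySQL stack) so the interpolated query and a hardened version can be compared side by side on the same inputs. The table, its rows and the function names are constructed for the illustration.

```python
import sqlite3


def make_db():
    """Constructed sample table: two articles, mirroring the article's 'articles' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (articleid INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO articles VALUES (?, ?)",
        [(1, "First post"), (2, "Second post")],
    )
    return conn


def fetch_vulnerable(conn, article):
    """Same defect as the PHP snippet: the raw parameter is pasted into the SQL text.

    Whatever the user sends becomes part of the statement, so '1 and 1=1' still
    matches and a stray quote breaks the query (sqlite3 raises, MySQL returns
    the error the article shows).
    """
    query = f"SELECT title FROM articles WHERE articleid = {article}"
    return [row[0] for row in conn.execute(query)]


def fetch_hardened(conn, article):
    """Two defensive layers: enforce the expected type, then bind the value.

    int() rejects anything that is not an article id, and the placeholder
    sends the value to the engine as data, never as SQL syntax.
    """
    try:
        article_id = int(article)
    except (TypeError, ValueError):
        return []
    query = "SELECT title FROM articles WHERE articleid = ?"
    return [row[0] for row in conn.execute(query, (article_id,))]


if __name__ == "__main__":
    db = make_db()
    for probe in ("1", "1 and 1=1", "1 and 1=2"):
        print(repr(probe), fetch_vulnerable(db, probe), fetch_hardened(db, probe))
```

Run it and the vulnerable function answers the 1=1 / 1=2 probes exactly as the article describes, while the hardened one returns the article only for a genuine numeric id.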
Let's see step-by-step how dangerous the exploitation of an SQL Injection can be. Just for reference, the following scenario is executed on a Linux machine running Ubuntu 16.04.1 LTS, PHP 7.0, MySQL 5.7, and WordPress 4.9.
For the purposes of this demonstration, we have performed a security audit on a sample web application. During our penetration test, we identified a plugin endpoint that accepts the user ID via a $_GET request and displays their user name.
The endpoint is directly accessible, which could indicate weak security. The first thing someone would do is manipulate the entry point (user input: the $_GET parameter) and observe the response. What we are looking for is whether our input causes the output of the application to change in any way. Ideally, we want to see an SQL error, which would indicate that our input is parsed as part of a query.
There are many ways to identify whether an application is vulnerable to SQL injection. One of the most common and simplest is the use of a single quote, which under certain circumstances breaks the database query:
http://darkedeneurope.com.php.example/wordpress/wp-content/plugins/demo_vul/endpoint.php?user=1’

The MySQL error that we get confirms that the application is indeed vulnerable:
At this point, it is almost certain that soon we will be able to exfiltrate data from the backend database of the web application. If our input is being parsed as part of the query, we can control it using SQL commands. If we can control the query, we can control the results.
We have identified the SQL injection vulnerability, now let's proceed with the attack. We want to get access to the administration area of the website. Let's assume that we don't know the structure of the database or that the administrator used non-default naming/prefixes when installing WordPress. We need to find table names to be able to grab the administrator's password later.
First, we need to find out how many columns the current table has. We will use column ordering to achieve that. ORDER BY is used to set the order of the results. You can order either by column name or by the number of the column. In this case, we need to use the number of the column. If the number that we pass in the parameter does not exceed the total number of columns in the current table, the output of the application should not change because the SQL query is valid. However, if the number is larger than the total number of columns, we will get an error because there is no such column. In our case, we have identified 10 columns:
If we use a higher number, we don’t get any results:
Depending on the setup, we might get an error:
Now that we know how many columns the current table has, we will use UNION to see which column is vulnerable. UNION SELECT is used to combine results from multiple SELECT statements into a single result. The vulnerable column is the one whose data is being displayed on the page.

http://darkedeneurope.com.php.example/wordpress/wp-content/plugins/demo_vul/endpoint.php?user=-1+union+select+1,2,3,4,5,6,7,8,9,10

As we can see, the number "10" is being displayed on the page, which means this is the vulnerable column:
We can confirm this by replacing it with version() which will show the MySQL version:
Next, we need to find the table names which we will then use to exfiltrate data:
http://darkedeneurope.com.php.example/wordpress/wp-content/plugins/demo_vul/endpoint.php?user=-1+union+select+1,2,3,4,5,6,7,8,9,(SELECT+group_concat(table_name)+from+information_schema.tables+where+table_schema=database())

The group_concat() function concatenates results into a string. information_schema is a database that stores information about the other databases. The database() function returns the name of the current database.
Now that we have the table structure, we can query the database to get the admin's credentials from the table wp_users.
The query returns the admin's password hash. To find the password for this hash, we will use a well-known password recovery tool named hashcat. This software offers various methods of cracking a password. We will try a dictionary attack with a relatively small list containing 96 million passwords.
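Every step above (the quote probe, ORDER BY column counting, UNION SELECT and the information_schema lookup) leaves a distinctive trace in the web server's access log. The following is an added example, not from the original article: a small scorer that URL-decodes the query string of each request and flags the probing patterns, run here over constructed Apache combined-format lines modelled on the article's requests (the IPs, timestamps and sizes are made up).

```python
import re
from urllib.parse import unquote_plus, urlsplit

EP = "/wordpress/wp-content/plugins/demo_vul/endpoint.php"
# Constructed log lines (not real traffic), following the requests shown in the article.
SAMPLE_LOG = [
    f'203.0.113.5 - - [10/Jan/2019:10:01:02 +0000] "GET {EP}?user=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'203.0.113.5 - - [10/Jan/2019:10:01:09 +0000] "GET {EP}?user=1%27 HTTP/1.1" 500 233 "-" "Mozilla/5.0"',
    f'203.0.113.5 - - [10/Jan/2019:10:01:15 +0000] "GET {EP}?user=1+order+by+11 HTTP/1.1" 200 301 "-" "Mozilla/5.0"',
    f'203.0.113.5 - - [10/Jan/2019:10:01:21 +0000] "GET {EP}?user=-1+union+select+1,2,3,4,5,6,7,8,9,10 HTTP/1.1" 200 520 "-" "Mozilla/5.0"',
    f'203.0.113.5 - - [10/Jan/2019:10:01:30 +0000] "GET {EP}?user=-1+union+select+1,2,3,4,5,6,7,8,9,(SELECT+group_concat(table_name)+from+information_schema.tables+where+table_schema=database()) HTTP/1.1" 200 780 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2019:10:02:00 +0000] "GET /wordpress/?s=order+form HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# (label, pattern matched against the decoded query string, score). A lone quote is
# weak evidence on its own; the structural SQL keywords are strong evidence.
SIGNATURES = [
    ("union-select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I), 5),
    ("schema-enum", re.compile(r"\binformation_schema\b", re.I), 5),
    ("column-count", re.compile(r"\border\s+by\s+\d+\b", re.I), 3),
    ("group-concat", re.compile(r"\bgroup_concat\s*\(", re.I), 3),
    ("quote-probe", re.compile(r"'"), 1),
]


def analyse_line(line):
    """Return (ip, status, score, labels) for one line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = unquote_plus(urlsplit(m.group("target")).query)  # decode %27 and '+'
    labels = [label for label, rx, _ in SIGNATURES if rx.search(query)]
    score = sum(s for label, _, s in SIGNATURES if label in labels)
    # A quote that coincides with a 5xx is the "broken query" signal the article relies on.
    if "quote-probe" in labels and m.group("status").startswith("5"):
        score += 3
    return m.group("ip"), int(m.group("status")), score, labels


def flag_sqli(lines, threshold=3):
    """Return (ip, score, labels) for every line whose score reaches the threshold."""
    hits = []
    for line in lines:
        parsed = analyse_line(line)
        if parsed and parsed[2] >= threshold:
            hits.append((parsed[0], parsed[2], parsed[3]))
    return hits
```

The benign search for "order form" scores zero, while the four probing requests are flagged in the order the article issues them, which is the sequence a responder would expect to see from a single source.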
After downloading hashcat as well as the password list, we run the following command:
hashcat64 -m 400 -a 0 hash.txt wordlist.txt

-m = the type of hash we want to crack. 400 is the hash type for WordPress (MD5)
-a = the attack mode. 0 is the Dictionary (or Straight) attack
hash.txt = a file containing the hash we want to crack
wordlist.txt = a file containing a list of passwords in plaintext

We've been lucky and were able to recover the password within a few minutes. The recovered password is 10987654321:
It is important to note that at the current stage we have full admin access to the website's backend user database, which means we can impersonate any user login, access any page/post including those with sensitive data, export all the data including users, insert into tables, drop tables, and pretty much do anything we want. Let's see how far we can get.
There are third-party WordPress plugins that could allow us to execute shell commands or upload new files. However, we will avoid those. Instead, to further escalate this attack we will use Weevely, a popular lightweight PHP backdoor.
After downloading and unpacking the software, we will first create an agent that will be injected into the WordPress site, which will give us the ability to execute system commands under the low-privileged web server account (www-data).
The following command will create a file which must be uploaded to the target system.