POC – Multiple Uses of SQLMAP

POC, tools

What is SQLMAP?

SQLMAP is an open source tool that automates the process of detecting and exploiting SQL injection failures and accessing database servers. Its architecture is well designed and comes with a powerful detection engine as well as many features that allow you to go beyond collecting data from a database, accessing the underlying file system and executing commands in the operating system. In this short article we will see how to take advantage of vulnerabilities that allow us to upload a shell to the server and even change the password of the administrator user through execution of commands with SQLi.

How can I upload a shell?

Before entering in matter we can see in Security by Default a Cheatsheet of this tool. This template is really useful for not going crazy with SQLMAP functions that are many and very varied. For the case at hand, once discovered an injection we will use two parameters. One to indicate the local file that we want to upload to the server and another to indicate where we are going to copy it remotely.

The problem that arises in these cases is that it is necessary that certain premises are fulfilled first that we are going to comment next.

  • Know the path where the web content is installed on the server.

It can be a tedious task but it is possible to find the path where the web application is installed and deployed either through programming failures or because the debug mode is activated, among other cases.

This type of vulnerability, although marked as low risk can provide very useful information to an attacker as it collects more information, is known as information disclosure. This term means that the server reveals interesting information or even internal information about itself.

This will help us a lot during an audit process to know the internal routes of the server, to detect which exact version of operating system is being used or even to reveal the version of the application server deployed. SQLMAP can perform brute-force attacks, but if we are able to find this information, we can be more direct and cause fewer alarms in intrusion detection systems if deployed.

  • Have write permissions on that path.

The purpose of locating the route is to be able to then invoke the shell from a browser. Having write permissions on it is just as important.

If the folders were created with the root user and the administrator has worried that they do not have write permissions we will have the complicated thing, although we should never forget the symbolic links, which are sometimes borne by the devil and allow us to invoke Files from other locations. Other options that we can try is to locate and exploit faults “LFI”.

We must not forget to check if the user who is running the database is the DBA user, in this case we will have many less restrictions and the impact of exploiting a SQLi and trying to upload a shell may have more chances of success.

An example of the command is shown below.

Change the administrator password with a SQLi attack

In this proof of concept we created an asp “Active Server Pages” page vulnerable to SQLi on a Windows 2003 server that contains any of this database version: Windows SQL 2000, 2005, 2008 with xp-cmd enabled. In versions 2000 and 2005 is enabled by default, however, in the later versions not, so we must do them ourselves.

If the user is not a DBA or has insufficient permissions it will not be possible to perform this attack, we have configured the environment to be able to carry out this proof of concept.

Tools

For proof of concept we have a login form with the fields txtlogin and txtpassword. The first thing we try is to enter a single quote to see if the structure of the SQL statement is poorly implemented and hopefully with some luck it shows some error.

The usual thing with a web application is that it returns an error that shows an SQL message or else it simply shows an application error with code 500 or even that it shows a defined error page. The important thing is to analyze the content that you return.

Login form

We can manually verify that the web application is vulnerable either by entering a single quote or by entering in the password field an SQL statement that allows us to bypass the login form and access its content through the ‘ Or + ‘1’ = ‘1).

It means that after seeing that it is possible to inject SQL parameters we can do other actions, in this case we will change the password to the administrator user of the server through the SQLMAP tool.

The first thing I will do is to see how to create the POST query string and for this I will use the Burp Suite proxy to capture the request that I will then use in the SQLMAP command. SQLMAP after performing several checks will tell us that the parameter is injectable and therefore vulnerable to SQLi.

The next step we want to check is if the user is the DBA user, for this we create the following query:

If we receive this message it means the user is the DBA user.

User is DBA

Our goal now is to be able to execute commands on the server and for that, we can use multiple options.

We could use the option -0s-pwn with -msf-path to combine the attack with Metasploit and thus inject a meterpreter and extract the tables with the hashes of the users and not have the need to change the password of any user. As we will do in this case, it is even easier to change the password to the administrator.

We must keep in mind that in an audit this is not usually possible since changing the password to the administrator is not something that should be done, it should only be reported. It is possible that there are multiple services that are running with that account and therefore we can affect the production or the services that are running in the client, I can cause serious damages.

Running from SQLMAP is -os-shell command we can upload a shell in which we can execute different commands, including changing the password by for example “net user administrator 12345”, we can also create users and add the user to the administrators group.

Os-shell execution

After entering the command we will ask if we want to see the output and we can say that yes or no, it is recommendable to show the output to ensure that the command was executed successfully. I recommend the following links of reference:

Menu