Toying with SQLmap

First things first, what is sqlmap? It’s an open source penetration testing tool that automates the process of detecting SQL injection flaws and taking over database servers. I won’t get into the full capabilities here, but you can learn more at [http://sqlmap.org/]*

The following is really just a combination of my notes and an extra credit assignment given by one of my professors in the spring. This was not a tool we covered in class, and the question was “Can you get a shell on a web server using sqlmap?”

The initial setup here is a Kali Linux virtual machine and a Windows 7 virtual machine hosted on my own personal workstation. At the time, I had the vulnerable web application BadStore [] running. The website was accessible to the Kali VM via an entry in the /etc/hosts file. I was typically using Burp Suite as my proxy from the Kali Linux VM; however, this was my exploration of sqlmap used alone.

us@vamanos:~$

Premise: Using sqlmap from my Kali VM to attack a web application hosted on my Windows 7 VM, it is possible to get a shell on the web server.

sqlmapbegin

First, you should run sqlmap against a URL hosted on the target server to see what you can learn about the system. It can also show us what sort of SQL injection attacks a parameter, like the GET parameter customerid, is vulnerable to. In the following, a form submission URL was fed to sqlmap.

The image is of the command line on Kali Linux. The sqlmap output indicates that the GET parameter 'customeridget' is injectable via 'Generic UNION query (NULL) - 1 to 20 columns'. sqlmap prompts the user to ask whether the others should be tested; yes is selected. More information is displayed regarding the GET parameter 'customeridget' and the queries. sqlmap indicates the back-end database management system is MySQL. The web server operating system is Windows 7. The web application technologies include Apache 2.2.22 and PHP 7.1.7. The version of MySQL is greater than or equal to 5.0.12. The data is fetched and logged to text files under /root/.sqlmap/output/www.sql.net

Finally, we can also see the server OS, the version of Apache and the type of database.

So we know it’s a site hosted with Apache 2.2.22 with PHP 7.1.7 and MySQL 5.0.12 or later. This information has been automatically saved to a file for us as well.
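The fingerprint above comes from sqlmap trying UNION-based column-count probes against one parameter. From the server side, that same activity shows up in the Apache access log as a burst of requests carrying UNION ... SELECT NULL,NULL,... in a single query parameter, often with sqlmap's default User-Agent. The following is an added example (my own code, not from the original post or the sqlmap project) that parses a few constructed combined-format log lines and flags those indicators. The path /search.php, the IP addresses, timestamps and User-Agent strings are all made up for the sample; the parameter name customeridget is the one from the screenshot.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache combined-format log lines (sample data for this example, not taken
# from the original post): one ordinary request, a burst of UNION ... NULL column-count
# probes against the GET parameter 'customeridget' from one source (the first carrying
# sqlmap's default User-Agent, the rest a browser-looking one), then an ordinary request.
SAMPLE_LOG = """\
192.0.2.10 - - [01/May/2018:10:00:01 -0400] "GET /search.php?customeridget=123 HTTP/1.1" 200 2831 "-" "Mozilla/5.0"
192.0.2.55 - - [01/May/2018:10:01:12 -0400] "GET /search.php?customeridget=123%27%20UNION%20ALL%20SELECT%20NULL--%20 HTTP/1.1" 200 2831 "-" "sqlmap/1.2.5#stable (http://sqlmap.org)"
192.0.2.55 - - [01/May/2018:10:01:12 -0400] "GET /search.php?customeridget=123%27%20UNION%20ALL%20SELECT%20NULL%2CNULL--%20 HTTP/1.1" 200 2831 "-" "Mozilla/5.0 (Windows NT 6.1)"
192.0.2.55 - - [01/May/2018:10:01:13 -0400] "GET /search.php?customeridget=123%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL--%20 HTTP/1.1" 200 2831 "-" "Mozilla/5.0 (Windows NT 6.1)"
192.0.2.77 - - [01/May/2018:10:02:00 -0400] "GET /search.php?customeridget=124 HTTP/1.1" 200 2831 "-" "Mozilla/5.0"
"""

# One combined-format line: ip ident user [time] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# UNION ... SELECT ... NULL with short gaps between the keywords: the shape of the
# column-count guessing a UNION-based scan performs.
UNION_NULL_RE = re.compile(r"\bunion\b.{0,40}?\bselect\b.{0,40}?\bnull\b", re.IGNORECASE)


def parse_line(line):
    """Split one combined-format line into named fields; None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def probed_params(target):
    """Names of the query parameters whose URL-decoded value looks like a UNION/NULL probe."""
    query = urlsplit(target).query
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if UNION_NULL_RE.search(value)]


def classify(entry):
    """Return (tags, probed parameter names) for one parsed entry."""
    tags = []
    if entry["ua"].lower().startswith("sqlmap"):
        tags.append("sqlmap-user-agent")
    params = probed_params(entry["target"])
    if params:
        tags.append("union-null-probe")
    return tags, params


def analyze(log_text, burst_threshold=3):
    """Tag suspicious lines and summarise probe bursts per (source IP, parameter).

    Returns (flagged, bursts): flagged lists (ip, tags) for every line with at least one
    indicator; bursts maps (ip, param) to the probe count for pairs that reached
    burst_threshold, i.e. the repeated column-count guessing of a UNION-based scan.
    """
    flagged = []
    probes = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        tags, params = classify(entry)
        if tags:
            flagged.append((entry["ip"], tags))
        for param in params:
            probes[(entry["ip"], param)] += 1
    bursts = {key: n for key, n in probes.items() if n >= burst_threshold}
    return flagged, bursts


if __name__ == "__main__":
    flagged, bursts = analyze(SAMPLE_LOG)
    for ip, tags in flagged:
        print(ip, ", ".join(tags))
    for (ip, param), n in bursts.items():
        print(f"{ip}: {n} UNION/NULL probes against parameter {param!r}")
```

The User-Agent match is the weakest of the three indicators, since the agent string is trivially changed by the client; the per-parameter burst count is the one worth alerting on, and in a real deployment the same counter would be keyed on a time window rather than the whole file.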

Looking through the advanced help there are a few parameters that seem interesting.

sqlmap_advanced_help
It’s critical to get comfortable using a tool’s native help functions, whether that’s man pages in Linux, Get-Help in PowerShell, or any command line tool/interface, period.

I didn’t want to mess with the registry to prove access, since I wanted to more or less maintain the VM for later practice. So I went full script kiddie and used the --file-write and --file-dest options to upload the WhiteWinterWolf backdoor [https://www.whitewinterwolf.com/posts/2017/12/02/wwwolfs-php-webshell-users-guide/] to the web server. For the purpose of making it easier for me to upload files and browse the system, it was quite helpful. The two images below are screencaps from the Windows 7 VM that I took to verify the file was uploaded.

win7_peeking_at_directory

win7_textfile_php
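What made that upload possible is worth spelling out. On MySQL, sqlmap's --file-write/--file-dest go through SQL-level file export, which requires the database account to hold the FILE privilege and requires the server's secure_file_priv setting to permit the destination path. An empty secure_file_priv lets a FILE-privileged account write anywhere the MySQL service account can, the web root included; NULL disables file import/export entirely; a directory value confines it to that directory, which should itself sit outside the web root. The script below is an added example, not part of the original post or of sqlmap, that audits that setting in a my.ini fragment. The my.ini contents, the C:/Apache24/htdocs web root and the C:/mysql paths are constructed for the example.

```python
import configparser
from pathlib import PureWindowsPath

# Constructed my.ini fragments (sample data for this example, not taken from the
# original post). Paths are made up; WEB_ROOT stands in for wherever Apache's htdocs
# lives on the Windows host.
WEB_ROOT = "C:/Apache24/htdocs"

WEAK_MY_INI = """\
[mysqld]
datadir=C:/mysql/data
secure_file_priv=
"""

WEBROOT_MY_INI = """\
[mysqld]
datadir=C:/mysql/data
secure_file_priv="C:/Apache24/htdocs/uploads"
"""

HARDENED_MY_INI = """\
[mysqld]
datadir=C:/mysql/data
secure-file-priv="C:/mysql/exports"
"""


def inside(path, root):
    """True if path equals root or lies beneath it (Windows paths, case-insensitive)."""
    p = [part.lower() for part in PureWindowsPath(path).parts]
    r = [part.lower() for part in PureWindowsPath(root).parts]
    return p[: len(r)] == r


def read_mysqld_option(ini_text, option):
    """Fetch one [mysqld] option; MySQL accepts '-' and '_' interchangeably in option names."""
    parser = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    parser.optionxform = lambda name: name.lower().replace("-", "_")
    parser.read_string(ini_text)
    if not parser.has_section("mysqld"):
        return None
    value = parser["mysqld"].get(option)
    return None if value is None else value.strip().strip("\"'")


def audit_secure_file_priv(ini_text, web_root):
    """Return (verdict, detail) for secure_file_priv, judged against the web root."""
    value = read_mysqld_option(ini_text, "secure_file_priv")
    if value is None or value == "":
        return ("WEAK", "unset or empty: SQL file import/export (LOAD_FILE, SELECT ... INTO "
                        "OUTFILE/DUMPFILE) may use any path the MySQL service account can reach, "
                        "including the web root")
    if value.upper() == "NULL":
        return ("OK", "NULL: SQL file import/export disabled")
    if inside(value, web_root):
        return ("WEAK", f"{value} lies inside the web root {web_root}: a file written there is served by Apache")
    return ("OK", f"restricted to {value}, outside the web root")


def is_hardened(ini_text, web_root=WEB_ROOT):
    return audit_secure_file_priv(ini_text, web_root)[0] == "OK"


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_MY_INI), ("webroot", WEBROOT_MY_INI), ("hardened", HARDENED_MY_INI)):
        verdict, detail = audit_secure_file_priv(ini, WEB_ROOT)
        print(f"{label:9} {verdict:5} {detail}")
```

The other half of the control is not granting FILE to the account the web application connects with; the config check above only limits where a FILE-privileged account can write, it does not remove the privilege.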

I was able to navigate to the web shell like so:

z_webshell_in_use
1: You can see how easy it is to upload a file from here and place it into the web server’s directory. It’s no harder to find the IIS webroot, inetpub (this was serving a copy of the same website at the time, but I was more personally interested in Apache).
z_webshell_in_use2
2: Executing the shell with only minimal parameters gave me a list of the C drive contents and other information.
z_webshell_in_use3
3: You can use sqlmap to identify the web root, though I skipped that step, to be honest. I knew the webroot was here for the ‘sql.com’ version of BadStore I was hosting.
z_webshell_in_use4
4: ‘del main.php’ executed in the directory deleted the file, breaking the site. When I ran it a second time I got the ‘Could Not Find’ error you see there.

Image 4 above shows where my assignment write-up left off, more or less. It did take me a fair bit of trial and error, since it was the first time I’d used sqlmap, but it really does a lot of the work for you. If you’re like me, then hosting and breaking your own vulnerable web apps is the easiest way to learn about and really understand how these systems work together. But you haven’t really done anything if you only use other people’s tools, so don’t neglect that side of study either!

All that’s left from here on out are the notes I kept for myself on the assignment and a footnote about proper use of sqlmap. Feel free to peace out at this point. I’d recommend visiting sqlmap.com to look at the demos and information they have available to learn more.

me@notes:~$

--os-shell (from the file access help in sqlmap)

I thought from the description that maybe it meant a CMD shell on Windows. But it’s actually giving a whole bunch of options for finding writable web root / htdocs directories.

sqlmap_brute_force_common_dir

sqlmap_brute_force_common_dir_detail

It wasn’t that helpful, because the process user (which is what I was at the time) doesn’t have the privilege to write.

--priv-esc with --os-shell: Adding --priv-esc didn’t noticeably change the --os-shell output, and running it as the only parameter other than -u only gave stored session information.

--file-read=Index

sqlmap_readfileindex

If you open Index with Nano there is nothing there…

sqlmap_fileaccess2.png

Not really sure if it’s reading anything, or what good it is to me if I can’t personally read it. When I searched for a fake file it saved the information to a text file and didn’t create a document in the /www.sql.net/files directory.

*On sqlmap: at the time I last accessed sqlmap’s webpage, HTTPS was not configured. It is published under the GNU Public License. Please note their disclaimer: “Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user’s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.”

Cryptography Basics : Notes

**I’ve been reading The Manga Guide to Cryptography and POC||GTFO to learn more about crypto. I’m just trying out digitizing some of my notes here, though I’m thinking a wiki like DokuWiki would be better. OneNote isn’t really floating my boat lately. Anyway, this shouldn’t be taken as original writing or a finished article, and I will cite direct quotes when necessary.**

1. Classic Encryption

A. Shannon’s Encryption Model

Plaintext (m); Ciphertext (C); Encryption Key (EK); Decryption Key (DK)

m → Encryption (with key EK) → C

C → Decryption (with key DK) → m

B. Substitution Cipher

In a substitution cipher, each character of m is replaced, according to EK, by a specific other letter.

Example: Caesar’s Cipher

Conversion rule (sigma): shift each letter n places; n = 3*

Caesar Cipher Key Space: 23; (total letters) - 1 = key space size

C. Polyalphabetic Cipher

Scrambling the alphabet would increase the key space based on how many permutations are possible.

26P26 = 26! ≈ 4.0329 × 10^26

Read as: from a set of 26 things, the number of unique arrangements of all 26 items is 26! ≈ 4.0329 × 10^26

It is computationally infeasible to test all of these possible keys based on a 26 letter alphabet, so frequency analysis is used to gain clues to the cipher.

D. Relevant Mathematics

  • Permutation: a way to count the uniquely ordered selections of r things from a total set of n.

nPr = n·(n-1)·…·(n-r+1) = n!/(n-r)!

26P3 = 26!/23! = 26·25·24 = 15,600

  • Combination: a way to count the unique selections of r things from a total set of n when order does not matter.

nCr = nPr/r! = n!/((n-r)!·r!)

Example:

26!/(23!·3!) = (26·25·24)/(1·2·3) = 15,600/6 = 2,600 combinations

  • Take Away: for the same n and r there are far more permutations than combinations (more by a factor of r!).
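To make sections B through D concrete, here is an added example (my own code, not from the Manga Guide or from the notes above) that implements the Caesar shift and a general substitution cipher with a scrambled alphabet, computes nPr and nCr from the formulas, and enumerates the whole Caesar key space. It uses the 26-letter English alphabet; the Caesar key-space count follows the notes' formula (total letters) - 1, which gives 25 non-identity shifts for 26 letters, against 26! keys for the scrambled alphabet.

```python
from math import factorial
import random
import string

ALPHABET = string.ascii_uppercase  # the 26-letter alphabet the notes assume


def caesar(text, shift):
    """Caesar: shift every letter by `shift` places (mod 26); other characters pass through."""
    k = shift % 26
    return text.upper().translate(str.maketrans(ALPHABET, ALPHABET[k:] + ALPHABET[:k]))


def substitution(text, key_alphabet):
    """General monoalphabetic substitution: ALPHABET[i] is replaced by key_alphabet[i]."""
    return text.upper().translate(str.maketrans(ALPHABET, key_alphabet))


def random_key_alphabet(seed):
    """One key from the scrambled-alphabet key space: a random permutation of ALPHABET."""
    letters = list(ALPHABET)
    random.Random(seed).shuffle(letters)
    return "".join(letters)


def invert_key(key_alphabet):
    """The decryption key DK for encryption key EK: maps each key letter back to its plaintext letter."""
    return "".join(ALPHABET[key_alphabet.index(ch)] for ch in ALPHABET)


def perm(n, r):
    """nPr = n! / (n-r)!: ordered selections of r items from n."""
    return factorial(n) // factorial(n - r)


def comb(n, r):
    """nCr = nPr / r!: unordered selections of r items from n."""
    return perm(n, r) // factorial(r)


def caesar_key_space():
    """Every shift except the identity: (total letters) - 1, as in the notes."""
    return len(ALPHABET) - 1


def substitution_key_space():
    """26P26 = 26!: every scrambled alphabet is a distinct key."""
    return perm(len(ALPHABET), len(ALPHABET))


def brute_force_caesar(ciphertext):
    """Enumerate the whole Caesar key space: one candidate plaintext per non-identity shift."""
    return {shift: caesar(ciphertext, -shift) for shift in range(1, len(ALPHABET))}


if __name__ == "__main__":
    print(caesar("ATTACK AT DAWN", 3))                 # DWWDFN DW GDZQ
    print(perm(26, 3), comb(26, 3))                    # 15600 2600
    print(caesar_key_space(), substitution_key_space())
    for shift, candidate in brute_force_caesar("DWWDFN DW GDZQ").items():
        print(shift, candidate)
```

Running the brute force prints 25 candidates and the real plaintext is obvious by eye, which is the point of section C: with 25 keys exhaustive search is instant, whereas the scrambled alphabet's 26! keys rule it out and force the attacker toward the statistical methods in section E.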

E. Attacks

Frequency Analysis: based on features of the ciphertext, or known statistics about the language the plaintext was written in, guesses can be made about the plaintext or the encryption key. It’s highly effective against simple substitution ciphers.

Example: The most common letter in English is E and the most common word is THE, so repeated or common characters in the ciphertext can hint at the key or the plaintext.
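The attack in section E, as an added example (my own code, not from the notes or the book): a constructed English sentence is encrypted with a Caesar shift, then the shift is recovered two ways, first by assuming the most common ciphertext letter stands for E, then by scoring all 26 candidate shifts against a standard English letter-frequency table with a chi-squared statistic, which holds up better on shorter text. The most common trigram is also extracted, since the notes' THE hint applies to it. The letter-frequency percentages are the commonly quoted approximate English values.

```python
from collections import Counter
import string

ALPHABET = string.ascii_uppercase

# Approximate relative frequencies (percent) of letters in English text, the commonly
# quoted table; E at the top is what the notes' first hint relies on.
ENGLISH_FREQ = {
    "A": 8.2, "B": 1.5, "C": 2.8, "D": 4.3, "E": 12.7, "F": 2.2, "G": 2.0, "H": 6.1,
    "I": 7.0, "J": 0.15, "K": 0.77, "L": 4.0, "M": 2.4, "N": 6.7, "O": 7.5, "P": 1.9,
    "Q": 0.095, "R": 6.0, "S": 6.3, "T": 9.1, "U": 2.8, "V": 0.98, "W": 2.4, "X": 0.15,
    "Y": 2.0, "Z": 0.074,
}

# Constructed English plaintext for the demonstration (not a quote from the notes or the book).
PLAINTEXT = ("FREQUENCY ANALYSIS WORKS BECAUSE THE LETTERS OF ENGLISH TEXT ARE NOT EQUALLY "
             "COMMON THE LETTER E APPEARS FAR MORE OFTEN THAN ANY OTHER AND THE WORD THE IS "
             "THE MOST COMMON WORD IN THE LANGUAGE SO REPEATED SYMBOLS IN THE CIPHERTEXT "
             "HINT AT THE KEY")


def caesar(text, shift):
    """Caesar shift by `shift` places (mod 26); non-letters pass through."""
    k = shift % 26
    return text.upper().translate(str.maketrans(ALPHABET, ALPHABET[k:] + ALPHABET[:k]))


def letters_only(text):
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def letter_counts(text):
    return Counter(letters_only(text))


def guess_shift_by_top_letter(ciphertext):
    """The notes' cheapest hint: assume the most frequent ciphertext letter stands for E."""
    top = letter_counts(ciphertext).most_common(1)[0][0]
    return (ALPHABET.index(top) - ALPHABET.index("E")) % 26


def chi_squared(text):
    """Distance between text's letter distribution and English; smaller is more English-like."""
    counts = letter_counts(text)
    total = sum(counts.values())
    if total == 0:
        return float("inf")
    score = 0.0
    for letter in ALPHABET:
        expected = total * ENGLISH_FREQ[letter] / 100
        score += (counts[letter] - expected) ** 2 / expected
    return score


def guess_shift_by_chi_squared(ciphertext):
    """Try every shift and keep the one whose decryption is closest to English statistics."""
    return min(range(26), key=lambda s: chi_squared(caesar(ciphertext, -s)))


def top_trigram(text):
    """Most frequent three-letter run in the letter stream; in English plaintext it is usually THE."""
    stream = letters_only(text)
    trigrams = Counter(stream[i:i + 3] for i in range(len(stream) - 2))
    return trigrams.most_common(1)[0][0]


def recover(ciphertext):
    """Recover (shift, plaintext) using the chi-squared ranking."""
    shift = guess_shift_by_chi_squared(ciphertext)
    return shift, caesar(ciphertext, -shift)


if __name__ == "__main__":
    ct = caesar(PLAINTEXT, 3)
    print("top-letter guess:", guess_shift_by_top_letter(ct))
    print("chi-squared guess:", guess_shift_by_chi_squared(ct))
    print("top ciphertext trigram:", top_trigram(ct), "-> plaintext", caesar(top_trigram(ct), -3))
```

Both guesses agree here because the sample is a couple of hundred letters of ordinary English; on a very short message the single most common letter may not be E, and the chi-squared ranking over all candidates is the one to trust. Against a scrambled-alphabet substitution the same counts still apply, but each letter has to be matched individually rather than recovering one shift.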