Title: Remember a university SQL injection into getshell

0x01 Introduction

The target is a university. While hunting for vulnerabilities I ran into a SQL injection and tried to expand its impact further. The vulnerability has been reported to the platform for remediation.

0x02 Getshell via SQL injection failed

Adding two single quotes to the id parameter produced an error. On closer inspection it turned out to be a numeric injection with spaces filtered; /**/ can be used in place of spaces here.

So I went straight to sqlmap:

python sqlmap.py -u url --batch --tamper=space2comment.py --dbs

It turned out to have DBA privileges:

python sqlmap.py -u url --batch --tamper=space2comment.py --is-dba

I tried many ways to find the web root path.

Finally I noticed that the operating system is FreeBSD.

I happened to see this (screenshot of the query output):

char(47) is '/', and I immediately thought of walking the directory tree with load_file() to find the path.

By walking down layer by layer from the root directory, I finally found the website root directory.

Writing a shell failed, whether or not I hex-encoded it to avoid the single quotes.

However, this injection can read any sensitive file on the server (including files outside the web directories), which is extremely harmful.

0x03 Trying other angles

I read the code at the injection point and found there is no real filtering at the code level. The exploit() function splits the string into an array on spaces and takes only the first element, so it "filters" spaces in appearance only; replacing the spaces with inline comments gets the injection through.
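The filter just described fails because it checks for one character rather than validating the value. The following is an added example (not code from the original post or the target site): it reconstructs the first-token filter as the post describes it (an assumption about the exact implementation), then shows the hardened alternative a developer should use instead, a strict integer check followed by a bound query parameter. sqlite3 stands in for MySQL so the block runs offline; the table and rows are constructed sample data.

```python
"""Weak 'first token' filter versus strict integer validation for a numeric id.

Added example, not code from the original writeup. The weak filter mirrors the
behaviour the post describes (split on spaces, keep the first element); the
hardened version accepts only a canonical integer and binds it as a parameter.
"""
import re
import sqlite3


def weak_first_token_filter(raw: str) -> str:
    """Assumed reconstruction of the filter in the post: keep only the part
    before the first space. Input without spaces passes through unchanged, so
    the check says nothing about whether the value is actually a number."""
    return raw.split(" ")[0]


# Canonical non-negative integer, at most 10 digits, no sign, no leading zeros.
_ID_RE = re.compile(r"^(0|[1-9][0-9]{0,9})$")


def strict_numeric_id(raw: str) -> int:
    """Accept only a canonical integer; reject everything else with ValueError."""
    if not _ID_RE.fullmatch(raw):
        raise ValueError(f"invalid id: {raw!r}")
    return int(raw)


def is_accepted(raw: str) -> bool:
    """Convenience wrapper: True if strict_numeric_id would accept the input."""
    try:
        strict_numeric_id(raw)
        return True
    except ValueError:
        return False


def lookup_with_parameter(conn: sqlite3.Connection, raw: str):
    """Safe lookup: validate first, then bind the value as a query parameter.
    The value never becomes part of the SQL text, so comments or keywords in
    it cannot change the statement."""
    item_id = strict_numeric_id(raw)
    row = conn.execute("SELECT name FROM items WHERE id = ?", (item_id,)).fetchone()
    return row[0] if row else None


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [(123, "form-123"), (124, "form-124")])
    return conn


if __name__ == "__main__":
    conn = make_demo_db()
    print(lookup_with_parameter(conn, "123"))
    for candidate in ("123 union select 1", "123/**/union/**/select/**/1", "0x7b", ""):
        print(repr(candidate), "weak filter keeps:", repr(weak_first_token_filter(candidate)),
              "| strict check accepts:", is_accepted(candidate))
```

The strict check rejects anything that is not a plain integer, so the inline-comment variant that defeats the space check never reaches the database; the parameter binding is the second layer and would protect even a value that slipped past validation.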

Using the leaked database account and password, I tried connecting to port 3306, but it failed; presumably MySQL is bound to the local IP only.

Continuing to walk the directories, I found a MySQL login interface.

After logging in the page was blank. Reading the code that handles the login logic showed that on a successful login it sets the session directly but does not redirect. So after logging in you can simply visit the homepage directly.

Checking secure_file_priv showed it was an empty value, so there is no restriction.

I tried to write a webshell via the log file, but found there was no permission to set the log path.

Found the website backend.

The account and password hash were found in the database.

Cracking the hash on an online site gave the plaintext.

Login failed, so I read the source code.

I found that a salt was used; adding the salt and cracking again gave the correct password.

After logging in successfully, I found a photo upload feature in the "add new staff record" page.

But only image files could be uploaded.

After the upload succeeded, it suddenly occurred to me that the failure to write a shell through SQL might be a directory permission issue: does the website restrict writes to every directory except the upload directory?

So I tried writing the shell there.

Success. It was indeed a directory write permission problem.

I found that AntSword could not connect; presumably the WAF intercepted the traffic. Looking at AntSword's traffic, one important characteristic is that the User-Agent is antSword/version. In addition, if an encoder is used, the decoding function must be sent with each request, so the decoding function is also a signature, and a custom encoder and decoder are needed.

After modifying the User-Agent in the two files antSword-master/modules/request.js and antSword-master/modules/update.js, it connected successfully. The WAF only intercepted the obvious UA signature.
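From the defender's side, the write-up shows why a WAF that keys on a single User-Agent string is thin protection: the injection itself (inline comments in place of spaces, LOAD_FILE() in the query string) and the webshell client are all visible in ordinary access logs. The following is an added example, not code from the original post: it runs three detection rules over constructed sample log lines in combined log format. The IPs, timestamps, paths and versions in the sample are made up; the URL-decoding step is there because the post's sqlmap run would send the same payload percent-encoded.

```python
"""Detection rules for the techniques the writeup describes, run over
constructed access-log lines. Added example, not code from the original post.

Rules:
  1. SQL keywords joined by inline comments (/**/ standing in for spaces).
  2. LOAD_FILE( in a query string, the file-read primitive used via the injection.
  3. A User-Agent beginning with 'antSword/'. The post notes the WAF matched
     exactly this and nothing else, so rule 3 is a weak signal on its own and
     should be combined with the request-level rules.
"""
import re
from urllib.parse import unquote

# Constructed sample lines (combined log format); not from the original post.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Jan/2022:23:07:54 +0800] "GET /newform.php?id=123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Jan/2022:23:07:55 +0800] "GET /newform.php?id=123/**/union/**/select/**/1,LOAD_FILE('/'),3,4,5,6,7,8 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Jan/2022:23:07:56 +0800] "GET /newform.php?id=123%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F1,2,3 HTTP/1.1" 200 2048 "-" "sqlmap/1.6"
203.0.113.5 - - [19/Jan/2022:23:08:03 +0800] "POST /upload/photo.php HTTP/1.1" 200 64 "-" "antSword/v2.1"
198.51.100.7 - - [19/Jan/2022:23:08:10 +0800] "GET /newform.php?id=124 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Rule 1: an inline comment immediately followed by a SQL keyword.
INLINE_COMMENT_SQL = re.compile(r"/\*.*?\*/\s*(union|select|from|where|load_file)\b", re.I)
# Rule 2: LOAD_FILE call anywhere in the request path/query.
LOAD_FILE = re.compile(r"\bload_file\s*\(", re.I)
# Rule 3: AntSword's default User-Agent prefix.
ANTSWORD_UA = re.compile(r"^antSword/", re.I)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the list of rule names an entry triggers (empty if nothing fires)."""
    hits = []
    path = unquote(entry["path"])  # decode %2F%2A%2A%2F etc. before matching
    if INLINE_COMMENT_SQL.search(path):
        hits.append("inline-comment-sqli")
    if LOAD_FILE.search(path):
        hits.append("load_file")
    if ANTSWORD_UA.match(entry["ua"]):
        hits.append("antsword-ua")
    return hits


def scan(log_text):
    """Map (ip, raw path) of every flagged line to the rules it triggered."""
    findings = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        hits = classify(entry)
        if hits:
            findings[(entry["ip"], entry["path"])] = hits
    return findings


if __name__ == "__main__":
    for (ip, path), rules in scan(SAMPLE_LOG).items():
        print(ip, path[:60], rules)
```

In practice rule 3 would be raised to an alert only alongside a write to the upload directory or a request to a freshly created .php file there, which is the chain the post describes; rules 1 and 2 are worth alerting on by themselves.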

The reverse shell failed. nc works over TCP/UDP, so the possible reasons are: the reverse shell command does not exist, outbound IP is blocked, or outbound ports are blocked.

Confirmed that sh exists.

As for outbound ports, checking the existing network connections showed that port 54454 was allowed out to the external network.

So after listening on port 54454, the shell came back successfully.

Privilege escalation failed. The server kernel version is too new to use a kernel vulnerability. Cron jobs, environment variables and SUID binaries turned up nothing usable, sudo likewise, and in the third-party services and plugin directories the permissions on the few files I checked were configured correctly; no other sensitive information was leaked.

0x04 Summary

1. Adding a single quote to the target parameter causes an error, but spaces are filtered; /**/ can be used instead to bypass the filter.
2. Use the space2comment.py tamper script in sqlmap:
python sqlmap.py -u http://ip/newform.php?id=123 --batch --tamper=space2comment.py --dbs // read the database names
python sqlmap.py -u http://ip/newform.php?id=123 --batch --tamper=space2comment.py --is-dba // check for DBA; the system has DBA privileges
3. Nmap scanning shows the target system is FreeBSD (SunOS behaves the same). The load_file() function can be used to list directories directly.
4. Read the target system directories step by step:
http://ip/newform.php?id=123/**/union/**/select/**/1,LOAD_FILE('/'),3,4,5,6,7,8
5. Read the website root directory:
http://ip/newform.php?id=123/**/union/**/select/**/1,LOAD_FILE('/home/db/www/'),3,4,5,6,7,8
6. Writing the webshell failed, so I tried reading the database configuration file, which revealed the website's database username and password. These were used to log in to the pmbp database administration page. However, the page stays blank and does not redirect to the management page; access the database management page directly.
7. Query the write permission with show VARIABLES LIKE 'secure_file_priv'; it returns empty, so writes are unrestricted.
8. However, writing the shell through MySQL's log failed; there are probably directory write permission restrictions.
9. Directory scanning found the backend management system. The backend username and password hash can be read directly via sqlmap, and the hash cracked as MD5, but login fails; the password may be wrong.
10. Reading the backend login page via load_file() shows the password is salted. Add the salt and crack again to get the correct password, then log in to the target backend.
11. In the backend staff data management photo upload, an image can be uploaded directly and the absolute path of the image is displayed.
12. Write an AntSword one-liner to the image's absolute path via MySQL; it is written successfully.
13. AntSword cannot connect to the one-liner, probably intercepted by the WAF. Modify AntSword's User-Agent and use the base64 encoder to bypass the WAF and connect. After modifying the User-Agent in the two files antSword-master/modules/request.js and antSword-master/modules/update.js, the connection succeeded.
14. A base64-encoded command was used to get a reverse shell via nc; it failed at first. The target system blocks outbound IP and TCP outbound ports, but checking the existing network connections showed that port 54454 could go out: nc -lvvp 54454

Original link: https://xz.aliyun.com/t/10527
