SQL injection usually occurs when you ask a user for input, like their username/userid, and instead of a name/id, the user gives you an SQL statement that you will unknowingly run on your database.

Look at the following example, which builds an SQL statement by concatenating a value taken straight from user input (getRequestString):

Example
txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;

The rest of this chapter describes the potential dangers of using user input in SQL statements.

SQL Injection Based on 1=1 is Always True

Look at the example above again. The original purpose of the code was to create an SQL statement to select a user, with a given user id.

If there is nothing to prevent a user from entering "wrong" input, the user can enter some "smart" input like this:

UserId: 105 OR 1=1

Then, the SQL statement will look like this:

SELECT * FROM Users WHERE UserId = 105 OR 1=1;

The SQL above is valid and will return ALL rows from the "Users" table, since OR 1=1 is always TRUE.

Does the example above look dangerous? What if the "Users" table contains names and passwords?

The SQL statement above is much the same as this:

SELECT UserId, Name, Password FROM Users WHERE UserId = 105 or 1=1;

A hacker might get access to all the user names and passwords in a database, by simply inserting 105 OR 1=1 into the input field.
SQL Injection Based on ""="" is Always True

Here is an example of a user login on a web site:

Username:
Password:

Example
uName = getRequestString("username");
uPass = getRequestString("password");
sql = 'SELECT * FROM Users WHERE Name ="' + uName + '" AND Pass ="' + uPass + '"'

Result
SELECT * FROM Users WHERE Name ="John Doe" AND Pass ="myPass"

A hacker might get access to user names and passwords in a database by simply inserting " OR ""=" into the user name or password text box:

User Name: " OR ""="
Password: " OR ""="

The code at the server will create a valid SQL statement like this:

Result
SELECT * FROM Users WHERE Name ="" or ""="" AND Pass ="" or ""=""

The SQL above is valid and will return all rows from the "Users" table, since OR ""="" is always TRUE.

SQL Injection Based on Batched SQL Statements

Most databases support batched SQL statements. A batch of SQL statements is a group of two or more SQL statements, separated by semicolons.

The SQL statement below will return all rows from the "Users" table, then delete the "Suppliers" table.

Example
SELECT * FROM Users; DROP TABLE Suppliers

Look at the following example:

Example
txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;

And the following input:

User id: 105; DROP TABLE Suppliers

The valid SQL statement would look like this:

Result
SELECT * FROM Users WHERE UserId = 105; DROP TABLE Suppliers;

Use SQL Parameters for Protection

To protect a web site from SQL injection, you can use SQL parameters. SQL parameters are values that are added to an SQL query at execution time, in a controlled manner.

ASP.NET Razor Example
txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users WHERE UserId = @0";
db.Execute(txtSQL, txtUserId);

Note that parameters are represented in the SQL statement by a @ marker. The SQL engine checks each parameter to ensure that it is correct for its column, and treats it literally rather than as part of the SQL to be executed.

The ability to execute system commands via a vulnerable web application makes command injection a fruitful attack vector for any hacker.
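The three injection cases above (OR 1=1, OR ""="", and a batched DROP TABLE) and the parameterized fix can all be reproduced against an in-memory SQLite database. The following is an added example written for this page, not code from the chapter itself; it assumes Python's standard sqlite3 module, constructed sample rows, and uses SQLite's single-quoted string literals, so the chapter's " OR ""=" input becomes ' OR ''='. The page's "@0" marker corresponds to sqlite3's "?" placeholder. Since sqlite3.execute() refuses more than one statement, executescript() stands in for a driver that does allow batches.

```python
import sqlite3

# Constructed sample rows for the demonstration (not data from the page).
# A real application stores password hashes, never the clear-text value.
SEED_USERS = [
    (105, "John Doe", "myPass"),
    (106, "Jane Roe", "s3cret"),
    (107, "Alice", "hunter2"),
]


def make_db():
    """Build an in-memory database with the page's Users and Suppliers tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE Users (UserId INTEGER, Name TEXT, Pass TEXT);"
        "CREATE TABLE Suppliers (SupplierId INTEGER, Name TEXT);"
    )
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", SEED_USERS)
    conn.execute("INSERT INTO Suppliers VALUES (1, 'Acme')")
    conn.commit()
    return conn


def table_exists(conn, name):
    """True if a table with the given name is still present."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


# --- vulnerable: user input concatenated into the statement -----------------

def lookup_user_vulnerable(conn, txt_user_id):
    """Same shape as the page's first example: the value is pasted into the SQL."""
    txt_sql = "SELECT * FROM Users WHERE UserId = " + txt_user_id
    return conn.execute(txt_sql).fetchall()


def login_vulnerable(conn, u_name, u_pass):
    """The login example with SQLite's single-quoted literals: the input
    ' OR ''=' plays the role of the page's \" OR \"\"=\"."""
    sql = ("SELECT * FROM Users WHERE Name ='" + u_name
           + "' AND Pass ='" + u_pass + "'")
    return conn.execute(sql).fetchall()


def lookup_user_batched(conn, txt_user_id):
    """A driver that runs batches: everything after ';' executes as well.
    executescript() models such a driver; sqlite3.execute() would refuse it."""
    txt_sql = "SELECT * FROM Users WHERE UserId = " + txt_user_id
    conn.executescript(txt_sql)


# --- protected: the value is bound as a parameter, never parsed as SQL ------

def lookup_user_safe(conn, txt_user_id):
    """'?' is sqlite3's parameter marker, like '@0' in the Razor example."""
    return conn.execute(
        "SELECT * FROM Users WHERE UserId = ?", (txt_user_id,)
    ).fetchall()


def login_safe(conn, u_name, u_pass):
    """Both inputs are bound; quotes inside them are just characters."""
    return conn.execute(
        "SELECT * FROM Users WHERE Name = ? AND Pass = ?", (u_name, u_pass)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("concatenated, input '105 OR 1=1':",
          len(lookup_user_vulnerable(db, "105 OR 1=1")), "rows")
    print("concatenated login, input \"' OR ''='\":",
          len(login_vulnerable(db, "' OR ''='", "' OR ''='")), "rows")
    print("parameterized, input '105 OR 1=1':",
          len(lookup_user_safe(db, "105 OR 1=1")), "rows")
    lookup_user_batched(db, "105; DROP TABLE Suppliers")
    print("Suppliers table survives batched input:", table_exists(db, "Suppliers"))
```

Run it and the concatenated queries return every row for the injected inputs, the batched call removes the Suppliers table, and the parameterized queries return nothing for the same inputs because "105 OR 1=1" is compared as one literal value against UserId. The batched case is also why a database account used by a web application should not hold DROP privileges it never needs.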
But while this type of vulnerability is highly prized, it can often take quite a bit of time to probe through an entire application to find these flaws. Luckily, there is a useful tool called Commix that can automate this process for us.

What Is Commix?

Commix, a portmanteau of "command injection exploiter," is an open-source tool used to test web apps for command injection-based vulnerabilities and bugs. It is automated, making it very easy to identify vulnerable parameters in a fraction of the time it would take to do so manually.

Commix is written in Python, meaning that it can run on Linux, Mac, and Windows. In addition, it is also conveniently included in the official repositories of Kali Linux, BlackArch, and Parrot Security OS. Everything works right out of the box, and there is even support for custom module development in order to expand the core functionality of this tool.

There are a ton of options available, including the ability to specify parameters used to connect to the host, target enumeration, file access and modification, and even an offline mode. All of this functionality makes Commix an extremely useful asset when trying to exploit command injection.

In this tutorial, we will be using Commix, and later, msfvenom and Metasploit, to exploit command injection flaws in DVWA.

Method 1: Basic Usage

To get started, open DVWA and log in using the default credentials. Next, navigate to the "DVWA Security" tab, and set the security level to "low." This will ensure everything works smoothly when exploiting this web application.

Now, go to the "Command Execution" tab, which is our point of interest for Commix. You need the cookie that contains the session ID and security level in order for this tool to run successfully. Use the "Inspect Element" tool in your browser to view the request, click on "Network," and finally "Raw headers" to view the information.
In the terminal now, we can type commix -h to display the help with all the different options this tool has to offer.
We will be using the following options.
The tool will start and display a banner with some version information, followed by some on-screen messages displaying the current status. We can see it finds a parameter that is vulnerable to command injection and asks us if we want a Pseudo-Terminal shell.
If we press Y, it drops us into an interactive command shell. We can now issue commands like whoami and uname -a to view information about the server.
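What Commix has just confirmed is the flaw class itself: a request parameter pasted into a shell command line, so that shell operators in the input start a second command. The following is an added example written for this page, not code from the tutorial, Commix or DVWA; it assumes a ping-style feature that takes one host value (DVWA's actual server code is not shown on this page). It shows the vulnerable string-building pattern, counts how a POSIX shell would tokenise the result without executing anything, and then the hardened form: allowlist validation of the host plus an argv list with no shell involved.

```python
import ipaddress
import shlex
import subprocess

# Shell operators that start a second command on the same line.
COMMAND_SEPARATORS = {";", "&", "&&", "|", "||"}


def build_ping_command_vulnerable(host):
    """The vulnerable shape: a request parameter pasted into a shell string
    that the application then hands to a shell (e.g. subprocess with shell=True)."""
    return "ping -c 1 " + host


def count_shell_commands(cmdline):
    """Tokenise a command line the way a POSIX shell would and count how many
    separate commands it contains. Nothing is executed; this only shows that
    the concatenated string carries more than the one command intended."""
    tokens = list(shlex.shlex(cmdline, punctuation_chars=True))
    return 1 + sum(1 for tok in tokens if tok in COMMAND_SEPARATORS)


def validate_host(value):
    """Allowlist validation: accept only a literal IPv4/IPv6 address and return
    it normalised, otherwise None. Spaces, quotes and shell metacharacters all
    fail here, and a rejected value is worth logging as an attack indicator."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def build_ping_argv(host):
    """The hardened shape: validate first, then build an argv list. With a list
    and shell=False there is no shell to interpret ';' or '&&' at all."""
    addr = validate_host(host)
    if addr is None:
        raise ValueError("rejected host value: %r" % host)
    return ["ping", "-c", "1", addr]


def run_ping(host, timeout=5):
    """Execute the hardened form and return the command's stdout."""
    proc = subprocess.run(build_ping_argv(host), capture_output=True,
                          text=True, timeout=timeout, shell=False)
    return proc.stdout


if __name__ == "__main__":
    for value in ["127.0.0.1", "127.0.0.1; id"]:
        cmd = build_ping_command_vulnerable(value)
        print("%-16r -> %d command(s) if handed to a shell"
              % (value, count_shell_commands(cmd)))
        try:
            print("  hardened argv:", build_ping_argv(value))
        except ValueError as exc:
            print("  hardened:", exc)
```

The input "127.0.0.1; id" becomes two commands in the vulnerable form and is rejected outright by the hardened one. Validation alone is not the fix: the argv list is what removes the shell from the path, and the allowlist is what keeps the one remaining argument a well-formed address.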
This is indeed useful, but we're somewhat limited in what we can do. Luckily, there is a way to combine the functionality of Commix with the powerful msfvenom to ultimately get a Meterpreter session on the target.

Method 2: Upload Reverse Shell

Commix has a function that allows us to write files on the target system. We will be placing a reverse shell on the target that will call back to our attacking machine, but before we do that, we need to create the payload.

Msfvenom is a payload generator which replaced both msfpayload and msfencode back in 2015. This single tool can be used to create payloads while operating outside of the Metasploit Framework. Use the msfvenom command with the following options.
Make sure to type > to write to the file payload.php.
We see that the payload was successfully created. Now, we just need to add the PHP tags to our file. Type nano payload.php and add <?php at the beginning of the file and ?> at the end of the file. Press Ctrl-X, Y, and Enter to save. Now, we need to open a handler on our machine in order to catch the session that will be opened on the target. In a new terminal window, fire up Metasploit by typing the msfconsole command. Once loaded, type use exploit/multi/handler to utilize the all-purpose handler. Next, set the payload, listening address, and port that we specified in our file earlier.
Once those are set, launch the handler by typing run, an alias for exploit.
Back in our other terminal, we can run Commix just like we did before, with a few extra options to get our payload onto the target.
This will allow our payload to be executed and a session to be caught by our handler if everything works properly. Commix will run for a bit and, eventually, we can see that our file was successfully created on the target.
Now, back in the other terminal, we can see that a Meterpreter session was indeed opened. We can now run commands like getuid and sysinfo to view information about the target.
These are similar results to what we achieved earlier by using Commix on its own, but now that we have a Meterpreter session there is a lot more flexibility in what we can ultimately do.

Conclusion

Command injection vulnerabilities are highly sought after by hackers due to the potential power they wield over the target system. Commix is an extremely useful tool that is designed to automate finding and exploiting these vulnerabilities, making life a little easier for the hacker. In this guide, we learned some basic usage options. In addition, we saw how to combine msfvenom with Commix to upload a payload to the target and get a shell. This flexibility makes Commix an excellent addition to any hacker's arsenal.