2020-01-12

Stealing NTLMv2 hash by abusing SQL injection in File download functionality

Pranaam to All _/\_ :)

In this blog post, I am going to explain about a scenario in which an attacker can take advantage of SQL Injection vulnerability and can force Web server to leak NTLMv2 hash.

Description of Vulnerability chain
Here, we have a web application which has SQL Injection vulnerability in file download functionality. Web application process the unsanitized user input in SQL query and on the basis of the SQL query output, application call a file download function. The file download function search for the file name (returned by the SQL query) in web server file system and stream it to user for download.


Environment Setup
My demo environment had following things configured in place to perform this
  1. Windows Server 2012 box (IP - 192.168.56.2)
  2. Windows 7 AD Client box (IP - 192.168.56.3)
  3. Backbox Linux box (IP - 192.168.56.106)
Windows Server 2012 box: -
This is Active Directory Domain Controller Machine.

Windows 7 AD Client box: -
This machine has Windows 7 OS installed in it and part of Windows Active Directory Domain. Web application is hosted in this machine and web server is running with the privilege of one of the Windows Active Directory Domain user (user box).

Backbox Linux box: -
This is attacker machine in which "Responder" tool is listening on port 445 for File Server Service SMB request. 


Attack scenario outline
Web application is vulnerable to SQL Injection and return the file name in SQL query output. Here, an attacker can inject SQL Injection query which will return custom file name as SQL query output. Now, web application call file download functionality and pass the file name returned by SQL query to the function. File download function will check for file in below mentioned locations:
  1. Local file system
  2. Remote file system (SMB)
Attacker need to craft an SQL Injection query which return remote file system SMB path where Responder tool is listening. file path should be like this: 



In my case, Responder machine IP is "192.168.56.106". So path will be:



Web application pass the Responder listening machine SMB path as file to file download function.
File download function will make request to Responder listening machine to access the file "box.txt" and here comes the Responder in action. Responder will force web serve to authenticate itself to access the file and web server forward the authentication details to Responder.


Download and start Responder on attacker machine
Download the tool and run it on interface which is reachable to Web application server. In this case, web application is hosted in internal network and IP range is "192.168.56.1-255" so responder is listening on interface which has IP 192.168.56.106 (eth1)




Interface name and IP on which Responder is listening:


Vulnerable code and web server environment
Web application vulnerable code which is vulnerable to SQL Injection is:

MySQL user is just a normal user account and do not has any special privileges like "file_priv".

The vulnerable code is hosted in machine which has "Windows 7" OS installed in it and IP of the machine is "192.168.56.3". This machine is part of Windows Active directory Domain "lab.indishell.lab"


Application default behavior is, user need to specify the integer value to HTTP GET method parameter "image" and  application check if any image linked with the specified value exist or not. If there is any image exist for the specified value, application prompt with file download pop-up.



Identify number of columns in current SQL query
In our case, SQL Injection point is vulnerable to Integer based SQL Injection.

Remember, if query execute properly and return output, we will get file download pop-up. Application will not prompt with file download pop-up if SQL query do not execute properly or some SQL server error occur.

When appended "single quote", application showed error message.


Let’s find out column count by fuzzing web application. To find column count we will use "order by" clause and will keep increasing the value in order by clause until web application stop giving download pop-up.

Application response when we injected parameter with SQL Injection payload "order by 1-- -".


Web application is not prompting file download pop-up box when we increased the value of order by clause from 1 to 4 which indicates that number of column used by select statement is less than 4.


Now, inject URL with union statement with column count of 3. Payload will be like this: -




Finding column number which is returning file name to file download function 
Note: Please make sure the actual value specified in vulnerable parameter is non-existing so that SQL query return result of the injected query. In this case, I added "." with value 2 to make it non-existing.

Now we have column count and we need to figure out the column number which will allow us to define path of the file.
 To do this, we need to put file name or full path of the file (which we want to download) in column one by one till we find out the column number which pass the file name to file download function.

We can specify the any system file as well such as "/Windows/System32/drivers/etc/hosts" in column and can observe if application is prompting with file download pop-up.
SQL Injection payload will be:



And for file "hosts" from file system path "/Windows/System32/drivers/etc/", payload will be:




If application do not prompt for download pop-up, keep changing the column numbers with file path. For example, let try if column number 2 result is getting returned by SQL server for file download function, payload will be:



In my case, column number 3 is the column which is returning the file path to application.
So, the below mentioned payload will return file path of "hosts" file to file download function and we will get file download pop-up:




Exploiting the SQL Injection to leak the NTLMv2 hash
Now, once the file path returning column has been identified, we need to specify the Responder listening machine IP with random file name.
Payload will be like this:


Check your Responder terminal and see if you got NTLMv2 hashes  or not.
In my case, I got the hash.


Cracking the NTLMv2 hash using Hashcat
To get plain text password of the captured NTLMv2 Hash, we can try with Hashcat Hash cracking tool.
In this scenario, I tried Dictionary based attack to check if the plain text password of the NTLMv2 hash is present in the dictionary or not. Password was weak so I got the plain text.


This NTLMv2 hash is of a Active Directory Domain user who has username "box".
Now, we have username and password of a Domain user. Use these credentials in further exploitation.

I want to say Big "Thanks" to "Osanda Malith" for his research in area of "Stealing NTLMv2 Hashes" using various technique. His research inspired me a lot.
His blogposts are:
Places of interest in stealing netNTLM hashes
MySQL out-of-band hacking

Thanks for reading :)

Special thanks to Sean Metcalf, OJ, hacker fantastic, A K Reddy,Vincent Yiu, Andrew Robbins, will, Benjamin Delpy, Marcello, Andrew van der Stock, g0tmi1k, Alvaro Muñoz, b33f, pancake, m3g9tr0nAnurag Srivastava, vivek chauhan, Spirited wolf


--==[[ With Love from Team IndiShell ]]==--
                             
 --==[[ Greetz To ]]==--
############################################################################################
#zero cool, code breaker ica, root_devil, google_warrior, INX_r0ot, Darkwolf indishell, Baba
#Silent poison India, Magnum sniper, ethicalnoob Indishell, Reborn India, L0rd Crus4d3r, cool toad
#Hackuin,Alicks,mike waals, Dinelson Amine, cyber gladiator, Cyber Ace, Golden boy INDIA
#Ketan Singh, AR AR, saad abbasi, Minhal Mehdi, Raj bhai ji, Hacking queen, lovetherisk, Bikash Dash, D3
#############################################################################################
                             --==[[Love to]]==--
# My Father ,my Ex Teacher,Lovey, cold fire hacker, Mannu, ViKi,Ashu bhai ji, Soldier Of God, Bhuppi, Anurag, Cyber Warrior, Vivek Sir
#Mohit, Ffe, Ashish, Shardhanand, Budhaoo,Incredible, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)

Share this post

0 comments

:) :-) :)) =)) :( :-( :(( :d :-d @-) :p :o :>) (o) [-( :-? (p) :-s (m) 8-) :-t :-b b-( :-# =p~ :-$ (b) (f) x-) (k) (h) (c) cheer

© 2009 Start With Linux | Mannu Linux
Designed by cyb3r.gladiat0r
Posts RSSComments RSS
Back to top