Tuesday, December 12, 2023

TRYHACKME'S ADVENT OF CYBER 2023 (Day 10)

  Day 10 - "Inject the Halls with EXEC Queries"


The learning objectives for day 10 were:

  • Learn to understand and identify SQL injection vulnerabilities
  • Exploit stacked queries to turn SQL injection into remote code execution
  • Restore the website

In this task we were provided with a website that is vulnerable to a SQL injection attack; we had to exploit this vulnerability to answer the question and retrieve the flag.

We were briefed on SQL, PHP, how to connect PHP to a SQL database using PHP Data Objects, how to detect and perform SQLi, calling stored procedures, and remote code execution. First, we went to the website, detected the vulnerability and performed SQLi using '1=1;--. We then enabled xp_cmdshell to execute system-level commands. Then we generated a payload on our attack machine using msfvenom and set up an HTTP server; using certutil.exe, we downloaded the payload we generated onto the target. Later we set up a listener on our attack machine and executed the payload on the target, giving us a shell. We found a bat file to perform the restoration of the website.

SQL injection is an attack technique that exploits how web applications handle user input, particularly in SQL queries. Instead of providing legitimate input, the attacker injects malicious SQL statements into a web application's input fields or parameters. The application's database server then executes this rogue SQL query.

xp_cmdshell is a system extended stored procedure in Microsoft SQL Server that enables the execution of operating system commands and programs from within SQL Server. It provides a mechanism for SQL Server to interact directly with the host operating system's command shell.

The certutil.exe command is a native Windows command-line program installed as part of Certificate Services. It's handy in engagements because it is a binary signed by Microsoft and allows us to make HTTP/S connections.
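From the defender's side, the xp_cmdshell and certutil.exe steps described above leave traces that can be correlated per host. The following is an added example, not part of the original post or the TryHackMe lab: the pipe-delimited event format, host names and sample events are constructed assumptions, and the configuration-change text follows the message SQL Server writes to its error log.

```python
import re

# Constructed sample telemetry (not from the lab), one event per line:
# time|host|source|message
SAMPLE_EVENTS = """\
2023-12-10T09:00:01|WEB01|sql_errorlog|Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-12-10T09:00:02|WEB01|sql_errorlog|Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-12-10T09:03:40|WEB01|process|parent=sqlservr.exe image=cmd.exe cmdline="cmd.exe /c certutil [flags elided] http://192.0.2.10/file.bin out.bin"
2023-12-10T09:05:12|DB02|process|parent=services.exe image=certutil.exe cmdline="certutil -verify server.cer"
2023-12-10T09:06:00|DB02|sql_errorlog|Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

# (rule name, log source the rule applies to, pattern)
RULES = [
    ("xp_cmdshell_enabled", "sql_errorlog",
     re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1", re.I)),
    ("sqlserver_spawned_shell", "process",
     re.compile(r"parent=sqlservr\.exe\s+image=(cmd|powershell)\.exe", re.I)),
    ("certutil_http_fetch", "process",
     re.compile(r'certutil(\.exe)?\b[^"]*https?://', re.I)),
]

def triage(text):
    """Return {host: [(time, rule_name), ...]} for every rule hit, in log order."""
    hits = {}
    for line in text.splitlines():
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the triage
        when, host, source, message = parts
        for name, rule_source, pattern in RULES:
            if source == rule_source and pattern.search(message):
                hits.setdefault(host, []).append((when, name))
    return hits

def hosts_with_full_chain(hits):
    """Hosts where xp_cmdshell was enabled, then SQL Server spawned a shell
    and certutil reached out over HTTP at or after that time."""
    flagged = []
    for host, events in sorted(hits.items()):
        enabled = [t for t, n in events if n == "xp_cmdshell_enabled"]
        if not enabled:
            continue
        # ISO 8601 timestamps compare correctly as plain strings
        later = {n for t, n in events if t >= min(enabled)}
        if {"sqlserver_spawned_shell", "certutil_http_fetch"} <= later:
            flagged.append(host)
    return flagged
```

A single rule hit is only a lead (administrators do run certutil legitimately); the ordered combination on one host is the high-confidence signal.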

Click here to see the walkthrough.
