May 5, 2022

SQL Injection - Example 5

In this tutorial, we will see how to perform SQL injection by modifying data that is sent as JSON. Using this technique, we can list the contents of the databases, read local files on the server and gain reverse shell to the target.

This page contains a list of usernames. Clicking on "View" returns some info about that particular user.

List of users in the main page of the web application.

Clicking on the first user returns some information about the first user.

This is the request that was sent when the first user was clicked. It contains two items: "id" and "secret".

Viewing the HTTP JSON request in Burp Suite.

Let's add a single quote (') after the ID and see the response from the web server. It returns "Server Error" message.

Adding a single-quote to the ID to check for SQL injection.

Commenting out the rest of the statement with (-- -) doesn't change the output. It still returns "Server Error".

Commenting out the rest of the SQL query.

Removing the single-quote gets rid of the error message. The output is the same as before.

Removing the single-quote from the SQL injection query.

Running the UNION SQL query shows that three columns are returned back from the query but we don't see any of our input.

Running the UNION SQL injection to determine the columns returned back.

Let's enter an ID that we are sure doesn't exist in the database. We can see that 3 is displayed.

Entering an invalid ID to see the output of the SQL UNION query.

The user() function returns the current user that is running these SQL queries on the web server.

Executing the user() SQL function to determine the current user.

We can also read files from the web server using the LOAD_FILE() function. It shows the contents of the "/etc/passwd" file.

Reading the contents of the /etc/passwd file using the LOAD_FILE() MySQL function.

Our next goal is to read the contents of the databases in the web server. It returns the first database name.

In order to list all the databases in the system, we have to use the group_concat() function. It returns five database names.

Listing all the databases in the web server.

Let's list all the tables in the "uhc" database. It returns six table names.

Listing the table names in the uhc database.

The "users" table seems interesting. It lists all the columns in the "users" table.

It dumps the contents of the "name" and "password" columns. Note that they are enclosed in parenthesis and are separated by a colon.

Dumping the contents of the name and password columns of the users table.

Our next goal is to get a reverse shell on the web server. It Base64 encodes the command that we want to run on the web server.

Base64 encoding the reverse shell command.

It saves the Bash command for a reverse shell to a file called "secret.php".

Saving the Bash reverse shell command in a file on the web server.

Let's access the "secret.php" file through the browser.

Running the reverse shell script through the web browser.

And now we have received a reverse shell on the box. Note that it is important to create the netcat listener before executing the script from the browser.

We could have triggered the reverse shell script from the terminal using curl as well.

Running the reverse shell script through curl.

If you liked reading this article, you can follow me on Twitter: 0xmaCyberSec.