Exploitation (part 2) SQL Commands
Video Activity
This lesson covers the command parameter. Participants learn step-by-step instructions for using SQL commands. The goal of the SQL commands is to execute commands through the web server. The lesson also discusses how to use databases to get a foothold on a system and offers step-by-step instructions on how to do this.

Video Transcription
00:04
Let's take a look at another
00:07
web issue.
00:10
We have another, let's say, open web interface on our XP system.
00:16
phpMyAdmin.
00:18
What this gives us access to is
00:23
SQL commands
00:25
a little bit different here. We are going to have to figure out how to do this with
00:30
SQL, which, if you paid as much attention in database classes as I did in school,
00:38
might be something you have to look up,
00:41
but what we want to do, and this is in the slides.
00:44
And this certainly isn't the only way to do this. This is just my preference for a start. Maybe because I'm so poor at SQL, that's why I do it this way. So I want to do SELECT, and I'm gonna select some text, so I want quotations around it.
01:00
I'm basically gonna make the smallest PHP shell you can possibly make,
01:03
the PHP syntax. Um,
01:07
less than,
01:10
question mark, PHP.
01:14
Then I'm just gonna run the system command. That's one of those commands that's a very bad thing to do for secure development.
01:22
A good way to have flaws in your code, as we all know,
01:26
but what we want to do is use it here. So basically, we're gonna run a system command, so we're just going to tell it
01:34
Run
01:38
the command parameter.
01:40
So this is probably pretty similar to that simple backdoor. We could certainly take a look at it, but we're just gonna have the cmd
01:49
command parameter
01:51
in our URL, like we did with that simple PHP backdoor.
01:56
And
01:57
it's just gonna be passed into system, which is going to output the results to us. A really small, easy-to-type
02:05
little backdoor here. And something about this looks wrong. I think
02:08
this should be
02:10
brackets again. This isn't the
02:14
or square braces or whatever you call it. This isn't in the slide. So I mean, this is something that I look up
02:21
when I have to do it, or have it in my notes.
02:25
Now, that looks right.
02:30
All right. So semicolon at the end. PHP is one of those languages that uses the semicolons.
02:37
If you went through the
02:38
scripting and programming section, you know, some do, some don't.
02:44
Then close our quotation marks. What we want to do is select this text INTO OUTFILE. That's the syntax in SQL, basically, for writing a file to the disk, and our database is actually running as the system user, so we should be able to write pretty much anywhere we like. We do have the privileges,
03:04
but our goal, like with our previous example, is going to be to be able to execute the script through the web server.
03:10
So
03:14
we do need double backslashes to escape. Otherwise we'll end up with a
03:20
file that's right on the C drive. It's got a long name and no slashes in it. And our
03:24
goal again is gonna be to execute it from the web server, so the default location for this is C:\xampp
03:31
\htdocs on
03:35
Windows. This is the default install location.
03:38
Now, let's call it shell.php.
03:43
This is not in the webdav directory. This is just going to be straight in the web server's main directory, htdocs,
03:58
and actually, we need quotations around that, too.
04:04
That should be
04:06
good to go.
04:08
I wouldn't let this go but in here
04:11
and we didn't get an error. So if it doesn't throw an error, that means it worked, so we can have another SQL query. Certainly I didn't have you add any
04:20
particular databases here, just the default. But if they did have
04:25
additional databases, that would be definitely something we want to look at.
04:30
They may have MSSQL as opposed to MySQL, or even Oracle. Oracle, in my opinion, is not fun to work with, but MSSQL could be nice because
04:41
it's likely this may allow you to have some command execution. But if all they have
04:47
their
04:48
stored procedures that will allow you to have command execution turned off, to where you'd have to be able to turn it on, or do something like this
04:58
where you make a file. But in this case, we weren't able to authenticate with MySQL directly; it was unauthorized. We had to go into this phpMyAdmin.
05:09
With your MSSQL, you may find that your clients have
05:14
integrated authentication on. So actually, if you can get passwords
05:18
for your domain, you might be able to use them against your databases as well. So, some password reuse, you might be able to get into your databases that way. Or worse yet, they may have
05:31
sa, the privileged account in MSSQL, with no password. In this case, it's root and no password, but it's just not able to be accessed anywhere but localhost on this default install with XAMPP. It really just depends. You may find lots of different stuff, but the databases are often a good place to look for interesting information.
05:51
I didn't have you create a database. In this case.
05:54
I didn't want to make it
05:56
too hard to set up. But whenever you get access to a database, certainly take a look at what's in there. Databases are often a good place to store sensitive data
06:06
there. You can also use it like we did here. Use it to get
06:11
a foothold on the system.
06:13
We'll take a look and again this is going to be
06:16
in the
06:17
default main directory, with this warning: system cannot execute a blank command. So we forgot to give it that command parameter. So cmd equals
06:30
net
06:32
user.
06:35
Administrator, Georgia, Guest, HelpAssistant, secret, support.
06:43
What if we did, like, net user James
06:46
Password is
06:47
Yeah,
06:49
and ob.
06:51
I just added a user to the system. We have system privileges right now, so we can do that.
06:59
Databases almost always run as privileged users, so being able to get command execution through them
07:04
is an ideal way to get on the system.
07:10
So we are stuck with our kind of limited command shell here. But now that we have
07:19
our command shell, we may be able to upgrade it. We are, during post exploitation, going to take a look at
07:27
different methods of transferring files. So this is certainly not the only way to do this. But we're gonna look at trivial FTP on XP. We do have a trivial FTP client by default. We'll have FTP, so we can do
07:42
basically script mode in FTP, since we don't have an interactive command shell yet. We can't do, like,
07:46
FTP, it asks for the username, we give it the username, it asks for the password, we give it the password, and tell it the file we want. Can't do that from what we have here. But we do have a script mode in FTP where you have it read from the script,
08:01
so that would work as well. Some of your newer versions of Windows, you won't have trivial FTP by default, but you will have PowerShell. We will look at PowerShell a little bit
08:11
in our post exploitation time as well.
08:16
have its own little section,
08:18
a small amount of PowerShell.
08:20
Um, well, there's a few other options, like you do Visual Basic.
08:26
Um, PowerShell particularly, I like it for bypassing antivirus,
08:33
but we'll look at other methods, but let's just do trivial FTP here for now. My old
08:39
session. So what I want to do is
08:41
start up
08:43
atftpd.
08:46
I want to start in daemon mode, listen
08:50
and bind the address
08:56
to
08:58
my Kali
09:00
IP, and I'll just tell it I wanna serve from the temp directory,
09:05
so, you know, netstat -antp, let's make sure that 69 actually opened.
09:18
Actually, looks like it didn't.
09:35
you see?
09:43
It would be great.
09:45
Make one mistake and I start making more. Okay. It says it is
09:48
those things.
09:52
Not sure what these are. Those are your TCP ports. So you make one mistake, you just start making more.
09:58
So netstat -antp is gonna look for TCP ports, and what is trivial FTP? Well known 69 UDP, so when I ran it, it wasn't on my list.
10:09
All right. So, well, my ps aux will tell us that it is indeed running.
10:13
I'm gonna copy meterpreter.php that we made in the last video into tmp,
10:20
and then from our web browser, I'm gonna get the syntax right here,
10:26
which, of course, you can look up. What we want to do is tftp,
10:33
and then we need the IP address we want to grab it from, just our Kali IP,
10:39
then GET. That is our TFTP command, and I sometimes get the order wrong here, so it is in the slide. So feel free to look it up. You don't have to feel bad about looking things up. Nobody remembers everything. We want to get the file meterpreter.php.
10:54
And I want to put it again somewhere that I can access it.
10:58
Again, I'm system, so I have the rights to write it wherever I like. We do want those double backslashes again to escape the backslash, so we don't just end up with a file with a long name on the C drive.
11:13
Transfer successful. Awesome.
11:16
Now we should be able to go to meterpreter.php. Remember, I turned that ExitOnSession
11:22
false
11:24
on my listener in Metasploit. Will it work without doing anything? Because I'm using the same payload, there should still be a listener
11:31
running in Metasploit, so I should just be able to go to it.
11:37
What did I do wrong?
11:41
Well, not Ph feels she's t STP
11:45
hitman
11:46
does a Mr Belden interpreter.
11:50
What helps Mature.
11:54
Good.
11:56
Now it's doing that connecting again, So it looks like something's there.
12:01
Now, this is something we probably report on too, just, you know, a small issue. I'm showing, you know, the major ones that give you a win. But we also would report on things like this, you know, a low or medium issue here. It's like it just tells you everything
12:16
here when they're out of date.
12:22
So I want those banners to not give away quite so much.
12:28
And certainly we want to tell them to update things.
12:31
So if I come back to my Meterpreter,
12:33
I get my Meterpreter session two. I'm actually still in Meterpreter session one, so I can background it.
12:39
sessions -i 2,
12:41
and that drops me in. So I'm still system.
12:46
So
12:48
this just gives me a more interactive shell than my one here.
12:52
Not quite a stance, E
12:54
But I do have another Meterpreter shell for another option here, and we can use databases for command execution, in addition to
13:01
being able to
13:03
read the data that's in them. What kind of database it is and what version is going to make a difference. Older versions make it easier to get command execution. There are some Metasploit modules for
13:15
um
13:16
so we have think,
13:20
um, certain
13:26
procedures, like if we can get the correct username and password, which may be default or something guessable, or maybe
13:33
having achieved access, so you can use
13:37
passwords you cracked, which we'll do in the next section. You can actually
13:41
log in and have it try and run a Metasploit payload
13:46
right through Metasploit. We have different options with databases, depending on what you're working with. It always
13:54
you can get into it. Here, like in this case, just because you can't get into it directly, see if maybe there's another way. Like, be aware of your
14:01
administration back ends that sometimes come with packages like this. For example, the phpMyAdmin may have an open interface by default that no one bothered to change or really even knew anything about,
14:16
so
14:18
there's another way you may be able to
14:20
get in.