Exploit
Injection can lead to system access on the server or, to a lesser extent, to writing files; the main security concern is system access, since it enables remote command execution.
When an RCE exploit succeeds, a text terminal opens in which you enter commands as if you were on the server.
> **Important**
> This content is provided for educational and security purposes, for use in a controlled environment.
> **Tip**
> Share your concerns too, add new techniques to the list and open a pull request.
> Also see the wiki page Reverse shell to disambiguate reverse shells from RCE exploits.
Provided that the injection is successful, each exploit first creates a function or adds a file on the remote system, then proceeds with the exploit itself. The writing modes are also described below.
RCE is performed by a user-defined function, either packaged in a library or built from crafted methods; it gives access to system commands through an additional SQL function that runs the command.
UDF has several setup requirements, but it is easy to build because it needs no user input: a single click is enough.
The Web exploit also gives access to system commands, though it works by requesting a page from a presumed web folder that you have to choose.
It needs basic queries and the file db privilege, plus some guessing to find the correct working folder.
> **Warning**
> RCE can be difficult to craft; here are the requirements by db vendor for a successful process:

| Type | Database | Need stack query | Web+db on same server | GET param | Write access | |
|---|---|---|---|---|---|---|
| UDF | mysql | ✔ | ✔ ℹ️ | ✔ | Variable secure_file_priv="" | |
| | postgres Program | ✔ | | | | |
| | postgres Extension | ✔ | ℹ️ Extensions installed | | | |
| | postgres WAL | Variable archive_mode=on | | | | |
| | sqlite | ✔ | Extension exec loaded | | | |
| | 🚫 | ✔ | ❌ Semi-colon failure in begin end; | | | |
| Web | mysql | ✔ | Variable secure_file_priv="" | | | |
| | postgres | ✔ | | | | |
| | sqlite | ✔ | ✔ | ✔ | | |
| | hsqldb h2 derby | ✔ | ✔ | JDBC bridge running | | |
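The table above and the "file db privilege" remark make the MySQL prerequisites concrete: an empty `secure_file_priv` plus the `FILE` privilege on the application's account. The following audit helper is an added example, not jsql-injection code; it parses constructed `SHOW VARIABLES` / `SHOW GRANTS` output and reports whether that file-write path is still open, so a defender can verify the hardening on their own server.

```python
"""Check a MySQL account against the file-write prerequisites listed above.

Added example, not part of jsql-injection. The inputs are the constructed
output of `SHOW VARIABLES LIKE 'secure_file_priv'` and `SHOW GRANTS` for the
web application's database account, as a defender would collect them.
"""
import re

# Constructed sample output (not captured from a real server).
SAMPLE_VARIABLES = {"secure_file_priv": ""}   # "" means write anywhere
SAMPLE_GRANTS = [
    "GRANT FILE, SELECT, INSERT ON *.* TO 'webapp'@'localhost'",
]


def has_file_privilege(grants):
    """True if any GRANT line confers FILE, directly or via ALL PRIVILEGES on *.*."""
    for line in grants:
        m = re.match(r"GRANT\s+(.+?)\s+ON\s+(\S+)\s+TO", line, re.I)
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group(1).split(",")}
        scope = m.group(2)
        if "FILE" in privs or ("ALL PRIVILEGES" in privs and scope == "*.*"):
            return True
    return False


def secure_file_priv_state(value):
    """Classify secure_file_priv: 'disabled' (NULL), 'restricted' (a directory) or 'open' ("")."""
    if value is None or str(value).upper() == "NULL":
        return "disabled"
    return "open" if value == "" else "restricted"


def audit_mysql(variables, grants):
    """Return (file_write_possible, findings) for the prerequisites in the table."""
    findings = []
    state = secure_file_priv_state(variables.get("secure_file_priv"))
    if state == "open":
        findings.append('secure_file_priv="" lets the account write files anywhere')
    elif state == "restricted":
        findings.append(f"secure_file_priv is limited to {variables['secure_file_priv']}")
    if has_file_privilege(grants):
        findings.append("account holds the FILE privilege")
    # Both conditions are needed for the account to write an exploit file.
    writable = state != "disabled" and has_file_privilege(grants)
    return writable, findings
```

Setting `secure_file_priv` to NULL or to a dedicated directory, and dropping `FILE` from the application account, closes the path the table describes for mysql.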
Similar to Web, with a presumed web folder to find. It runs SQL queries directly, without any injection layer, and tests several db connection methods such as `new PDO()`, `mysqli_connect()` and `mysql_connect()`.
Depending on the database settings, credentials must also be set.
> **Tip**
> To retrieve the username and password you can use the tab Read file and open any file containing the hard-coded credentials (e.g. index.php, mydb.php).
Any target that runs a language like PHP may also give access to direct upload via `Content-Type: multipart/form-data`.
You select the file on your system and the presumed web folder to start the upload.
The exploit can be created in various ways: you select the creation mode or leave it on `auto`.
A single query that includes the exploit's body encoded in hex creates the file; this means that with method `GET` it is limited to relatively small payloads.
> **Warning**
> Use `POST` and mode `temp table` for large payloads like `UDF`.
The exploit is split into small chunks encoded in hex and loaded into a temp table, then the table is written into the destination file.
With temp table the small `GET` size limitation is avoided by processing smaller chunks, but you need stack queries.
You can also connect the database directly to your file system to transfer the exploit, for example on a local network during a CTF.
You set your path to the network share folder where the exploit is created, like `\\127.0.0.1\C$\folder\`, then the database loads it through a direct connection from the remote server to your netshare.