Hi everyone! Welcome back to another vulnhub machine walkthrough. In this post, we will try to solve the the Csharp VulnJSON machine, this particular machine are focus on introducing some key concept of known web application attacks.
We will go through each of the vulnerability and we will see how we can elevate this into a working exploit.
Background:
Setting up this machine is easy, the author provide us with .ova file and all we have to do is just import the file then we good to go.
Information Gathering:
first, we need to find out what is the machine ip address, to do this I used nmap to do ping sweep on my local network.
from the result above we can see that the target machine is with 192.168.1.7. Now that we have our target IP address, let's proceed with scanning the open port on the machine.
cool! so the machine only open port 80 and this will make it much more simple. If we go to the web server, we are welcomed with two forms: first is used for create a user and the other one is for searching user.
Sensitive Data Exposure:
Okay, before we start fuzzing the form to find any indication of vulnerability, let's try to mapping the web application.
Using dirsearch for the tools to mapping the website and finding hidden directory, we found one which is "/bin/". We can achieved the same result using wfuzz like the below figure.
By going to the "/bin/" folder we found several interesting file that worth to download and look.
It looks like the .dll file is a .net assembly, we can analyze the .dll using monodis(https://www.mono-project.com/docs/tools+libraries/tools/monodis/)
you can use monodis the following way:
~# monodis <.dll file>
the Newtonsoft.Json.dll is the external library there is nothing interesting inside it, you can just proceed to ch2_vulnerable_json_endpoint.dll file
1. the web app use npgsql which is a .Net framework used to communicate with a database.
2. we got the columns of the table used for creating user.
3. we got the the credential of the database(postgresql). But please be aware that the database can only be accessed from localhost.
Union SQL injection:
we start by inserting some random data to create user form.
I create several of them and input string into the list users form to check if its successfully submitted to db. Looks like it done and we can see the search is not omitting a strict keyword.
Lets try to intercept the List user query first using burp suite and send it to the repeater, so we can edit and send it multiple times.
Notice in the figure above our input is send with JSON format, furthermore, I put a single quote after the "aa" string this to test if there is an error that we could trigger to DB and from the result we got what we are looking for. This indicate that "username" section is vulnerable to sql injection.
Let's try to determine how many columns that we can insert in our union sql injection using "order by" command.
after a couple of times try to adjust the number, it seems that we can only fit one column into the union, let's try this assumption by inserting union statement.
it looks like we are right track, the union statement work and able to show the combine string that we append. Looking back to information that we got from .dll file regarding columns and table, we don't need to query information_schema table.
we know that there are columns: username and password inside the users table so we only need to combile simple select statement along with union and the name of column and table in our payload, like the figure below.
Sweet! we just get the content of the users database and able to retrieve the username and password.
Undeleted Username:
We can create undeleted account in the database by just simply append double quote at the beginning of the name, for example:
when we try to change the method into delete, the server return success however it does not delete the account. This is due to the double quote of inside the name that messed up the DELETE statement in sql query.
INSERT SQL injection:
just like the list user form the create user form susceptible with sql injection but unlike the union sql injection that we have conducted earlier, INSERT sql injection is easier. If the application is vulnerable, an attacker can inject arbitrary values in to the database using crafted input, like this:
Next, we need to locate where the injected data is reflected back by the application. The first payload will return database that used, while the second will return the postgres version. We can get the result by submitting empty search to the list user, like below figure.
The last two result, show the current database that used now and the version of postgresql.
Leveraging sqlmap to retrieve DB and shell from database:
Lastly, we can use sqlmap to get the same result like the previous union and insert sql injection.
to do this via sqlmap, the least painful way is to saved the http post transaction from burp suite to a file.
Then passed to the sqlmap, like below figure:
Walaaa! we got the same result. To get the interactive shell to the postgresql, all you need to do is just append "--os-shell"
That's all folks, I hope you enjoy this post and see you in the next post of vulnhub.
Comments
Post a Comment