Exploit
Injection can lead to system access on the server or, to a lesser extent, to writing files; the main security concern is system access, since it enables remote command execution.
When an RCE exploit succeeds, a text terminal opens in which you enter commands as if you were logged on the server.
Important
This content is provided for educational purposes and to raise security awareness; use it only in a controlled environment.
Tip
Share your concerns too, add new techniques to the list and open a pull request.
See also the wiki page Reverse shell, which is distinct from the RCE exploits described here.
Provided that the injection is successful, each exploit first creates a function or adds a file on the remote system, then proceeds to the exploit itself. The various writing modes are described further below.
With the UDF exploit, RCE is performed by a user-defined function, packaged either into a library or built from crafted methods, which gives access to system commands through an additional SQL function that runs the command.
UDF has several prerequisites, but it is easy to build as it requires no user input: a single click is enough.
The Web exploit also gives access to system commands, but it does so by requesting a page from a presumed web folder that you have to select.
It needs only basic queries and the file privilege on the database, plus some guessing to find the correct working folder.
Warning
RCE can be difficult to craft; here are the requirements by database vendor for a successful process:
| Type | Database | Need stack query | Web+db on same server | GET param | Write access | Notes |
|---|---|---|---|---|---|---|
| UDF | mysql | ✔ | ✔ ℹ️ | ✔ | Variable secure_file_priv="" | |
| UDF | postgres Program | ✔ | | | | |
| UDF | postgres Extension | ✔ | | | | ℹ️ Extensions installed |
| UDF | postgres Archive | | | | | Variable archive_mode=on |
| UDF | sqlite | | | | | Extension exec loaded |
| UDF | 🚫 | ✔ | | | | ❌ Semi-colon failure in begin end; |
| Web | mysql | | ✔ | | Variable secure_file_priv="" | |
| Web | postgres | | ✔ | | | |
| Web | sqlite | ✔ | ✔ | ✔ | | |
| Web | hsqldb h2 derby | ✔ | ✔ | | | JDBC bridge running |
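The `secure_file_priv=""` entry in the Write access column is easy to misread, because the MySQL variable has three states and only the empty one lets you write into an arbitrary web or plugin folder. The helper below is an added example, not jSQL's own code: it interprets the raw value returned by `SELECT @@secure_file_priv` against the path you intend to write. The probe query, the function name and the sample paths are assumptions made for the example.

```python
"""Added example (not jSQL's own code): interpret MySQL's secure_file_priv.

The requirement table asks for secure_file_priv="" on mysql. The variable
actually has three states, and only the first one allows writing where a
Web or UDF exploit usually needs to:
  ""          no restriction: any directory the mysqld process can write
  "/some/dir" only files under that directory (INTO OUTFILE/DUMPFILE,
              LOAD_FILE), which is rarely the web root or the plugin dir
  NULL        file import/export disabled entirely
PROBE_QUERY and the paths used when calling this are assumptions.
"""
import posixpath
import re
from typing import Optional

PROBE_QUERY = "SELECT @@secure_file_priv"   # run through the injection first
_DRIVE = re.compile(r"^[A-Za-z]:")


def _norm(path: str) -> str:
    """Normalise either slash style and fold case on Windows drive paths."""
    p = posixpath.normpath(path.replace("\\", "/"))
    return p.lower() if _DRIVE.match(p) else p


def secure_file_priv_allows(value: Optional[str], target: str) -> bool:
    """True if INTO OUTFILE/DUMPFILE or LOAD_FILE may use `target`.

    `value` is the raw result of PROBE_QUERY: None for SQL NULL, "" when
    unrestricted, otherwise a directory. The target is normalised first so
    a "../" inside it cannot escape the directory check either way.
    """
    if value is None:          # NULL: file operations are disabled
        return False
    if value == "":            # empty: unrestricted, the state the table asks for
        return True
    base = _norm(value).rstrip("/")
    tgt = _norm(target)
    return tgt == base or tgt.startswith(base + "/")
```

If the value is a directory, the file-based exploits above only work when the web root or the plugin directory happens to live under it; otherwise fall back to a mode that does not write through the filesystem.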
Similar to Web, with a presumed web folder to select, but the page deployed this way runs SQL queries directly, without the injection layer: it tries several database connection methods such as new PDO(), mysqli_connect() and mysql_connect().
Credentials may also need to be set, depending on the database settings.
Tip
To retrieve the username and password you can use the tab Read file to locate and open a file like mydb.php, which may contain the hard-coded credentials.
Any target that runs a language like PHP may also give access to direct upload via Content-Type: multipart/form-data.
You select the presumed web folder and the file on your system to start the upload.
The exploit can be created in various ways: you select the creation mode or leave it on auto.
With a single query, the exploit's body is hex-encoded into one statement that creates the file, so this mode is limited to relatively small payloads when using method GET.
Warning
Use POST or the mode temp table for large payloads like UDF.
In temp table mode the exploit is split into small hex-encoded chunks that are loaded into a temporary table; the table content is then written to the destination file.
This avoids the small GET size limitation by processing smaller chunks, but it requires stacked queries.
You can also connect the database directly to your file system to transfer the exploit, for example over a local network during a CTF.
You set the path of the network share folder where the exploit is created, like \\127.0.0.1\C$\folder\, and the database loads it through a direct connection from the remote server to your network share.