SQL Injection to RCE
by Efren Díaz
In the next lines I will expose a case that I experimented some days ago working in a penetration testing for one of our customers at Open Data Security, in my opinion was interest how I needed concatenate a few factors to get the RCE.
For obvious reasons, some customer data will be anonymized.
Doing a directory fuzzing, I found a folder with a php file inside:
When I tested the url I got a php Warning:
As we can see the app is trying to include an empty filename with a .php extension. Next thing that came to my mind was, maybe I could control the filename in a GET parameter, so I decided bruteforce some parameters. Before recurring to any scripts I thought I should test for common old school website modules parameters like “sec, section, mod, module, file, page,etc.” and to my surprise the “page” parameter threw a different error, a MySQL warning message:
Well, as we can see the include function continues in the same point with an empty filename, but we can see we got a MySQL error, then from here I tried guess that the aplication gets the required filename from a database and from here I tried the usually sql inyection:
https://customer.com/php/load.php?page=’ or ‘’=’
And I got the include warning message, but this time the filename was not empty, it was “analytics.php”, the first path string had a point, and the website css style was not loaded (now the links are not pink)
Well, at those time I was secure that the include() gets parts of the path from database and we need to try an union type SQL injection so that we control the path and try a Local File Inclusion.
In the first injection that I tried I got a 406 response, the website has the Mod_Security apache module enabled which unfortunately detects my injection BUT as some know, an outdated Mod_Security version can bypassed with MySQL comments in the injection string. I tried and it worked, with a 9 columns injected query:
https://customer.com/php/load.php?page=’ /*!50000union*/ select 1,2,3,4,5,6,7,8,9-- -
I didn’t find anywhere else throughout the web application, an upload form would allow to upload an image or any file extension with php code that wishfully, I could include to exploit the present Local File Inclusion, but as you can see in the previous image, I observed that I could manipulate the beginning of the path and that is great for my perspective because I know that I can try to use some php wrappers.
First I used “php://filter/convert.base64-encode/resource=” wrapper to read the index.php file:
https://customer.com/php/load.php?page=’ /*!50000union*/ select 1,2,3,4,5,’../index’,7,8,’php://filter/convert.base64-encode/resource=.’ -- -
And voila, we got a base64 encoded string of the index.php source code
Ah this point all I want is to get an RCE so I first tried the input:// wrapper, but that didn’t work because the application concatenates the input with the rest of the path, and because of the mighty Mod_Security module the use nullbyte %00 was not possible. Then I decided to try with the data:// wrapper to send some php code that hopefully will execute:
https://customer.com/php/load.php?page=' /*!50000union*/ select 1,2,3,4,5,6,7,8,’data://text/plain,<?php echo system(“uname -a”);?>’-- -
And once again I got a Mod_Security 406 response blocking me. Thinking some I supposed that the problem was in the “system(“ string, and I went back to cook some php lines:
<?php $a=”sy”; $b=”stem”; $c=$a.$b; $c(“uname -a”); ?>
And finally the payload was:
https://customer.com/php/load.php?page=' /*!50000union*/ select 1,2,3,4,5,6,7,8,’data://text/plain,<?php $a=”sy”;$b=”stem”;$c=$a.$b; $c(“uname -a”);?>’ -- -
And the response with our command result:
Then finally got RCE !!! ^_^
About the Author
Efrén Díaz is a IT Security Analyst at Open Data Security, he started his career programming and developing applications in 2006. After doing several studies and projects in the computing field, he specialised in the computer security area.
The article has been originally published at: https://medium.com/bugbountywriteup/sql-injection-to-lfi-to-rce-536bed29a862