From SQLi to ROOT

H0nus
H0nus
Jun 11 · 4 min read

So, days ago a friend told me about a strange error in a website because he accidentally put the single quote.
So I immediately went to check the “problem”.
I checked the link “https://website.redacted/shop/index.php?action=showCatalogue&categoryID=212&subCategoryID=325” and I’ve found with some testing that subCategoryID was vulnerabile to Error based SQL injection and database was MySQL. Also the error was printing the full query, so exploitation would be easier.

MySQL Error

It was enough to do some “math” checking for the parameter.
By checking for subCategoryID=325 and subCategory=326–1 the responses were the same and also for others checks live 315 and 325–10 ans so on.

What now? Of course i’ve fired up SQLMap (yes i’m a lamer as you can see :P) and got the admin data.
Password were hashed as MD5 and I got one of them cracked easily just by using hashkiller website (awesome site!).

SQLMap verfies the SQLi
Logged in as Admin to CMS

Now I logged in (from /admin page) as an Admin and got to a new place, the CMS.
I have searched for a bit around and my attention got attracted by the List Product page.
I was admin , so I could edit products info and images as well!
I tried to replace an image with a php webshell (i used c99 edited by locus7s) and the upload page didn’t filter php5 extension.

Now that I got the webshell, I searched for interesting files and things and I have found that someone (or maybe the owner) had backdoored the payment form with a fake paypal form that was saving CCs and customers infos, so i immediately delete it.
I didn’t get much further because the user in use was really limited.

Webshell uploaded :)

After the researches I tried to get a reverse shell, and I fired up Metasploit (I also tried with Empire and PoshC2 successfully ) and tried with a web delivery with a python payload.
Luckly the server was using Python 2.6 and it was usable by the user, so the meterpreter shell popped out! Nice!

Meterpreter shell popped out :D

I wasn’t satisfied enough, I wanted more! So I started to find some way to escalate privileges.
By using uname I understood that the server was using Centos 6.6 with Linux Kernel 2.6.32.
So I’ve searched for some local privilege escalation exploit to get the work done faster and I’ve found this one: https://www.exploit-db.com/exploits/40839 , maybe It could have work!
I used wget to download the code to a writable path for the user and I’ve also found that gcc was installed and usable.
After the compilation i fired up the DirtyCow exploit and everything went fine!

Downloaded and compiled the exploit, after I’ve runned it

I’ve set the user as firefart and password as imcool2.
After that I closed the meterpreter shell and tried to ssh to the server with firefart account and I’ve actually logged in!
By using id command I had root privileges and permissions! Awesome!

Logged in with firefart with root permissions!

The ssh server gave me as motd (message of the day) a list of commands and one of them was to login to Plesk dashboard with URL Token.
So now I’ve got the server total control!

Time to report and write down a new article!
I hope you ejoyed reading this and learned something new!
Follow me on twitter for any other news! @IvanBiagi1

H0nus

Written by

H0nus

Cyber Security lover, somewhat hunter IT lover.