Help with Advanced (Manual) SQL Injection
Hey there, fellow tinkerers. Long time lurker, first time poster (isn't everyone?)... I've got a couple questions regarding manual exploitation of SQLi vulnerabilities. Yes, I have - and regularly use - sqlmap for my projects and I love it, but it doesn't do much in the way of explaining. I am one of those people who has to know the hows and whys of everything. I know that, simply put, SQL is the language that web applications use to communicate with their back-end DBMS. I know that sub-par coding or poorly maintained servers can allow the user to fool the back-end DBMS into executing SQL commands that eventually reveal almost everything about the target machine and its front end. I know that if you know how to speak to the server you can coax it into doing some pretty naughty things, up to and including dumping databases or gaining root privileges.
So it goes like this:
Find a target and confirm vulnerability. Vulnerable pages are those with parameters that directly query server and whos user-supplied input is either poorly sanitized or not sanitized at all (...customers/online/shop.php?item=00012). Here the "item" parameter appears vulnerable. To confirm, we toss a ' at the end of the URL (...customers/online/shop.php?item=00012'). We are looking for a SQL error, if none, we try this:
A lot of times simply sticking a couple brackets after the target parameter will cause a SQL error, even when the above attempt failed.
Get column information. Use UNION ALL SELECT to 1. help determine the MySQL version, as UNION ALL does not work on older versions, and 2. to determine the number and position of the columns that are responding to your queries.
Force the vulnerable columns to give up the MySQL version and contents of 'information schema'. Use this info to dump the 'admin' or 'user' or similarly named tables, along with any other useful data.
Now, here's where I'd like to expand upon my extremely limited understanding of SQL injection. Usually I'd just dump any desirable info and move on to the next target, but I know much more is possible.
How do I escalate my privileges? What privileges do I have to begin with? Does the output of sqlmap's '--current-user' option reflect my privilege level? In other words, if the current user is 'dude1', and dude1 is a moderator, do I have moderator privileges? How do I give myself admin access?
Can I upload a backdoor to the server? How? My goal is to upload a persistent shell that has admin privileges. How would I go about writing the payload?
Also, can XSS be used to upload a file to the back-end? How?
I guess what I'm looking for is the syntax.
Anyhoo, it's nice to meet everyone. OTW, Null-Byte is an excellent blog and one of my favorite sources of reliable information, keep up the awesome work!