SQL injection to RCE

Aditya Chauhan
3 min readFeb 17, 2023

--

SQL injection is a type of web application vulnerability that allows an attacker to execute arbitrary SQL commands on a vulnerable web application’s backend database. If the web application is not properly secured, an attacker can leverage a successful SQL injection attack to achieve Remote Code Execution (RCE) on the target server.

In this blog, we will explore how SQL injection vulnerabilities can be exploited to achieve RCE on a vulnerable server, along with examples of payloads that can be used to exploit these vulnerabilities.

Exploiting SQL Injection to Achieve RCE

SQL injection vulnerabilities allow an attacker to inject SQL commands into a web application’s backend database by manipulating the input data that is passed to the application. If the web application does not properly validate and sanitize the user input data, an attacker can craft a malicious SQL statement that can bypass the application’s security and execute arbitrary commands on the backend database.

If an attacker can successfully execute arbitrary SQL commands on the backend database, they can use these commands to gain access to the server’s file system, upload and execute malicious code, and achieve RCE on the server.

Example Payloads for SQL Injection to RCE Attacks

Let’s take a look at some example payloads that can be used to exploit SQL injection vulnerabilities to achieve RCE.

Example 1: Uploading a PHP shell to the server

Suppose a vulnerable web application contains an SQL injection vulnerability in its login page. An attacker can craft a malicious SQL statement to bypass the login and gain access to the server’s file system. Once the attacker has access to the file system, they can upload a PHP shell to the server and execute arbitrary commands.

The following is an example of an SQL injection payload that can be used to upload a PHP shell to the server:

' UNION SELECT '<?php system($_GET['cmd']); ?>' INTO OUTFILE '/var/www/html/shell.php' #

This payload injects a new SELECT statement into the original SQL query and writes the PHP code to a file called “shell.php” in the “/var/www/html/” directory on the server. The attacker can then access the PHP shell by navigating to “http://target-server/shell.php?cmd=[command]" in a web browser.

Example 2: Reading the “etc/passwd” file

Suppose a vulnerable web application contains an SQL injection vulnerability in a search field that searches a database for user information. An attacker can craft an SQL statement to read the “/etc/passwd” file on the server and retrieve sensitive information about the users.

The following is an example of an SQL injection payload that can be used to read the “/etc/passwd” file on the server:

' UNION SELECT load_file('/etc/passwd') #

This payload injects a new SELECT statement into the original SQL query and loads the contents of the “/etc/passwd” file into the result set.

Preventing SQL Injection to RCE Attacks

Preventing SQL injection vulnerabilities involves implementing several security measures, such as input validation, parameterized queries, and stored procedures. It is also important to regularly monitor for suspicious activity and stay up-to-date on the latest security best practices.

In the examples above, the vulnerable web applications could have prevented the attacks by validating and sanitizing user input data, using parameterized queries, and limiting the privileges of the database user account.

Conclusion

SQL injection vulnerabilities can have severe consequences for vulnerable web applications, including the risk of RCE. It is crucial to implement a multi-layered approach to security to prevent these attacks. By following security best practices, such as input validation, parameterized queries, and monitoring for suspicious activity, organizations can reduce the risk of SQL injection to RCE attacks. It’s important to regularly conduct security assessments and stay up-to-date on the latest security best practices to stay ahead

SQL Injection Authentication Bypass Cheat Sheet

https://www.excelinfosec.com/2023/04/sql-injection-authentication-bypass.html

--

--

Aditya Chauhan

ISO 27001 LA | VAPT | Synack Red Teamer | HTB Dante | HTB RASTA | HTB Cybernetics | HTB Offshore | HTB APTLabs | Cyber Security Analyst | Security Researcher