Running SQL Injection Exploits With K2HackBot

Run Sample SQL Injection Exploits with K2HackBot.

Overview

This script runs the top SQL Injection exploits against a deliberately vulnerable demo application, and the K2 Platform detects each of them. The script installs K2HackBot and then runs the SQL Injection exploits.

Working

The run_mysql.sh script performs the following operations:

1. Start the application Docker container

First, the script starts the Docker container of the application. The Docker image used is k2cyber/ic-test-application:sql-injection, a Java-based application that contains SQL Injection vulnerabilities.

If the k2agent is already present on the machine, the application is attached STATICALLY. If the k2agent is not present on the machine, the application is attached DYNAMICALLY.

2. Install K2HackBot

Once the application has started successfully, the script installs the latest K2HackBot on the same machine. The installation directory for K2HackBot is /tmp.

If the K2HackBot package is already present inside the /tmp directory, the script skips the installation and uses the existing K2HackBot.

3. Trigger K2HackBot

The script creates the K2HackBot config file dynamically and then triggers K2HackBot.

K2HackBot is started in the scan-web-application mode. Once the scan is over, K2HackBot reports all the exploits it ran.

It should report 5 vulnerabilities.
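Step 3 writes the config file by echoing a single-quoted template and swapping the quotes with sed, which breaks on any value that itself contains a quote. As an added example (not part of run_mysql.sh or of K2HackBot), the function below builds the same k2hackbot_config.json document with the page's keys (applicationIdentifier.containerid, applicationurl, k2email, k2password, k2icDirectoryPath) as valid JSON, escaping each value and rejecting a container id that is not the 12-character short id that docker ps -q prints; the container id and URL used at the end are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of run_mysql.sh: build k2hackbot_config.json as valid
# JSON without the echo-then-sed quote replacement used by the script.

# Escape backslashes and double quotes so a value is safe inside a JSON string.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# build_hackbot_config CONTAINER_ID APP_URL [EMAIL] [PASSWORD] [COLLECTOR_DIR]
# Prints the config JSON on stdout. Empty EMAIL/PASSWORD omit the credential
# keys and an empty COLLECTOR_DIR omits k2icDirectoryPath, mirroring the four
# cases in run_mysql.sh. Returns 1 for a container id that is not the 12-char
# lowercase hex short id printed by `docker ps -q`.
build_hackbot_config() {
    cid=$1; url=$2; email=$3; password=$4; collectors=$5
    case "$cid" in
        *[!0-9a-f]*|"") echo "invalid container id: $cid" >&2; return 1 ;;
    esac
    [ ${#cid} -eq 12 ] || { echo "invalid container id: $cid" >&2; return 1; }
    json=$(printf '{"applicationIdentifier": {"containerid": "%s"}, "applicationurl": ["%s"]' \
        "$(json_escape "$cid")" "$(json_escape "$url")")
    if [ -n "$email" ] && [ -n "$password" ]; then
        json="$json$(printf ', "k2email": "%s", "k2password": "%s"' \
            "$(json_escape "$email")" "$(json_escape "$password")")"
    fi
    if [ -n "$collectors" ]; then
        json="$json$(printf ', "k2icDirectoryPath": "%s"' "$(json_escape "$collectors")")"
    fi
    printf '%s}\n' "$json"
}

# Constructed sample values: a fake container id, the demo app URL pattern,
# and a password containing a double quote to show the escaping.
build_hackbot_config "0123456789ab" "http://10.0.0.5:8080/DemoApplication-0.0.1-SNAPSHOT/" \
    "user@example.com" 'pa"ss' "/opt/k2-ic"
```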

MySQL Exploits Script

Copy the following run_mysql.sh file anywhere on the Linux machine, or use the copy in the demo_exploits folder of your installation.

#!/bin/bash

# Constants 
application_container=k2hackbot-mysql-demo-app
k2hackbot_root_dir=/tmp
application_image="k2cyber/ic-test-application:sql-injection"
application_log='org.apache.catalina.startup.Catalina.start Server startup in'
default_hackbot_bundle="https://github.com/k2io/K2HackBot-Release/releases/download/1.0.0-rc2/K2HackBot-v1.0.0-rc2.tar.gz"
application_server_status=false
count=0
mount_path=""
mandatory_option_specified=false

# Check if docker is present on the machine and reachable by this user.
if ! docker ps > /dev/null 2>&1; then
    echo ""
    echo "Either Docker is not installed on the machine or this user does not have permissions to connect to the Docker daemon socket."
    echo "Please verify it and re-run the script."
    echo ""
    exit 1
fi

# Displays the Help page
display_help (){
    echo ""
    echo "Usage: bash $0 --mode k2-hackbot-test --options [VALUE]"
    echo ""
    echo "Options:"
    echo "  k2-email               K2Cloud User Account Email"
    echo "  k2-password            K2Cloud User Account Password"
    echo "  k2hackbot-bundle-url   K2HackBot bundle URL"
    echo "  k2collector-path       Path that contains K2agent collectors"
    echo ""
    exit 1
}

# Print help page if no arguments are provided.
if [ $# -eq 0 ]; then
    display_help
fi


opts=$(getopt \
    --longoptions "mode:,k2-email:,k2-password:,k2hackbot-bundle-url:,k2collector-path:,help" \
    --name "$(basename "$0")" \
    --options "" \
    -- "$@"
)

# Exit if getopt rejected the arguments (it has already printed the reason).
if [[ $? -ne 0 ]]; then
    exit 1
fi

# Replace the positional parameters with getopt's normalised output.
eval set -- "$opts"


while [[ $# -gt 0 ]]; do
    case "$1" in

        --mode)
            mandatory_option_specified=true
            mode=$2
            shift 2
            ;;

        --k2-email)
            k2m_email=$2
            shift 2
            ;;

        --k2-password)
            k2m_password=$2
            shift 2
            ;;

        --k2hackbot-bundle-url)
            bundle_url=$2
            shift 2
            ;;
        --k2collector-path)
            mount_path=$2
            shift 2
            ;;
        --help)
            display_help
            ;;
        --)
            shift
            break
            ;;
        *)
            break
            ;;
    esac
done

# The --mode option is mandatory and must be k2-hackbot-test.
if ! $mandatory_option_specified; then
    echo ""
    echo -e "Option 'mode' is mandatory. Use bash $0 --help for more details \n"
    exit 1
fi

if [ "$mode" != "k2-hackbot-test" ]; then
    echo ""
    echo -e "Invalid mode used: $mode \n"
    echo -e "Use bash $0 --help for more details \n"
    exit 1
fi

get_collectors_dir () {

    #CASE 1: If the user passes the K2 collector path explicitly
    if [ "$mount_path" != "" ]; then
        echo ""
        FILE="$mount_path/K2-JavaAgent-1.0.0-jar-with-dependencies.jar"
        if [ -f "$FILE" ]; then
            echo "> Using collectors from $mount_path"
        else
            echo "> Unable to find the K2 collectors in $mount_path"
            exit 1
        fi

    #CASE 2: If the user is running the script from demo_scripts directory
    # (env_variables is a file, so test with -f rather than -d)
    elif [ -f "../env_variables" ]; then
        mount_path=$(grep K2_COLLECTORS_HOME ../env_variables | awk -F'=' '{print $2}')
        echo "> Using collectors from $mount_path"
    
    #CASE 3: Check in /opt/ directory
    elif [[ -f "/opt/k2-ic/K2-JavaAgent-1.0.0-jar-with-dependencies.jar" ]]; then
        mount_path="/opt/k2-ic"   
        echo "> Using collectors from $mount_path"

    #CASE 4: Check in ${HOME} directory
    elif [[ -f "${HOME}/k2-ic/K2-JavaAgent-1.0.0-jar-with-dependencies.jar" ]]; then
        mount_path="${HOME}/k2-ic"   
        echo "> Using collectors from $mount_path"
    else
        echo "Unable to find the K2 collectors."
        exit 1
    fi
    echo ""

}

# Check if the K2agent component is running on the machine.
# Returns 0 when at least one Runner process exists, 1 otherwise.
is_k2agent_installed() {
    runner_process_count=$(ps -ef | grep -v grep | grep -c "com.k2cybersecurity.intcodeagent.Runner")
    [ "$runner_process_count" -ge 1 ]
}

# Clean the Environment
echo -e '\n\n> Removing existing docker containers \n'
docker rm -f $application_container > /dev/null 2>&1

# Check if K2agent is already installed
if is_k2agent_installed; then
    echo "K2agent already installed."
    echo -e "Proceeding with the STATIC attachment of the application \n"

    get_collectors_dir
    
    # Start MySql-Demo-App application container with STATIC attachment
    echo -e "> Starting application docker container: $application_container"
    echo ""
    docker pull $application_image
    echo ""
    docker run -itd -p 8080:8080 -v "$mount_path:/opt/k2-ic" -e K2_OPTS=" -javaagent:/opt/k2-ic/K2-JavaAgent-1.0.0-jar-with-dependencies.jar " --name "$application_container" "$application_image"

    if [[ $? -ne 0 ]]; then
        echo -e "\nFailed to run the application container.\n"
        exit 1
    fi
    echo ""

else
    echo "K2agent not installed."
    echo -e "Proceeding with the DYNAMIC attachment of the application \n"
    
    # Start MySql-Demo-App application container with Dynamic attachment
    echo -e "> Starting application docker container: $application_container"
    echo ""
    docker pull $application_image
    echo ""
    docker run -itd -p 8080:8080 --name "$application_container" "$application_image"

    if [[ $? -ne 0 ]]; then
        echo -e "\nFailed to run the application container.\n"
        exit 1
    fi
    
    echo ""

fi

# Wait for the application server to start (up to 5 checks, 30 seconds apart).
# Tomcat writes its console log to stderr, so merge it before grepping.
while ! $application_server_status; do
    lines=$(docker logs "$application_container" 2>&1 | grep -c "$application_log")
    echo "Waiting for the application to start..."

    count=$((count+1))

    if [ "$lines" -ge 1 ]; then
        application_server_status=true
    elif [ "$count" -ge 5 ]; then
        echo "ABORTED"
        echo "Application did not start. Please check docker container logs."
        exit 1
    else
        sleep 30s
    fi
done

echo -e "\n> Application started successfully."

# If the user supplied a bundle URL, use it and discard any K2HackBot already present.
if [ -n "$bundle_url" ]; then
    default_hackbot_bundle=$bundle_url
    echo -e "\n> Removing existing K2HackBot bundle if already present in the $k2hackbot_root_dir directory."
    rm -rf "$k2hackbot_root_dir"/K2HackBot*
fi

# Install the K2HackBot Bundle
if [ ! -d "${k2hackbot_root_dir}/K2HackBot" ]; then
    echo -e "\n> Installing the K2HackBot bundle"

    cd "$k2hackbot_root_dir" || exit 1

    rm -f K2HackBot.tar.gz

    echo "    Downloading K2HackBot bundle using the URL: $default_hackbot_bundle"
    if ! wget -t 2 -T 30 -O K2HackBot.tar.gz "$default_hackbot_bundle" > /dev/null 2>&1; then
        echo ""
        echo "Network error. K2HackBot bundle cannot be downloaded."
        exit 1
    fi

    echo "    Extracting K2HackBot bundle"
    if ! tar xf K2HackBot.tar.gz; then
        echo ""
        echo "Failed to extract the K2HackBot tar file."
        exit 1
    fi

    cd K2HackBot/ || exit 1

    # Setup K2HackBot project
    echo -e "\n> Setting up the K2HackBot"
    if ! bash install.sh; then
        echo ""
        echo "Failed to setup the K2HackBot."
        exit 1
    fi

else
    echo "K2HackBot bundle found in $k2hackbot_root_dir directory"
    # PATH is not set yet at this point, so test the binary inside the bundle directly.
    if ! "$k2hackbot_root_dir/K2HackBot/bin/k2hackbot" --version > /dev/null 2>&1; then
        echo ""
        echo "k2hackbot command not found. Remove the existing K2HackBot from $k2hackbot_root_dir directory and rerun the script."
        exit 1
    fi

fi

#Set PATH variable for K2HackBot
mypath="$k2hackbot_root_dir/K2HackBot/bin"
export PATH=$mypath:$PATH
export LC_ALL="en_US.UTF-8"

# Create the K2HackBot config file
echo -e "\n> Updating config file for K2HackBot"
myid=$(docker ps -q --filter "name=^${application_container}$")
privateip=$(hostname -I | awk '{print $1}')
app_url="http://${privateip}:8080/DemoApplication-0.0.1-SNAPSHOT/"

# The config always carries the container id and application URL. Credentials
# are added when both were given, and the collectors path is added whenever a
# K2agent is present (static attachment). Written directly as JSON.
config_json="{\"applicationIdentifier\": {\"containerid\": \"$myid\"}, \"applicationurl\": [\"$app_url\"]"
if [ -n "$k2m_email" ] && [ -n "$k2m_password" ]; then
    config_json="$config_json, \"k2email\": \"$k2m_email\", \"k2password\": \"$k2m_password\""
fi
if is_k2agent_installed; then
    config_json="$config_json, \"k2icDirectoryPath\": \"$mount_path\""
fi
config_json="$config_json}"

echo "> Using the following config JSON: $config_json"

config_file="$k2hackbot_root_dir/K2HackBot/k2hackbot_config.json"
printf '%s\n' "$config_json" > "$config_file"

echo -e "\n> Starting K2HackBot\n\n"
k2hackbot scan-web-application --config "$config_file"

Options

Option                   Description
--k2-email               Provide the registered K2 email. The default value is set to installer@k2io.com.
--k2-password            Provide the password corresponding to the registered K2 email.
--k2hackbot-bundle-url   Provide the K2HackBot Bundle URL.
--k2collector-path       The directory path where the K2 collectors are located.

Commands

Note: Before running the commands below, make sure you are in the directory that contains the run_mysql.sh script.

  • Command to display the help page:

$ bash run_mysql.sh  --help

Usage: bash runscript_mysql.sh k2-hackbot-test --options [VALUE]

Options:
  k2-email               K2Cloud User Account Email
  k2-password            K2Cloud User Account Password
  k2hackbot-bundle-url   K2HackBot bundle URL
  k2collector-path       Path that contains K2agent collectors

  • Run the script when k2agent is NOT present on the machine:

bash run_mysql.sh --mode k2-hackbot-test

  • Run the script when k2agent is present on the machine:

In this case, make sure to pass the k2-email and k2-password options. Use the same k2-email that was used while installing the k2agent on the machine.

bash run_mysql.sh --mode k2-hackbot-test --k2-email example@k2io.com --k2-password mypassword

  • Upgrade/Downgrade the K2HackBot Bundle:

The script supports installing a specific version of K2HackBot if required. For this purpose, use the k2hackbot-bundle-url option.

bash run_mysql.sh --mode k2-hackbot-test --k2hackbot-bundle-url=<NEW_HACKBOT_VERSION_URL>

View Exploits

Detected exploits are shown on the K2 Portal's Exploits page.

Alternatively, go to Exploits | K2 Portal.
