Running SQL Injection Exploits With K2HackBot
Run Sample SQL Injection Exploits with K2HackBot.
Overview
This script installs K2HackBot and runs a set of top SQL injection exploits against a sample application, which the K2 Platform detects seamlessly.
Working
The run_mysql.sh script performs the following operations:
1. Start the application Docker container
First, the script runs the Docker container of the application. The application Docker image used is k2cyber/ic-test-application:sql-injection. This is a Java-based application that includes SQL injection vulnerabilities.
If the k2agent is already present on the machine, the application will be attached STATICALLY. On the other hand, if the k2agent is not present on the machine, the application will be attached DYNAMICALLY.
2. Install K2HackBot
Once the application is started successfully, the script will try to install the latest K2HackBot on the same machine. The installation directory for K2HackBot is /tmp.
If the K2HackBot package is already present inside the /tmp directory, then the script will skip the installation and use the existing K2HackBot.
3. Trigger K2HackBot
The script will create the K2HackBot config file dynamically and trigger the K2HackBot.
The K2HackBot is started in the scan-web-application mode. Once the scanning is over, all the exploits will be reported by the K2HackBot.
Ideally, it should report 5 Vulnerabilities.
Mysql Exploits Script
Copy the following run_mysql.sh file anywhere on the Linux machine, or find the script in the demo_exploits folder of your installation.
#!/bin/bash

# Constants
application_container=k2hackbot-mysql-demo-app
k2hackbot_root_dir=/tmp
application_image="k2cyber/ic-test-application:sql-injection"
application_log='org.apache.catalina.startup.Catalina.start Server startup in'
default_hackbot_bundle="https://github.com/k2io/K2HackBot-Release/releases/download/1.0.0-rc2/K2HackBot-v1.0.0-rc2.tar.gz"
application_server_status=false
count=0
mount_path=""
mandatory_option_specified=false

# Check if docker is present on the machine.
docker ps > /dev/null 2>&1
if ! [ $? -eq 0 ]; then
    echo ""
    echo "Either Docker is not installed on the machine or this user does not have permissions to connect to the Docker daemon socket."
    echo "Please verify it and re-run the script."
    echo ""
    exit 1
fi

# Displays the Help page
display_help () {
    echo ""
    echo "Usage: bash $0 --mode k2-hackbot-test --options [VALUE]"
    echo ""
    echo "Options:"
    echo "  k2-email               K2Cloud User Account Email"
    echo "  k2-password            K2Cloud User Account Password"
    echo "  k2hackbot-bundle-url   K2HackBot bundle URL"
    echo "  k2collector-path       Path that contains K2agent collectors"
    echo ""
    exit 1
}

# Print help page if no arguments are provided.
if [[ $# -eq 0 ]]; then
    display_help
fi

opts=$(getopt \
    --longoptions "mode:,k2-email:,k2-password:,k2hackbot-bundle-url:,k2collector-path:,help," \
    --name "$(basename "$0")" \
    --options "" \
    -- "$@"
)
# Exit if the getopt command reported an error.
if [[ $? -ne 0 ]]; then
    exit 1
fi

# Load getopt's quoted output back into the positional parameters.
# The expansion is quoted so option values are not word-split or globbed.
eval set -- "$opts"
# echo $opts

while [[ $# -gt 0 ]]; do
    case "$1" in
        --mode)
            mandatory_option_specified=true
            mode=$2
            shift 2
            ;;
        --k2-email)
            k2m_email=$2
            shift 2
            ;;
        --k2-password)
            k2m_password=$2
            shift 2
            ;;
        --k2hackbot-bundle-url)
            bundle_url=$2
            shift 2
            ;;
        --k2collector-path)
            mount_path=$2
            shift 2
            ;;
        --help)
            display_help
            exit 1
            ;;
        *)
            break
            ;;
    esac
done

# Condition to check if mode is provided by the user
if ! $mandatory_option_specified; then
    echo ""
    echo -e "Option 'mode' is mandatory. Use bash $0 --help for more details \n"
    exit 1
fi

# Validation for the mode type
if ! [[ "$mode" == "k2-hackbot-test" ]]; then
    if [ "$mode" != "" ]; then
        echo ""
        echo -e "Invalid mode used: $mode \n"
        echo -e "Use bash $0 --help for more details \n"
        exit 1
        # display_help
    fi
fi

# Locate the directory that holds the K2 collectors and store it in mount_path.
get_collectors_dir () {
    # CASE 1: If the user passes the K2 collector path explicitly
    if [ "$mount_path" != "" ]; then
        echo ""
        FILE="$mount_path/K2-JavaAgent-1.0.0-jar-with-dependencies.jar"
        if [ -f "$FILE" ]; then
            echo "> Using collectors from $mount_path"
        else
            echo "> Unable to find the K2 collectors in $mount_path"
            exit 1
        fi
    # CASE 2: If the user is running the script from demo_scripts directory
    # (env_variables is read as a file below, so test for a file, not a directory)
    elif [ -f "../env_variables" ]; then
        mount_path=$(cat ../env_variables | grep K2_COLLECTORS_HOME | awk -F'=' '{print $2}')
        echo "> Using collectors from $mount_path"
    # CASE 3: Check in /opt/ directory
    elif [[ -f "/opt/k2-ic/K2-JavaAgent-1.0.0-jar-with-dependencies.jar" ]]; then
        mount_path="/opt/k2-ic"
        echo "> Using collectors from $mount_path"
    # CASE 4: Check in ${HOME} directory
    elif [[ -f "${HOME}/k2-ic/K2-JavaAgent-1.0.0-jar-with-dependencies.jar" ]]; then
        mount_path="${HOME}/k2-ic"
        echo "> Using collectors from $mount_path"
    else
        echo "Unable to find the K2 collectors."
        exit 1
    fi
    echo ""
}

# Check if the K2agent component is installed on the machine.
# Returns 0 when exactly one Runner process is found, 1 otherwise.
is_k2agent_installed() {
    runner_process_count=$(ps -ef | grep -v grep | grep "com.k2cybersecurity.intcodeagent.Runner" | wc -l)
    # k2agent is already installed
    if [ $runner_process_count == 1 ]; then
        echo ""
        return 0
    # k2agent not installed
    else
        echo ""
        return 1
    fi
}

# Clean the Environment
echo -e '\n\n> Removing existing docker containers \n'
docker rm -f "$application_container" > /dev/null 2>&1

# Check if K2agent is already installed
runner_process_count=$(ps -ef | grep -v grep | grep "com.k2cybersecurity.intcodeagent.Runner" | wc -l)
if [ $runner_process_count == 1 ]; then
    echo "K2agent already installed."
    echo -e "Proceeding with the STATIC attachment of the application \n"
    get_collectors_dir
    # Start MySql-Demo-App application container with STATIC attachment
    echo -e "> Starting application docker container: $application_container"
    echo ""
    docker pull "$application_image"
    echo ""
    # The collectors directory is mounted into the container and loaded as a Java agent.
    docker run -itd -p 8080:8080 -v "$mount_path":/opt/k2-ic -e K2_OPTS=" -javaagent:/opt/k2-ic/K2-JavaAgent-1.0.0-jar-with-dependencies.jar " --name "$application_container" "$application_image"
    if [[ $? -ne 0 ]]; then
        echo -e "\nFailed to run the application container.\n"
        exit 1
    fi
    echo ""
else
    echo "K2agent not installed."
    echo -e "Proceeding with the DYNAMIC attachment of the application \n"
    # Start MySql-Demo-App application container with Dynamic attachment
    echo -e "> Starting application docker container: $application_container"
    echo ""
    docker pull "$application_image"
    echo ""
    docker run -itd -p 8080:8080 --name "$application_container" "$application_image"
    if [[ $? -ne 0 ]]; then
        echo -e "\nFailed to run the application container.\n"
        exit 1
    fi
    echo ""
fi

# Wait for the application server to start
# (polls the container log for the Tomcat startup line, giving up on the fifth check)
while ! $application_server_status; do
    lines=$(docker logs "$application_container" | grep "$application_log" | wc -l)
    echo "Waiting for the application to start..."
    count=$((count+1))
    if [ $lines == 1 ]; then
        application_server_status=true
    elif [ $count == 5 ]; then
        echo "ABORTED"
        echo "Application did not start. Please check docker container logs."
        exit 1
    else
        sleep 30s
    fi
done
echo -e "\n> Application started successfully."

# Remove the existing K2HackBot Bundle if bundle_url is provided in the argument by the user.
if ! [ "$bundle_url" == "" ]; then
    default_hackbot_bundle=$bundle_url
    echo -e "\n> Removing existing K2HackBot bundle if already present in the $k2hackbot_root_dir directory."
    rm -rf "$k2hackbot_root_dir"/K2HackBot*
fi

# Install the K2HackBot Bundle
if [ ! -d "${k2hackbot_root_dir}/K2HackBot" ]; then
    echo -e "\n> Installing the K2HackBot bundle"
    cd "$k2hackbot_root_dir" || exit 1
    rm -f K2HackBot.tar.gz
    echo "  Downloading K2HackBot bundle using the URL: $default_hackbot_bundle"
    # No checksum or signature check is done on the download before install.sh is run.
    wget -t 2 -T 30 -O K2HackBot.tar.gz "$default_hackbot_bundle" > /dev/null 2>&1
    if [[ $? -ne 0 ]]; then
        echo ""
        echo "Network error. K2HackBot bundle cannot be downloaded."
        exit 1
    fi
    echo "  Extracting K2HackBot bundle"
    tar xf K2HackBot.tar.gz
    if [[ $? -ne 0 ]]; then
        echo ""
        echo "Failed to extract the K2HackBot tar file."
        exit 1
    fi
    cd K2HackBot/ || exit 1
    # Setup K2HackBot project
    echo -e "\n> Setting up the K2HackBot"
    bash install.sh
    if [[ $? -ne 0 ]]; then
        echo ""
        echo "Failed to setup the K2HackBot."
        exit 1
    fi
else
    echo "K2HackBot bundle found in $k2hackbot_root_dir directory"
    k2hackbot --version > /dev/null 2>&1
    if [[ $? -ne 0 ]]; then
        echo ""
        echo "k2hackbot command not found. Remove the existing K2HackBot from $k2hackbot_root_dir directory and rerun the script."
        exit 1
    fi
fi

# Set PATH variable for K2HackBot
mypath="$k2hackbot_root_dir/K2HackBot/bin"
export PATH=$mypath:$PATH
export LC_ALL="en_US.UTF-8"

# Create the K2HackBot config file
echo -e "\n> Updating config file for K2HackBot"
myid=$(docker ps | grep "$application_container" | awk '{print $1}')
privateip=$(hostname -I | awk '{print $1}')
is_k2agent_installed
check_k2_installation=$?
# The JSON is written with single quotes here and converted to double quotes by sed below.
if [[ $check_k2_installation == 1 ]]; then
    # k2agent not installed: no collectors directory in the config
    if [ "$k2m_email" == "" ] || [ "$k2m_password" == "" ]; then
        config_json="{'applicationIdentifier': {'containerid':'$myid'},'applicationurl': ['http://${privateip}:8080/DemoApplication-0.0.1-SNAPSHOT/']}"
    else
        config_json="{'applicationIdentifier': {'containerid':'$myid'},'applicationurl': ['http://${privateip}:8080/DemoApplication-0.0.1-SNAPSHOT/'], 'k2email': '$k2m_email', 'k2password': '$k2m_password'}"
    fi
else
    # k2agent installed: pass the collectors directory as k2icDirectoryPath
    if [ "$k2m_email" == "" ] || [ "$k2m_password" == "" ]; then
        config_json="{'applicationIdentifier': {'containerid':'$myid'},'applicationurl': ['http://${privateip}:8080/DemoApplication-0.0.1-SNAPSHOT/'], 'k2icDirectoryPath':'$mount_path'}"
    else
        config_json="{'applicationIdentifier': {'containerid':'$myid'},'applicationurl': ['http://${privateip}:8080/DemoApplication-0.0.1-SNAPSHOT/'], 'k2email': '$k2m_email', 'k2password': '$k2m_password', 'k2icDirectoryPath':'$mount_path'}"
    fi
fi
# This prints the K2 password to the terminal when one was supplied.
echo "> Using the following config JSON: $config_json"
rm -f "$k2hackbot_root_dir/K2HackBot/k2hackbot_config.json"
# Quoted so the shell does not word-split the JSON or treat [...] as a glob.
echo "$config_json" > "$k2hackbot_root_dir/K2HackBot/k2hackbot_config.json"
sed -i "s/'/\"/g" "$k2hackbot_root_dir/K2HackBot/k2hackbot_config.json"
echo -e "\n> Starting K2HackBot\n\n"
k2hackbot scan-web-application --config "$k2hackbot_root_dir/K2HackBot/k2hackbot_config.json"
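
The config-file step at the end of run_mysql.sh builds the JSON with single quotes, converts them with sed, echoes the result with the password in it, and writes the file under /tmp with the default umask. The following is an added example, not part of the K2 script: it emits the same keys with JSON escaping, masks the password for display, and creates the file with mode 0600. The function names are assumptions.

```bash
#!/bin/sh
# Added example, not part of run_mysql.sh. Key names are the ones the script writes;
# the function names are hypothetical.

# Escape backslash and double quote for a JSON string; reject control characters.
json_escape() (
    case $1 in
        *[[:cntrl:]]*) echo "control character in config value" >&2; exit 1 ;;
    esac
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
)

# build_config CONTAINER_ID APP_URL [EMAIL PASSWORD [K2IC_DIR]]
# Credentials are included only when both are given, as in run_mysql.sh.
build_config() (
    cid=$(json_escape "$1") || exit 1
    url=$(json_escape "$2") || exit 1
    json="{\"applicationIdentifier\": {\"containerid\": \"$cid\"}, \"applicationurl\": [\"$url\"]"
    if [ -n "$3" ] && [ -n "$4" ]; then
        email=$(json_escape "$3") || exit 1
        pass=$(json_escape "$4") || exit 1
        json="$json, \"k2email\": \"$email\", \"k2password\": \"$pass\""
    fi
    if [ -n "$5" ]; then
        dir=$(json_escape "$5") || exit 1
        json="$json, \"k2icDirectoryPath\": \"$dir\""
    fi
    printf '%s}\n' "$json"
)

# Same arguments as build_config, with the password masked: safe to echo or log.
redacted_config() (
    build_config "$1" "$2" "$3" "${4:+********}" "$5"
)

# write_config FILE JSON: recreate FILE so that only the owner can read it.
write_config() (
    umask 077     # new file gets mode 0600
    set -C        # noclobber: fail instead of writing if the path reappears
    rm -f -- "$1"
    printf '%s\n' "$2" > "$1"
)
```

In run_mysql.sh these functions would take the place of the config_json assignments, the echo of $config_json and the sed quote conversion.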
Options
--k2-email
Provide the registered K2 email. The default value is set to installer@k2io.com.
--k2-password
Provide the password corresponding to the registered K2 email.
--k2hackbot-bundle-url
Provide the K2HackBot Bundle URL.
--k2collector-path
The directory path where you want all the K2 related stuff to be downloaded.
Commands
Note: Before running the commands below, make sure you are in the directory that contains the run_mysql.sh script.
Command to display the help page:
$ bash run_mysql.sh --help
Usage: bash runscript_mysql.sh k2-hackbot-test --options [VALUE]
Options:
k2-email K2Cloud User Account Email
k2-password K2Cloud User Account Password
k2hackbot-bundle-url K2HackBot bundle URL
k2collector-path Path that contains K2agent collectors
Run the script when k2agent is NOT present on the machine:
bash run_mysql.sh --mode k2-hackbot-test
Run the script when k2agent is present on the machine:
In this case, make sure to pass the k2-email and the k2-password options. Use the same k2-email which was used while installing the k2agent on the machine.
bash run_mysql.sh --mode k2-hackbot-test --k2-email example@k2io.com --k2-password mypassword
Upgrade/Downgrade the K2HackBot Bundle:
The script supports installing a specific version of the K2HackBot if required. For this purpose, use the k2hackbot-bundle-url option.
bash run_mysql.sh --mode k2-hackbot-test --k2hackbot-bundle-url=<NEW_HACKBOT_VERSION_URL>
View Exploits
Detected Exploits will be shown on K2 Portal's Exploits Page.
Alternatively go to Exploits | K2 Portal