This write-up explains how one can go from a SQL injection to a shell and gain access to the administration console.
One can download the practice ISO from here
Description about challenge:
Difficulty: EASY
This exercise explains how you can, from a SQL injection, gain access to the administration console, and then, in the administration console, how you can run commands on the system.
Walkthrough with screenshot
After configuring the ISO, you should be able to access the application in your browser, and it will present a web page something like the one below. The IP may differ according to your settings.
Example URL in my case:
http://192.168.0.102/show.php?id=1
The above URL is vulnerable to SQL injection, which can be seen in the error below on appending a single quote (') to the end of the value of the id parameter [as shown below].
Now, to confirm the number of columns in the database, one can use an "order by" statement.
After confirming the number of columns, let us join two queries to see the output.
Now, to see the table names in our database, we can do something like below.
So I figured out which tables exist in the db [as the picture above shows]; needless to say, I have chosen the users table and dumped its column values.
Finding the column values as shown below.
Just go to some hash killer site which maintains a database for such hashes, or you can script it in Python or use some existing tools, to get the password behind the hash:
P4ssw0rd.
Using admin : P4ssw0rd I can log in to the admin panel of the web app.
There is an upload feature in the admin dashboard, so let us look for insecure file uploading. When I tried to upload a PHP file instead of a valid image, it returned an error.
Let's try to bypass it.
So php is blocked but not php3, so I uploaded a php3 file.
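Why the filter behaves this way, and what a corrected check looks like, as an added example that is not the exercise application's code. The function names are hypothetical, the sample uploads are constructed, and the weak check is an assumption inferred from the behaviour seen above (only the php extension is refused).

```php
<?php
// Added example: hypothetical helpers, not the exercise application's code.

const ALLOWED_IMAGE_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

// Weak check (assumed): refuses only ".php", so any other extension the
// web server maps to the PHP handler is still accepted.
function denylist_accepts(string $name): bool
{
    return strtolower(pathinfo($name, PATHINFO_EXTENSION)) !== 'php';
}

// Hardened check: the extension must be on the allow-list AND the type
// detected from the bytes must match it. Returns a server-chosen file
// name to store under, or null when the upload is rejected.
function allowlist_store_name(string $name, string $bytes): ?string
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGE_TYPES[$ext])) {
        return null;
    }
    $detected = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if ($detected !== ALLOWED_IMAGE_TYPES[$ext]) {
        return null;
    }
    // Never reuse the client-supplied name on disk.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample uploads: [client file name, file content].
$gif = "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff;";
$samples = [
    ['photo.gif', $gif],
    ['page.php',  '<?php echo 1;'],
    ['page.php3', '<?php echo 1;'],
    ['page.gif',  '<?php echo 1;'],
];
foreach ($samples as [$name, $bytes]) {
    printf("%-10s denylist=%-6s allowlist=%s\n", $name,
        denylist_accepts($name) ? 'accept' : 'reject',
        allowlist_store_name($name, $bytes) === null ? 'reject' : 'accept');
}
```

Content sniffing does not make a file inert, so the upload directory should also be served with script execution disabled.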
Now shelling the server using a popular, widely available PHP shell. Using the shell, one can start a netcat listener on the web server and connect to it using netcat, for further exploitation.