Sqli to Shell Walkthrough



This write-up  explains how one can, go from a SQL injection to shell &  gain access to the administration console.

one can download the practice iso from here



Description about challenge:-Difficulty: EASY
This exercise explains how you can, from a SQL injection, gain access to the administration console, then in the administration console, how you can run commands on the system.

Walkthrough with screenshot

Post configuration of iso you should be able  to access the application on yoru browser and it will present you a web page something like below .IP may appear different according  to your setting



Example url in my case :
http://192.168.0.102/show.php?id=1

The above url is vulnerable to sql injection ,which can be seen in error below on appending the a single quote(') at the end of parameter value of id.[as show below]
Now to confirm the number of columns in database one can use "order by " statement
after confirming the number of columns let us join two queries to see the output


Now to see the table names in our database we can do some thing like below

so figured out there are  tables  exist in db [as picture shown above],needless to say I have chosen the users tables and dump its columns values

Finding the columns values as shown below

Just go to the some hash killer site which maintains database for such hashes,or you can script in python or use some exisiting tools to get the hash

P4ssw0rd.

using admin : P4ssw0rd I can login into the admin panel of web app

There is uploading feature in admin dashboard ,let us try to look for insecure file uploading .when tried to upload a php file instead of valid image.returned error
Lets try to bypass it


so php is blocked but not php3 so uploaded a php3

now shelling the sever using a popular widely availble php shell,Now using the shell one can start a netcat listener on web server and connect it suign the netcat.doing further exploitation.
SHARE
  • Image
  • Image
  • Image
  • Image
  • Image
    Blogger Comment
    Facebook Comment

0 comments:

Post a Comment