PentesterLab -- From SQL Injection to Shell
All warfare is based on deception. Hence, when we are able to attack, we must seem unable; when using our forces, we must appear inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near. — The Art of War
This course details the exploitation of SQL injection in a PHP based website and how an attacker can use it to gain access to the administration pages.
Detail Assessment and Planning
- Port scan to identify open ports, running services and service versions — Nmap
- Check the PHP version and other HTTP headers — nc
- Brute-force directories and pages on the web server — wfuzz
- SQL injection to get the admin password — sqlmap
- Get the PHP request path of the uploaded file — Burp
- Get the web shell — webshell
Weaknesses and Strengths
Used Nmap to identify open ports. TCP port 80 is open and an Apache service is running on it.
By checking the application's HTTP headers with nc, I can get the PHP version.
The tool wfuzz can be used to detect directories and pages on the web server using brute force.
There is one page I want to try: cat.php.
In order to upload my web shell, one thing I need to do is get admin access. I use sqlmap to dump the users' information:
sqlmap -u "http://192.168.79.165/cat.php?id=2" --dump; after a while, I got this:
It looks like the admin's password is P4ssw0rd, stored as an MD5 hash. I also used John the Ripper to verify the MD5; the result matches P4ssw0rd.
Let's try to log in using this password:
Success... keep going.
There is a page that can be used to upload a new picture.
Let's try to upload a PHP web shell.
The result is:
The application filters .php files.
Okay, let's try to change the file name to upload2.php3 with the same code.
Then I want to get the path to that uploaded file using Burp.
Get the shell:
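As an added example (my own code, not the write-up's or the PentesterLab exercise's), here is the kind of single-extension denylist that lets upload2.php3 through, beside an allowlist check that rejects it; the function names, the allowed-extension list and the $tmpPath parameter are my assumptions.

```php
<?php
// Added example, not the exercise's own code. Two ways an upload
// handler might decide whether a file name is acceptable.

// Weak check: a denylist of one extension. "upload2.php" is rejected,
// but "upload2.php3" passes, which is what the write-up relies on,
// because the web server may hand .php3 to the PHP interpreter as well.
function denylist_allows(string $filename): bool {
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return $ext !== 'php';
}

// Stronger check: only a fixed set of image extensions is accepted, the
// stored name is generated server-side so the client's name never reaches
// disk, and the file content is verified to actually be an image.
const ALLOWED_IMAGE_EXT = ['jpg', 'jpeg', 'png', 'gif'];

function allowlist_allows(string $filename): bool {
    // Reject names with more or fewer than one dot ("x.php.png" style
    // double extensions) and anything outside the allowlist.
    if (substr_count($filename, '.') !== 1) {
        return false;
    }
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_IMAGE_EXT, true);
}

// Server-side name: random, with an extension taken from the allowlist,
// so the stored name never depends on client input.
function stored_name(string $ext): string {
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Content check with finfo on the temporary upload path (hypothetical
// $tmpPath; in a handler it would be $_FILES['image']['tmp_name']).
function is_image_content(string $tmpPath): bool {
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    return in_array($mime, ['image/jpeg', 'image/png', 'image/gif'], true);
}

// Constructed sample names, including the write-up's two attempts.
foreach (['upload2.php', 'upload2.php3', 'cat.png'] as $name) {
    printf("%-13s denylist=%s allowlist=%s\n", $name,
        denylist_allows($name) ? 'allow' : 'reject',
        allowlist_allows($name) ? 'allow' : 'reject');
}
```

File-name checks are only part of the mitigation: the upload directory should also be configured so the web server never executes scripts from it.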