Pentesterlab--From SQL Injection to Shell

All warfare is based on deception. Hence, when we are able to attack, we must seem unable; when using our forces, we must appear inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near. —– The Art of War

This course details the exploitation of SQL injection in a PHP based website and how an attacker can use it to gain access to the administration pages.

Difficluty: 2/5


  • Nmap
  • NC
  • wfuzz
  • sqlmap
  • Burp
  • webshell

Detail Assessment and Planning

  • Port scan to identify opened ports, running services and services version. —-Nmap
  • Check php version and other http headers. —-NC
  • Scan all requests and pages. —-wfuzz
  • SQL injection and get admin password. —- sqlmap
  • Get the php request path. —-Burp
  • Get the web shell —- webshell

Waging War

Weaknesses and Strengths

Used Nmap to idenfity opened ports. TCP port 80 is opened and Apache service is running on it.

By checking the application HTTP headers with nc, I can get php version.

GET / HTTP/1.1

The tool wfuzz can be used to detect directories and pages on the web server using brute force.

 python -c -z file,wordlist/general/big.txt --hc 404 

 python -c -z file,wordlist/general/big.txt --hc 404 


There is one page I want to try cat.php

In order to upload my websell, one thing I need to do is get admin. I use sqlmap to dump user’s information:

sqlmap -u " sqlmap -u "" --dump", after a while, I got this:

looks like I get the admin’s password is P4ssw0rd and md5 hash. I also use John and ripper to verifyed the md5, the result matches P4ssw0rd.

Lets try to login use this password:

success….. keep going.

There is a page can be used to upload new picture.

Let’s try to upload php web shell.


The result is:

The application filters .php file.

Okay, let’s try to change the file name to upload2.php3 with the same code.


Then I want to get the path to that page using Burp

get the shell: