This exercise explains how you can, from a SQL injection, gain access to the administration console, and then how, from the administration console, you can run commands on the system.
This machine is for beginners and can be downloaded from here.
After installing FROM SQLI TO SHELL, we must find its IP address, since that is the first step towards getting access to any machine. For this we use a tool named arp-scan. The command for it is:
After getting the IP address, we need to scan it using the tool Nmap.
nmap -sV <ip address>
-sV probes open ports to determine service/version info. You can use more options as you see fit; run nmap -h for help with the available options.
Here we see two open ports, 22 and 80, running the services SSH and HTTP.
HTTP means a website is running on the machine, so let's check it in the browser.
At the top right there are some options; let's check another of them, test.
Here we found a GET parameter in the URL, and it turns out to be vulnerable to SQL INJECTION. There is one more interesting option at the extreme top right, admin. Let's check it.
There we go: there is a login page, and its login and password can be found by SQL INJECTION at the test URL.
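To show why a parameter taken straight from the URL can be injectable, here is an added example (not part of the original walkthrough or of the exercise's own code). It builds a constructed, in-memory SQLite stand-in for the machine's user table, runs the same crafted value through a query assembled by string concatenation and through a parameterised query, and returns what each one gives back. The table layout, column names and sample rows are assumptions modelled on what the walkthrough finds later.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the exercise's 'user' table (assumed layout)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (id INTEGER PRIMARY KEY, login TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO user (login, password) VALUES (?, ?)",
        [("admin", "<hash-placeholder>"), ("alice", "<hash-placeholder>")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_id):
    """Builds the statement by concatenating the raw GET parameter.

    This is the shape of query that sqlmap exploits: whatever the client puts
    in the parameter becomes part of the SQL text itself.
    """
    sql = "SELECT login FROM user WHERE id = " + user_id
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, user_id):
    """Validates the parameter's type, then binds it as a value.

    A bound parameter reaches the database as data and is never parsed as
    SQL, so a crafted input cannot change the structure of the query.
    """
    try:
        ident = int(user_id)
    except (TypeError, ValueError):
        return []  # not an id at all; reject before touching the database
    return [
        row[0]
        for row in conn.execute("SELECT login FROM user WHERE id = ?", (ident,))
    ]


def demo():
    """Runs one crafted value through both code paths and reports the results."""
    conn = make_db()
    crafted = "1 OR 1=1"  # constructed input: a condition instead of an id
    return {
        "vulnerable": lookup_vulnerable(conn, crafted),  # every login comes back
        "safe": lookup_safe(conn, crafted),              # rejected outright
        "safe_legit": lookup_safe(conn, "1"),            # normal use still works
    }


if __name__ == "__main__":
    print(demo())
```

The concatenated version returns every row because the input turns the WHERE clause into a condition that is always true; the bound version never sees SQL in the value, and the explicit integer check rejects the input before the database is even asked.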
The first step is to list the tables present in the website's database.
The command is: sqlmap -u <url> --tables
Here we found a table named user.
Let's check the columns of this table. The command for this is
sqlmap -u <url> -T <table name> --columns
Here we found some columns, two of which are named login and password.
Let's dump them. The command for this is
sqlmap -u <url> -T <table name> -C <column name> --dump
Here we get the login; to get the password, follow a few more steps.
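From the defender's side, the enumeration above leaves a recognisable trail in the web server's access log. The following is an added example, not code from the original post or from the exercise: it parses a few constructed Apache combined-format log lines and flags requests whose User-Agent announces sqlmap or whose query-string values contain common injection probe patterns, then groups the hits by client IP. The log lines, the 192.0.2.x addresses and the path /cat.php are all made up for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Coarse signatures of the probes an automated SQL injection tool sends.
INJECTION_PATTERNS = [
    re.compile(r"\bUNION\b.*\bSELECT\b", re.I),
    re.compile(r"\b(AND|OR)\s+\d+\s*=\s*\d+", re.I),        # boolean checks: 1 AND 1=1
    re.compile(r"'\s*(AND|OR)\s+['\d]", re.I),               # quote-breaking variants
    re.compile(r"\b(SLEEP|BENCHMARK|PG_SLEEP)\s*\(", re.I),  # time-based checks
]

# Constructed sample log (not from the exercise); 192.0.2.0/24 is a documentation range.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /cat.php?id=1 HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Oct/2023:13:56:01 +0000] "GET /cat.php?id=1%20AND%201=1 HTTP/1.1" 200 1234 "-" "sqlmap/1.x (https://sqlmap.org)"
192.0.2.77 - - [10/Oct/2023:13:56:02 +0000] "GET /cat.php?id=1%20UNION%20SELECT%201,2 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:13:57:10 +0000] "GET /admin/login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def analyze(line):
    """Returns the parsed request plus the reasons it looks like injection probing."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    if "sqlmap" in m["ua"].lower():
        reasons.append("sqlmap user-agent")
    # parse_qsl percent-decodes the values, so the patterns see plain text.
    query = urlsplit(m["path"]).query
    for key, value in parse_qsl(query, keep_blank_values=True):
        if any(p.search(value) for p in INJECTION_PATTERNS):
            reasons.append(f"injection pattern in parameter '{key}'")
    return {"ip": m["ip"], "path": m["path"], "reasons": reasons}


def flagged_sources(log_text):
    """Groups flagged requests by client IP so the noisy source stands out."""
    hits = {}
    for line in log_text.splitlines():
        result = analyze(line)
        if result and result["reasons"]:
            hits.setdefault(result["ip"], []).extend(result["reasons"])
    return hits


if __name__ == "__main__":
    for ip, reasons in flagged_sources(SAMPLE_LOG).items():
        print(ip, reasons)
```

The third sample line is deliberately sent with an ordinary browser User-Agent: a tool's default User-Agent is the easiest thing for an attacker to change, so the query-string patterns are what carry the detection, and the User-Agent match is only a bonus.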
With the help of this finding, I was able to log in.
Here we are logged into the account, and at the extreme right I found a column, New picture; it seems we can upload something.
Now we can get a reverse shell by uploading a malicious file; this type of attack is called a FILE INCLUSION ATTACK.
I tried to upload a .php file but it was denied. There are a few methods to bypass the .php extension check, and one of them is changing .php to .pHP. To get the reverse shell file, just google reverse shell file .php.
I uploaded a file with the title Reverse Shell.
After that, start the listener in a terminal using Netcat. The command is: nc -nvlp <port no>
Now click on the file you uploaded; in my case the name of the picture is Reverse Shell.
When you click it, a webpage will open; after that, check your listener, where you will have got reverse access.
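The upload check on this machine fails because it compares the extension case-sensitively, which is all the .pHP rename needs. As an added example (not the exercise's code and not from the original post), the following contrasts that naive check with a hardened one that normalises case, allows only an explicit list of image extensions, verifies that the file's leading bytes match the claimed type, and discards the client-supplied name in favour of a random server-side one. The extension allowlist, the magic-byte table and the sample inputs are assumptions.

```python
import os
import secrets

# Assumed allowlist for a "New picture" upload and the leading bytes each type must carry.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def naive_filter(filename):
    """Case-sensitive denylist of the kind the walkthrough bypasses with .pHP.

    Returns True when the upload would be accepted.
    """
    return not filename.endswith(".php")


def hardened_filter(filename, content):
    """Returns the server-side name to store the file under, or None to reject it.

    Checks, in order: the extension (lower-cased) is in an explicit allowlist,
    the content starts with that type's magic bytes, and the client-supplied
    name is thrown away in favour of a random one, so tricks in the original
    name (case, double extensions, path separators) never reach the filesystem.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    _, ext = os.path.splitext(base)
    ext = ext.lstrip(".").lower()
    if ext not in ALLOWED_TYPES:
        return None
    if not content.startswith(ALLOWED_TYPES[ext]):
        return None
    return f"{secrets.token_hex(16)}.{ext}"


def compare(filename, content):
    """Shows the two decisions side by side for one constructed upload."""
    return {
        "naive_accepts": naive_filter(filename),
        "hardened_stores_as": hardened_filter(filename, content),
    }


if __name__ == "__main__":
    # Constructed inputs: a script renamed to .pHP, and a real-looking PNG header.
    print(compare("Reverse Shell.pHP", b"<?php"))
    print(compare("Photo.PNG", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8))
```

Random renaming also defuses names such as something.php.png: the file is accepted only if it really starts like a PNG, and it is then stored under a name that contains no .php at all. Saving uploads outside the document root and serving them with a fixed image Content-Type closes the remaining gap, since nothing in the upload directory is ever handed to the PHP interpreter.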
Damn, it's done, we got access.
Visit Cosmicskills to get the Cyber Security Certification Bundle.
#ctf #azureskynet #manishbhardwaj #cosmicskills #oscp #htb #vulnhub #ethicalhacking #hacking #penetrationtesting