SQLi to Shell:1 Vulnhub Walkthrough

This exercise explains how, starting from a SQL injection, you can gain access to the administration console, and then how you can run commands on the system from the administration console.

This machine is for beginners and can be downloaded from here.

After installing From SQLi to Shell, we must find its IP address, as that is the first step to getting access to any machine. For this we use a tool named arp-scan. The command is:

arp-scan -l

After getting the IP address we need to scan it by using the tool NMAP.

nmap -sV <ip address>

-sV is used to probe open ports to determine service/version info. You can add more options as you see fit; for information about the other options, use nmap -h for help.

Manish Bhardwaj's Blog

Here we find two open ports, 22 and 80, and the services running on them are ssh and http.

http means some website is running on it, so let’s check on the browser. 

At the top right there are some options; let's check the one named test.

Here the URL carries a GET parameter, and on this machine it is vulnerable to SQL injection. There is one more interesting option at the extreme top right, named admin. Let's check it.

There we go: there is a login page, and its login and password can be found by SQL injection at the test URL.

The first step is to check the tables present in the website's database. The command is:

sqlmap -u <url> --tables

Here we found a table named user.

Let's check the columns of this table. The command for this is:

sqlmap -u <url> -T <table name> --columns

Here we found several columns, two of which are named login and password.

Let's dump them. The command for this is:

sqlmap -u <url> -T <table name> -C <column name> --dump

Here we get the login. To get the password, follow some steps.

With the help of this finding, I was able to log in.

Here we are logged in to the account, and what I found at the extreme right is a column named New picture; it seems we can upload something.

Now we can get a reverse shell by uploading a malicious file; this type of attack is called a file inclusion attack.

I tried to upload a .php file, but it was denied, so the .php extension check has to be bypassed. There are a few methods to bypass it, and one of them is to change .php to .pHP. To get the reverse shell file, just google reverse shell file .php.

I uploaded a file with the title Reverse Shell.

After that, start the listener in a terminal using netcat. The command is: nc -nvlp <port no>

Now click on the file you uploaded; in my case the name of the picture is Reverse Shell.

When you click it, a webpage will open. After that, check your listener: there you have got reverse access to it.

Damn, it's done, we got access to it.
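The upload form above rejected .php but accepted .pHP. As an added example (not the target application's code), the PHP below models such a case-sensitive blocklist next to a hardened allowlist check. Function names and sample files are constructed, and the fileinfo extension is assumed to be loaded.

```php
<?php
// Added example, not the target application's source. Function names and
// sample filenames are constructed for illustration.

// Weak (assumed model of the filter): case-sensitive blocklist.
// "shell.pHP" does not match ".php", yet a web server that maps
// extensions case-insensitively may still execute it.
function weak_is_allowed(string $name): bool
{
    return !preg_match('/\.php$/', $name);
}

// Hardened: allowlist on the lowercased final extension plus a content check.
const ALLOWED = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

function hardened_check(string $name, string $bytes): ?string
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        return null;                       // unknown or executable extension
    }
    // Detect the real type from the bytes, not from a client-supplied header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if ($mime !== ALLOWED[$ext]) {
        return null;                       // extension and content disagree
    }
    // Store under a server-generated name so the client controls no part of it.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed inputs: a 1x1 GIF and an inert PHP-tagged placeholder.
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
$samples = [
    ['photo.GIF',     $gif],
    ['shell.pHP',     "<?php /* placeholder */"],
    ['shell.php.gif', "<?php /* placeholder */"],
];
foreach ($samples as [$name, $bytes]) {
    printf("%-14s weak=%-5s hardened=%s\n", $name,
        weak_is_allowed($name) ? 'allow' : 'deny',
        hardened_check($name, $bytes) ?? 'deny');
}
```

The weak check allows all three names, while the hardened check accepts only the real GIF and renames it. Uploads should also be stored in a directory where the web server does not execute scripts, since a content check alone is not a complete control.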

Writer: Harsh is a penetration testing student at Azure Skynet. You can contact him here.
