SQLi to Shell
First things first, I downloaded the VM and, as this was a grey-box test, I minimised the VM I would be attacking so I knew nothing about it, then I scanned a range of IPs on my network, as shown in Fig 1.
[Fig 1]
I saw two open ports (SSH & HTTP). It would be pointless going after SSH, so I looked at what was running on port 80. It turns out there was a 'Photoblog' which was hosting a couple of images. A quick click through the hyperlinks showed that these images were being stored in a database, as I could replace the ID and see a different picture (Fig 2).
[Fig 2]
The ID number represented a different picture in the database. This meant that there *could* be some juicy information in the database.
[Fig 3]
I knew there was a SQLi to be had on this machine, since the title on VulnHub said so, so I began working on it, first finding out what database version was running (Fig 4):
[Fig 4]
And what user was currently active on the webserver (Fig 5):
[Fig 5]
I could have spent a short while manually doing a SQLi attack, but to save time, I used a tool to fetch the column names/rows for further recon (Fig 6):
[Fig 7]
I thought this was going to be fruitless, as I wasn't presented with any passwords at first; that was, until I scrolled down and saw a hash which had already been cracked for me. I now had a login of 'admin' and a password of 'P4ssw0rd' (Fig 8).
[Fig 8]
Next, I logged into the webserver and browsed to the upload page. I tried uploading a shell (Fig 9):
[Fig 9]
But a nice little curveball: PHP uploads were not allowed! This took me longer than it should have to figure out how to bypass it. I was wondering whether a .htaccess file was sitting on the server blocking PHP uploads (Fig 10):
[Fig 10]
I renamed my shell to shell.php5, thinking that this would bypass the filter, which it did! (Fig 11):
[Fig 11]
I now looked at the source and navigated to where the shell was located (Fig 12):
[Fig 12]
Unfortunately, the .php5 file was just offered as a download rather than executed, so I went back and changed the extension to .php3 in the end (Fig 13):
[Fig 13]
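The upload filter described above only blocks the one extension it knows about, which is why shell.php5 and shell.php3 got through. Below is an added example (mine, not code from the Photoblog application or from the original post, and written in Python rather than the app's PHP) contrasting that deny-list check with an allow-list check that also rejects double extensions and verifies the file's magic bytes; the set of PHP-like extensions is an assumption about typical Apache mod_php handler configuration.

```python
# Extensions that Apache's mod_php is commonly configured to execute (assumed
# typical config, not taken from the VM). The weak filter only knows about one
# of them, which is the gap the walkthrough exploits.
PHP_LIKE = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}
ALLOWED_IMAGE_EXT = {"jpg", "jpeg", "png", "gif"}
# Magic bytes for the image types the photoblog should accept.
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def weak_filter(filename: str) -> bool:
    """Deny-list check of the kind the post bypasses: rejects 'shell.php'
    but lets 'shell.php3' and 'shell.php5' straight through."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext != "php"


def strict_filter(filename: str, content: bytes) -> bool:
    """Allow-list check: the final extension must be an image extension, no
    PHP-like segment may appear anywhere in the name (Apache AddHandler can
    match 'shell.php3.jpg'), and the content must carry matching magic bytes."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[-1] not in ALLOWED_IMAGE_EXT:
        return False
    if any(p in PHP_LIKE for p in parts[:-1]):
        return False
    kind = next((k for magic, k in MAGIC.items() if content.startswith(magic)), None)
    claimed = "jpg" if parts[-1] == "jpeg" else parts[-1]
    return kind == claimed


if __name__ == "__main__":
    # Constructed sample uploads: a PHP payload renamed as in the post, and a real JPEG header.
    for name, data in [("shell.php", b"<?php "), ("shell.php5", b"<?php "),
                       ("shell.php3.jpg", b"<?php "), ("photo.jpg", b"\xff\xd8\xff\xe0")]:
        print(f"{name:16} weak={weak_filter(name)!s:5} strict={strict_filter(name, data)}")
```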
Finally, I had an LFI which allowed me to execute code on the server (Fig 14).
[Fig 14]
I set up my listener and got the reverse shell (Fig 15). The shell was limited and I couldn't seem to escalate it, so I left it at that. In a real-world test, patching the SQLi vector, together with a stronger, more complex password that couldn't be cracked so easily, would have stopped me getting the shell.
[Fig 15]
Thanks for reading! Many more to come!