Shell with SQLi


The course is part of this learning path

Start course

This course provides you with a deep dive into SQL Injections, covering some of the more advanced techniques. We're going to see what a blind injection is and look at the alternative tests that we can use to find SQL vulnerabilities. We're going to talk about hex representations, reading and writing files and we're also going to see how to hack into a server using a SQL Injection type of vulnerability. 


Hi. Within this lecture, we're going to see how we can use this read and write vulnerability in this SQL Injection site and gain a shell access to the web server itself. So, we're basically going to hack into the website using a SQL Injection vulnerability, which is a little bit advanced and it's hard to detect. But if you can do it, it's a great bug bounty. You're definitely going to get rewarded for this. And here is how it works. As you know, we managed to write something into the server using SQL Injection in the previous lecture, right? So, rather than writing some stuff like test, we're going to write a code that executes a PHP shell like we did in the But this time we're not going to use, rather we're going to use a simple PHP code in here. So, let me write the code and you will see what it is. So, you write it like that- passthru. Okay. And this passthru command will execute and Linux commands that we have seen before. So, I'm going to write if config and see my IP address, yep, It's . I'm going to run a NetCat over here like we have done before with port 1234. And don't forget to add this executive bin bash thing as well. So, this is exactly the same code that we have run before  or either SH or bash. Whatever works for you, okay. Let's try SH this time I believe we have tried bin bash before. So, I'm going to close the PHP tag over there. So, this is a PHP code, and it executes a command in the terminal in the Linux system in the web server if we managed to write it. Okay, so let me take a note. So, this is a PHP reverse shell. So, if you can execute this on the web server, then you're definitely going to get a reverse shell back, and I'm going to change this to this. Okay. Rather than saying, test, I'm going to write exactly this into the file into the TMP folder, temp folder again. And rather than test.txt, I'm going to call this something else. Something like a shell.txt or shell.php or myshell.php. So, that's it. Actually, this is the easy part because as you can see, we are writing this into the temp directory and it will definitely work. But the hard part is to find this file and click on it, right? Right now, I cannot actually go to that file because if I love to write this on images or if I'm allowed to write this on any directory that I have access to, for example, var/www.html, then my work should be very easy. Or var/www/dvwa So, it would be very easy, but if we test this as you can see, it says that you cannot write to that file. We are not allowed to write to that file. Generally, there is some sort of protection to write to that kind of folder but most of the time you can write into the TMP folder, because TMP folder is for temporary projects, temporary files and stuff. So, it's not generally locked like the other files as you can see, we managed to write it in the TMP folder. So, rather than just finding this on the website, we're going to hack into this using a directory traversal in the dvwa. So, if I just write myshell.php, it won't work. If I manage to write this under var/www/, then it would work. But right now I can use directory traversal to go into the temp folder and just click on that file so that I can listen for incoming connections and then hack into it. If this website hadn't have the directory traversal, then I shouldn't be bothered at all because I couldn't have done it. So, let me just listen this with ncnvlp 1234 like we have done before. And let me show you how directory traversal works in this case. So, if you go to this file inclusion, as you can see, it's showing us some web page called include.php. But rather than that, I'm just going to try the directory traversal here to see Etsy password. So, I believe it didn't work. Let me try with one more depth. It didn't work either. Let me try one more time. It didn't work as well. So, I believe it was four or five, I don't know. Let me try and see if we can make this work with more one here. Here we are. Now it works. So, it's 12345 and then Etsy password. So, we have covered this, how directory traversal works. So, rather than Etsy password, then I'm going to change this to temp, temporary TMP and then just write myshell.php and it will execute that myshell.php. Even though it didn't show it there, it got executed because if we come over here, here we go now, we get the connection back from the server. Now we hacked into the server practically. If I run some commands, then it will get executed on the server rather than my own Kali Linux right now. So, again, it wasn't easy to find this. It wasn't easy to execute this as well. So, maybe you can try to write this directly on the web server. If it doesn't work, then you can just search for a directory traversal or any kind of folder or file that you may access rather than TMP on a regular website. Okay? But in this case, we made it work just combining the SQL Injection and directory traversal together. So, again, this is a little bit hard. But if you find it, then it's great, because you're going to get a big bounty out of this, most probably. And again, if SH doesn't work, just go for bash. If this 1234 doesn't work, just go for another port like 5050, 4040, 4444, 5555, 8080. So, let me run ls. As you can see, it doesn't run on Kali Linux,  but it works on the web server. So, it works. So, let me run pwd inside of the var/www/dvwa/vulnerabilities. So, who am I? We are data. So far so good. Now we're going to stop here and see how we can automize all of this stuff to find SQL Injection vulnerabilities in a much faster and much better way.

About the Author
Learning Paths

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.