Even more SQL Injection (this time I get an admin password) part 1

So I’ve been tinkering with SQL Injection for a while, trying to learn the ins and outs and the basics. I’ve previously posted on how to bypass username and password checks in vulnerable login forms, but this post will cover how to enumerate a vulnerable database and find the stored username/password.

This lab comes from PentesterLab, and is put together pretty well, with a couple of different approaches. I wanted to both learn how to manually test these fields, and also learn how to use SQLMap to test them. I’ve used it a little bit before, but not for this.

We have our virtual machine downloaded via the website: https://www.vulnhub.com/entry/pentester-lab-from-sql-injection-to-shell,80/#
The first step for this lab is to create a new virtual machine with the .iso file once it is downloaded. Start it up, and start your hacking box (for me, I used VMware Player with Kali Linux installed).

Since this box is password protected, you need to find the IP address it is running on.  You can use netdiscover before and after you boot up the test box to see which new IP address shows up (or if you know your home network well, you can just tell which one is new).

For me, the IP address of this machine was 192.168.120.134.  I started with a simple nmap scan:
nmap -p1-1000 192.168.120.134

This returned ports 22 and 80 as open.  Normally, for challenges I use -A, but since it takes a while, and I knew that this particular box was a web application challenge, I knew 80 would be open; I just wanted to see what else was too.

Since 80 is open, we can open up the browser and go to 192.168.120.134.  Here we see a webpage that stores and displays photos called ‘My awesome photoblog’.  At the top right of the website, there are pages you can go to: test, ruxcom, 2010, allpictures and admin.  If you click on test, it takes you to the webpage 192.168.120.134/cat.php?id=1
This is great, because the id parameter is passed straight into a database query, so you can test these pages for SQL injection.

Add a ' symbol to the end of the URL like this:
192.168.120.134/cat.php?id=1'
and you get a SQL error.  Instead of telling you that it is an invalid page, the application is passing the character you entered into the query and the database is treating it as part of the SQL statement.

Using the terms ‘order by’ and ‘union’ we can play around with the page like this:
192.168.120.134/cat.php?id=1 order by 1 (then 2, then 3, then 4, and finally 5)
and the pictures display like normal until the number is too large.  This tells you how many columns the query returns, and in this case, since we get the error at 5, there are only 4 columns.
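To show why the quote and ORDER BY probes behave as they do, here is an added example (not from the lab or this post) that rebuilds the cat.php style of query in Python over a constructed SQLite table, beside a fixed version that binds the id as a parameter; the table, column names and rows are assumed.

```python
import sqlite3

# Constructed stand-in for the photoblog: a 4-column table read by
# cat.php?id=<n>. Schema and rows are invented for this example.
SCHEMA = """
CREATE TABLE pictures(id INTEGER, title TEXT, img TEXT, cat INTEGER);
INSERT INTO pictures VALUES (1, 'sample one', 'one.jpg', 1),
                            (2, 'sample two', 'two.jpg', 1);
"""
CONN = sqlite3.connect(":memory:")
CONN.executescript(SCHEMA)


def cat_vulnerable(id_param):
    """String-concatenated query, the pattern behind the lab's cat.php.
    Returns the rows, or the database error text (which the lab page
    echoes back to the visitor, so every syntax error is visible)."""
    sql = "SELECT id, title, img, cat FROM pictures WHERE cat=" + id_param
    try:
        return CONN.execute(sql).fetchall()
    except sqlite3.Error as e:
        return "SQL error: " + str(e)


def cat_fixed(id_param):
    """Hardened version: the id is validated as an integer and bound as a
    query parameter, so user input can never change the SQL text."""
    try:
        cat_id = int(id_param)
    except ValueError:
        return []  # treated as 'no such page', not as an SQL error
    sql = "SELECT id, title, img, cat FROM pictures WHERE cat=?"
    return CONN.execute(sql, (cat_id,)).fetchall()


def probe(handler):
    """Send the three inputs from the post (a stray quote, ORDER BY 4 and
    ORDER BY 5) and report which ones the handler answers with an SQL
    error. With the vulnerable handler, ORDER BY 5 fails because the
    query only returns 4 columns; the fixed handler never errors."""
    results = {}
    for payload in ["1'", "1 order by 4", "1 order by 5"]:
        out = handler(payload)
        results[payload] = isinstance(out, str) and out.startswith("SQL error")
    return results
```

The same error-versus-no-error difference is what you watch for in the browser, and the fixed handler shows what a server log would look like after the parameter is bound instead of concatenated.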


Post Author: InfoSecJon

Info Sec Professional, Pen-Testing noob
