SQL Injection & Remote Code Execution - Double P1

Hello everyone I thought of sharing my recent finding of Double P1 which recently got solved and they are sending me Goodie Pack for it. It was a Responsible Disclosure program on which I found this. I found SQLi first and it was a normal database version disclosure so they said we can accept it only when you find something interesting, so I tried to exploit more and got the admin credentials, this SQLi was tough for me. Later after 3 days I enumerated one of its subdomain and found phpmyadmin, I randomly tried the credentials that I obtained using SQLi and I got the access. Then I used a simple PHP script to upload my shell and then I got a RCE.

Company Message 1
Company Message 2

Summary :

Everyone knows what is SQLi and what is RCE, so I’m not going to give a brief in this blog. I’ll be sharing the technique and cheat sheet that I used for exploitation.

For SQLi I used https://dev.mysql.com/doc/refman/8.0/en/select.html for knowing the query structure, it helped me a lot in exploiting SQLi on the website. I was only able to find the name of database, table names, column names and database version. But I wanted to exploit it more to because I wanted admin credentials so I googled SQLi cheatsheet and found this http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet. It helped me a lot and finally I found the admin credentials. It was a hash obviously, so I used https://crackstation.net/ to crack the hash. I also wanted to check schema table because it contains a lot of information so I used this : https://dev.mysql.com/doc/refman/8.0/en/information-schema.html.

For Remote code execution I used a simple payload inside phpmyadmin page and I got RCE.

Payload : SELECT “<?php system($_GET[‘<anyParameter>’]); ?>” into outfile “/var/www/html/<filename>.php”

I found SQLi vulnerability on 2nd level subdomain and RCE was on 3rd level subdomain.

How I found this vulnerability ?

  1. I found a parameter and 1st I tried for SSRF but it didn’t work so I thought of trying SQLi, I started with SQLi basic testing and took a help from here : http://www.securityidiots.com/Web-Pentest/SQL-Injection/MSSQL/MSSQL-Error-Based-Injection.html
Database Version
Database Name

3. Then I thought of identifying the user so for that I used a simple user() function

User name

It was simple till here but they told me to exploit more if I want them to accept my report. So I started researching for further exploitation.

4. I exploited further and found a table name from the schema table

Table Name

5. I wanted to check for some more tables so I used limit statement. I found a table hotel but this is the one I found previously.

Table Name

NOTE : LIMIT statement is used to retrieve records from one or more tables in a database and limit the number of records returned based on a limit value. “LIMIT statement is not supported in all SQL databases.”

6. The next step was to find how many tables are there so I changed the query of limit (check the below screenshot for query)

Table Name
Table Name

7. Now I had 3 tables so I wanted to find the columns from the table schema.

NOTE : We had total of three tables so I performed the query accordingly

Column Names along with the table name

8. I changed the table_schema name to mysql to find what is there in it and I found many important tables and columns

Column Names along with the table name

9. Next step was to find the admin username and password, I found the credentials and reported to them. But later after 3 days I enumerated the subdomain of a subdomain and lucky those credentials worked their on phpmyadmin page which led me to RCE

Admin Credentials

Phase 2 (RCE) :

  1. Found the phpmyadmin page, in the credentials obtained the password was in a hash form so I used online tool to crack it
phpmyadmin

2. I used a simple query to put my file on the server and check for RCE

Putting my file for RCE

3. And I successfully got the RCE

Remote Code Execution

4. I wanted to exploit it further to get a system shell-back so I used a simple python script from http://pentestmonkey.net/ to get a system shell I was successful

Python Script
System Shell

|Penetration Tester| |Hack The Box| |Digital Forensics| |Malware Analysis|

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store