Tips for an Information Security Analyst/Pentester career - Ep. 23: Shell from SQL injection
This post follows up on my previous post, Tips for an Information Security Analyst/Pentester career - Episode 9: DVWA (SQL injection), and especially on a conversation I had on Peerlyst with Claus Cramon Houmann about it.
In this case, I'm going to show how to obtain a shell from a SQL injection by using sqlmap on DVWA (Damn Vulnerable Web Application).
I used two virtual machines for this purpose: DVWA was installed on an Ubuntu machine, and the attacking machine was running Kali Linux 2 2017 (for more details on how I set up the attack, please see the embedded video).
Given this configuration, I launched the attack by running the following command:
sqlmap -u "http://192.168.31.129/dvwa/vulnerabilities/sqli/?id=3&Submit=Submit#" --cookie="PHPSESSID=advlvrhc0i90g6crlirs6cd4;security=low;" --os-shell
As the permissions on the document root folder are set to 755, we cannot write to it, and so we don't get a shell.
However, if they were wrongly configured as 777, we could pop a shell, as shown below, even though I was unable to get root privileges or to spawn an interactive shell.
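The 755 versus 777 difference above can be checked from the defender's side before anyone points a tool at the server. The following is an added example, not part of the original post: it walks a document root and lists every directory where a given account could create files. The sample tree, the `uploads` directory name and the service account's uid are constructed assumptions.

```python
import os
import stat
import tempfile

def can_create_files(st, uid, gids):
    """True if the identity (uid, gids) has write+search permission on a directory."""
    if uid == 0:
        return True  # root bypasses the mode bits
    if st.st_uid == uid:
        bits = (stat.S_IWUSR, stat.S_IXUSR)
    elif st.st_gid in gids:
        bits = (stat.S_IWGRP, stat.S_IXGRP)
    else:
        bits = (stat.S_IWOTH, stat.S_IXOTH)
    return all(st.st_mode & b for b in bits)

def audit_docroot(root, uid, gids):
    """Return [(path, octal_mode)] for directories under root where uid/gids can drop files."""
    findings = []
    for dirpath, _dirnames, _files in os.walk(root):
        st = os.lstat(dirpath)
        if stat.S_ISDIR(st.st_mode) and can_create_files(st, uid, gids):
            findings.append((dirpath, format(stat.S_IMODE(st.st_mode), "03o")))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample: a docroot at 755 with one directory left at 777."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.chmod(root, 0o755)
    for name, mode in (("dvwa", 0o755), ("uploads", 0o777)):
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, mode)  # chmod after mkdir so the umask does not interfere
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    owner = os.lstat(root).st_uid
    # Assumption: the account the injected query runs as is a separate,
    # non-root service user that does not own the docroot.
    service_uid, service_gids = owner + 1000, set()
    for path, mode in audit_docroot(root, service_uid, service_gids):
        print(f"{mode} {path}  <- writable by service account")
```

On a real host, pass the actual document root and the uid and group ids of the web server and database service accounts; an empty result is the 755 case described above.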
Wrap-up
Once again, DVWA does a good job explaining the impact of a sloppy security implementation.
I know this isn't a real-world scenario, but reality can sometimes go beyond our wildest imagination.