SQL Injection to URL Redirect Part 1

Today we are going to show how an attacker can leverage SQL Injection to redirect users to their own site/webpage for whatever malicious activity they choose.

This will be in two parts. The first shows how, using a tool called sqlmap, we can carry out a successful SQL injection and very quickly dump usernames and passwords. The “php?id=1” part of the URL is injectable, and this is what sqlmap will exploit.

Then, once we have access to the admin section, we upload our PHP shell. The site has some basic filtering, so we change the filename and extension from “b374k-2.8.php” to “b374k-2.8 (copy).jpg.phtml”, which gets us past the filtering controls. This also shows why you still need robust upload controls even in password-protected areas of your site: if someone manages to access the area, they will still have to work to be able to upload a shell. Always think defense in depth. Always add layers.

This video ends with us logging into the uploaded webshell and accessing the www directory.

File Upload Controls File Validation 2

This shows that even with file validation controls, an attacker can manipulate file extensions to get the PHP shell through the filters. The result is the same: from here the attacker can view files or upload their own to inject malicious content into the site. All visitors to the site are then potential victims, as they could be downloading malicious files or being redirected by tampered links without any idea the site has been compromised.
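
To make the upload-control point from both parts concrete, here is an added example (not code from the site in the videos) that puts a weak extension check beside a hardened one and runs the renamed file name from above through both. The weak filter's blocklist, the function names and the temporary paths are assumptions made for illustration, since the videos do not show the site's actual filter.

```php
<?php
// Added example: the blocklist, function names and paths are assumptions.

// Weak: blocklist on the final extension only. ".phtml" is not listed,
// yet many Apache/PHP configurations execute it as PHP.
function weak_filter(string $name): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return !in_array($ext, ['php', 'exe', 'sh'], true);
}

// Hardened: allowlist the final extension, require the type sniffed from the
// file's bytes to match it, and never reuse the client-supplied name.
const ALLOWED = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

function hardened_store(string $clientName, string $tmpPath, string $destDir): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        return null;                    // .phtml, .php5, .phar and the like
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== ALLOWED[$ext]) {
        return null;                    // extension and content disagree
    }
    // Server-generated name: no attacker-chosen characters or stacked extensions.
    // $destDir should sit outside the web root or have script execution disabled.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    // A real handler would call move_uploaded_file() on $_FILES[...]['tmp_name'].
    return copy($tmpPath, $dest) ? $dest : null;
}

// Constructed input: the file name from the article with harmless script text.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "<?php /* constructed placeholder, not a real shell */ ?>");
$dir  = sys_get_temp_dir();
$name = 'b374k-2.8 (copy).jpg.phtml';

echo 'weak filter accepts renamed file: ';
var_dump(weak_filter($name));
echo 'hardened check on renamed file: ';
var_dump(hardened_store($name, $tmp, $dir));
// Same bytes with a plain .jpg name: the extension passes, the content check decides.
echo 'hardened check on script bytes named photo.jpg: ';
var_dump(hardened_store('photo.jpg', $tmp, $dir));
unlink($tmp);
```

The hardened path layers three independent checks, so defeating the extension test alone is not enough to place an executable file on the server.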