UHC - Union

00:00 - Intro, the best box to practice SQL Union Injections but I may be biased
01:05 - Start of nmap discovering nginx with PHP
01:50 - Doing recon on the website
02:45 - Starting recon in the background GoBuster/SQLMap
04:15 - Manually examining the player submission page
04:40 - Manually testing for SQL Injection, why it's important to test with a query that returns data
06:45 - Testing for union injection, then pulling up MySQL Documentation and looking at the Information_Schema database
07:45 - Testing out the Union Injection by extracting a single database name
08:20 - Showing that we can return more than one row with the GROUP_CONCAT function
09:00 - Changing up the union to extract table and column information
10:30 - Prettying up the output by setting some delimiters with GROUP_CONCAT, then extracting data from the tables
11:50 - Submitting the flag and discovering our IP Address can now ssh into the box
12:40 - Using the LOAD_FILE command to extract files from the server, discovering credentials in the config.php file
14:00 - Using SSH to access the server and then looking at how the webserver allowed our IP Address access to the server
15:45 - Adding the X-FORWARDED-FOR header to our request to firewall.php and discovering command injection
16:25 - Changing our command injection from sleep to a reverse shell
17:10 - The www-data user can use sudo to run any command, using sudo to run a shell
17:30 - Going over my filter to break SQLMap
