An SQL Injection attack is not limited to dumping a database. Where the database account can write files (for example MySQL's FILE privilege with SELECT ... INTO OUTFILE) and the web root is writable by the database process, the same injection point can be used to write files onto the remote server, and consequently to gain remote command execution through a WebShell.
WebShells receive their commands from the attacker in one of two main ways:
- via GET requests, where the command travels in the URL query string; it is therefore written to the web server's access log and is easily picked up by log review and SIEM rules
- via POST requests, which are somewhat stealthier because the command sits in the request body, which standard access logs do not record (a WAF, a reverse proxy configured to log bodies, or full packet capture can still see it)
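The logging difference between the two bullets above, as an added example that is not part of the original tutorial: a small Python script that parses constructed Apache/nginx combined-format access log lines and shows that the command of a GET-based shell is recoverable from the log, while for a POST-based shell only the repeated POSTs to one PHP file remain as a signal. The sample log lines, the parameter-name list, the stager file name `tmpbhskr.php` and the detection thresholds are assumptions made for this example, not something observed on the page.

```python
"""Added example: what an access log records for GET- and POST-driven WebShells.

Parses constructed Apache/nginx 'combined' log lines.  A GET-based shell
receives its command in the query string, so the command is logged verbatim.
A POST-based shell (such as b374k) receives it in the request body, which a
stock access log never records, so only the pattern of repeated POSTs to one
PHP file is left to alert on.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Parameter names that simple GET WebShells tend to use (assumption for this
# example; tune to your own environment).
SHELL_PARAMS = {"cmd", "c", "command", "exec", "run"}
# Shell words that do not belong in an ordinary application query string.
SHELL_TOKENS = re.compile(
    r"\b(id|whoami|uname|cat|ls|wget|curl|nc|bash|sh|python|perl)\b"
)
# Repeated POSTs to one PHP file with no Referer: the only trace a POST-based
# shell leaves in an access log (threshold is an assumption).
POST_THRESHOLD = 2

# Constructed sample log. "tmpbhskr.php" stands in for a GET-based stager,
# "b374k.php" for the POST-based shell; both names are invented here.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2023:10:01:02 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4102 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2023:10:01:09 +0000] "GET /dvwa/tmpbhskr.php?cmd=id HTTP/1.1" 200 61 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2023:10:01:12 +0000] "GET /dvwa/tmpbhskr.php?cmd=cat%20/etc/passwd HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2023:10:02:30 +0000] "POST /dvwa/b374k.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2023:10:02:41 +0000] "POST /dvwa/b374k.php HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2023:10:03:00 +0000] "POST /dvwa/login.php HTTP/1.1" 302 0 "http://dvwa/login.php" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def get_shell_commands(entry):
    """Commands visible in the query string of a GET request, URL-decoded."""
    if entry["method"] != "GET":
        return []
    parts = urlsplit(entry["target"])
    hits = []
    for name, values in parse_qs(parts.query).items():
        for value in values:
            if name.lower() in SHELL_PARAMS or SHELL_TOKENS.search(value):
                hits.append((parts.path, value))
    return hits


def find_webshell_activity(log_text):
    """Return GET shell commands found in the log and PHP paths that look like POST shells."""
    get_hits = []
    post_counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        get_hits.extend(get_shell_commands(entry))
        path = urlsplit(entry["target"]).path
        # The body is not in the log: all we can see is a PHP file being
        # POSTed to repeatedly without any referring page.
        if (entry["method"] == "POST" and path.endswith(".php")
                and entry["referer"] in ("", "-")):
            post_counts[path] += 1
    post_candidates = sorted(p for p, n in post_counts.items() if n >= POST_THRESHOLD)
    return {"get_hits": get_hits, "post_candidates": post_candidates}


if __name__ == "__main__":
    result = find_webshell_activity(SAMPLE_LOG)
    for path, cmd in result["get_hits"]:
        print(f"GET shell command logged: {path} -> {cmd!r}")
    for path in result["post_candidates"]:
        print(f"POST shell suspected (command not in log): {path}")
```

On the sample above the two GET commands (`id` and `cat /etc/passwd`) come straight out of the log, whereas `b374k.php` is only flagged because it was POSTed to twice with no Referer; the actual commands sent to it never reached the log. That is exactly why body-logging at a WAF or reverse proxy matters if POST-based shells are in your threat model.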
In this tutorial we will see how to:
- use sqlmap to perform an SQL Injection attack
- dump the database using sqlmap
- use sqlmap to automatically provide WebShell access based on GET requests
- use sqlmap to upload a custom and more advanced WebShell (b374k) which relies on POST
To test the SQL Injections, we will use DVWA (Damn Vulnerable Web Application), a web application deliberately built with vulnerabilities and weaknesses for practising penetration testing.