Description:
There is a SQL injection in a web app. The connection to the database is made as the "scott" (unprivileged) user. First we run bsqlbf with default parameters and find the username as "scott". Then, when we try to read password hashes, the attack fails because the user scott does not have privileges to query the sys.user$ table. So we do privilege escalation with bsqlbf, and it returns the password hash of the sys user. Then we execute an OS command. In this case, the database server already had nc.exe on the C:\ drive, which we used to throw us a reverse shell.
This video has been referred to us by Sid ( sid [] notsosecure.com ).
Tags: tools
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.