Exploitation on Windows

The vulnerable web application has an SQL injection vulnerability. SQL injection allows an attacker to inject arbitrary SQL queries and execute them on the backend DBMS. This vulnerability is present on the following URL:

http://<ip>/books1.php?title=&author=t

An SQL injection in a web application that may be running with administrative privileges means a complete takeover of the web application is possible. For this purpose, we shall use sqlmap. To attack the URL with sqlmap, the syntax is as follows:

sqlmap --url="http://<IP>/books1.php?title=&author=t"

sqlmap confirms that the injection vulnerability is present, as seen here:

The next step is to use sqlmap to gain shell access on the remote server. sqlmap comes with a very handy feature that first uploads a stager into the webroot, which is then used to upload further files. It follows this up by uploading a web shell that executes commands and returns their output, all with a single command. In order to trigger this, execute the following:

sqlmap --url="http://<IP>/books1.php?title=&author=t" --os-shell --tmp-path=C:\xampp\htdocs

The --os-shell option asks sqlmap to spawn a shell using the method described previously, and the --tmp-path value specifies where to upload the PHP files used to spawn that shell. Once the command is executed, the user is prompted for input twice. The first prompt selects the web technology, which is PHP in this case. The second prompt asks whether to trigger full path disclosures, which can be enabled. If everything goes well, we should be presented with an interactive shell:

As with the Linux exploitation, any commands can be executed through this interactive shell.
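From the defender's side, the sequence described above (sqlmap probing books1.php, then a stager upload and web shell calls in the webroot) leaves a recognisable trail in the web server access log. The following detection logic is an added example, not part of the original text: the log lines are constructed, and the stager/web shell file names (tmpu*.php, tmpb*.php) and the cmd parameter are assumed for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote_plus

# Constructed Apache "combined" log lines: one benign request, two sqlmap
# probes of books1.php, then an assumed stager upload and web shell call.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /books1.php?title=&author=t HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:10:03:15 +0000] "GET /books1.php?title=&author=t%27%20AND%201%3D1--%20 HTTP/1.1" 200 512 "-" "sqlmap/1.7"
10.0.0.9 - - [12/Mar/2024:10:03:16 +0000] "GET /books1.php?title=&author=t%27%20UNION%20ALL%20SELECT%20NULL%2CNULL--%20 HTTP/1.1" 200 980 "-" "sqlmap/1.7"
10.0.0.9 - - [12/Mar/2024:10:03:40 +0000] "POST /tmpuabcd.php HTTP/1.1" 200 120 "-" "sqlmap/1.7"
10.0.0.9 - - [12/Mar/2024:10:03:41 +0000] "GET /tmpbabcd.php?cmd=whoami HTTP/1.1" 200 64 "-" "sqlmap/1.7"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
KNOWN_PHP = {"/index.php", "/books1.php"}          # PHP files expected in the webroot
SQLI_RE = re.compile(r"('|\bunion\b|\bselect\b|\bsleep\s*\(|\band\s+\d+=\d+)", re.I)
SHELL_PARAMS = {"cmd"}                              # assumed web shell command parameter

def parse_line(line):
    """Parse one combined-format line; return a dict or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    u = urlparse(d["target"])
    d["path"], d["query"] = u.path, unquote_plus(u.query)   # decode %27 etc. before matching
    return d

def detect(log_text):
    """Return (ip, reason) alerts for injection attempts and web shell indicators."""
    alerts = []
    for line in log_text.splitlines():
        r = parse_line(line)
        if not r:
            continue
        if r["ua"].lower().startswith("sqlmap"):
            alerts.append((r["ip"], "sqlmap user-agent"))
        if r["path"] == "/books1.php" and SQLI_RE.search(r["query"]):
            alerts.append((r["ip"], "SQL metacharacters in books1.php parameters"))
        if r["path"].endswith(".php") and r["path"] not in KNOWN_PHP:
            params = set(parse_qs(r["query"]).keys())
            why = "web shell command parameter" if params & SHELL_PARAMS else "unknown PHP file in webroot"
            alerts.append((r["ip"], why))
    return alerts
```

Run against a real log, the "unknown PHP file in webroot" alert is the one worth correlating with file-creation events under the directory passed as --tmp-path.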
