1. Set up an application whose authentication is controlled by MSSQL through form submission.
2. Boot up Kali Linux
3. Use ZAP/Burp to monitor the parameter passed by the browser during crawling.
4. Using that parameter, pass it to sqlmap for further testing.
5. Grab the SQL banner using sqlmap. Succeeded.
6. Next, try to gain a shell using --os-shell -> failed because xp_cmdshell was kind of fuct up.
7. Next, try to gain a shell using MSF's sql_payload connecting to the MSSQL port -> failed since the IPS was running like a rottweiler.
Conclusion: same ol, same ol....