After having found the injection point, exploiting the vulnerability using sqlmap is trivial. I proceed to extract the list of database tables first, to get an idea of which tables are worth dumping:

Then I go after the table ‘user’:

Now that I have all the users and their corresponding password hashes, the next step is to try cracking them in order to get access to the system. After identifying the hash type, which turned out to be the MySQL default, I use sqlmap's integrated hash-cracking option to get the plaintext credentials:

raining passwords

SSH

Right after having found valid credentials, the next natural thing to do is to test them over SSH to see if we have access to the box. I used hydra to try every combination:
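From the defender's side, the credential test above leaves a very recognisable trace in the SSH daemon's log: a burst of "Failed password" lines from one source, across several usernames, often followed by an "Accepted password" from the same source. The following script is an added example (not part of the original writeup) that parses constructed OpenSSH auth-log lines and flags sources exceeding a failure threshold inside a sliding time window, noting when a successful login follows such a burst. Log lines, host name, addresses and the year assumed for syslog timestamps are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of OpenSSH auth.log lines (not taken from any real host).
SAMPLE_LOG = """\
Mar 10 14:02:01 web01 sshd[2311]: Failed password for invalid user admin from 10.0.0.9 port 51234 ssh2
Mar 10 14:02:02 web01 sshd[2312]: Failed password for root from 10.0.0.9 port 51235 ssh2
Mar 10 14:02:02 web01 sshd[2313]: Failed password for alice from 10.0.0.9 port 51236 ssh2
Mar 10 14:02:03 web01 sshd[2314]: Failed password for bob from 10.0.0.9 port 51237 ssh2
Mar 10 14:02:04 web01 sshd[2315]: Failed password for invalid user test from 10.0.0.9 port 51238 ssh2
Mar 10 14:02:05 web01 sshd[2316]: Accepted password for alice from 10.0.0.9 port 51240 ssh2
Mar 10 14:05:10 web01 sshd[2400]: Failed password for carol from 192.168.1.20 port 40000 ssh2
Mar 10 14:05:40 web01 sshd[2401]: Accepted password for carol from 192.168.1.20 port 40001 ssh2
"""

# Matches the standard sshd password-auth result lines (key-based logins and
# disconnects use different wording and are intentionally ignored here).
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_events(text, year=2024):
    """Return a time-sorted list of (timestamp, ip, user, accepted) tuples.

    Syslog lines carry no year, so one is assumed (2024 here, an assumption)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
        )
        events.append((ts, m["ip"], m["user"], m["result"] == "Accepted"))
    events.sort(key=lambda e: e[0])
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Flag source IPs with >= threshold failed password logins inside `window`.

    Returns {ip: {"failures": n, "distinct_users": k, "success_after_burst": user}}
    where success_after_burst is the account that logged in right after a burst
    (the outcome a successful password-guessing run produces), or None."""
    recent = defaultdict(list)  # ip -> [(timestamp, user)] of failures in window
    findings = {}
    for ts, ip, user, accepted in events:
        q = recent[ip]
        while q and ts - q[0][0] > window:  # expire failures outside the window
            q.pop(0)
        if not accepted:
            q.append((ts, user))
        if len(q) >= threshold:
            f = findings.setdefault(
                ip, {"failures": 0, "distinct_users": 0, "success_after_burst": None}
            )
            f["failures"] = max(f["failures"], len(q))
            f["distinct_users"] = max(f["distinct_users"], len({u for _, u in q}))
            if accepted:
                f["success_after_burst"] = user
    return findings


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(f"{ip}: {info['failures']} failures, {info['distinct_users']} users tried, "
              f"login after burst: {info['success_after_burst']}")
```

Running it on the constructed log reports 10.0.0.9 with five failures across five usernames inside a few seconds and a subsequent login as alice, while the single typo-style failure from 192.168.1.20 stays below the threshold. The same logic maps directly onto a SIEM rule or a fail2ban-style ban; the "success after burst" case is the one that deserves an immediate alert rather than just a block.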