UHC - Union
00:00 - Intro, the best box to practice SQL Union Injections but I may be biased
01:05 - Start of nmap, discovering nginx with PHP
01:50 - Doing recon on the website
02:45 - Starting recon in the background GoBuster/SQLMap
04:15 - Manually examining the player submission page
04:40 - Manually testing for SQL Injection, why it's important to test with a query that returns data
06:45 - Testing for union injection, then pulling up MySQL Documentation and looking at the Information_Schema database
07:45 - Testing out the Union Injection by extracting a single database name
08:20 - Showing that we can return more than one row with the GROUP_CONCAT function
09:00 - Changing up the union to extract table and column information
10:30 - Prettying up the output by setting some delimiters with GROUP_CONCAT, then extracting data from the tables
11:50 - Submitting the flag and discovering our IP Address can now ssh into the box
12:40 - Using the LOAD_FILE command to extract files from the server, discovering credentials in the config.php file
14:00 - Using SSH to access the server and then looking at how the webserver allowed our IP Address access to the server
15:45 - Adding the X-FORWARDED-FOR header to our request to firewall.php and discovering command injection
16:25 - Changing our command injection from sleep to a reverse shell
17:10 - The www-data user can use sudo to run any command, using sudo to run a shell
17:30 - Going over my filter to break SQLMap