SQL injection
Metasploit has several modules that exploit SQL injection vulnerabilities, allowing us to test and verify whether our targets are susceptible to this attack.
Getting ready
For this recipe, we will install a vulnerable version of ATutor, a free open source LMS.
To download ATutor 2.2.1, go to https://www.exploit-db.com/exploits/39514/ and click the save button next to the vulnerable app:
Note
To install ATutor, follow the installation instructions at the official site: http://www.atutor.ca/atutor/docs/installation.php.
How to do it...
This module exploits a SQL injection vulnerability and an authentication weakness vulnerability in ATutor 2.2.1, meaning that we can bypass authentication, reach the administrator's interface, and upload malicious code.
- First, let us look at the
exploit/multi/http/atutor_sqli
exploit options:
- Before running the exploit, we can use the
check
command to verify if the target is vulnerable:
msf exploit(atutor_sqli) > check [+] 192.168.216.136:80 The target...