Metasploit has several modules that exploit SQL injection vulnerabilities, allowing us to test and verify whether our targets are susceptible to this attack.
For this recipe, we will install a vulnerable version of ATutor, a free open source LMS.
To download ATutor 2.2.1, go to https://www.exploit-db.com/exploits/39514/ and click the save button next to the vulnerable app:
Note
To install ATutor, follow the installation instructions at the official site: http://www.atutor.ca/atutor/docs/installation.php.
This module exploits a SQL injection vulnerability and an authentication weakness vulnerability in ATutor 2.2.1, meaning that we can bypass authentication, reach the administrator's interface, and upload malicious code.
- First, let us look at the
exploit/multi/http/atutor_sqli
exploit options:
- Before running the exploit, we can use the
check
command to verify if the target is vulnerable:
msf exploit(atutor_sqli) > check [+] 192.168.216.136:80 The target...