[WEB SECURITY] Cmd Execution on linux using SQL injection(MySQL) in PHP application

SneakySimian sneaky.simian at gmail.com
Sun Jun 27 22:00:37 EDT 2010


I haven't tried UDF stuff yet, but you need either MySQL 4 (with
default privs) or MySQL 5 with the app running as root (there are
still apps that encourage this!). OUTFILE doesn't quite behave the
same way in MySQL 5 due to some permission changes.

On Sun, Jun 27, 2010 at 10:32 AM, Vaibhav <vaibhg at gmail.com> wrote:
> Hello List
>
> I am exploiting a PHP application with MySQL database on Red Hat linux
> thorough SQL Injections. I am able to view any file on the system using
> load_file() function, even the /etc/passwd and /etc/shadow file. I am having
> root permissions. One of the queries that i executed are :
> http://www.example.com/test.php?id=9 UNION ALL SELECT
> 1,concat(0x7e,0x27,load_file('/etc/shadow'),0x27,0x7e),3,4,5 and
> 1=1--&DummyText
>
> I tried to create a simple php shell using OUTFILE command but it's showing
> that "Read/Write access is not permitted". The query was :
> http://www.example.com/test.php?id=9 UNION ALL SELECT 1,"<? /* Some code*/
> ?>",3,4,5 INTO OUTFILE "/var/www/html/website/shell.php" --&DummyText
>
> Now i want to execute some commands through SQL injection (as i am not able
> to upload the php shell). What are the possible solutions ? One solution
> that i found on net was creating a UDF(User Defined Function) but i am not
> clear with the concept of creating UDF on victim machine.
>
> Can anyone please help with this problem.
>
> Thanks in anticipation.
>

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

To unsubscribe email websecurity-unsubscribe at webappsec.org and reply to 
the confirmation email

Join WASC on LinkedIn 
http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates



More information about the websecurity mailing list