[WEB SECURITY] Cmd Execution on Linux using SQL injection (MySQL) in PHP application

Vaibhav vaibhg at gmail.com
Mon Jun 28 02:29:18 EDT 2010


*@Sneaky*

MySQL version : 5.0.77
@@datadir : /var/lib/mysql/
user() : root at localhost.com
system_user() : root at localhost.com

I am not able to see the folder permissions (as I am not having any access
other than SQL injections) but was just trying to create the shell in all the
public directories but OUTFILE didn't work.


On Mon, Jun 28, 2010 at 7:56 AM, SneakySimian <sneaky.simian at gmail.com> wrote:

> I guess it'd help if I finished reading the email. So you have the
> webapp running as root on the MySQL instance?
>
> Have you made sure that the folder you are trying to write to has the
> appropriate chmod/chown settings? If it is a recent RH (RHEL?) have
> you checked to see if SELinux is preventing the writing of the file? I
> used this technique on a Windows box running MySQL 4 with ZenCart
> (they are so helpful in giving the admin user a default password where
> you can run full SQL queries in the admin panel) to pwn the box, but
> obviously *nix is going to be a little different.
>
> On Sun, Jun 27, 2010 at 7:00 PM, SneakySimian <sneaky.simian at gmail.com> wrote:
> > I haven't tried UDF stuff yet, but you need either MySQL 4 (with
> > default privs) or MySQL 5 with the app running as root (there are
> > still apps that encourage this!). OUTFILE doesn't quite behave the
> > same way in MySQL 5 due to some permission changes.
> >
> > On Sun, Jun 27, 2010 at 10:32 AM, Vaibhav <vaibhg at gmail.com> wrote:
> >> Hello List
> >>
> >> I am exploiting a PHP application with MySQL database on Red Hat Linux
> >> through SQL injections. I am able to view any file on the system using
> >> the load_file() function, even the /etc/passwd and /etc/shadow files. I am
> >> having root permissions. One of the queries that I executed is:
> >> http://www.example.com/test.php?id=9 UNION ALL SELECT
> >> 1,concat(0x7e,0x27,load_file('/etc/shadow'),0x27,0x7e),3,4,5 and
> >> 1=1--&DummyText
> >>
> >> I tried to create a simple PHP shell using the OUTFILE command but it's
> >> showing that "Read/Write access is not permitted". The query was:
> >> http://www.example.com/test.php?id=9 UNION ALL SELECT 1,"<? /* Some code*/
> >> ?>",3,4,5 INTO OUTFILE "/var/www/html/website/shell.php" --&DummyText
> >>
> >> Now I want to execute some commands through SQL injection (as I am not able
> >> to upload the PHP shell). What are the possible solutions? One solution
> >> that I found on the net was creating a UDF (User Defined Function) but I am
> >> not clear on the concept of creating a UDF on the victim machine.
> >>
> >> Can anyone please help with this problem.
> >>
> >> Thanks in anticipation.
> >>
> >
>
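
A detection sketch for the request pattern discussed in this thread, added here as an example and not part of the original posts: it URL-decodes the request URIs in web access log lines and flags the MySQL file-access primitives (load_file, INTO OUTFILE/DUMPFILE) and UNION SELECT. The combined log format, the sample log lines and the names `RULES`, `decode` and `scan` are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the SQL constructs seen in this thread's injected requests.
# Whitespace may be replaced by inline comments (/**/) to evade naive filters.
WS = r"(?:\s|/\*.*?\*/)+"
RULES = {
    "file_read": re.compile(r"load_file\s*\(", re.I),
    "file_write": re.compile(rf"into{WS}(?:outfile|dumpfile)", re.I),
    "union_select": re.compile(rf"union{WS}(?:all{WS})?select", re.I),
}

# Request line inside a combined-format access log entry (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (?P<uri>\S+) HTTP/[\d.]+"')

def decode(uri, rounds=3):
    """URL-decode repeatedly so double-encoded payloads are normalised."""
    for _ in range(rounds):
        nxt = unquote_plus(uri)
        if nxt == uri:
            break
        uri = nxt
    return uri

def scan(lines):
    """Return (line_number, sorted rule names) for every suspicious request."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        uri = decode(m.group("uri"))
        matched = sorted(name for name, rx in RULES.items() if rx.search(uri))
        if matched:
            hits.append((n, matched))
    return hits

# Constructed sample log lines (documentation IP range, placeholder paths).
SAMPLE = [
    '192.0.2.10 - - [28/Jun/2010:02:10:01 -0400] "GET /test.php?id=9 HTTP/1.1" 200 512',
    '192.0.2.66 - - [28/Jun/2010:02:11:40 -0400] "GET /test.php?id=9%20UNION%20ALL%20SELECT%201,load_file(%27/etc/passwd%27),3,4,5--%20 HTTP/1.1" 200 2048',
    '192.0.2.66 - - [28/Jun/2010:02:12:05 -0400] "GET /test.php?id=9+union/**/select+1,2,3,4,5+INTO+OUTFILE+%22/var/www/html/x.txt%22 HTTP/1.1" 200 97',
    '192.0.2.66 - - [28/Jun/2010:02:12:30 -0400] "GET /test.php?id=9%2520UNION%2520SELECT%25201 HTTP/1.1" 200 97',
]

if __name__ == "__main__":
    for lineno, rules in scan(SAMPLE):
        print(lineno, ",".join(rules))
```

Log matching like this only surfaces attempts after the fact; the conditions the thread relies on are removed by parameterised queries and an application database account that is not root and lacks the FILE privilege.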