[WEB SECURITY] Cmd Execution on linux using SQL injection(MySQL) in PHP application

Vaibhav vaibhg at gmail.com
Mon Jun 28 04:17:13 EDT 2010


*@Jacky*
Yes, /var/www/html/website/ actually exists.

*@Shlomi*

Yes, I am able to upload shell into /tmp/ and /usr/tmp/. But how to exploit
it? If I upload the shell in these directories and view the shell using
load_file(), then it's just showing me the PHP code and not the output of the PHP
script.
I am not clear with the concept of using UDF in injections. Can you please
elaborate on this stuff as well?

Thanks

On Mon, Jun 28, 2010 at 12:25 PM, Shlomi Narkolayev <shlominar at gmail.com> wrote:

> 1) Try to upload the php_shell to these folders: /tmp or /usr/tmp/ or ~/.
>
> 2) You can use this library to run UDF queries: http://www.mysqludf.org/ -
> Great library!!
>
> 3) If you can't get to the real DB that contains the juicy info, you can
> always insert a link to the application to simple JavaScript KeyLogger to
> login page or a link to XSSShell to any page and to get admin/other
> credentials.
>
> You can also add a link to malicious ActiveX or Java applet using the
> database and to an IT ticket to the administrator and to install Trojans on
> his machine ;-)
>
> Kind Regards,
> Narkolayev Shlomi.
>
> Visit my blog: http://Narkolayev-Shlomi.blogspot.com
>
>
>
> On Sun, Jun 27, 2010 at 8:32 PM, Vaibhav <vaibhg at gmail.com> wrote:
>
>> Hello List
>>
>> I am exploiting a PHP application with MySQL database on Red Hat Linux
>> through SQL Injections. I am able to view any file on the system using *
>> load_file()* function, even the /etc/passwd and /etc/shadow file. I am
>> having root permissions. One of the queries that I executed is:
>> *http://www.example.com/test.php?id=9 UNION ALL SELECT
>> 1,concat(0x7e,0x27,load_file('/etc/shadow'),0x27,0x7e),3,4,5 and
>> 1=1--&DummyText*
>>
>> I tried to create a simple PHP shell using OUTFILE command but it's
>> showing that "Read/Write access is not permitted". The query was:
>> *http://www.example.com/test.php?id=9 UNION ALL SELECT 1,"<? /* Some
>> code*/ ?>",3,4,5 INTO OUTFILE "/var/www/html/website/shell.php" --&DummyText
>> *
>>
>> Now I want to execute some commands through SQL injection (as I am not
>> able to upload the PHP shell). What are the possible solutions? One
>> solution that I found on the net was creating a UDF (User Defined Function) but I
>> am not clear with the concept of creating UDF on victim machine.
>>
>> Can anyone please help with this problem.
>>
>> Thanks in anticipation.
>>
>
>
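
For defenders reviewing web server logs, the requests discussed in this thread (UNION SELECT combined with load_file() or INTO OUTFILE in a query string) leave recognisable traces. The following is an added example, not part of the original thread: a small log check whose rule names, sample log lines and client addresses are constructed for illustration, and which assumes the payload arrives in a GET query string recorded in combined log format.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the MySQL primitives named in the thread.
RULES = {
    "file_read": re.compile(r"\bload_file\s*\(", re.I),
    "file_write": re.compile(r"\binto\s+(?:out|dump)file\b", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
}
SQL_COMMENT = re.compile(r"/\*.*?\*/", re.S)  # /**/ used in place of spaces
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (.+?) HTTP/[\d.]+"')

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Jun/2010:04:10:01 -0400] "GET /test.php?id=9 HTTP/1.1" 200 512',
    '203.0.113.7 - - [28/Jun/2010:04:11:12 -0400] "GET /test.php?id=9%20UNION%20ALL'
    '%20SELECT%201,load_file(%27/etc/passwd%27),3,4,5--%20 HTTP/1.1" 200 2048',
    '198.51.100.23 - - [28/Jun/2010:04:12:40 -0400] "GET /test.php?id=9+union/**/select'
    '+1,2,3,4,5+INTO+OUTFILE+%22/tmp/t%22--+ HTTP/1.1" 200 512',
    '192.0.2.10 - - [28/Jun/2010:04:13:05 -0400] "GET /search.php?q=how+to+load+a+file'
    '+into+mysql HTTP/1.1" 200 900',
]

def decode(value, rounds=3):
    """Undo URL encoding, including double encoding, in at most `rounds` passes."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(log_line):
    """Return the sorted rule names that match the request's query string."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    query = decode(m.group(1).partition("?")[2])
    query = SQL_COMMENT.sub(" ", query)  # so union/**/select reads as union select
    return sorted(name for name, rx in RULES.items() if rx.search(query))

def scan(lines):
    """Return (client address, rule hits) for every line that matched a rule."""
    return [(line.split()[0], hits) for line in lines if (hits := classify(line))]

if __name__ == "__main__":
    for client, hits in scan(SAMPLE_LOG):
        print(client, ",".join(hits))
```

Payloads sent in POST bodies or headers do not appear in access logs, so a check like this complements, and does not replace, removing the FILE privilege from the application's database account.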