Waraxe IT Security Portal

Maxer · Regular user

I found a sql injection on a site , then i try to load_file using hex and it works , i want to load a php shell with outfile on it but i don't know the full web path , do u have any idea of what i could do ?

Server:redhat
Mysql
' <--- not allowed

syntax is like this site.com/script.php?var1=blabla&var2=blabla&var3=100&var4=100&var5=100 union select @@version <--- var5 vulnerable to sql injection
i try to load_file /etc/passwd/ and it works perfeclty , but when i try to load / i have an error.

Pls help! thanks in advance.

pexli · Valuable expert

You can read file's not dir's.

Try
/etc/hosts

Maxer · Regular user

Thanks pexli , i pulled the /etc/hosts , but i didn't see too much useful information , maybe i'm missing something.

I managed to force php to produce an error so i know the full web path now Smile

, when i load file the / etc / passwd , i do it without any problems , but when i try to load file the index.php file for the site , i get this:

Error: Can't get stat of '/mnt/www/Website/index.php' (Errcode: 2)

I checked loading phpinfo.php on the site to confirm the web path and yeah , it says phpinfo.php is located in /mnt/www/Website/

I don't know why i can't load file the index.php :S
Any ideas?

waraxe · Site admin

Are you sure, that it's "index.php"? When you try "http://****.com/index.php", you get normal page? Try to read ".htaccess", if it's present - default index files can be overridden.

Maxer · Regular user

Hello waraxe , thanks for your reply!

Im sure it's there , i also tried loading the exact file that is causing the php error , also some other files that i know are present on the website.

What i find really odd , is that when i try to load a non existent file , i obviously get an error , when i try to load a folder that is valid, it just shows me the website with no error.
So, when i try to load / , no error , /var/ , no error , /mnt/ no error , but when i try /mnt/www/ just to see if it really exists , it gives me an error ...

Could this be because mnt is a mounted folder ?
I'm having headaches :S

waraxe · Site admin

I see one possible reason for this behavior. When you use "LOAD_FILE()", then file operation is done with UID/GID of MySql daemon. So based on operating system specifics you can access files, if 1) file owner is not mysql and they are world readable, and 2) if file owner is mysql. So "/" can be accessible, because it's owner is root, but it's world readable dir. But that specific website's home directory is owned by specific user! And if it's not world readable, then you can't access it!
I suggest to look for world writable directories in that specific web root. Example: "avatars", "files", "temp", "cache", "uploads", etc. Then use "INTO OUTFILE" and write your own php file. From php code level you have more possibilities to elevate your privileges, of course depending on php version, apache API and other details.

pexli · Valuable expert

I think you can't read .php files because this is limitation of this bug.
Why you try to read dir with load_file Smile

Try to upload your code like waraxe says.

Maxer · Regular user

If i use:
site.com/script.php?var=999 union select load_file(0x2f6574632f706173737764)

to load_file /etc/passwd , and the web full path is /mnt/www/website/ , what would i have to do to load a simple php shell ?
I dont know how to use into outfile :S