IT Security and Insecurity Portal

Sql injection, waraxe plz help! :S

Posted: Sat Nov 08, 2008 1:30 am
Maxer (Regular user; Joined: Sep 30, 2008; Posts: 7)

I found a SQL injection on a site, then I tried load_file using hex and it works. I want to load a PHP shell with outfile but I don't know the full web path. Do you have any idea what I could do?
Server: Red Hat
MySQL
' <--- not allowed
Syntax is like this: site.com/script.php?var1=blabla&var2=blabla&var3=100&var4=100&var5=100 union select @@version <--- var5 vulnerable to SQL injection
I tried to load_file /etc/passwd/ and it works perfectly, but when I try to load / I get an error.
Please help! Thanks in advance.


Posted: Sat Nov 08, 2008 10:36 am
pexli (Valuable expert; Joined: May 24, 2007; Posts: 665; Location: Bulgaria)

You can read files, not dirs.
Try
/etc/hosts


Posted: Sat Nov 08, 2008 8:06 pm
Maxer (Regular user; Joined: Sep 30, 2008; Posts: 7)

Thanks pexli, I pulled /etc/hosts, but I didn't see much useful information; maybe I'm missing something.
I managed to force PHP to produce an error, so I know the full web path now. When I load_file /etc/passwd, I do it without any problems, but when I try to load_file the index.php file for the site, I get this:
Error: Can't get stat of '/mnt/www/Website/index.php' (Errcode: 2)
I checked by loading phpinfo.php on the site to confirm the web path and yeah, it says phpinfo.php is located in /mnt/www/Website/
I don't know why I can't load_file the index.php :S
Any ideas?


Posted: Sat Nov 08, 2008 8:45 pm
waraxe (Site admin; Joined: May 11, 2004; Posts: 2407; Location: Estonia, Tartu)

Are you sure that it's "index.php"? When you try "http://****.com/index.php", do you get the normal page? Try to read ".htaccess", if it's present - default index files can be overridden.


Posted: Sat Nov 08, 2008 9:02 pm
Maxer (Regular user; Joined: Sep 30, 2008; Posts: 7)

Hello waraxe, thanks for your reply!
I'm sure it's there; I also tried loading the exact file that is causing the PHP error, and some other files that I know are present on the website.
What I find really odd is that when I try to load a non-existent file, I obviously get an error, but when I try to load a folder that is valid, it just shows me the website with no error.
So, when I try to load /, no error; /var/, no error; /mnt/, no error; but when I try /mnt/www/ just to see if it really exists, it gives me an error...
Could this be because mnt is a mounted folder?
I'm having headaches :S


Posted: Sat Nov 08, 2008 9:15 pm
waraxe (Site admin; Joined: May 11, 2004; Posts: 2407; Location: Estonia, Tartu)

I see one possible reason for this behavior. When you use "LOAD_FILE()", the file operation is done with the UID/GID of the MySQL daemon. So, based on operating system specifics, you can access files if 1) the file owner is not mysql and they are world readable, or 2) the file owner is mysql. So "/" can be accessible, because its owner is root, but it's a world readable dir. But that specific website's home directory is owned by a specific user! And if it's not world readable, then you can't access it!
I suggest looking for world writable directories in that specific web root. Example: "avatars", "files", "temp", "cache", "uploads", etc. Then use "INTO OUTFILE" and write your own php file. From the php code level you have more possibilities to elevate your privileges, of course depending on php version, apache API and other details.
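To make the permission argument above concrete from the server owner's side, here is an added model (my own illustration, not code from this thread or from waraxe) of the two gates a LOAD_FILE() or INTO OUTFILE request passes through: MySQL's own checks (the FILE privilege and secure_file_priv, whose NULL / empty / directory semantics are MySQL's documented behavior) and then the ordinary Unix owner/group/other check performed as the mysqld user, where every directory on the path needs search (x) permission, not just the final file. The uids, gids, modes and paths are constructed to mirror the thread's layout; "/mnt/www/Website" is private to its owner, so the daemon is stopped at the directory even though index.php itself is 0644. The same model shows that revoking FILE or setting secure_file_priv=NULL blocks the read regardless of OS permissions, and lists the world-writable directories an administrator should tighten, since those are where an INTO OUTFILE write would land.

```python
"""Model of the gates a LOAD_FILE()/INTO OUTFILE request passes through:
MySQL's own checks (FILE privilege, secure_file_priv) and then the ordinary
Unix permission check performed as the mysqld user. All uids, gids, modes and
paths below are constructed for illustration, not taken from any real host."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Node:
    """Stand-in for an inode: owner uid, group gid, permission bits (e.g. 0o755)."""
    uid: int
    gid: int
    mode: int
    is_dir: bool = False


def unix_can(node: Node, bit: str, uid: int, gids: Set[int]) -> bool:
    """Classic owner/group/other check. The owner class is used exclusively when
    the uid matches, as the kernel does. No root special-casing: mysqld is not
    expected to run as uid 0."""
    shift = 6 if uid == node.uid else 3 if node.gid in gids else 0
    return bool(node.mode & ({"r": 4, "w": 2, "x": 1}[bit] << shift))


def os_readable(fs: Dict[str, Node], path: str, uid: int, gids: Set[int]) -> Optional[str]:
    """Walk the path as the daemon would: every directory component needs search
    (x) permission and the final entry must be a file with read (r) permission.
    Returns None on success, otherwise an errno-style reason string."""
    cur = "/"
    for part in [p for p in path.split("/") if p]:
        parent = fs.get(cur)
        if parent is None or not parent.is_dir:
            return f"ENOTDIR: {cur} is not a directory"
        if not unix_can(parent, "x", uid, gids):
            # stat() through an unsearchable directory fails with EACCES (13)
            return f"EACCES: {cur} not searchable by uid {uid}"
        cur = cur.rstrip("/") + "/" + part
    node = fs.get(cur)
    if node is None:
        return f"ENOENT: {cur} does not exist"  # this is what "Errcode: 2" means
    if node.is_dir:
        return f"EISDIR: {cur} is a directory, LOAD_FILE reads files only"
    if not unix_can(node, "r", uid, gids):
        return f"EACCES: {cur} not readable by uid {uid}"
    return None


def mysql_file_gate(path: str, has_file_priv: bool, secure_file_priv: Optional[str]) -> Optional[str]:
    """Server-side checks applied before any OS access (MySQL documented semantics):
    the account needs the FILE privilege; secure_file_priv=NULL disables file
    import/export entirely, '' imposes no path restriction, and a directory value
    limits operations to files inside that directory."""
    if not has_file_priv:
        return "denied: account lacks the FILE privilege"
    if secure_file_priv is None:
        return "denied: secure_file_priv is NULL (import/export disabled)"
    if secure_file_priv and not path.startswith(secure_file_priv.rstrip("/") + "/"):
        return f"denied: {path} is outside secure_file_priv={secure_file_priv}"
    return None


def load_file_outcome(fs: Dict[str, Node], path: str, daemon_uid: int, daemon_gids: Set[int],
                      has_file_priv: bool, secure_file_priv: Optional[str]) -> Optional[str]:
    """None if LOAD_FILE(path) would return the file's contents, else the blocking reason."""
    return mysql_file_gate(path, has_file_priv, secure_file_priv) or os_readable(fs, path, daemon_uid, daemon_gids)


def world_writable_dirs(fs: Dict[str, Node]) -> List[str]:
    """Directories any local uid (mysqld's included) may create files in: the places
    an INTO OUTFILE write could land. These are what an administrator should tighten."""
    return sorted(p for p, n in fs.items() if n.is_dir and n.mode & 0o002)


MYSQL_UID, MYSQL_GID = 27, 27     # constructed ids for the mysql service account
SITE_UID, SITE_GID = 1001, 1001   # constructed ids for the site owner

# Constructed layout mirroring the thread: the site directory is private to its owner.
FS = {
    "/": Node(0, 0, 0o755, is_dir=True),
    "/etc": Node(0, 0, 0o755, is_dir=True),
    "/etc/passwd": Node(0, 0, 0o644),
    "/etc/shadow": Node(0, 0, 0o640),
    "/mnt": Node(0, 0, 0o755, is_dir=True),
    "/mnt/www": Node(0, 0, 0o755, is_dir=True),
    "/mnt/www/Website": Node(SITE_UID, SITE_GID, 0o750, is_dir=True),
    "/mnt/www/Website/index.php": Node(SITE_UID, SITE_GID, 0o644),
    "/mnt/www/Website/uploads": Node(SITE_UID, SITE_GID, 0o777, is_dir=True),
}

if __name__ == "__main__":
    for path in ["/etc/passwd", "/etc/shadow", "/", "/mnt/www/Website/index.php"]:
        print(f"{path:30} -> {load_file_outcome(FS, path, MYSQL_UID, {MYSQL_GID}, True, '') or 'readable'}")
    # The server-side hardening blocks the read regardless of OS permissions.
    print("after REVOKE FILE:        ", load_file_outcome(FS, "/etc/passwd", MYSQL_UID, {MYSQL_GID}, False, ""))
    print("secure_file_priv=NULL:    ", load_file_outcome(FS, "/etc/passwd", MYSQL_UID, {MYSQL_GID}, True, None))
    print("world-writable directories:", world_writable_dirs(FS))
```

Run as a script it prints one line per path; /etc/passwd comes back readable, /etc/shadow and the site's index.php are refused with EACCES (at /mnt/www/Website for the latter), and "/" is refused as a directory. Note that an unsearchable directory yields EACCES rather than the ENOENT behind "Errcode: 2", so a practitioner seeing error 2 should also consider that the daemon simply does not see that path (a chroot or a different mount, for instance).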

Posted: Sun Nov 09, 2008 12:20 am
pexli (Valuable expert; Joined: May 24, 2007; Posts: 665; Location: Bulgaria)

I think you can't read .php files because this is a limitation of this bug.
Why do you try to read a dir with load_file?
Try to upload your code like waraxe says.


Posted: Sun Nov 09, 2008 8:46 am
Maxer (Regular user; Joined: Sep 30, 2008; Posts: 7)

If I use:
site.com/script.php?var=999 union select load_file(0x2f6574632f706173737764)
to load_file /etc/passwd, and the full web path is /mnt/www/website/, what would I have to do to load a simple php shell?
I don't know how to use into outfile :S