Description: Use sqlmap to get the database account, then upload a PHP shell
Tags: SQL injection, php shell, sqlmap, upload
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.
Good stuff!
Very nice :)!
It only works in very specific cases (the MySQL user has rights to write files).
And the Linux user "mysql" has the +w right on the /var/www folder.
Though there is no need of creating a new db and table.
You can just use:
select ... where id=30 and 1=0 union select 0x[PHP source hex encoded] into outfile ('/var/www/pwned.php')
And before searching for Apache-interpreted folders where MySQL can write, you can try writing and reading on /tmp/pwnNameHere
It's easier trying to upload it directly using this:
SELECT "php-shell md5 encoded" INTO OUTFILE 'DIR';
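For defenders, the statements quoted in the comments above have a recognisable shape in a MySQL query log. The following is an added example, not part of the original page or its comments: a small classifier that flags `INTO OUTFILE` / `INTO DUMPFILE` writes and raises severity when the target is under a web root or has a script extension. The web-root list, extension list, function names and sample statements are assumptions constructed for illustration.

```python
import re

# Assumed web roots and script extensions; adjust to the environment.
WEB_ROOTS = ("/var/www/", "/srv/www/", "/usr/share/nginx/")
SCRIPT_EXT = (".php", ".phtml", ".php5", ".phar")

# INTO OUTFILE / INTO DUMPFILE, an optional "(", then a quoted path.
OUTFILE_RE = re.compile(
    r"\binto\s+(outfile|dumpfile)\s*\(?\s*(['\"])(?P<path>.*?)\2",
    re.IGNORECASE | re.DOTALL,
)
HEX_LITERAL_RE = re.compile(r"\b0x[0-9a-f]{6,}\b", re.IGNORECASE)
UNION_RE = re.compile(r"\bunion\s+(all\s+)?select\b", re.IGNORECASE)


def classify(statement):
    """Return None if the statement writes no file, else path, severity, reasons."""
    m = OUTFILE_RE.search(statement)
    if not m:
        return None
    path = m.group("path")
    reasons = []
    if path.lower().startswith(WEB_ROOTS):
        reasons.append("web-root")
    if path.lower().endswith(SCRIPT_EXT):
        reasons.append("script-extension")
    if UNION_RE.search(statement):
        reasons.append("union-select")
    if HEX_LITERAL_RE.search(statement):
        reasons.append("hex-literal")
    severity = "high" if {"web-root", "script-extension"} & set(reasons) else "review"
    return {"path": path, "severity": severity, "reasons": reasons}


def scan(statements):
    """Return (statement, finding) pairs for every statement that writes a file."""
    return [(s, r) for s in statements if (r := classify(s))]


# Constructed sample statements, shaped like MySQL general query log entries.
SAMPLE = [
    "SELECT name FROM items WHERE id=30",
    "SELECT name FROM items WHERE id=30 and 1=0 union select 0x414243444546 into outfile ('/var/www/pwned.php')",
    "SELECT 1 INTO OUTFILE '/tmp/pwnNameHere'",
    "SELECT * FROM orders INTO OUTFILE '/var/lib/mysql-files/export.csv'",
]

if __name__ == "__main__":
    for stmt, finding in scan(SAMPLE):
        print(finding["severity"], finding["path"], finding["reasons"])
```

Detection of this kind complements the two preconditions named in the comments: accounts used by web applications should not hold the MySQL `FILE` privilege, and `secure_file_priv` should restrict server-side file writes to a directory the web server does not serve.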