├── hom.png
├── download.png
├── images
    ├── who.jpg
    ├── head2.png
    ├── marine.jpg
    ├── marine_ford.jpg
    ├── Gear_Four_luffy.jpg
    ├── straw_hat_crew.jpg
    ├── Newgate_Vs_Teach.jpg
    └── Whitebeard_luffy_ace.jpg
├── local file disclosure using SQL Injection.pdf
├── dsqli.sql
├── README.md
├── head.php
└── index.php


/hom.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/Local-file-disclosure-SQL-Injection-Lab/HEAD/hom.png


--------------------------------------------------------------------------------
/download.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/Local-file-disclosure-SQL-Injection-Lab/HEAD/download.png


--------------------------------------------------------------------------------
/images/who.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/Local-file-disclosure-SQL-Injection-Lab/HEAD/images/who.jpg


--------------------------------------------------------------------------------
/images/head2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/Local-file-disclosure-SQL-Injection-Lab/HEAD/images/head2.png


--------------------------------------------------------------------------------
/images/marine.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/Local-file-disclosure-SQL-Injection-Lab/HEAD/images/marine.jpg


--------------------------------------------------------------------------------
/images/marine_ford.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/Local-file-disclosure-SQL-Injection-Lab/HEAD/images/marine_ford.jpg


--------------------------------------------------------------------------------
/images/Gear_Four_luffy.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/Local-file-disclosure-SQL-Injection-Lab/HEAD/images/Gear_Four_luffy.jpg


--------------------------------------------------------------------------------
/images/straw_hat_crew.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/Local-file-disclosure-SQL-Injection-Lab/HEAD/images/straw_hat_crew.jpg


--------------------------------------------------------------------------------
/images/Newgate_Vs_Teach.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/Local-file-disclosure-SQL-Injection-Lab/HEAD/images/Newgate_Vs_Teach.jpg


--------------------------------------------------------------------------------
/images/Whitebeard_luffy_ace.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/Local-file-disclosure-SQL-Injection-Lab/HEAD/images/Whitebeard_luffy_ace.jpg


--------------------------------------------------------------------------------
/local file disclosure using SQL Injection.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/Local-file-disclosure-SQL-Injection-Lab/HEAD/local file disclosure using SQL Injection.pdf


--------------------------------------------------------------------------------
/dsqli.sql:
--------------------------------------------------------------------------------
 1 | -- phpMyAdmin SQL Dump
 2 | -- version 3.4.7
 3 | -- http://www.phpmyadmin.net
 4 | --
 5 | -- Host: localhost
 6 | -- Generation Time: Mar 12, 2017 at 08:09 PM
 7 | -- Server version: 5.5.17
 8 | -- PHP Version: 5.6.12
 9 | 
10 | SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO";
11 | SET time_zone = "+00:00";
12 | 
13 | 
14 | /*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
15 | /*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
16 | /*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
17 | /*!40101 SET NAMES utf8 */;
18 | 
19 | --
20 | -- Database: `dsqli`
21 | --
22 | 
23 | -- --------------------------------------------------------
24 | 
25 | --
26 | -- Table structure for table `download`
27 | --
28 | 
29 | CREATE TABLE IF NOT EXISTS `download` (
30 |   `id` int(4) NOT NULL AUTO_INCREMENT,
31 |   `image_name` varchar(225) NOT NULL,
32 |   `location` varchar(225) NOT NULL,
33 |   PRIMARY KEY (`id`)
34 | ) ENGINE=InnoDB  DEFAULT CHARSET=latin1 AUTO_INCREMENT=6 ;
35 | 
36 | --
37 | -- Dumping data for table `download`
38 | --
39 | 
40 | INSERT INTO `download` (`id`, `image_name`, `location`) VALUES
41 | (1, 'Marine ford', 'images/marine.jpg'),
42 | (2, 'Luffy fourth gear', 'images/Gear_Four_luffy.jpg'),
43 | (3, 'Newgate Vs Teach', 'images/Newgate_Vs_Teach.jpg'),
44 | (4, 'straw-hat crew', 'images/straw_hat_crew.jpg'),
45 | (5, 'Whitebeard luffy ace ', 'images/Whitebeard_luffy_ace.jpg');
46 | 
47 | /*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
48 | /*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
49 | /*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
50 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Local-file-disclosure-SQL-Injection-Lab
 2 | This is sample code to demonstrate how one can use SQL Injection vulnerability to download local file from server in specific condition
 3 | 
 4 | exploit SQL Injection vulnerability in file download function which download file from server on the basis of output 
 5 | returned by vulnerable SQL query. 
 6 | Let’s consider scenario in which, there is one user supplied parameter which is getting process in SQL query and after processing, SQL query is returning location of the file. Now, let’s suppose that value returned by SQL query is getting pass to a function which download local file from server. In this case if user input is not getting check by web application, in that case attacker can easily manipulate SQL query to download any file from server with known location (file must have read permission on it).
 7 | 
 8 | You can download detailed Paper from here 
 9 | <a href="https://github.com/incredibleindishell/Local-file-disclosure-SQL-Injection-Lab/raw/master/local%20file%20disclosure%20using%20SQL%20Injection.pdf">Local file disclosure using SQL Injection</a>
10 | 
11 | To setup this lab on your machine, create database with name dsqli
12 | grant all privileges on that database for user with 
13 | username = dsqli
14 | and 
15 | password = icadsqli
16 | 
17 | To create database and user which will be having read permission on the database, just follow given below process: 
18 | 
19 | --> Login to MySQL console with root account 
20 | 
21 | Command to create new database: -Create database dsqli;
22 | 
23 | Command to create user dsqli with password icadsqli which will be 
24 | having read/write permission on database dsqli: -
25 | 
26 | grant all on dsqli.* to dsqli@localhost IDENTIFIED BY 'icadsqli';
27 | 
28 | Once you have setup database and user account, just import the database 
29 | 
30 | dump file (dsqli.sql which is available with the sample code) to database dsqli.
31 | 
32 | Introdunction page
33 | 
34 | <img src="https://github.com/incredibleindishell/Local-file-disclosure-SQL-Injection-Lab/blob/master/hom.png">
35 | 
36 | Vulnerable page
37 | 
38 | <img src="https://github.com/incredibleindishell/Local-file-disclosure-SQL-Injection-Lab/blob/master/download.png">
39 | --==[[ With Love from Team IndiShell ]]==--
40 | 
41 | --==[[ Greetz To ]]==--
42 | Zero cool, code breaker ICA, root_devil, google_warrior, INX_r0ot, Darkwolf indishell,
43 | Baba, Silent poison India, Magnum sniper, ethicalnoob Indishell, Local root indishell, Irfninja 
44 | indishell, Reborn India,L0rd Crus4d3r,cool toad, Hackuin, Alicks,Gujjar PCP,Bikash,Di nelson 
45 | Amine,Th3 D3str0yer, SKSking, rad paul,Godzila,mike waals,zoo zoo,cyber warrior,shafoon, 
46 | Rehan manzoor, cyber gladiator,7he Cre4t0r,Cyber Ace, Golden boy INDIA,Ketan Singh,  D2
47 | Yash, Aneesh Dogra, AR AR, saad abbasi, hero, Minhal Mehdi, Raj bhai ji, Hacking queen,
48 | lovetherisk, D3.
49 | --==[[ Love to To ]]==--
50 | My Father, my Ex Teacher, cold fire hacker, Mannu, ViKi, Ashu bhai ji, Soldier Of God, Bhuppi,
51 | Rafay Baloch, Mohit, Ffe, Ashish, Shardhanand, Budhaoo, Jagriti, Salty, Hacker fantastic, 
52 | Jennifer Arcuri and Don(Deepika kaushik), Govind
53 | 


--------------------------------------------------------------------------------
/head.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | 
  3 | 
  4 | 
  5 | 
  6 | $head = '
  7 | <html>
  8 | <head>
  9 | <link href="https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcTLfLXmLeMSTt0jOXREfgvdp8IYWnE9_t49PpAiJNvwHTqnKkL4" rel="icon" type="image/x-icon"/>
 10 | </script>
 11 | <title>--==[[IndiShell Lab]]==--</title>
 12 | <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
 13 | <STYLE>
 14 | body {
 15 | 	background: url(images/head2.png);
 16 | 	background-size: 100% 690px;
 17 |     background-repeat: no-repeat;
 18 | font-family: Tahoma;
 19 | color: white;
 20 | 
 21 | }
 22 | .side-pan {
 23 |    margin: 0;
 24 |    border:0px;
 25 |    
 26 |    width:200px;
 27 |    padding: 5px 23px;
 28 |    margin:0px;
 29 |    -webkit-border-radius: 0px;
 30 |    -moz-border-radius: 0px;
 31 |    border-radius: 0px;
 32 |    border-bottom: 1px solid black;
 33 |    color: white;
 34 |    font-size: 20px;
 35 |    font-family: Georgia, serif;
 36 |    text-decoration: none;
 37 |    vertical-align: left;
 38 |    align:left;
 39 |    }
 40 |    div#left {
 41 |     width: 100%;
 42 |     height: 50px;
 43 |     float: left;
 44 | 	}
 45 | div#right {
 46 |     margin-left: 20%;
 47 |     height: 50px;
 48 | 	color: white;
 49 |     font-size: 20px;
 50 |     font-family: Georgia, serif;
 51 | 	}
 52 | .main div {
 53 |   float: left;
 54 |   clear: none; 
 55 | 	}
 56 | 
 57 | input {
 58 | border			: solid 2px ;
 59 | border-color		: black;
 60 | BACKGROUND-COLOR: #444444;
 61 | font: 8pt Verdana;
 62 | color: white;
 63 | }
 64 | submit {
 65 | BORDER:  buttonhighlight 2px outset;
 66 | BACKGROUND-COLOR: Black;
 67 | width: 30%;
 68 | color: #FFF;
 69 | }
 70 | #t input[type=\'submit\']{
 71 | 	COLOR: White;
 72 | 	border:none;
 73 | 	BACKGROUND-COLOR: black;
 74 | }
 75 | #t input[type=\'submit\']:hover {
 76 | 	
 77 | 	BACKGROUND-COLOR: #ff9933;
 78 | 	color: black;
 79 | 	
 80 | }
 81 | tr {
 82 | BORDER: dashed 1px #333;
 83 | color: #FFF;
 84 | }
 85 | td {
 86 | BORDER: dashed 0px ;
 87 | }
 88 | .table1 {
 89 | BORDER: 0px Black;
 90 | BACKGROUND-COLOR: Black;
 91 | color: #FFF;
 92 | }
 93 | .td1 {
 94 | BORDER: 0px;
 95 | BORDER-COLOR: #333333;
 96 | font: 7pt Verdana;
 97 | color: Green;
 98 | }
 99 | .tr1 {
100 | BORDER: 0px;
101 | BORDER-COLOR: #333333;
102 | color: #FFF;
103 | }
104 | table {
105 | BORDER: dashed 2px #333;
106 | BORDER-COLOR: #333333;
107 | BACKGROUND-COLOR: #191919;;
108 | color: #FFF;
109 | }
110 | textarea {
111 | border			: dashed 2px #333;
112 | BACKGROUND-COLOR: Black;
113 | font: Fixedsys bold;
114 | color: #999;
115 | }
116 | A:link {
117 | border: 1px;
118 | 	COLOR: red; TEXT-DECORATION: none
119 | }
120 | A:visited {
121 | 	COLOR: red; TEXT-DECORATION: none
122 | }
123 | A:hover {
124 | 	color: White; TEXT-DECORATION: none
125 | }
126 | A:active {
127 | 	color: white; TEXT-DECORATION: none
128 | }
129 | 
130 | .download {
131 |    margin: 0;
132 |    border:0px;
133 |    background:#C0C0C0;
134 |    width:110px;
135 |    height:30px;
136 |    
137 |    margin:0px;
138 |    -webkit-border-radius: 0px;
139 |    -moz-border-radius: 0px;
140 |    border-radius: 6px;
141 |    border-bottom: 1px solid black;
142 |    color: #28597a;
143 |    font-size: 20px;
144 |    font-family: Georgia, serif;
145 |    text-decoration: none;
146 |    vertical-align: left;
147 |    align:left;
148 |    }
149 | 
150 | </STYLE>
151 | <script type="text/javascript">
152 | <!--
153 |     function lhook(id) {
154 |        var e = document.getElementById(id);
155 |        if(e.style.display == \'block\')
156 |           e.style.display = \'none\';
157 |        else
158 |           e.style.display = \'block\';
159 |     }
160 | //-->
161 | </script>
162 | '; 
163 | 
164 | echo $head ;
165 | 
166 | echo '
167 | <table width="100%" cellspacing="0" cellpadding="0" class="tb1" style="opacity: 0.7;border:0px;" >
168 | 			
169 |        <td width="100%" align=center valign="top" rowspan="1">
170 | 	   <font color=#ff9933 size="-2"> 
171 |         ##########################################</font><font color=white size="-2">#############################################</font><font color=green size="-2">#############################################</font><br>
172 |            <font color=white size=5 face="comic sans ms"><b>--==[[ Local File disclosure using SQL Injection ]]==--</font><br>
173 | 		   <font color=#ff9933 size=5 face="comic sans ms"><b>--==[[ </font><font color=white size=5 face="comic sans ms"><b>With Love From Team IndiShell </font><font color=green size=5 face="comic sans ms"><b>]]==--</font>
174 | 		   <div class="hedr"> 
175 |         <td height="10" align="left" class="td1"></td></tr><tr><td 
176 |         width="100%" align="center" valign="top" rowspan="1">
177 | 		<font color=#ff9933 size="-2"> 
178 |         ##########################################</font><font color=white size="-2">#############################################</font><font color=green size="-2">#############################################</font><br>
179 | 		<font 
180 |         color="red" face="comic sans ms"size="1">
181 |         
182 | 						
183 |           
184 |        </table> 
185 | '; 
186 | ?>


--------------------------------------------------------------------------------
/index.php:
--------------------------------------------------------------------------------
  1 | <?php 
  2 | function file_download($download)
  3 | {
  4 | 	if(file_exists($download))
  5 | 				{
  6 | 					header("Content-Description: File Transfer"); 
  7 | 					
  8 | 					header('Content-Transfer-Encoding: binary');
  9 | 					header('Expires: 0');
 10 | 					header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
 11 | 					header('Pragma: public');
 12 | 					header('Accept-Ranges: bytes');
 13 | 					header('Content-Disposition: attachment; filename="'.basename($download).'"'); 
 14 | 					header('Content-Length: ' . filesize($download));
 15 | 					header('Content-Type: application/octet-stream'); 
 16 | 					ob_clean();
 17 | 					flush();
 18 | 					readfile ($download);
 19 | 				}
 20 | 				else
 21 | 				{
 22 | 				echo "<script>alert('file not found');</script>";	
 23 | 				}
 24 | 	
 25 | }
 26 | 
 27 | $conn = mysqli_connect("127.0.0.1","dsqli","icadsqli","dsqli");
 28 | 
 29 | if(isset($_POST['image_download']))
 30 | {
 31 | 
 32 | $news="select * from download where id=".$_POST['image'];
 33 | if($result = mysqli_query($conn, $news)){
 34 |         while($row = mysqli_fetch_assoc($result)) 
 35 | 			{
 36 | 				$file=$row['location'];
 37 | 			file_download($file);
 38 | 
 39 | 			}
 40 |         }
 41 | 
 42 | 
 43 | else {
 44 | 	echo "something went wrong";
 45 | 	}
 46 | }
 47 | 
 48 | include('head.php');
 49 | 
 50 | 
 51 | 
 52 | 
 53 | 
 54 | 		echo '<div id="left"><div class="main"><table align=center  cellspacing="0" cellpadding="0" style="border-collapse: collapse;border:0px;">
 55 | 		<tr>
 56 | 		<form method=post action="index.php">
 57 | 		<td align=right style="padding:0px; border:0px; margin:0px;">
 58 | 				<input type=submit name=home value="Home" class="side-pan">
 59 | 		</td>
 60 | 		<td  align=right style="padding:0px; border:0px; margin:0px;" >
 61 | 				<input type=submit name=downloads value="Downloads" class="side-pan">
 62 | 		</td>
 63 | 		
 64 | 		<td  align=left style="padding:0px; border-width:0px; margin:0px;">
 65 | 				<input type=submit name=us value="Who we are" class="side-pan">
 66 | 		</td>
 67 | 				</form></tr></table></div></div>
 68 | 				<div id="right"></div><div align=center>';	
 69 | 
 70 | if(isset($_POST['home']))
 71 | {
 72 | 	
 73 | 	echo '<br><br><font size=5>This Lab is just to demonstrate how SQL Injection can be exploited to perform local file disclosure <br>if application if allowing user to download files on the basis of vulnerable SQL query';
 74 | 	
 75 | }
 76 | 
 77 | if(isset($_POST['downloads']))
 78 | {
 79 | 	
 80 | 	echo '
 81 |    <table width="40%" cellspacing="0" cellpadding="0" class="tb1" style="opacity: 0.6;">
 82 |    <tr><td width="20%" align=center style="padding: 10px;" >Serial Number</td><td width="30%" align=center style="padding: 10px;">Image name</td><td width="30%" align=center style="padding: 10px;">Image Link</td><td width="30%" align=center style="padding: 10px;">Download</td></tr></table>
 83 |    <table width="40%" cellspacing="0" cellpadding="0" class="tb1" style="margin:10px 2px 10px;opacity: 0.6;" >
 84 |    ';
 85 |     $run='select * from download';
 86 |     $result = mysqli_query($conn, $run);
 87 | 	
 88 |         if (mysqli_num_rows($result) > 0) 
 89 | 		{
 90 | 			
 91 |                 while($row = mysqli_fetch_assoc($result)) 
 92 | 					{
 93 |                        echo '<tr><td width="20%" align=center style="padding: 10px;" >'.$row['id'].'</td><td width="40%" align=center style="padding: 10px;">'.$row['image_name'].'</td><td width="40%" align=center style="padding: 10px;"><a href="'.$row['location'].'" target="_blank">Open Image</a></td><td width="30%" align=center style="padding: 10px;"><form method=post STYLE="margin: 0px; padding: 0px;"><input type=hidden name=image value="'.$row['id'].'"><input  type=submit class=download name=image_download value="Download"></form></td></tr>';
 94 | 					}
 95 |         }
 96 | 		echo '</table>';
 97 |    
 98 | 	
 99 | }
100 | 
101 | 
102 | 				
103 | if(isset($_POST['us']))
104 | 	{
105 | 		echo '
106 | <table width="100%" cellspacing="0" cellpadding="0" class="tb1" style=" border:0px;background-color: #191919; opacity: 0.6;" >
107 | 			
108 |        <tr><td 
109 |         align="center"><img src="images/who.jpg"></td><td 
110 |          align="center" valign="top" rowspan="1"><font 
111 |         color="red" face="comic sans ms"size="1"><br><font color=white >
112 |         --==[[Greetz to]]==--</font><br> <font color=#ff9933>Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba ,Silent poison India,Magnum sniper,ethicalnoob Indishell,Local root indishell,Irfninja indishell<br>Reborn India,L0rd Crus4d3r,cool toad,Hackuin,Alicks,Gujjar PCP,Bikash,Dinelson Amine,Th3 D3str0yer,SKSking,rad paul,Godzila,mike waals,zoo zoo,cyber warrior,shafoon, Rehan manzoor<br>cyber gladiator,7he Cre4t0r,Cyber Ace, Golden boy INDIA,Ketan Singh,Yash,Aneesh Dogra,AR AR,saad abbasi,hero,Minhal Mehdi ,Raj bhai ji , Hacking queen ,lovetherisk and rest of TEAM INDISHELL<br>
113 | <font color=white>--==[[Love to]]==--</font><br># My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,Gujjar PCP,
114 | Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Jagriti,Salty, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)<br><br>
115 | 
116 |        
117 | 						
118 |            </table>
119 |        </table> 
120 | '; 
121 | 
122 | 	}	
123 | 								
124 | 				
125 | 
126 | ?>
127 | 
128 | 


--------------------------------------------------------------------------------