Advanced SQL Injections with LoadFile and Outfile


If you already know the MySQL basics, this post will be useful to you.

Today we will discuss SQL injection with LOAD_FILE() and INTO OUTFILE.

Let's understand the basics first:

LOAD_FILE(): reads a file from the database server's filesystem and returns its contents to the client as a single string, so the file contents end up displayed on the page.

INTO OUTFILE: writes the rows of the result set to a file, and accepts column and row terminators to specify a particular output format. The file is created on the server host, so you must hold the FILE privilege to use this syntax. The file to be written must not already exist, which among other things prevents files such as /etc/passwd and database table files from being destroyed.

Now for the practical part.

If you are using the MySQL injection method against a website, then before you look for the target tables and columns, check whether you have access to the mysql.user table. To do this, replace one visible column in the URL (i.e. a number that is shown on the page) with the string user, so that a user name is displayed.

Let's take an example:
http://xyz.com/index.php?id=-1+union+all+select+1,user,3,4+from+mysql.user--
In our example, column 2 is the one visible on the vulnerable page.

If the page shows a user name in the place where that visible column normally appears, good: you have access to the mysql.user table and can continue with this tutorial. Make a note of the user name you have seen; you will need it again.

In our example that is the case (we have access to the mysql.user table), so we can continue and check whether we have the FILE privilege. Now replace user in the URL with the string group_concat(user,0x3a,file_priv) to check whether you have the FILE privilege on the vulnerable site.

Here is our example:
http://xyz.com/index.php?id=-1+union+all+select+1,group_concat(user,0x3a,file_priv),3,4+from+mysql.user--

In the place where the visible column is shown, the page now lists users and their file privileges in the format user name:file privilege, separated by commas. Find the user name you noted earlier and look at the value next to it: Y means yes, you have the FILE privilege and can continue with this tutorial; N means no, you do not have it.
In our example we have the FILE privilege, of course: "…, our user:Y, …".
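The same file_priv column that the query above enumerates is what a defender should audit from the other side. The following is an added example, not code from the original post: it works on rows in the shape of SELECT user, host, file_priv FROM mysql.user and on the value of the secure_file_priv server variable, flags accounts that hold FILE but are not on an allowlist, and builds the REVOKE statement a DBA would run. The sample rows and the allowlist are constructed for the example.

```python
"""Audit which MySQL accounts hold the global FILE privilege.

Added example, not part of the original post. The rows below are
constructed; on a real server they would come from
    SELECT user, host, file_priv FROM mysql.user;
and the variable from
    SHOW VARIABLES LIKE 'secure_file_priv';
"""
from dataclasses import dataclass

# Constructed sample rows (user, host, file_priv).
SAMPLE_USER_ROWS = [
    ("root", "localhost", "Y"),
    ("webapp", "%", "Y"),        # web application account: should not have FILE
    ("backup", "localhost", "Y"),
    ("readonly", "10.0.0.%", "N"),
]

# Constructed allowlist: accounts that are expected to hold FILE.
ALLOWLIST = {("root", "localhost"), ("backup", "localhost")}


@dataclass
class Finding:
    user: str
    host: str
    reason: str


def accounts_with_file_priv(rows):
    """Return the (user, host) pairs whose file_priv column is 'Y'."""
    return [(u, h) for u, h, fp in rows if fp.upper() == "Y"]


def audit_file_priv(rows, allowlist=ALLOWLIST):
    """Flag every account holding FILE that is not on the allowlist."""
    findings = []
    for user, host in accounts_with_file_priv(rows):
        if (user, host) not in allowlist:
            findings.append(Finding(
                user, host,
                "holds FILE privilege; LOAD_FILE()/INTO OUTFILE possible"))
    return findings


def audit_secure_file_priv(value):
    """Classify the secure_file_priv setting.

    NULL disables LOAD_FILE()/INTO OUTFILE entirely, an empty string
    allows any path the mysqld process can reach, and a directory
    restricts file operations to that directory.
    """
    if value is None or value.upper() == "NULL":
        return "disabled"
    if value == "":
        return "unrestricted"
    return "restricted"


def revoke_statement(user, host):
    """Build the REVOKE statement that removes FILE from an account."""
    # FILE is a global privilege, so it is revoked ON *.*; escape quotes
    # in the identifiers because they come straight from mysql.user.
    def q(s):
        return s.replace("\\", "\\\\").replace("'", "\\'")
    return f"REVOKE FILE ON *.* FROM '{q(user)}'@'{q(host)}';"


if __name__ == "__main__":
    for f in audit_file_priv(SAMPLE_USER_ROWS):
        print(f"{f.user}@{f.host}: {f.reason}")
        print("  fix:", revoke_statement(f.user, f.host))
    print("secure_file_priv:", audit_secure_file_priv(""))
```

Run against the constructed rows, the only finding is the webapp account, and the empty secure_file_priv value is reported as unrestricted. Revoking FILE from application accounts and setting secure_file_priv to NULL or to a dedicated directory are the two server-side controls that stop both techniques in this post regardless of whether an injection exists.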

LOAD_FILE() is useful when you want to read configuration or other files from the server (similar to LFI, Local File Inclusion), e.g. /etc/passwd, /etc/shadow, etc.

The syntax is: load_file('FILE')

Here is our example, reading the /etc/passwd file:
http://xyz.com/index.php?id=-1+union+all+select+1,load_file('/etc/passwd'),3,4+from+mysql.user--
In the place of column 2, the page will show the contents of /etc/passwd.

Note 1: ../ means move up one directory.

Note 2: If you get an error when you try to read a file, the site has magic quotes enabled (it escapes ' characters with a backslash), so you have to avoid the quotes by converting the file name (i.e. the string) to hex or to char() and then removing the ' characters:

For hex: always put 0x directly before the hex string (no space between them), and the final string must not contain any spaces.

Example (load /etc/passwd): load_file(0x2f6574632f706173737764)

For char: the usage is char(NUMBERS,NUMBERS,NUMBERS,…)

If you convert the string to char codes and the converted text contains spaces between the numbers, you must replace all those spaces with commas. Example (load /etc/passwd):

load_file(char(47,101,116,99,47,112,97,115,115,119,100))

By the way, here is one converter:

http://home2.paulschou.net/tools/xlate/

That's all for the LOAD_FILE() syntax.

Using the INTO OUTFILE syntax

INTO OUTFILE is useful when you want to write a file on the vulnerable server, e.g. to create a simple PHP file that is vulnerable to RFI (Remote File Inclusion) and then exploit that hole…

The syntax is: INTO OUTFILE 'FILE'

Note 1: This clause must always be at the end of the query (just like the FROM table). Ex. …+INTO+OUTFILE+'/FILE'--
To write your text into a file on the vulnerable server, replace one visible column in the URL (i.e. a number that is shown on the page) with the text to be written, in quotes…

Let's see our example: we want to write the text "testing" to the file test.txt on the vulnerable server, in the site directory:
http://xyz.com/index.php?id=-1+union+all+select+1,"testing",3,4+INTO+OUTFILE+'/home/xyz/www/test.txt'--

Note 2: If you have two or more visible columns (i.e. numbers that are shown on the vulnerable page), you have to replace the other visible column numbers in the URL with the word null. (If you don't, those numbers will be written into your file together with your text.)
In our example the visible columns are 2 and 3, so we must do the replacement:
http://xyz.com/index.php?id=-1+union+all+select+1,"testing",null,4+INTO+OUTFILE+'/home/xyz/www/test.txt'--
If the page then loads normally (without any errors), the file has been created on the vulnerable server, and its location will be: http://xyz.com/test.txt

Note 3: If you want a line break (Return/Enter) in the text to be written to your file, type the text in the converter and convert it to hex or char…

Note 4: You must write the file into the site's path, otherwise the INTO OUTFILE syntax won't work.

Note 5: If the page shows a blank (i.e. an error) where your text should appear, the site has magic quotes enabled (it escapes ' characters with a backslash), and you have to avoid that by converting the text to hex or char and then removing the ' characters; see the explanation and the link to the converter at the end of the LOAD_FILE() section above.

Warning: Don't convert the file name into hex or char, otherwise it won't work (this applies only to the INTO OUTFILE syntax). And if the vulnerable site has magic quotes enabled, the INTO OUTFILE syntax will not work at all.

That’s all for Into OutFile syntax.
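From the defender's side, the hex and char() encodings described in Note 2 of the LOAD_FILE() section and Note 5 above are exactly what a log-based detector has to undo before it can see which file was read or written. The following is an added example, not code from the original post: it scans web-server access-log lines, URL-decodes the query string, replaces 0x… literals and char(…) calls with the string they encode, and then matches the decoded query against signatures for LOAD_FILE(), INTO OUTFILE/DUMPFILE and mysql.user/file_priv enumeration. The log lines are constructed for the example and mirror the URLs used in this post; the signature list is an assumption, not a complete rule set.

```python
"""Detect LOAD_FILE() / INTO OUTFILE injection attempts in access logs.

Added example, not part of the original post. Sample log lines are
constructed; the signatures are illustrative, not exhaustive.
"""
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined-log style).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?id=7 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?id=-1+union+all+select+1,load_file(0x2f6574632f706173737764),3,4+from+mysql.user-- HTTP/1.1" 200 812
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?id=-1+union+all+select+1,load_file(char(47,101,116,99,47,112,97,115,115,119,100)),3,4-- HTTP/1.1" 200 812
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?id=-1+union+all+select+1,%22testing%22,null,4+INTO+OUTFILE+%27/home/xyz/www/test.txt%27-- HTTP/1.1" 200 40
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?id=-1+union+all+select+1,group_concat(user,0x3a,file_priv),3,4+from+mysql.user-- HTTP/1.1" 200 640
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/')
HEX_RE = re.compile(r"0x(?:[0-9a-fA-F]{2})+")          # 0x2f65... literal
CHAR_RE = re.compile(r"char\(([0-9,\s]+)\)", re.IGNORECASE)  # char(47,101,...)

# Signature name -> pattern applied to the decoded query string.
SIGNATURES = [
    ("load_file", re.compile(r"load_file\s*\(", re.IGNORECASE)),
    ("into_outfile", re.compile(r"into\s+(?:outfile|dumpfile)", re.IGNORECASE)),
    ("file_priv_enum", re.compile(r"file_priv|mysql\.user", re.IGNORECASE)),
]
# Pulls the quoted path out of load_file('...') or INTO OUTFILE '...'.
FILE_ARG_RE = re.compile(
    r"(?:load_file\s*\(|outfile\s+|dumpfile\s+)'([^']*)'", re.IGNORECASE)


def decode_hex_literal(m):
    """0x2f657463 -> '/etc' (wrapped in quotes so later regexes see a string)."""
    return "'" + bytes.fromhex(m.group(0)[2:]).decode("latin-1") + "'"


def decode_char_call(m):
    """char(47,101,116,99) -> '/etc' (same quoting convention)."""
    codes = [int(n) for n in m.group(1).replace(" ", "").split(",") if n]
    return "'" + "".join(chr(c) for c in codes) + "'"


def normalize(query):
    """URL-decode the query and undo the hex / char() encodings."""
    text = unquote_plus(query)
    text = HEX_RE.sub(decode_hex_literal, text)
    text = CHAR_RE.sub(decode_char_call, text)
    return text


def analyze_line(line):
    """Return an alert dict for a suspicious request line, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    query = m.group("path").partition("?")[2]
    decoded = normalize(query)
    hits = [name for name, rx in SIGNATURES if rx.search(decoded)]
    if not hits:
        return None
    return {
        "ip": line.split(" ", 1)[0],
        "rules": hits,
        "files": FILE_ARG_RE.findall(decoded),  # decoded paths, if any
        "decoded": decoded,
    }


def scan_log(text):
    """Run analyze_line over every line and keep the alerts."""
    return [a for a in (analyze_line(l) for l in text.splitlines()) if a]


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ip"], alert["rules"], alert["files"])
```

The decode step is what makes the alert actionable: instead of an opaque 0x2f6574632f706173737764 the analyst sees /etc/passwd, and the INTO OUTFILE alert carries the exact path that now needs to be checked on the web server's filesystem. A detector that only matched the literal string '/etc/passwd' would miss both encoded variants from this post.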

Thanks for visiting us. Join certcube Labs for professional cybersecurity training & IT Security Services.

