54 SQL Injection Database User Privileges Reading Files Database Part 12

General / General Programming 39 views 22/09/2022

Description

Reading files

In addition to collecting data from various tables and databases within the DBMS, SQL injection can be leveraged to perform many other operations, such as reading and writing files on the server and even achieving remote code execution on the backend server.

Permissions

Reading data is much more common than writing data, which is reserved exclusively for privileged users in modern DBMSs because it can lead to system exploitation, as we will see. For example, in MySQL, a DB user must have the FILE privilege to load the contents of a file into a table and then dump data from that table and read files. So, let's start by gathering data about our user's database permissions to decide whether we can read and/or write files on the backend.

DB user

First, we need to determine which user we are inside the database. While we don't necessarily need database administrator (DBA) privileges to read data, this is increasingly required in modern DBMSs, as only DBAs are granted such privileges. The same applies to other common databases. If we have DBA privileges, it is much more likely that we have file read privileges. If not, we need to check our permissions to see what we can do.

To find our current user in the DB, we can use any of the following queries:

SELECT USER()
SELECT CURRENT_USER()
SELECT user from mysql.user

Injection code:

admin' UNION SELECT 1, user(), 3, 4 -- -

Or:

admin' UNION SELECT 1, user, 3, 4 from mysql.user -- -

User permissions

Now that we know our user, we can start looking at what permissions that user has. First of all, we can check whether we have super admin privileges with the following query:

SELECT SUPER_PRIV, user FROM mysql.user

admin' UNION SELECT USER, super_priv, 3, 4 FROM mysql.user -- -

The query returns Y, which means YES, indicating superuser privileges.

LOAD_FILE

Now that we know we have enough permissions to read local system files, let's do this using the LOAD_FILE() function. The LOAD_FILE() function can be used in MariaDB / MySQL to read data from files. The function takes only one argument, which is the file name. The following query is an example of how to read the /etc/passwd file:

SELECT LOAD_FILE('/etc/passwd');

admin' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4-- -
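From the defender's side, the same FILE and SUPER privileges can be audited before an injectable query ever meets them. The following is an added example, not part of the original description: it parses SHOW GRANTS output and classifies each account's LOAD_FILE() exposure. The account names and grant lines are constructed, and the secure_file_priv handling assumes the behaviour described in the MySQL documentation (NULL disables file import and export, an empty value means no directory restriction).

```python
import re

# One line of SHOW GRANTS output (MySQL 5.7 single quotes or 8.0 backticks).
GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO "
    r"[`'](?P<user>[^`']+)[`']@[`'](?P<host>[^`']*)[`']",
    re.IGNORECASE,
)

def global_privs(grant_lines):
    """Map account -> privileges held at global scope (ON *.*)."""
    accounts = {}
    for line in grant_lines:
        m = GRANT_RE.match(line.strip())
        if not m or m["scope"] != "*.*":
            continue  # FILE and SUPER are global-only privileges
        privs = {p.strip().upper() for p in m["privs"].split(",")}
        accounts.setdefault(f"{m['user']}@{m['host']}", set()).update(privs)
    return accounts

def file_read_exposure(privs, secure_file_priv):
    """Classify LOAD_FILE() exposure. secure_file_priv: None = NULL,
    "" = unrestricted, otherwise the only directory files may be read from."""
    if not ({"FILE", "ALL PRIVILEGES"} & privs):
        return "none"
    if secure_file_priv is None:
        return "disabled-by-server"
    return "any-readable-file" if secure_file_priv == "" else "directory-only"

def audit(grant_lines, secure_file_priv):
    """Return {account: (file exposure, has SUPER)} for every account seen."""
    return {
        acct: (file_read_exposure(p, secure_file_priv),
               bool({"SUPER", "ALL PRIVILEGES"} & p))
        for acct, p in global_privs(grant_lines).items()
    }

# Constructed sample: SHOW GRANTS output for three hypothetical accounts.
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO `root`@`localhost` WITH GRANT OPTION",
    "GRANT SELECT, FILE ON *.* TO `webapp`@`%`",
    "GRANT SELECT, INSERT ON `shop`.* TO `webapp`@`%`",
    "GRANT USAGE ON *.* TO `report`@`10.0.0.5`",
    "GRANT SELECT ON `shop`.`orders` TO `report`@`10.0.0.5`",
]

if __name__ == "__main__":
    for acct, (exposure, is_super) in audit(SAMPLE_GRANTS, "").items():
        print(f"{acct:22} LOAD_FILE={exposure:18} SUPER={is_super}")
```

An application account that shows anything other than "none" is the finding to act on: a web application's database user rarely needs FILE, and revoking it removes the file-read path described above even if an injection remains.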

#Web School 26