Monday, June 25, 2012

SQLI-LABS SERIES PART-10

In the last posts we discussed about different types of SQL injections: (Click the links to follow)
Today we will take it further and discuss the use of outfile function or dumpfile function.

CAUTION: This is for educational purposes only, please do not use the skills you gain from following the video lessons, blog to harm or test sites on the internet for whom you do not have permissions. Doing so is illegal. I do not support these sort of activities and would advice you all to stay away from the same... If you do so you are solely responsible for your actions, you have been warned.

USING THE OUTFILE/DUMPFILE

Well if the connection user which is configured to run the queries to the back-end DB has the privileges to write to file system (webroot of server or any other folder under it), then in that case, we can build queries and use the inbuilt function called outfile or dumpfile.
example query: select * from table into outfile "path-to-file/filename"
There are two functions which can be used in this case, outfile and dumpfile. With dumpfile, it dumps only one row without any formatting details. This is specially important if you are playing with binary data. The outfile preserves the formatting, carriage returns, etc and dumps multiple rows.
To practice this you can follow the Less-7 from the labs.


same way we can use mysql to read files from the file system. for that we can use the function called load_file(). By default we cannot execute system commands through mysql, but if mysql is misconfigured, then can lead to upload of User Defined Functions which can lead to a complete compromise of server.
example injection may look like:
' union select 1,load_file("/etc/passwd"),3 into dumpfile "/var/www/test.txt"


Less -7 Line number 31
$sql="SELECT * FROM users WHERE id=(('$id')) LIMIT 0,1";
1'))+or+1=1--+  -- Basic injection to detect sqli

No comments:

Post a Comment