Saturday, March 24, 2012

SQL Injection Using MySQL LOAD_FILE() and INTO OUTFILE()

SQL injection is one of the most chronic threats in websites today. There are many kinds of SQL injection techniques like the use of union statements, order by statements, LOAD_FILE(), INTO OUTFILE(), INFORMATION_SCHEMA, Char(), CAST(), and LIMIT. Most attackers are just into using the union statements, information_schema and order by statements and neglecting some of the techniques just for the sake of getting the username and the password of the website administrator. Just like this:

' union select 1,username,password,4 from users -- -

But just because some attackers don't use the other techniques doesn't mean you are safe from other attackers. All right let's get to the point, in this article let's discuss about the some possible things we can by using the LOAD_FILE() and INTO OUTFILE() functions partnered with union select statements.

MySQL LOAD_FILE() reads the file and returns the file contents as a string

SYNTAX : LOAD_FILE(file_name) /* file_name should be a name of a file appended with a path. */

Ohw wait?! Path? Yes you read me right! In that case an attacker could possibly do a directory traversal just like the Local File Inclusion (LFI) attack.

Suppose we found out the number of columns, then we should execute the union select query together with the syntax of the LOAD_FILE() function to achieve the attack vector. In this example we are

' union select 1,load_file('/etc/passwd'),3,4 -- -

Thus, its is very dangerous because if an attacker gets to see the encrypted actual passwords of a user's account under /etc/shadow because he /she may try to crack it. For the detailed information about directory traversal, you can check out my previous article about Local File Inclusion 101.

Next up, the INTO OUTFILE () Function. By using this kind of function, it allows attacker to create a file on a specified path after the syntax INTO OUTFILE '.

Take for example this:

' union select 1,'shipcode was here',3,4 into outfile '/tmp/lol.txt' -- -


 ' union select null,'shipcode was here',null,null into outfile '/tmp/lolz.txt' -- -

So in case /var/www/ is writable then the attacker should be able to append a PHP system call into an injection, and writes the query into an outfile.

About the Contributor:
Shipcode is a prolific blogger of ROOTCON and at the same time an InfoSec enthusiast from Cebu. He was inspired to join ROOTCON as part of the core team to share his knowledge in information security.  He encourages other like minded individuals to come forward and share their knowledge through blogging right here at ROOTCON Blog section.

ROOTCON is managed by like minded InfoSec professionals across the Philippines.  All rights reserved. Designated trademarks, brands and articles are the property of their respective owners.