Local File Inclusion using SQL Injection

One of the many possible outcomes of a SQL injection attack is the extraction of sensitive data from the web server.

A very common example is the following. Assume that you have found a SQL injection on a site hosted on a GNU/Linux system. We want to extract the contents of the passwd file and the shadow file so as to obtain all users of the system and their encrypted passwords. Once the passwords have been brute-forced with John the Ripper (see the article on cracking Linux passwords with John the Ripper), this will be useful to access the system via FTP/SSH with root privileges, or to access the MySQL database and modify its contents.

There are certainly many possibilities, but for now let us focus on this example.

Our vulnerable page consists of:

http://website.com/news.php?id=10

Our SQL injection turns out to be the following:

http://website.com/news.php?id=-10+union+all+select+1,2,3,4,5--

The columns displayed in output will be 3 and 5. We will work on 3.

If the administrator has not set the appropriate restrictions on the web server, it is sufficient to use the MySQL load_file() function to extract the contents, provided that the correct path of the file is known.

The passwd file is located at /etc/passwd.

The first thing to do is convert the string /etc/passwd using the MySQL CHAR() function.

/etc/passwd = CHAR(47, 101, 116, 99, 47, 112, 97, 115, 115, 119, 100)

Our SQL injection will be as follows:

http://website.com/news.php?id=-10+union+all+select+1,2,load_file(CHAR(47, 101, 116, 99, 47, 112, 97, 115, 115, 119, 100)),4,5--

If all goes well, the contents of the passwd file will be displayed.

Note: it is very likely that the shadow file will not be readable, because of the restrictions the system applies by default. But there are many other interesting files that can be exploited, such as log files, or even files containing database access data (see for example WordPress or Joomla).
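Seen from the defender's side, the requests above leave a recognizable trace in the web server's access log, even when the path is hidden inside CHAR(). The following is an added example, not part of the original post: it URL-decodes each query parameter, evaluates CHAR() calls back into strings, and reports the file passed to load_file(). The log lines are constructed and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (documentation IP range); the requests mirror the article's URLs.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /news.php?id=10 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] '
    '"GET /news.php?id=-10+union+all+select+1,2,3,4,5-- HTTP/1.1" 200 4980',
    '203.0.113.7 - - [10/Oct/2023:13:57:41 +0000] '
    '"GET /news.php?id=-10+union+all+select+1,2,load_file(CHAR(47,%20101,%20116,%2099,'
    '%2047,%20112,%2097,%20115,%20115,%20119%20,%20100)),4,5-- HTTP/1.1" 200 6210',
]

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
CHAR_CALL = re.compile(r'\bchar\s*\(\s*([\d\s,]+?)\s*\)', re.I)
LOAD_FILE = re.compile(r"\bload_file\s*\(\s*'([^']*)'", re.I)
UNION_SELECT = re.compile(r'\bunion\s+(?:all\s+)?select\b', re.I)


def decode_char_calls(value):
    """Replace each CHAR(n, n, ...) call with the quoted string it evaluates to."""
    def repl(match):
        codes = [int(n) for n in re.findall(r'\d+', match.group(1))]
        # Only single-byte codes are decoded; anything else becomes '?'.
        return "'" + ''.join(chr(c) if c < 256 else '?' for c in codes) + "'"
    return CHAR_CALL.sub(repl, value)


def inspect_line(line):
    """Return a finding dict for one access-log line, or None if it looks clean."""
    request = REQUEST.search(line)
    if not request:
        return None
    query = urlsplit(request.group(1)).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = decode_char_calls(value)  # parse_qsl already undid + and %xx
        hit = LOAD_FILE.search(decoded)
        if hit:
            return {"param": name, "rule": "load_file", "path": hit.group(1)}
        if UNION_SELECT.search(decoded):
            return {"param": name, "rule": "union_select", "path": None}
    return None


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(inspect_line(entry))
```

Detection of this kind is secondary to prevention: a parameterized query for the id parameter removes the injection itself, and a MySQL account for the web application that lacks the FILE privilege (with secure_file_priv limiting the readable directories) makes load_file() return nothing useful whatever encoding is used.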

Imagination and experience will always be your friends; do not forget it.

Enjoy and stay safe. D3x3
