Recently I started a pentest of a web server running Fedora with SquirrelMail, Apache, PHP and MySQL. I found an SQL injection vulnerability, which I quickly tried to explore. I found that MySQL was version 5.0.27 and it was running as root, therefore I was able to use load_file and outfile. I verified too that I have access to information_schema. After I grabbed all the tables, I grabbed some interesting data, usernames and hashes. After this I tried to connect to the web server via the web interface, SSH and MySQL to upload a shell, all without success =(. I tried to outfile a shell to the public var/www directory but I got an error because I don't have permissions, but I verified that I can outfile to /tmp and load_file it with success; this is useless, though, since load_file returns a string and I can't access a shell in the /tmp dir via include vulnerabilities. So I got tired and started thinking of other ways to obtain local access to that machine: I load_file'd httpd.conf to obtain the vhost list and look for login page data of forums or blogs, to later upload a shell. I got some interesting data but unfortunately I don't have permissions on some files, like some pages of vhosts and .htaccess files. This is part of what I got. So, about MySQL, my questions are:

1) I can load_file /etc/passwd and some *.php files but unfortunately I'm unable to load_file some files like .htaccess and the *.php of some vhosts. Does this happen because of those files' permissions or because of file_priv?
2) Since I cannot read all the content of a file, does load_file have a size limit when loading files? How can I bypass this?
3) Is it possible to use outfile when magic_quotes are on? I tried this on other machines using char and hex encoding and none of this worked. Is there any solution for this?
4) To get the tables I used select null,table_name,null from information_schema.tables; what should I use to get the columns?
5) Is it possible to update the content of a field so that later, when the page is displayed, it executes PHP code?

Help will be appreciated, regards.
Use something like this: select+1,column_name,3,4,5+from+information_schema.columns+where+table_name=0xtable_name_in_hex+limit+0,1/*
Thanks for the quick answer =) If possible, clarify the other questions. I discovered that I was unable to outfile due to directory permissions; fortunately I obtained a directory with permissions and this solved my problem. So, if possible, try to give solutions for the other questions. Thanks.
It is definitely related to the file permissions; as a rule, if file_priv is turned on, only file permissions restrict an attacker.

Yes, load_file has a size limit, which is defined by the max_allowed_packet variable. More info: LOAD_FILE, max_allowed_packet.

Unfortunately, it is not possible: INTO OUTFILE accepts only a value between quotes. More info: INTO OUTFILE.

It depends on the particular web application. If it is prone to a PHP include vulnerability, so that the web app gets data from the database and executes it, then you can modify some fields and as a result you'll get a web shell. However, that is a very rare situation. It happens much more often when you have an SQL injection where one of the columns is supposed to be opened as a file, and sometimes to be included as a script. The latter is also rare.
No, that won't work; as I've already said, INTO OUTFILE requires the quotes. And why do you use CONCAT after WHERE? You should just use the sequence of ASCII codes in the CHAR() function, i.e. CHAR(39,97,100,109,105,110,39)
Look, I just quoted that text from here: forum.antichat.ru/thread61678-mysql+cheat.html, so it is definitely wrong.
The author of that thread wanted to say that the material given in it didn't correspond to the facts. You could guess this idea if you knew Russian =)
Sometimes this is possible. I described it here: http://forum.antichat.ru/showpost.php?p=663815&postcount=39 This is a script for convenience: http://forum.antichat.ru/showpost.php?p=685943&postcount=54
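The whole thread turns on a handful of MySQL injection patterns that show up verbatim in a web server's access log: information_schema.tables / information_schema.columns enumeration, LOAD_FILE(), INTO OUTFILE, CHAR() sequences and 0x hex literals used to get around quoting. Added example (not code from this thread or from the antichat posts): a small Python scanner that URL-decodes each request and flags those patterns, so the defender can see the reconnaissance described above as it happens. The Apache combined-log lines, the IPs, the rule names and the table name encoded as 0x7573657273 are all constructed for the example.

```python
"""Flag MySQL-injection reconnaissance patterns in web-server access logs.

Added example; the sample log lines below are constructed, not taken from a real server.
"""
import re
from urllib.parse import unquote_plus

# Each rule is (name, regex); rules run against the URL-decoded, lower-cased request.
# The patterns mirror the techniques discussed in the thread.
RULES = [
    ("information_schema", re.compile(r"information_schema\.(tables|columns)")),
    ("load_file",          re.compile(r"load_file\s*\(")),
    ("into_outfile",       re.compile(r"into\s+(out|dump)file")),
    ("union_select",       re.compile(r"union\s+(all\s+)?select")),
    ("char_encoding",      re.compile(r"char\s*\(\s*\d+(\s*,\s*\d+)+\s*\)")),
    ("hex_literal",        re.compile(r"=\s*0x[0-9a-f]{2,}")),
]

# Apache "combined"-style line: ip ident user [timestamp] "METHOD url PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)


def decode(url):
    """URL-decode twice (to catch %2527-style double encoding) and lower-case."""
    return unquote_plus(unquote_plus(url)).lower()


def classify(url):
    """Return the names of every rule that matches the request URL (empty list if clean)."""
    text = decode(url)
    return [name for name, rx in RULES if rx.search(text)]


def scan(lines):
    """Return (ip, url, matched_rules) for each parseable log line that trips a rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        tags = classify(m.group("url"))
        if tags:
            hits.append((m.group("ip"), m.group("url"), tags))
    return hits


# Constructed sample: one benign request, then the enumeration steps from the thread.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2008:10:01:02 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Mar/2008:10:01:05 +0000] "GET /index.php?id=1+union+select+null,table_name,null+from+information_schema.tables/* HTTP/1.1" 200 9812',
    '10.0.0.9 - - [12/Mar/2008:10:01:09 +0000] "GET /index.php?id=1+union+select+1,column_name,3+from+information_schema.columns+where+table_name=0x7573657273+limit+0,1/* HTTP/1.1" 200 701',
    '10.0.0.9 - - [12/Mar/2008:10:01:15 +0000] "GET /index.php?id=1+union+select+load_file(char(47,101,116,99,47,112,97,115,115,119,100)),2,3/* HTTP/1.1" 200 3300',
    '10.0.0.9 - - [12/Mar/2008:10:01:20 +0000] "GET /index.php?id=1+union+select+%27x%27,2,3+into+outfile+%27/tmp/x.txt%27/* HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for ip, url, tags in scan(SAMPLE_LOG):
        print(f"{ip} {','.join(tags)} {url}")
```

The scanner is a triage aid, not a blocker: it catches the hand-typed style of injection seen in this thread, and a determined attacker can vary the encoding further. The fixes the thread itself points at are on the server side: the application's query should be parameterised rather than built from the id parameter, the MySQL account the web application uses should not hold the FILE privilege (the file_priv discussed above), and mysqld should not run as root, so that file permissions and directory permissions actually limit what LOAD_FILE and INTO OUTFILE can reach.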