Detailed explanation of outfile, dumpfile, load_file functions in MySQL injection

In the later stages of exploiting a SQL injection vulnerability, the most common approach is to use MySQL's file functions to read sensitive files or write a webshell. The following three are commonly used:

  • into dumpfile()
  • into outfile()
  • load_file()

Our test data this time is as follows

Restrictions on calling functions to read and write files

Because these operations read and write files on the server, whether the functions above execute successfully depends on the secure_file_priv parameter. The official documentation describes it as follows

Translated:

  • When the parameter secure_file_priv is empty, there are no restrictions on import and export.
  • When the value is a specified directory, you can only import and export to the specified directory.
  • When the value is set to NULL, the import and export functions are disabled.

This value can be queried with the command select @@secure_file_priv. Because this parameter cannot be changed dynamically, it can only be modified in the MySQL configuration file, and MySQL must be restarted for the change to take effect.

The difference between dumpfile and outfile

Differences when exporting database data

select ... into outfile

Let's first look at the explanation of these two functions in the MySQL official documentation

There are two notable pitfalls:

  • The outfile function can export multiple rows, while dumpfile can only export one row of data.
  • The outfile function applies a special format conversion when writing data to a file, while dumpfile keeps the original data format.

Next, we look at the details by exporting the test table.

First, export with outfile: select * from test into outfile '/tmp/test.txt'

You can see that all the data is saved in the file /tmp/test.txt and that a line break is automatically added at the end of each row of data.

By looking at the official documentation, you can see that the format can be adjusted using the following parameters

FIELDS ESCAPED BY can be used to escape specified characters, FIELDS [OPTIONALLY] ENCLOSED BY is used to wrap field values, FIELDS TERMINATED BY is used to separate field values.

For example, use the following command: select * from test into outfile '/tmp/test.txt' FIELDS TERMINATED BY ',' OPTIONALLY ENCLOSED BY '"' LINES TERMINATED BY '\n'

The resulting export file is as follows

select ... into dumpfile

Then export with dumpfile, using the command select * from test into dumpfile '/tmp/test.txt'

You can see that when this command is executed, it reports that the output consists of more than one row.

View file contents

It can be seen that there is no line break between the data rows exported by dumpfile and only part of the data is exported

Differences when writing a webshell or a UDF

select ... into outfile

We use the command select 'a\naa\raaaa' into outfile '/tmp/test.txt' to see the result in the common file-writing scenario

You can see that outfile escapes special characters such as \n in the exported content and adds a new line at the end of the file content.

Now let's use the command select 'a\naa\raaaa' into dumpfile '/tmp/test.txt' and take a look

It can be seen that dumpfile writes the file content as it is, without any escaping or additions. This is why we use dumpfile for the DLL file in ordinary UDF privilege escalation
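The byte-level difference described above can be reproduced with a small model. This is an added example, not code from the original article; it is a simplified sketch of MySQL's default export options (tab field separator, backslash escape, newline line terminator), and the function names and the sample bytes are constructed for illustration.

```python
# Simplified model of MySQL's default export format (added example):
# FIELDS TERMINATED BY '\t' ESCAPED BY '\\' and LINES TERMINATED BY '\n'.
ESC, FIELD_SEP, LINE_SEP = b"\\", b"\t", b"\n"

PAGE_VALUE = b"a\naa\raaaa"             # value of the page's 'a\naa\raaaa' literal
BINARY = b"MZ\x90\x00\x03\x00\t\n\\"    # constructed bytes standing in for a binary


def outfile_bytes(rows):
    """Bytes INTO OUTFILE writes for rows of byte-string columns (defaults)."""
    out = bytearray()
    for row in rows:
        cells = []
        for value in row:
            cell = bytearray()
            for b in value:
                ch = bytes([b])
                if ch in (ESC, FIELD_SEP, LINE_SEP):
                    cell += ESC + ch        # prefixed with the escape character
                elif b == 0:
                    cell += ESC + b"0"      # NUL becomes backslash + ASCII '0'
                else:
                    cell += ch
            cells.append(bytes(cell))
        out += FIELD_SEP.join(cells) + LINE_SEP   # terminator after every row
    return bytes(out)


def dumpfile_bytes(rows):
    """Bytes INTO DUMPFILE writes: exactly one row, columns joined, untouched."""
    if len(rows) != 1:
        # MySQL reports an error when the result has more than one row.
        raise ValueError("dumpfile accepts exactly one row")
    return b"".join(rows[0])


def first_divergence(original, written):
    """Index of the first differing byte, or None if the copy is byte-exact."""
    for i, (a, b) in enumerate(zip(original, written)):
        if a != b:
            return i
    if len(original) == len(written):
        return None
    return min(len(original), len(written))


if __name__ == "__main__":
    for name, data in (("page value", PAGE_VALUE), ("binary", BINARY)):
        print(name, "outfile :", outfile_bytes([[data]]))
        print(name, "dumpfile:", dumpfile_bytes([[data]]))
```

Comparing a file found on disk against both outputs helps an investigator tell which statement produced it: a trailing newline and backslash-prefixed control bytes point to outfile, a byte-exact copy to dumpfile.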

Another point to note is that the path after outfile cannot be given as a 0x hex value or as the result of a char conversion; it can only be a single-quoted path. This is more troublesome in PHP injection, because PHP will automatically escape single quotes to \', at which point the write basically fails. With load_file, however, the path can be single-quoted, 0x-encoded, or char-converted, but the slash in the path must be / instead of \
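Because load_file accepts hex and char-encoded paths, a log search for quoted file names alone misses some reads. The following added example (not part of the original article) scans query-log lines for the three primitives and decodes the path argument; the log lines are constructed samples and the function names are hypothetical.

```python
import re

# INTO OUTFILE/DUMPFILE only take a quoted path; LOAD_FILE also accepts a
# 0x hex literal or CHAR(...), so those forms are decoded before reporting.
WRITE_RE = re.compile(r"\binto\s+(outfile|dumpfile)\s+('(?:[^'\\]|\\.)*')", re.I)
READ_RE = re.compile(
    r"\b(load_file)\s*\(\s*(0x[0-9a-f]+|char\s*\([\d\s,]+\)|'(?:[^'\\]|\\.)*')",
    re.I,
)

# Constructed sample lines; a real general query log has extra columns.
SAMPLE_LOG = [
    "SELECT id, name FROM test WHERE id = 1",
    "SELECT * FROM test INTO OUTFILE '/tmp/test.txt'",
    "SELECT LOAD_FILE(0x2f746d702f746573742e747874)",
    "select load_file(char(47,116,109,112,47,116,101,115,116,46,116,120,116))",
    "SELECT 'a' INTO DUMPFILE '/tmp/test.txt'",
]


def decode_path(arg):
    """Turn a quoted, 0x-hex or CHAR() argument back into a readable path."""
    low = arg.lower()
    if low.startswith("0x"):
        digits = arg[2:]
        if len(digits) % 2:
            digits = "0" + digits           # pad odd-length hex literals
        return bytes.fromhex(digits).decode("utf-8", "replace")
    if low.startswith("char"):
        # Values above 255 are truncated to one byte in this sketch.
        codes = bytes(int(n) & 0xFF for n in re.findall(r"\d+", arg))
        return codes.decode("utf-8", "replace")
    return arg[1:-1]                        # strip the surrounding quotes


def scan(lines):
    """Return (line_number, operation, decoded_path) for each file primitive."""
    hits = []
    for number, line in enumerate(lines, 1):
        for rx in (WRITE_RE, READ_RE):
            for op, arg in rx.findall(line):
                hits.append((number, op.lower(), decode_path(arg)))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```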
