MariaDB Read Content of a File

Context

This article explains how the LOAD_FILE function in MariaDB can be exploited through SQL injection to read the contents of files from the server's file system. An understanding of file system permissions and SQL query structure is assumed. The objective is to guide readers on how unauthorized file access is achieved by leveraging vulnerabilities in MariaDB.

Theory

LOAD_FILE Function in MariaDB

The LOAD_FILE function reads a file from the server's file system and returns its content as a string. It takes a file path as its argument and depends on permissions: the calling account needs the FILE privilege, the file must be readable by the database server, and if the secure_file_priv system variable names a directory, the file must be located inside it. When any of these conditions is not met, the function returns NULL. Proper permission settings and secure configurations are paramount, as misuse of this function can lead to information disclosure.

File Reading Vulnerabilities

File reading vulnerabilities occur when SQL injection is exploited to execute the LOAD_FILE function with user-specified paths. These vulnerabilities allow attackers to read sensitive files that should only be accessible by privileged users. By injecting a crafted SQL query, an attacker can call the LOAD_FILE function on an arbitrary file path, gaining unauthorized access to the file's content.

MariaDB Information Disclosure

Information disclosure in MariaDB, especially via the LOAD_FILE function, occurs when an attacker can read files from the server's file system. This is often due to improper input validation or a lack of stringent security measures. The database executes the query it receives, presuming that user input has been sanitized, and this assumption can be exploited to access confidential files and data.

Practice

Exploiting LOAD_FILE via SQL Injection

To exploit the LOAD_FILE function in MariaDB through SQL injection, follow these steps:

  • Verify SQL Injection Existence: Before attempting to read files, ensure that SQL injection is possible in the application by testing input fields for basic SQL injection vectors.

  • Read the Password File:

    SELECT LOAD_FILE('/etc/passwd');

    This SQL statement attempts to read the /etc/passwd file, which contains user account information. Successfully reading this file might confirm the presence of the vulnerability.

  • Read Hostname File:

    SELECT LOAD_FILE('/etc/hostname');

    This statement reads the hostname file from the server, providing confirmation of file reading capability.

  • Target Application Configuration Files:

    SELECT LOAD_FILE('/var/www/html/config.php');

    Reading configuration files such as config.php can reveal sensitive data, including database credentials, which can further the exploitation chain.

Upon successful execution of these commands, an attacker can access file contents stored on the server. This practice highlights the potential severity of inadequate input validation and permission management.
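For detection on the server side, the following added example (not part of the original article) scans query-log lines for LOAD_FILE() calls and grades each one by the path it requests. The simplified log layout, the sample lines, the `find_load_file_calls` helper and the path watch list are assumptions constructed for illustration.

```python
import re

# Assumed simplified general-log layout: "<thread id> <command>\t<statement>".
ENTRY = re.compile(r"(\d+)\s+(?:Query|Execute)\t(.*)$")
# LOAD_FILE( followed, optionally, by a quoted string literal.
CALL = re.compile(r"""\bload_file\s*\(\s*(?:(['"])(?P<path>.*?)\1)?""", re.I)
# Assumed watch list, taken from the paths this article uses.
SENSITIVE_PREFIXES = ("/etc/", "/var/www/")

# Constructed sample log, not captured from a real server.
SAMPLE_LOG = """\
12 Query\tSELECT name FROM products WHERE id = 7
12 Query\tSELECT LOAD_FILE('/etc/passwd')
13 Query\tselect load_file ( "/var/www/html/config.php" )
14 Query\tSELECT LOAD_FILE(@report_path)
15 Connect\tapp@localhost on shop
16 Query\tSELECT LOAD_FILE('/etc/hostname')
17 Query\tSELECT LOAD_FILE('/tmp/import/batch.csv')
"""


def find_load_file_calls(log_text):
    """Return one finding per LOAD_FILE() call in Query/Execute entries."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        entry = ENTRY.search(line)
        if not entry:
            continue  # not a statement entry (for example Connect or Quit)
        thread, statement = entry.groups()
        for call in CALL.finditer(statement):
            path = call.group("path")  # None when the argument is not a literal
            if path is None:
                severity = "review"  # variable or expression: needs a human look
            elif path.startswith(SENSITIVE_PREFIXES):
                severity = "high"
            else:
                severity = "info"
            findings.append({"line": lineno, "thread": thread,
                             "path": path, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in find_load_file_calls(SAMPLE_LOG):
        print(finding)
```

Application accounts rarely need LOAD_FILE at all, so on most systems any hit from a web application's database user is worth investigating regardless of the grade.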

Tools

  • sqlmap
  • Burp Suite

These tools can assist in automating the detection and exploitation of SQL injection vulnerabilities to read file content using the LOAD_FILE function. They provide capabilities to craft custom payloads and automate the process, significantly easing the exploitation effort.
