WEBSHELL - DUMPFILE Method
Context
The WEBSHELL - DUMPFILE method writes a webshell into the web root by abusing MySQL's SELECT ... INTO DUMPFILE clause through a SQL injection. It applies when the injectable query can be turned into a SELECT whose result is written to a file on the database host, which in turn requires that the database user holds the FILE privilege, that secure_file_priv does not restrict where mysqld may write, that the mysqld OS user can write to the target directory, and that the database server and the web server share a file system (typically the same host). To apply this technique, one should already be familiar with SQL injection basics (UNION-based injection in particular), file system permissions, MySQL privileges and functions, and general MySQL command execution techniques.
Theory
DUMPFILE Functionality in MySQL
The SELECT ... INTO DUMPFILE clause in MySQL writes the value of a single-row, single-column result to a file on the server where mysqld runs, byte for byte: unlike INTO OUTFILE it adds no column terminators, escaping or trailing newline, which is exactly what is wanted for a script file. The write is performed by the mysqld OS user and fails if the target file already exists. This capability is exploitable when a SQL injection vulnerability lets an attacker append INTO DUMPFILE to the injected SELECT and the preconditions above (FILE privilege, permissive secure_file_priv, writable directory) hold.
Attack Sequence:
An attacker crafts a SQL injection payload that uses INTO DUMPFILE to create a new file in a web-served directory on the server, such as a PHP webshell, which can then be used to execute commands remotely. Because MySQL refuses to write to an existing file, the attacker must pick a path that does not exist yet.
Hex Payload Construction
A hexadecimal payload is the file contents encoded as a hex literal (0x3C3F7068...) or wrapped in UNHEX('3C3F7068...'). This matters when writing a script through INTO DUMPFILE: the raw PHP source contains single quotes, angle brackets, dollar signs and often newlines, any of which may be escaped, stripped or otherwise mangled by the application before the statement reaches the database (for example by addslashes or a WAF rule), whereas a hex literal consists only of digits and the letters a-f. MySQL treats the hex literal as a binary string, so the bytes land in the file exactly as encoded.
Core Principle:
Encode the PHP webshell as a MySQL hex literal and use that literal as the value selected INTO DUMPFILE, so the payload passes through the injection context unchanged and the file is written intact.
PHP Webshell Basics
A PHP webshell is a script that provides an interface to execute operating system commands over HTTP. Once deployed on the server, it allows an attacker to achieve remote command execution, effectively gaining control over the underlying system.
Attack Sequence:
Request the deployed webshell over HTTP (browser or curl), passing the OS command to run as a request parameter, and read the command output from the response.
Practice
Exploiting DUMPFILE for Webshell Deployment
- Step 1: Identify a SQL injection vulnerability that permits INTO DUMPFILE, typically a UNION-based injection in a SELECT where the attacker controls the tail of the statement. Confirm the preconditions through the same injection: the current user must hold the FILE privilege and @@secure_file_priv must be an empty string (NULL disables file writes entirely; a directory value restricts writes to that directory).
- Step 2: Use the SQL injection to execute the following statement, which writes a PHP file to the /var/www/html directory on the server (the path must not already exist). The statement is a SELECT whose value goes INTO DUMPFILE; there is no DUMPFILE() function:
SELECT UNHEX('3C3F706870206563686F20275368656C6C204578656375746564273B3F3E') INTO DUMPFILE '/var/www/html/shell.php'; -- UNHEX(...) decodes to <?php echo 'Shell Executed';?>
- Step 3: Verify that the file was written by requesting it through the web server with a tool such as curl or a web browser; the response body should be the text Shell Executed:
curl http://target.com/shell.php
Result:
If the steps succeed, the attacker has written an attacker-controlled PHP file into the web root. The file in the example only echoes a string, which proves the write path; replacing its contents with a shell that passes a request parameter to system() or passthru() (again hex-encoded) turns it into remote command execution as the web server's user, from which further access to the system can be pursued. If the write fails, the usual causes are a missing FILE privilege, a restrictive secure_file_priv, a directory not writable by mysqld, a file that already exists, or a web root that is not on the database host.
Tools
- MySQL Client: To verify the preconditions (FILE privilege, secure_file_priv) and rehearse the INTO DUMPFILE statement against a lab database before using it through the injection.
- Curl: For simple HTTP requests to verify webshell availability.