MySQL
In an SQL injection scenario using SELECT INTO OUTFILE, an attacker might exploit the vulnerability to upload a webshell onto the server. A webshell is a script that can be accessed via a web browser and allows the attacker to execute server commands, effectively giving them control over the server.
Example Scenario:
Imagine a website feature that allows users to export transaction details to a CSV file using a user-input controlled query, similar to the following:
An attacker could manipulate the user_input to end the initial query and append a malicious SELECT INTO OUTFILE command to upload a webshell:
Breakdown of the Injection:
Termination of Original Query: The attacker terminates the intended SQL query by injecting 1'; which effectively closes the user input for user_id.
Webshell Payload: The attacker starts a new query with SELECT, where the content to be selected is a PHP script: <?php system($_GET["cmd"]); ?>. This PHP script is a simple webshell that executes commands passed to it via the cmd GET parameter.
File Creation: The payload is written into a new file named shell.php in the /var/www/html/ directory, which is typically accessible via the web browser.
Result of the Exploit:
If the server permissions allow writing files in the web directory and the application is vulnerable to SQL injection, this will create a file named shell.php. An attacker can then access this file via a web browser and execute server commands by appending a cmd parameter to the URL, like so:
This URL would execute the whoami command on the server, and the output would be displayed in the browser, confirming to the attacker that they control the server.
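The "server permissions" condition above comes down to two MySQL-side settings: the application account must hold the FILE privilege, and secure_file_priv must permit writing under the web root. The following Python check, added here and not part of the original page, evaluates both from constructed SHOW GRANTS output and a constructed secure_file_priv value.

```python
import re
from pathlib import PurePosixPath

# Constructed sample output of `SHOW GRANTS FOR 'app'@'localhost'` (not real data)
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO `app`@`localhost`",
    "GRANT FILE ON *.* TO `app`@`localhost`",
    "GRANT SELECT, INSERT, UPDATE ON `shop`.* TO `app`@`localhost`",
]

# FILE is a global privilege, so it only ever appears in grants ON *.*
_GLOBAL_GRANT = re.compile(r"^GRANT\s+(.+?)\s+ON\s+\*\.\*\s+TO\b", re.IGNORECASE)


def has_file_privilege(grants):
    """True if any global grant includes FILE or ALL PRIVILEGES (which implies FILE)."""
    for line in grants:
        m = _GLOBAL_GRANT.match(line.strip())
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group(1).split(",")}
        if privs & {"FILE", "ALL", "ALL PRIVILEGES"}:
            return True
    return False


def outfile_exposure(grants, secure_file_priv, web_root="/var/www/html"):
    """Classify whether SELECT ... INTO OUTFILE could drop a file under web_root.

    secure_file_priv is the value of @@secure_file_priv: None models SQL NULL
    (all file import/export disabled), "" means unrestricted, and a path
    confines OUTFILE to that directory tree. OS-level directory permissions of
    the mysqld user are a further gate and are not modelled here.
    """
    if not has_file_privilege(grants):
        return "safe: account lacks FILE privilege, INTO OUTFILE is refused"
    if secure_file_priv is None:
        return "safe: secure_file_priv is NULL, file export disabled"
    if secure_file_priv == "":
        return "exposed: secure_file_priv empty, OUTFILE may write anywhere mysqld can"
    allowed = PurePosixPath(secure_file_priv)
    root = PurePosixPath(web_root)
    if root == allowed or allowed in root.parents:
        return "exposed: web root lies inside secure_file_priv"
    return "restricted: OUTFILE confined to " + str(allowed)


if __name__ == "__main__":
    for setting in (None, "", "/var/lib/mysql-files", "/var/www"):
        print(repr(setting), "->", outfile_exposure(SAMPLE_GRANTS, setting))
```

The hardened baseline is the last two branches never being reached: the web application's account should not hold FILE at all, and secure_file_priv should be NULL or a directory outside the document root.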
Impact:
This type of attack could lead to full server compromise, allowing an attacker to execute arbitrary commands, manipulate server data, or use the server to launch further attacks.
This example highlights the severity of SQL injection vulnerabilities and underscores the importance of validating and sanitizing all user inputs to prevent such security breaches.