Web Application Security
mysql selecting into outfile in an insert Jul 20 2010 06:00PM
Robin Wood (robin digininja org) (1 replies)
Re: mysql selecting into outfile in an insert Jul 20 2010 08:13PM
Spiros Antonatos (antonat ics forth gr) (1 replies)
Re: mysql selecting into outfile in an insert Jul 20 2010 09:14PM
Robin Wood (robin digininja org) (1 replies)
Re: mysql selecting into outfile in an insert Jul 21 2010 12:41AM
Camilo Uribe (camilo uribe gmail com) (1 replies)
Re: mysql selecting into outfile in an insert Jul 21 2010 08:02AM
Robin Wood (robin digininja org)
On 21 July 2010 01:41, Camilo Uribe <camilo.uribe (at) gmail (dot) com [email concealed]> wrote:
> On Tue, Jul 20, 2010 at 4:14 PM, Robin Wood <robin (at) digininja (dot) org [email concealed]> wrote:
>>
>> On 20 July 2010 21:13, Spiros Antonatos <antonat (at) ics.forth (dot) gr [email concealed]> wrote:
>> > You need to check if you have permissions to read/write files
>> > from mysql. Normally, non-root users do not have permission to
>> > call LOAD_FILE and INTO OUTFILE.
>>
>> Not sure on the vulnerable app I'm testing but in my lab I'm on as
>> root and can run the "select into outfile" fine.
>
> Look for the file privilege:
> http://dev.mysql.com/doc/refman/5.1/en/privileges-provided.html#priv_fil
e
>
> By the way as a security measure, mysql will not overwrite existing files.

As I said, on my box I'm root, I've all the privs available and the
"into outfile" works fine on its own.

Robin

>>
>> Robin
>>
>> >
>> > Spiros
>> >
>> >
>> >> I've got a vulnerable web app with a MySQL backend where I can inject
>> >> into an INSERT query and I want to create a file. With a SELECT I
>> >> would use a UNION and then SELECT whatever INTO OUTFILE "filename" but
>> >> how do you do it with an INSERT query?
>> >>
>> >> I tried:
>> >>
>> >> INSERT INTO size VALUES (22, (SELECT "abc" INTO OUTFILE "/tmp/test")) ;
>> >>
>> >> That executes and size gets a new row with 22 and "abc" in it but it
>> >> doesn't create the file.
>> >>
>> >> I also tried an UPDATE and had the same problem:
>> >>
>> >> UPDATE size SET big=22 WHERE big =  (SELECT "abc" INTO OUTFILE
>> >> "/tmp/test");
>> >>
>> >> The update happens where big="abc" but no outfile.
>> >>
>> >> Can it be done?
>> >>
>> >> Robin
>> >>
>> >>
>> >>
>> >> This list is sponsored by Cenzic
>> >> --------------------------------------
>> >> Let Us Hack You. Before Hackers Do!
>> >> It's Finally Here - The Cenzic Website HealthCheck. FREE.
>> >> Request Yours Now!
>> >> http://www.cenzic.com/2009HClaunch_Securityfocus
>> >> --------------------------------------
>> >>
>> >>
>> >
>> >
>> >
>> >
>> >
>>
>>
>>
>> This list is sponsored by Cenzic
>> --------------------------------------
>> Let Us Hack You. Before Hackers Do!
>> It's Finally Here - The Cenzic Website HealthCheck. FREE.
>> Request Yours Now!
>> http://www.cenzic.com/2009HClaunch_Securityfocus
>> --------------------------------------
>>
>
>
>
> This list is sponsored by Cenzic
> --------------------------------------
> Let Us Hack You. Before Hackers Do!
> It's Finally Here - The Cenzic Website HealthCheck. FREE.
> Request Yours Now!
> http://www.cenzic.com/2009HClaunch_Securityfocus
> --------------------------------------
>
>

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

[ reply ]
 

Privacy Statement
Copyright 2010, SecurityFocus