0

I have access to MySQL database which the current user has FILE privilege. I want to upload a web shell but I do not know the root directory of the web server.

Is it possible to somehow locate the root directory using a SQL query?

1 Answers1

0

If you have permissions to write files, you probably have permission to read them, too.

I'd start from reading web server configuration files, e.g.

SELECT * LOAD_FILE('/etc/apache2/apache2.conf');
SELECT * LOAD_FILE('/etc/nginx/nginx.conf');

However, it's not guaranteed that the MySQL has permissions to write to the document root.

Esa Jokinen
  • 16,100
  • 5
  • 50
  • 55
  • Figured out that the system was running on Alpine Linux, the web server configuration is located at "/opt/apache2/apache2.conf". Thanks! – maximillian1 Aug 29 '20 at 09:48