
Understanding select into outfile


I was going through the OOB scenario mentioned here (Windows scenario).

https://www.exploit-db.com/docs/english/41273-mysql-out-of-band-hacking.pdf

I have a few queries that I couldn’t get answered on the internet.

  • Does select into outfile or load_file allow writing directly to a remote filesystem on Ubuntu and Windows?
  • If, by default, it does not allow writing to a remote system, I assume we get this in Windows through \\, a UNC path. Is there any way for Ubuntu?
  • What would be the case for Windows and Ubuntu regarding DNS and HTTP?

I think the core answer lies in whether the original functions allow network requests.


Solution

    • Does select into outfile or load_file allow writing directly to a remote filesystem on Ubuntu and Windows?

    It allows writing to any file that a user of the server could write to. If the server has a remote filesystem mounted, you may be able to write to it.

    However, the MySQL system variable secure_file_priv may be set. When set, it contains a directory pathname, and only files in this directory may be written to. And even if this isn't set, the directory needs to have permissions that allow the user running mysqld to write into it. This generally means that the directory must be world-writable.

    It also won't overwrite existing files, so you can't use it to replace a file.

    • If, by default, it does not allow writing to a remote system, I assume we get this in Windows through \\, a UNC path. Is there any way for Ubuntu?

    If the automounter is enabled, you may be able to access remote NFS servers this way.

    • What would be the case for Windows and Ubuntu regarding DNS and HTTP?

    DNS would be involved to resolve the hostname if you use the automounter or UNC. It doesn't accept HTTP URLs, only ordinary filenames.
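
A server-side audit of the controls the answer above mentions, given here as an added example that is not part of the original answer. It reports how secure_file_priv constrains file import/export and which accounts hold the global FILE privilege; the account 'app_user'@'localhost' is a constructed placeholder, and the queries are assumed to run under an administrative account.

```sql
-- 1. How does this server restrict SELECT ... INTO OUTFILE, LOAD DATA and LOAD_FILE()?
--    NULL      : import/export operations are disabled
--    ''        : no directory restriction; only the OS permissions of the
--                account running mysqld limit which paths can be used
--    directory : operations are limited to files in that directory
SELECT @@GLOBAL.secure_file_priv AS secure_file_priv,
       CASE
         WHEN @@GLOBAL.secure_file_priv IS NULL
           THEN 'disabled'
         WHEN @@GLOBAL.secure_file_priv = ''
           THEN 'unrestricted (OS permissions only)'
         ELSE 'restricted to the directory shown'
       END AS effect;

-- 2. Which accounts hold the global FILE privilege that these operations require?
SELECT GRANTEE, IS_GRANTABLE
FROM information_schema.USER_PRIVILEGES
WHERE PRIVILEGE_TYPE = 'FILE'
ORDER BY GRANTEE;

-- 3. Remove FILE from an account that does not need it.
--    'app_user'@'localhost' is a constructed placeholder, not a real account.
REVOKE FILE ON *.* FROM 'app_user'@'localhost';

-- secure_file_priv is read-only at runtime. To change it, set it under
-- [mysqld] in the server option file and restart the server.
```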