2025-01-17 Update From: SLTechnology News&Howtos
Author: LoRexxar@Knownsec 404 Team & Dawu@Knownsec 404 Team
Original address: https://paper.seebug.org/1112/
English version: https://paper.seebug.org/1113/
This is a vulnerability that was disclosed a long time ago; the first time I saw it was at the TCTF 2018 Final onsite, where Dragon Sector and Cykor used the technique to solve h5x0r's club in an unintended way.
http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/
In later research, a discussion with @Dawu quickly convinced us that this is a very interesting trick. Tracing the history of this vulnerability, I found that the problem has existed as a MySQL feature for many years and has been publicly shared since 2013:
Database Honeypot by design (August 2013 presentation by Yuri Goltsev)
Rogue-MySql-Server Tool (September 2013, a fake MySQL server that reads files of connected clients)
Abusing MySQL LOCAL INFILE to read client files (April 23, 2018)
While digging into this vulnerability we kept finding new ways to exploit it, so we have summarized most of these findings and prepared a talk for CSS. Let's analyze them step by step.
LOAD DATA INFILE
LOAD DATA INFILE is a rather special syntax. Readers familiar with SQL injection or who often play CTFs will know it: in CTFs we frequently meet situations where load_file cannot read a file, and then LOAD DATA INFILE is the only remaining way to read one. The statement we commonly use looks like this:
load data infile "/etc/passwd" into table test FIELDS TERMINATED BY '\n'
The MySQL server reads its own /etc/passwd and inserts the data, split on '\n', into the table. However, this statement requires the FILE privilege, and non-LOCAL loads are also restricted by secure_file_priv:
mysql> load data infile "/etc/passwd" into table test FIELDS TERMINATED BY '\n';
ERROR 1290 (HY000): The MySQL server is running with the --secure-file-priv option so it cannot execute this statement
If we modify the statement and add the keyword LOCAL:
mysql> load data local infile "/etc/passwd" into table test FIELDS TERMINATED BY '\n';
Query OK, 11 rows affected, 11 warnings (0.01 sec)
Records: 11  Deleted: 0  Skipped: 0  Warnings: 11
With LOCAL added, the meaning of the statement changes: the file is read on the client side and its contents are sent to the server. The execution result of the statement above is as follows.
Obviously, this statement is not safe, and the MySQL documentation says so explicitly:
https://dev.mysql.com/doc/refman/8.0/en/load-data-local.html
As the MySQL documentation puts it, the server can ask the client to read any file the client has permission to read.
MySQL's position is that clients should not connect to untrusted servers.
Today's problem builds on this foundation.
Construct a malicious server
Having understood the question above, the core question becomes how to construct a malicious MySQL server.
Before we figure that out, we need to look at the packet structure of a normal MySQL connection and query.
1. Greeting packet. The server returns its banner, which contains the MySQL version.
2. Client login request.
3. Then the initialization queries (there are many of them here because the client is phpMyAdmin).
4. LOAD DATA LOCAL.
Since my environment is Windows, C:/Windows/win.ini is read here with the following statement:
load data local infile "C:/Windows/win.ini" into table test FIELDS TERMINATED BY '\n'
First, the client sends the query.
Then the server replies with the path of the file it wants.
Then the client sends the file contents directly to the server.
The process is very clear: the path of the file the client reads is not chosen by the client but is sent by the server, which decides it.
The original query process is:
Client: I want to insert win.ini into the test table.
Server: I want the content of your win.ini.
Client: The content of win.ini is as follows.
Assuming the server is controlled by us, the normal process is tampered with as follows:
Client: I want the data in the test table.
Server: I want the content of your win.ini.
Client: The content of win.ini is as follows?
Will the third message above actually be sent?
Let's go back to the MySQL documentation, where there is this sentence:
The server can reply with a file-transfer request after any query statement, which means our idea is valid.
While studying the vulnerability in depth, it is easy to see that whether it works depends on the configuration of the MySQL client, and after some research I found that the client's configuration is sent during the MySQL login handshake.
After the greeting packet, the client connects and tries to log in, and the login packet carries a flag saying whether LOAD DATA LOCAL is allowed, from which you can see directly whether the client has this problem (the client configuration reported here is not necessarily accurate, which is discussed later).
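As an added example (not part of the original article or the rogue-server PoC it links), the following Python code checks the two things a defender can audit from a captured plaintext session: whether a client's handshake response advertises the CLIENT_LOCAL_FILES capability, and whether the server ever answers an ordinary query with a LOCAL INFILE file request, which is exactly the tampered exchange shown above. The packet and handshake layouts follow the protocol documentation linked in this article; the sample packets are constructed.

```python
import struct

# Protocol constants (MySQL client/server protocol docs linked above).
CLIENT_LOCAL_FILES = 0x00000080   # client capability: accepts LOCAL INFILE requests
COM_QUERY = 0x03                  # first payload byte of a text query
LOCAL_INFILE_REQUEST = 0xFB       # first payload byte of the server's file request

def iter_packets(stream: bytes):
    """Yield (sequence_id, payload): 3-byte LE length, 1-byte seq id, payload."""
    pos = 0
    while pos + 4 <= len(stream):
        length = int.from_bytes(stream[pos:pos + 3], "little")
        yield stream[pos + 3], stream[pos + 4:pos + 4 + length]
        pos += 4 + length

def client_advertises_local_infile(handshake_response: bytes) -> bool:
    """HandshakeResponse41 starts with 4-byte LE capability flags; test the LOCAL_FILES bit."""
    caps = struct.unpack_from("<I", handshake_response, 0)[0]
    return bool(caps & CLIENT_LOCAL_FILES)

def rogue_infile_requests(conversation):
    """conversation: ordered list of ("C"/"S", raw packet bytes). Returns (query, path)
    for each server file request answering a query that is not LOAD DATA LOCAL."""
    findings, last_query = [], None
    for side, raw in conversation:
        for _seq, payload in iter_packets(raw):
            if side == "C" and payload[:1] == bytes([COM_QUERY]):
                last_query = payload[1:].decode("utf-8", "replace")
            elif side == "S" and payload[:1] == bytes([LOCAL_INFILE_REQUEST]):
                path = payload[1:].decode("utf-8", "replace")
                if not (last_query or "").lstrip().upper().startswith("LOAD DATA LOCAL"):
                    findings.append((last_query, path))
    return findings

def packet(seq: int, payload: bytes) -> bytes:
    """Build one raw packet; used only to construct the sample data below."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload

# Constructed samples: flags 0xA28D carry CLIENT_LOCAL_FILES, 0xA20D do not; the session
# shows a plain SELECT answered with a file request, then a legitimate LOAD DATA LOCAL.
HANDSHAKE_EXPOSED = struct.pack("<IIB", 0xA28D, 1 << 24, 0x21) + b"\x00" * 23 + b"root\x00"
HANDSHAKE_SAFE = struct.pack("<IIB", 0xA20D, 1 << 24, 0x21) + b"\x00" * 23 + b"root\x00"
SESSION = [
    ("C", packet(0, b"\x03SELECT 1")),
    ("S", packet(1, b"\xfbC:/Windows/win.ini")),
    ("C", packet(0, b"\x03LOAD DATA LOCAL INFILE '/tmp/a.csv' INTO TABLE t")),
    ("S", packet(1, b"\xfb/tmp/a.csv")),
]
```

The capability bit only tells you what the client advertised, which, as the article notes below, may differ from what is actually in effect; a TLS-protected session hides these packets entirely, so the check applies to plaintext captures.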
PoC
Once the principle is clear, building a malicious server is not hard, and the process is simple:
1. Reply to the MySQL client with a greeting packet.
2. Wait for the client to send a query packet.
3. Reply with a file-transfer packet.
The main difficulty is constructing the packet formats; you can follow the original article and the various documents to complete the steps above.
Note that the PoC given by the original author does not cover every case. Some MySQL clients send ping packets after a successful login and disconnect if there is no reply, and some client terminals validate the greeting packet strictly. It is recommended to capture real packets and construct yours from the real packet contents.
https://dev.mysql.com/doc/internals/en/connection-phase-packets.html#packet-Protocol::Handshake
https://dev.mysql.com/doc/internals/en/com-query-response.html
The PoC given by the original author:
https://github.com/Gifts/Rogue-MySql-Server
Demo
Here a Tencent Cloud host is used as the server, and the client connects with phpMyAdmin.
We successfully read the file.
Scope of impact: underlying clients
When it comes to the impact of this vulnerability, we first need to know which clients are threatened by it.
mysql client (pwned)
php mysqli (pwned, fixed in 7.3.4)
php PDO (disabled by default)
python MySQLdb (pwned)
python mysqlclient (pwned)
java JDBC Driver (pwned, disabled by default under some conditions)
Navicat (pwned)
Probes
While digging into this vulnerability, the first thing I thought of was MySQL probes (server-status scripts), but unfortunately, after testing most of the probes on the market, I found that most of them only accept the greeting packet and then disconnect without sending any query, doing exactly what they should.
Yahi PHP probe: failed
iprober2 probe: failed
LNMP one-click installation package PHP probe: failed
UPUPW PHP probe: failed
Cloud providers' database migration services
Domestic providers
Tencent Cloud DTS: failed (the data migration service disables LOAD DATA LOCAL)
Alibaba Cloud RDS: failed (LOAD DATA LOCAL disabled)
Huawei Cloud RDS DRS service: succeeded
JD Cloud RDS: remote migration not supported
JD Cloud distributed relational database: remote migration not supported
UCloud RDS: remote migration not supported
UCloud distributed relational database: cannot synchronize external data
Qiniu Cloud RDS: remote migration not supported
New Ruiyun RDS: remote migration not supported
NetEase Cloud RDS: external instance migration succeeded
Kingsoft Cloud RDS DTS data migration: succeeded
QingCloud RDS data import: failed (LOAD DATA LOCAL disabled)
Baidu Cloud RDS DTS: succeeded
International providers
Google Cloud SQL database migration: failed (LOAD DATA INFILE disabled)
AWS RDS DMS service: succeeded
Excel online SQL query
As mentioned in a previous article, Excel generally has a feature for synchronizing data from a database into a sheet, so files can be read in the way described above.
Inspired by this, we thought we could look for the same feature in online Excel services and thereby read arbitrary files.
WPS: failed (feature not found)
Microsoft Excel: failed (INFILE statements disabled)
Google Sheets: natively does not have this feature, but supports add-ons; the following are add-ons
Supermetrics: pwned
Advanced CFO Solutions MySQL Query: failed
SeekWell: failed
Skyvia Query Gallery: failed
Database Browser: failed
Kloudio: pwned
Extension? 2RCE!
Leaving aside the very special scenarios mentioned earlier, we also want to discuss attack chains that exploit this vulnerability in general scenarios.
Since the discussion revolves around arbitrary file reading, the most direct idea is the vulnerability caused by disclosure of configuration files.
Arbitrary file read to configuration file disclosure
Discuz X3.4 has two configuration files:
config/config_ucenter.php
config/config_global.php
In the Discuz admin backend there is a UCenter settings function that lets you configure UCenter's database server. By pointing that database configuration at a malicious server, you can read arbitrary files and obtain the configuration information.
Configure the UCenter access address.
The original address http://localhost:8086/upload/uc_server is changed to: http://localhost:8086/upload/uc_server\');phpinfo();//
Once we have the authkey, we can compute the admin's cookie from the admin's uid and the salt, then use the admin cookie and UC_KEY to make the access take effect.
Arbitrary file read to deserialization
Sam Thomas presented "File Operation Induced Unserialization via the 'phar://' Stream Wrapper" at BlackHat 2018; the original paper is at https://i.blackhat.com/us-18/Thu-August-9/us-18-Thomas-Its-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It-wp.pdf.
The talk points out that PHP has a Stream API in which pseudo-protocols are registered by extensions, and the phar extension registers the phar:// stream wrapper.
seaii, a security researcher at Knownsec 404 Team, has studied this (https://paper.seebug.org/680/) and showed that all file functions support stream wrappers.
Going deeper into these functions, the reason stream wrappers are supported is that they call:
stream = php_stream_open_wrapper_ex(filename, "rb", ...)
From here we return to MySQL's LOAD DATA LOCAL statement. In mysqli, the file is read through PHP's own functions:
https://github.com/php/php-src/blob/master/ext/mysqlnd/mysqlnd_loaddata.c#L43-L52
    if (PG(open_basedir)) {
        if (php_check_open_basedir_ex(filename, 0) == -1) {
            strcpy(info->error_msg, "open_basedir restriction in effect. Unable to open file");
            info->error_no = CR_UNKNOWN_ERROR;
            DBG_RETURN(1);
        }
    }
    info->filename = filename;
    info->fd = php_stream_open_wrapper_ex((char *)filename, "r", 0, NULL, context);
This also calls php_stream_open_wrapper_ex, so we can trigger deserialization by having the client read a phar file.
Reproduction
First, you need to generate a phar.
pphar.php
Use this file to generate phar.phar.
Then we simulate a query.
test.php
Then we can upload the file through the avatar upload in the frontend (there is also a file upload interface in the backend), and have the rogue MySQL server read the file:
phar://./dedecms.phar/test.txt
A listener on port 5555 receives the result.
SSRF can be used to attack Redis further and widen the attack surface, so I will not say more here.
Some CMS test results. The original table had the columns: CMS name, affected MySQL version, arbitrary file read, controllable MySQL server setting, controllable deserialization, upload possible, patched. Only the following cells could be recovered from the flattened text:
phpMyAdmin: < 4.8.5; patched
Discuz: not fixed
Drupal: no (uses PDO); yes (installation)
DedeCMS: yes (UCenter); yes (SSRF)
ECShop
ZenTao: no (PDO); no
phpcms: yes; yes (SSRF)
EmpireCMS
phpwind: no (PDO)
MediaWiki: no way to modify the MySQL configuration in the backend
Z-Blog: no way to modify the MySQL configuration in the backend
Fixes
For most MySQL clients, LOAD DATA LOCAL is a useless statement; most of its use cases are transferring or uploading data. On the client side, this feature can be turned off directly without affecting normal use.
For how to turn it off, see the documentation: https://dev.mysql.com/doc/refman/8.0/en/load-data-local.html
The setting differs between clients. For JDBC, it is called allowLoadLocalInfile.
https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-configuration-properties.html
In PHP's mysqli and mysql connection methods, the underlying code decides this directly from a configuration setting.
That setting is PHP_INI_SYSTEM, which in the PHP documentation means the entry can be set in php.ini or httpd.conf.
So you can fix it simply by setting mysqli.allow_local_infile = Off in php.ini.
In the PHP 7.3.4 update, this mysqli setting was also changed to Off by default.
https://github.com/php/php-src/commit/2eaabf06fc5a62104ecb597830b2852d71b0a111#diff-904fc143c31bb7dba64d1f37ce14a0f5
Unfortunately, in older versions from the MySQL 5.6 era that are no longer updated, both mysql and mysqli have it On by default.
In current code, this option can also be set before connecting through mysqli_options.
http://php.net/manual/zh/mysqli.options.php
Interestingly, when it is done this way, although allow_local_infile is disabled, capturing the connection with Wireshark shows that allow_local_infile is still enabled in the handshake (but not effective).
In old versions of phpMyAdmin, mysqli_real_connect was executed first and mysqli_options was set afterwards, so allow_local_infile was actually disabled, but it was not disabled at the time the connection request was sent.
This is because mysqli_real_connect initializes allow_local_infile when it executes. At the bottom of the PHP code, mysqli_real_connect actually calls mysqli_common_connect, and in the code of mysqli_common_connect allow_local_infile is set once.
https://github.com/php/php-src/blob/ca8e2abb8e21b65a762815504d1fb3f20b7b45bc/ext/mysqli/mysqli_nonapi.c#L251
If mysqli_options is set before mysqli_real_connect, its allow_local_infile setting is overwritten and the change has no effect.
phpMyAdmin also fixed this vulnerability on January 22nd by swapping the relative positions of the two function calls: https://github.com/phpmyadmin/phpmyadmin/commit/c5e01f84ad48c5c626001cb92d7a95500920a900#diff-cd5e76ab4a78468a1016435eed49f79f
Closing remarks
This is an attack pattern against a MySQL feature, and the idea is very interesting. For now it cannot be fixed at the MySQL level and can only be avoided by turning this setting off on the client side. Although the attack surface is not very broad, in some special scenarios it turns a normal function into arbitrary file reading, which is very effective for expanding the attack surface.
Detailed attack scenarios will not be speculated on here, but the harm is still considerable.
REF
http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/
https://lightless.me/archives/read-mysql-client-file.html
https://dev.mysql.com/doc/refman/8.0/en/load-data.html