One Article Review

Home - The article:
Source w00tsec (blog)
Identifier 8300155
Publication date 2018-04-23 16:10:10 (seen: 2023-01-11 16:56:00)
Title Abusing MySQL LOCAL INFILE to read client files
Text Recently, I was playing the VolgaCTF 2018 CTF with my teammates from TheGoonies and we came across an interesting Web challenge that we didn't manage to solve during the competition. The following day, I read the write-up and learned a cool technique to attack the MySQL client directly via the LOAD DATA INFILE statement.

The "Corp Monitoring" task consisted of a Corporate Monitoring API that would test the healthcheck of a given server by connecting and verifying whether the FTP, Web and MySQL servers were up. The MySQL user for the connection was restricted and the healthcheck validation was based on a few queries, including the "SHOW DATABASE" command.

The key to solving the challenge was to identify the "Can Use LOAD DATA LOCAL" client capability and point the API to a rogue MySQL server that would read arbitrary files from the client via LOAD DATA INFILE statements.

After reading about the technique, I decided to check how several libraries, clients and Web frameworks could be exploited. I also ended up writing a Bettercap module to abuse this feature in combination with MITM attacks.

Previous Research

Before I start I would like to point out that this technique is not new: it's a known and documented feature of the MySQL clients. I gathered prior posts, tools and presentations and they're all written by Russians - it looks like these techniques are not very widespread outside there.

- Database Honeypot by design - Presentation from Yuri Goltsev (August 2013)
- Rogue-MySql-Server Tool: MySQL fake server to read files of connected clients (September 2013)
- MySQL connect file read - Post from the Russian Security (April 2016)

Revisiting MySQL LOAD DATA INFILE

According to the MySQL documentation, the handshake connection phase performs the following tasks:

- Exchange the capabilities of client and server
- Set up an SSL communication channel if requested
- Authenticate the client against the server

After successful authentication, the client sends the query and waits for the server response before actually doing something. The "Client Capabilities" packet includes an entry called "Can Use LOAD DATA LOCAL".
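The capability exchange described above, as an added example that is not part of the original post, of Bettercap, or of any of the tools it lists: a small Python parser that reads the capability flags from a captured client HandshakeResponse41 packet (or the 32-byte SSLRequest a TLS-negotiating client sends first) and reports whether the client advertised CLIENT_LOCAL_FILES (0x80, the bit Workbench shows as "Can Use LOAD DATA LOCAL") or connected without CLIENT_SSL. The flag values are those defined in the MySQL client/server protocol; the two sample packets, the "monitor" username and the `audit_client_capabilities` function are constructed here for illustration.

```python
import struct

# Client capability flag bits from the MySQL client/server protocol
# (Protocol::CapabilityFlags). Only the bits this audit needs are listed.
CAPABILITY_FLAGS = {
    "CLIENT_LONG_PASSWORD": 0x00000001,
    "CLIENT_FOUND_ROWS": 0x00000002,
    "CLIENT_LONG_FLAG": 0x00000004,
    "CLIENT_CONNECT_WITH_DB": 0x00000008,
    "CLIENT_COMPRESS": 0x00000020,
    "CLIENT_LOCAL_FILES": 0x00000080,   # "Can Use LOAD DATA LOCAL"
    "CLIENT_PROTOCOL_41": 0x00000200,
    "CLIENT_SSL": 0x00000800,
    "CLIENT_SECURE_CONNECTION": 0x00008000,
    "CLIENT_MULTI_STATEMENTS": 0x00010000,
    "CLIENT_PLUGIN_AUTH": 0x00080000,
}


def parse_handshake_response(packet: bytes) -> dict:
    """Parse a client HandshakeResponse41 or SSLRequest packet, header included.

    Layout after the 4-byte packet header: capability flags (u32 LE), max packet
    size (u32 LE), charset (u8), 23 reserved bytes, then (HandshakeResponse41 only)
    the NUL-terminated username. An SSLRequest stops after the reserved bytes.
    """
    if len(packet) < 4 + 32:
        raise ValueError("packet too short for a client handshake response")
    payload_len = int.from_bytes(packet[0:3], "little")
    seq_id = packet[3]
    payload = packet[4:4 + payload_len]
    if len(payload) != payload_len:
        raise ValueError("truncated payload")
    caps, max_packet, charset = struct.unpack_from("<IIB", payload, 0)
    if not caps & CAPABILITY_FLAGS["CLIENT_PROTOCOL_41"]:
        raise ValueError("not a Protocol 4.1 handshake response")
    user_start = 4 + 4 + 1 + 23
    if len(payload) == user_start:
        username = None          # SSLRequest: the real response follows over TLS
    else:
        nul = payload.index(b"\x00", user_start)
        username = payload[user_start:nul].decode("utf-8", errors="replace")
    return {
        "sequence_id": seq_id,
        "capabilities": caps,
        "max_packet_size": max_packet,
        "charset": charset,
        "username": username,
        "flags": sorted(n for n, bit in CAPABILITY_FLAGS.items() if caps & bit),
    }


def audit_client_capabilities(packet: bytes) -> list:
    """Hypothetical defender-side check: list the handshake properties that matter."""
    info = parse_handshake_response(packet)
    findings = []
    if info["capabilities"] & CAPABILITY_FLAGS["CLIENT_LOCAL_FILES"]:
        findings.append("CLIENT_LOCAL_FILES set: client would honour a server's "
                        "LOAD DATA LOCAL file request")
    if not info["capabilities"] & CAPABILITY_FLAGS["CLIENT_SSL"]:
        findings.append("CLIENT_SSL not set: handshake and queries travel in cleartext")
    return findings


def _mysql_packet(payload: bytes, seq: int = 1) -> bytes:
    """Wrap a payload in the 3-byte LE length + 1-byte sequence-id packet header."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


# Constructed sample: a client announcing "Can Use LOAD DATA LOCAL" without TLS.
_CAPS_LOCAL = (CAPABILITY_FLAGS["CLIENT_LONG_PASSWORD"] | CAPABILITY_FLAGS["CLIENT_PROTOCOL_41"]
               | CAPABILITY_FLAGS["CLIENT_SECURE_CONNECTION"] | CAPABILITY_FLAGS["CLIENT_LOCAL_FILES"]
               | CAPABILITY_FLAGS["CLIENT_PLUGIN_AUTH"])
SAMPLE_LOCAL_INFILE = _mysql_packet(
    struct.pack("<IIB", _CAPS_LOCAL, 16777216, 33) + b"\x00" * 23
    + b"monitor\x00"                       # username
    + b"\x00"                              # empty auth-response (1-byte length)
    + b"mysql_native_password\x00")        # auth plugin name

# Constructed sample: the 32-byte SSLRequest of a client that negotiates TLS first.
_CAPS_SSL = (CAPABILITY_FLAGS["CLIENT_LONG_PASSWORD"] | CAPABILITY_FLAGS["CLIENT_PROTOCOL_41"]
             | CAPABILITY_FLAGS["CLIENT_SECURE_CONNECTION"] | CAPABILITY_FLAGS["CLIENT_SSL"])
SAMPLE_SSL_REQUEST = _mysql_packet(struct.pack("<IIB", _CAPS_SSL, 16777216, 33) + b"\x00" * 23)

if __name__ == "__main__":
    for name, pkt in (("local-infile client", SAMPLE_LOCAL_INFILE),
                      ("tls client", SAMPLE_SSL_REQUEST)):
        info = parse_handshake_response(pkt)
        print(name, info["username"], info["flags"])
        for finding in audit_client_capabilities(pkt):
            print("  -", finding)
```

Run over the first client packet of each captured MySQL session, this tells you which clients would answer a LOCAL INFILE request from whatever server they end up talking to, which is the property the rogue-server technique depends on; the corresponding client-side fix is to leave LOAD DATA LOCAL disabled in the connector unless the application really needs it, and to require TLS so the capability exchange cannot be tampered with on the wire.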
Sent Yes
Tags Hack Tool Vulnerability
Rating ★★★★


The article does not appear to have been picked up after its publication.


The article does not appear to pick up an earlier one.