Uncategorized

MySQL Out-of-Band Hacking

Overview

Out-of-band injections are very well researched when it comes to MSSQL and Oracle. But in MySQL I noticed that this topic is not well researched. I thought of researching about this topic based on my experiences in SQL injections. For this purpose we can take advantage of functions such as load_file() and select ā€¦ into outfile/dumpfile. Apart from that we can also steal NetNTLM hashes and perform SMB relay attacks. All this is possible only in MySQL under Windows.

What is Out-of-Band Injection?

These attacks involve in alternative channels to extract data from the server. It might be HTTP(S) requests, DNS resolutions, file systems, E-mails, etc depending on the functionality of the back-end technology.

Limitations in MySQL

In MySQL there exists a global system variable known as ā€˜secure_file_privā€™. This variable is used to limit the effect of data import and export operations, such as those performed by the LOAD DATA and SELECT … INTO OUTFILE statements and the LOAD_FILE() function.

  • If set to the name of a directory, the server limits import and export operations to work only with files in that directory. The directory must exist, the server will not create it.
  • If the variable is empty it has no effect, thus insecure configuration.
  • If set to NULL, the server disables import and export operations. This value is permitted as of MySQL 5.5.53

Before MySQL 5.5.53 this variable is empty by default, hence allowing us to use these functions. But in the versions after 5.5.53 the value ā€˜NULLā€™ will disable these functions.
To check the value of this variable you can use any of these methods. The ā€˜secure_file_privā€™ is a global variable and itā€™s a read only variable, which means you cannot change this during runtime.

select @@secure_file_priv;
select @@global.secure_file_priv;
show variables like "secure_file_priv";

(more…)

Alternative for Information_Schema.Tables in MySQL

Overview

Starting from MySQL 5.5 and above the default storage engine was known as the InnoDB. In MySQL versions 5.5 and above if you do a ā€œselect @@innodb_versionā€ you can see the version of the InnoDB, which is almost same as your MySQL version.
innodb-version

But in MySQL 5.6 and above I noticed 2 new tables by InnoDB. ā€œinnodb_index_statsā€ and ā€œinnodb_table_statsā€. Both these tables contains the database and table names of all the newly created databases and tables.
The MySQL documentation explains these two tables as follows.

The persistent statistics feature relies on the internally managed tables in the mysql database, named innodb_table_stats and innodb_index_stats. These tables are set up automatically in all install, upgrade, and build-from-source procedures.

For injection purposes letā€™s take the ā€œinnodb_table_statsā€ table. Unfortunately InnoDB doesnā€™t store columns.

If you simply do ā€œshow tables in mysqlā€ you can view this from your localhost.
(more…)

Data Packing

I was doing some random experiments using assembly and C. This is a simple example in packing 2 numbers inside a register in assembly. Let’s assume

$latex al < 2^{5}&bg=232225&fg=bbbbbb&s=4$
$latex bl < 2^{3}&bg=232225&fg=bbbbbb&s=4$

We want to store these 2 values inside the dl register. The dl register is of 8 bits, so 5 + 3 = 8 bits

Packing

1
2
3
4
; al < 2 ^ 5, bl < 2 ^ 3
mov al, bl
shl dl, 3
or  dl, bl  ; xor would also work fine

Unpacking

1
2
3
4
5
mov cl, dl   ; Make a copy of dl
and dl, 111b ; Extract lowest 3 bits (b)
mov bl, dl
shr cl, 3    ; Extract highest 5 bits (a)
mov al, cl

(more…)

Passed eCRE!

ecre_certificate_sm
I donā€™t know how to begin with, Iā€™m not a expert experienced reverse engineer. I actually entered this field recently. Before that I had experience with basic exploit development and solving crackmes. But reverse engineering is not about solving a hard crackme, anyone can code a hard algorithm. However at the beginning some people said that this course is hard for me and not suitable for me. As the course title suggests “Advanced Reverse Engineering of Software” it is surely advanced to a level. I havenā€™t spent years in this field but I dedicated the last few months in this area and I really learned a lot from this course. If you ask the existing people in this field how to enter this area 9/10 people would recommend the tutorial series of ā€œLena151ā€. Actually those tutorials do not give a complete idea and is a bad choice. Iā€™m not the only person who says this.

I have been thinking about why this happens. Thinking back to myself, I started learning reverse engineering by reading the Lena151 tutorials. I thought they were awesome until Daeken told me that was an awful approach to learn reverse engineering.
At first I didnā€™t understand why they were so bad. After all, Lenaā€™s tutorials had taught me how to crack my first software.

You can check his post from here.

The things I learned in here really helped me to take my C/C++/ASM skills to the next level. Each topic I learned helped me research more and more into the subject.
(more…)

Freeze a Computer Using Ruby

When performing illogical ranges in Ruby and converting it to an array it uses 100% memory, disk and CPU which will freeze your computer. I have tested this issue on a Windows 10 64-bit machine. In a 64-bit Ubuntu machine after sometime the process will get killed when the process is out of memory. These types of issues can be caused in most languages, in which it tries to allocate more and more memory. This is a simple example I found in Ruby.

Ruby version:
[code]
ruby 2.3.1p112 (2016-04-26 revision 54768) [x64-mingw32]
[/code]

PoC:
[code language=”ruby”]
(‘malith’..’osanda’).to_a
[/code]

screenshot_3

Content Spoofing on Infiniteskills

O’Reilly’s video training website is http://www.infiniteskills.com/. One day while I was browsing I found out that their online player can be spoofed with our own content. For example I was able to watch my favorite music videos šŸ˜‰

After reporting I was given to choose any 2 courses for free. Thanks for the reward šŸ™‚
(more…)