The WIse SECurity
[ Back ]
Wednesday, April 21, 2010, 12:38
MySQL Stacked Queries with SQL Injection...sort of
Security experts know that is possible to inject stacked queries on Microsoft SQL Server, when dealing with SQL Injections but not on other DBMS.
Suppose now that a `user` table exists on users DB.
So run mysql client and create the following trigger:
We can see that two files were created in data directory of users DB:
What happens if we successfully write user.TRG and atk.TRN in /var/lib/mysql/users/users.TRG using INTO OUTFILE ?
Then do the same to create atk.TRN
MySQL will check if a TRG extension is present and will execute the trigger.
So, in this scenery, after a user registration every user will be an admin... and Stored Xss like Frame Injection could be accomplished as well.
Also some privilege escalation could probably be done since the DEFINER keyword says to MySQL the user on behalf the trigger should be executed.
Another interesting thing about this attack is that we can try fuzzing
file format and try to exploit the file format parsers.
I found some crash on TRG which doesn't seem to be exploitable, but who knows..further research could result in exploitable parser errors on those file formats.
kuza55, Thursday, April 22, 2010, 02:45
Sadly INTO OUTFILE is pretty much dead, I haven't seen a box with it enabled for years due to the default off state...
Comments are disabled
Wisec is brought to you by...
Wisec is written and mantained by Stefano Di Paola.
Wisec uses open standards, including XHTML, CSS2, and XML-RPC.
All Rights Reserved 2004
All hosted messages and metadata are owned by their respective authors.