# Comprehensive analysis of the MySQL client attack chain

LoRexxar, Knownsec 404 Team

## About me

- LoRexxar, Knownsec 404 Team / Vidar-Team
- Security researcher / CTFer
- Web / smart contract
- https:/

- Dawu, Knownsec 404 Team
- Security researcher
- "Evernote For Windows Read Local File and Command Execute Vulnerabilities"

## What's a MySQL client attack?

2018.06, TCTF2018 Final, h4x0rs.club pt.3:

- Write a file with controlled data
- Controllable mysql config
- Controllable mysql query
- Further use

Dragon Sector & Cykor, unexpected use to get the flag:

- Write a file with controlled data
- Controllable mysql config
- Read the mysql client's file

```sql
load data infile '/etc/passwd' into table test FIELDS TERMINATED BY '\n';
mysql> select * from test;
```

```
+----+------------------------------------------------------------------------------------+-----------------------------------------------------------------------------+
| id | a                                                                                  | b                                                                           |
+----+------------------------------------------------------------------------------------+-----------------------------------------------------------------------------+
|  0 | daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin                                    | bin:x:2:2:bin:/bin:/usr/sbin/nologin                                        |
|  0 | sync:x:4:65534:sync:/bin:/bin/sync                                                 | games:x:5:60:games:/usr/games:/usr/sbin/nologin                             |
|  0 | lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin                                       | mail:x:8:8:mail:/var/mail:/usr/sbin/nologin                                 |
|  0 | uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin                                | proxy:x:13:13:proxy:/bin:/usr/sbin/nologin                                  |
|  0 | backup:x:34:34:backup:/var/backups:/usr/sbin/nologin                               | list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin               |
|  0 | gnats:x:41:41:Gnats Bug-Reporting System(admin):/var/lib/gnats:/usr/sbin/nologin   | nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin                  |
|  0 | systemd-network:x:101:103:systemd Network Management,:/run/systemd/netif:/bin/false | systemd-resolve:x:102:104:systemd Resolver,:/run/systemd/resolve:/bin/false |
|  0 | syslog:x:104:108:/home/syslog:/bin/false                                           | _apt:x:105:65534:/nonexistent:/bin/false                                    |
|  0 | messagebus:x:107:111:/var/run/dbus:/bin/false                                      | uuidd:x:108:112:/run/uuidd:/bin/false                                       |
|  0 | sshd:x:110:65534:/var/run/sshd:/usr/sbin/nologin                                   | ubuntu:x:500:500:ubuntu,:/home/ubuntu:/bin/bash                             |
|  0 | mysql:x:1000:1000:/home/mysql:/sbin/nologin                                        | www:x:1001:1001:/home/www:/sbin/nologin                                     |
+----+------------------------------------------------------------------------------------+-----------------------------------------------------------------------------+
```

This reads the server's /etc/passwd and inserts it into table `test`. It is limited by `secure-file-priv`.

```sql
load data local infile '/etc/passwd' into table test FIELDS TERMINATED BY '\n';
```

This reads the client's file and inserts it into the table. It is not limited by `secure-file-priv`, and most MySQL clients allow it by default.

## How to make a rogue MySQL server?

1. Greeting: MySQL and server banner
2. Authentication: user password and some client configuration
3. Query: `load data local infile "c:/Windows/win.ini" into table test FIELDS TERMINATED BY '\n';`
4. Waiting

Normal exchange:

- Client: Hi. I want to insert the contents of a data file.
- Server: OK. Get me the contents of the data file.
- Client: This is the contents of the data file: xxxxxxxx

Rogue exchange:

- Client: Hi. `select * from test`.
- Server: OK. Get me the contents of the data file.
- Client: This is the contents of the data file: xxxxxxxx

From the MySQL documentation: "A patched server could in fact reply with a file-transfer request to any statement, not just LOAD DATA LOCAL." The client will answer any file-transfer request.
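The wire-level symptom of the rogue exchange above is a server reply whose first payload byte is 0xFB (the LOCAL INFILE request) to a statement that was not `LOAD DATA LOCAL INFILE`. The following checker, written for this page and not part of the original slides, parses MySQL packets from a captured server reply and flags that mismatch; `build_packet` and the sample bytes are constructed here for the demonstration.

```python
# Added example, not from the original slides: a passive check for the rogue-server
# behaviour described above. It splits the raw bytes a MySQL server sent in reply to a
# client query into packets and flags a LOCAL INFILE request (first payload byte 0xFB)
# when the client's statement was not LOAD DATA LOCAL INFILE. Sample bytes are constructed.

def parse_packets(stream: bytes):
    """Split a raw MySQL byte stream into (sequence_id, payload) tuples."""
    # Wire format: 3-byte little-endian payload length, 1-byte sequence id, payload.
    packets = []
    off = 0
    while off < len(stream):
        if off + 4 > len(stream):
            raise ValueError("truncated packet header")
        length = int.from_bytes(stream[off:off + 3], "little")
        seq = stream[off + 3]
        payload = stream[off + 4:off + 4 + length]
        if len(payload) != length:
            raise ValueError("truncated packet payload")
        packets.append((seq, payload))
        off += 4 + length
    return packets

def local_infile_request(payload: bytes):
    """Return the requested filename if the payload is a LOCAL INFILE request, else None."""
    if payload and payload[0] == 0xFB:
        return payload[1:].decode("utf-8", "replace")
    return None

def check_server_reply(query: str, server_bytes: bytes):
    """Return alerts for file-transfer requests that the client's query did not justify."""
    expects_transfer = query.strip().lower().startswith("load data local infile")
    alerts = []
    for seq, payload in parse_packets(server_bytes):
        filename = local_infile_request(payload)
        if filename is not None and not expects_transfer:
            alerts.append(f"seq {seq}: server asked for client file {filename!r} "
                          f"in reply to {query!r}")
    return alerts

def build_packet(seq: int, payload: bytes) -> bytes:
    """Frame a payload as one MySQL packet (used only to construct the samples)."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload

# Constructed samples: a normal OK packet (0x00) and a rogue 0xFB request for /etc/passwd.
OK_REPLY = build_packet(1, b"\x00\x00\x00\x02\x00\x00\x00")
ROGUE_REPLY = build_packet(1, b"\xfb/etc/passwd")
```

Run over a capture of the client-server stream, the same check turns the "any statement" caveat into a concrete alert for the defender.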
## How to make a rogue MySQL server? (demo)

- Server: Hello (greeting)
- Client: user=root, pass=root
- Client: set character set utf-8
- Server: Hello, OK
- Server: read /etc/passwd
- Client: root:x:0:0:root...

Prior work:

- 2013.08, presentation by Yuri Goltsev: "Database Honeypot by design"
- 2013.09, "MySQL fake server to read files of connected clients" (github)
- 2018.04.23, "Abusing MySQL LOCAL INFILE to read client files" (multiple ways of use)

## What do we need?

- A website or app that can control the mysql configuration
- A vulnerable MySQL client?

## Vulnerable vendors

Clients:

- MySQL client: pwned
- PHP mysql: pwned
- PHP mysqli: closed by default since PHP 7.3.4
- PHP PDO: closed by default
- Python MySQLdb: pwned
- Python mysqlclient: pwned
- Java JDBC driver: pwned
- Navicat: pwned

Probes:

- 雅黑PHP探针 (Yahei PHP probe): failure
- iprober2 probe: failure
- PHP probe for the LNMP one-click install package: failure
- UPUPW PHP probe: failure

## What do we need?

- A website or app that can control the mysql configuration
- A vulnerable MySQL client
- One query?

## Load data in Excel

- Local Excel: pwned
- WPS online: failure (none)
- Microsoft Excel: failure (disabled)

Google Sheets add-ons:

- Supermetrics: pwned
- Advanced CFO Solutions MySQL Query: failure (disabled)
- SeekWell: failure (disabled)
- Skyvia Query Gallery: failure (disabled)
- database Browser: failure (disabled)
- Kloudio: pwned

## Cloud providers: cloud database and data migration service (DTS)

Columns of the original table: cloud provider, DTS, disable load data, vulnerable, status.

- 腾讯云 (Tencent Cloud)
- 阿里云 (Alibaba Cloud)
- 华为云 (Huawei Cloud): Fixed 2018.12.14
- 京东云 (JD Cloud)
- UCloud
- QiNiu云 (Qiniu Cloud)
- 新睿云 (Xinrui Cloud)
- 网易云 (NetEase Cloud): Fixed 2018.11.27
- 金山云 (Kingsoft Cloud): Fixed 2018.11.29
- 青云 (QingCloud)
- 百度Cloud (Baidu Cloud): Fixed 2018.11.28
- Google Cloud
- AWS: Report 2018.11.27

## What do we need?

- A website or app that can control the mysql configuration
- A vulnerable MySQL client
- One query
- Arbitrary File Read

Maybe do more?

## Honeypot

- Numerous GitHub monitoring tools are actively capturing mysql account/password leaks every day
- Numerous scanners scan external networks for open mysql with weak passwords

From 2018.09 to 2018.11, an easy open honeypot on the internet saw:

- 499 IP connection requests
- 1 file read from Linux
- 5 files read from Windows

## What do we need?

- MySQL configuration on GitHub, or a weak-password MySQL server
- A vulnerable MySQL client
- Honeypot

## Make Arbitrary File Read better? How about a CMS?

AFR to leak profile: Ucenter behind Discuz x3.4. Use AFR on the Discuz x3.4 config files `config/config_ucenter.php` and `config/config_global.php`:

```php
define('UC_KEY', 'yeN3g9EbNfiaYfodV63dI1j8Fbk5HaL7W4yaW4y7u2j4Mf45mfg2v899g451k576');
...
$_config['security']['authkey'] = 'asdfasfas';
```

- UC_KEY + action = code for the UC API
- authkey + saltkey + admin uid + admin username = formhash for the UC API
- A vulnerability in the UC API gives getshell

AFR, to leak profile, to getshell.

## Can we make AFR better? Phar://

2018 BlackHat, Sam Thomas, "Phar://": the stream API in file functions can cause unserialization.

php-src `ext/standard/file.c` L551, `PHP_FUNCTION(file_get_contents)`:

```c
stream = php_stream_open_wrapper_ex(filename, "rb",
        (use_include_path ? USE_PATH : 0) | REPORT_ERRORS, NULL, context);
```

php-src `ext/mysqlnd/mysqlnd_loaddata.c` L43-L52 (the LOAD DATA LOCAL file is opened through the same stream wrapper):

```c
if (PG(open_basedir)) {
    if (php_check_open_basedir_ex(filename, 0) == -1) {
        strcpy(info->error_msg, "open_basedir restriction in effect. Unable to open file");
        info->error_no = CR_UNKNOWN_ERROR;
        DBG_RETURN(1);
    }
}
info->filename = filename;
info->fd = php_stream_open_wrapper_ex((char *)filename, "r", 0, NULL, context);
```

Phar file with a stub:

```php
$phar->startBuffering();
$phar->setStub('GIF89a...');  // set the stub
$o = new A();
$phar->setMetadata($o);
$phar->addFromString('test.txt', 'test');
$phar->stopBuffering();
?>
```

Test PHP code (fragment): `...tpl); $this->dsql->Close(TRUE); ...` and `__call()`.

## Example in the real world

Ucenter behind DEDECMS v5.7:

- The Ucenter config contains the MySQL server config
- No POP chain for DEDECMS v5.7, but a little trick: deserialization + `__call` + SoapClient = SSRF
- Upload a file with a stub (Phar) in the backend or as an avatar

## Can we make AFR better?

- A website or app that can control the mysql configuration
- A vulnerable MySQL client
- One query
- Upload a file with a stub (Phar)
- A gadget that could call any method
- SSRF

## Can we make AFR better again? POP chain

POP chain to RCE. Final vulnerable chain:

- A website or app that can control the mysql configuration
- A vulnerable MySQL client
- One query
- Upload a file with a stub (Phar)
- A POP chain to ?

## Can we make it easier? ARP or DNS cache poisoning

Normally the web app sends `select 1` to its database. With ARP or DNS cache poisoning (ARP/DCP), that `select 1` reaches a rogue database instead. Final vulnerable chain:

- A website or app that can control the mysql configuration
- A vulnerable MySQL client
- One query
- Upload a file with a stub (Phar)
- A POP chain to ?

## Let's fix it

For the server: set `local_infile` disabled.

For the client:

- mysql client: use `--local-infile=0`
- JDBC: set `allowLoadLocalInfile=false`
- PHP mysqli or mysql: set `mysqli.allow_local_infile=Off` in php.ini; use `mysqli_options` to set `MYSQLI_OPT_LOCAL_INFILE=false` after `mysqli_real_connect`

## A little hint

phpMyAdmin patch in 2019.01.22 (https:/ ):

```php
mysqli_options($link, MYSQLI_OPT_LOCAL_INFILE, false);
...
$return_value = mysqli_real_connect($link, $host, $user, $password, $serverport, $serversocket, $client_flags);
```

Use `mysqli_options` to set `MYSQLI_OPT_LOCAL_INFILE=false` after `mysqli_real_connect`, because `mysqli_common_connect` re-applies the php.ini value during the connect:

```c
void mysqli_common_connect(INTERNAL_FUNCTION_PARAMETERS, zend_bool is_real_connect, zend_bool in_ctor)
{
    /* ... */
    mysql_options(mysql->mysql, MYSQL_OPT_LOCAL_INFILE, (char *)&MyG(allow_local_infile));
```

Thanks
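As an added example of the client-side fix from the "Let's fix it" and "A little hint" slides (written for this page, not code from the slides or from phpMyAdmin), the function below disables LOAD DATA LOCAL only after the connection is established, so the ini value re-applied by `mysqli_common_connect` cannot undo it; host, user, password and database are placeholders.

```php
<?php
// Added example, not from the slides or phpMyAdmin: connect with LOAD DATA LOCAL
// disabled in the right order. mysqli_real_connect() re-applies the php.ini value of
// mysqli.allow_local_infile, so an option set before it is overwritten.
// $host, $user, $pass and $db are placeholders supplied by the caller.

function connect_without_local_infile(string $host, string $user, string $pass, string $db): mysqli
{
    $link = mysqli_init();

    // Wrong order (what the pre-patch phpMyAdmin code did): this value is reset
    // inside mysqli_real_connect() from mysqli.allow_local_infile.
    // mysqli_options($link, MYSQLI_OPT_LOCAL_INFILE, false);

    if (!mysqli_real_connect($link, $host, $user, $pass, $db)) {
        throw new RuntimeException('connect failed: ' . mysqli_connect_error());
    }

    // Right order: disable client-side LOAD DATA LOCAL after the connection exists,
    // so a rogue server's file-transfer request is refused by the client.
    if (!mysqli_options($link, MYSQLI_OPT_LOCAL_INFILE, false)) {
        mysqli_close($link);
        throw new RuntimeException('could not disable LOCAL INFILE');
    }
    return $link;
}

// Defence in depth: also set mysqli.allow_local_infile=Off in php.ini so that a
// code path that forgets the call above still starts from the safe value.
```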