GitBook: [#3583] No subject
This commit is contained in:
parent ac10e3751f
commit 5d7c86366f
@ -521,7 +521,7 @@
* [MS Access SQL Injection](pentesting-web/sql-injection/ms-access-sql-injection.md)
* [MSSQL Injection](pentesting-web/sql-injection/mssql-injection.md)
* [MySQL injection](pentesting-web/sql-injection/mysql-injection/README.md)
* [Mysql SSRF](pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md)
* [Mysql File priv to SSRF/RCE](pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md)
* [Oracle injection](pentesting-web/sql-injection/oracle-injection.md)
* [PostgreSQL injection](pentesting-web/sql-injection/postgresql-injection/README.md)
* [dblink/lo\_import data exfiltration](pentesting-web/sql-injection/postgresql-injection/dblink-lo\_import-data-exfiltration.md)

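Review bot: the renamed SUMMARY entry `* [Mysql File priv to SSRF/RCE](pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md)` still targets `mysql-ssrf.md`, so the sidebar title and the file name (and therefore the published URL slug) now disagree; either rename the file and every `content-ref` that points at it, or keep the title aligned with the slug. The casing is also inconsistent with the neighbouring `MySQL injection` entry ("Mysql" vs "MySQL"), which is worth fixing while the line is being edited.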
@ -70,8 +70,6 @@ show tables;
describe <table_name>;
show columns from <table>;

select grantee, table_schema, privilege_type FROM schema_privileges; #Exact privileges
select user,file_priv from mysql.user where user='root'; #File privileges
select version(); #version
select @@version(); #version
select user(); #User
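Review bot: the two removed lines (`select grantee, table_schema, privilege_type FROM schema_privileges; #Exact privileges` and `select user,file_priv from mysql.user where user='root'; #File privileges`) take the only per-schema privilege query out of this block, and the new "MySQL Permissions Enumeration" section added in the next hunk does not carry the `schema_privileges` query over; if the intent is to move it, restore it there as `select grantee, table_schema, privilege_type from information_schema.schema_privileges;`, because the unqualified table name only resolves when `information_schema` happens to be the current database. While here, the unchanged context line `select @@version(); #version` is a syntax error: `@@version` is a system variable, not a function, so it should read `select @@version;`.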
@ -101,6 +99,34 @@ mysql -u username -p < manycommands.sql #A file with all the commands you want t
mysql -u root -h 127.0.0.1 -e 'show databases;'
```

### MySQL Permissions Enumeration

```sql
#Mysql
SHOW GRANTS [FOR user];
SHOW GRANTS;
SHOW GRANTS FOR 'root'@'localhost';
SHOW GRANTS FOR CURRENT_USER();

#From DB
select * from mysql.user where user='root';
## Get users with file_priv
select user,file_priv from mysql.user where file_priv="Y";
## Get users with Super_priv
select user,Super_priv from mysql.user where Super_priv="Y";

# List functions
SELECT routine_name FROM information_schema.routines WHERE routine_type = 'FUNCTION';
```

You can see in the docs the meaning of each privilege: [https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html](https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv\_execute)

### MySQL File RCE

{% content-ref url="../pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md" %}
[mysql-ssrf.md](../pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md)
{% endcontent-ref %}

## MySQL arbitrary read file by client

Actually, when you try to **load data local into a table** the **content of a file** the MySQL or MariaDB server asks the **client to read it** and send the content. **Then, if you can tamper a mysql client to connect to your own MyQSL server, you can read arbitrary files.**\

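Review bot: the new `mysql.user` queries use double-quoted string literals (`where file_priv="Y"` and `where Super_priv="Y"`); with `sql_mode` containing `ANSI_QUOTES`, double quotes delimit identifiers and both queries fail with an unknown column `Y`, so use single quotes (`where file_priv='Y'`). Those queries should also select `host`: accounts are `'user'@'host'` pairs, and two rows sharing a `user` value can carry different privileges, so `user` alone is ambiguous. `SHOW GRANTS [FOR user];` is syntax notation rather than a runnable statement and errors if the block is pasted into the client as a whole; make it a comment or drop it. It is worth saying in the section that reading `mysql.user` requires SELECT on the `mysql` schema, whereas `SHOW GRANTS` and `SHOW GRANTS FOR CURRENT_USER()` work for any account, since the point of the section is enumeration from a low-privilege foothold. On MySQL 8.0 `SUPER` is deprecated and much of what it covered is now expressed as dynamic privileges stored in `mysql.global_grants`, so a `Super_priv` check alone under-reports. The documentation link's visible text is the privileges-provided page but the href carries the anchor `#priv_execute`, which jumps to the EXECUTE privilege only; drop the anchor. Finally, the unchanged context line contains the typo `MyQSL` for `MySQL`.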
@ -1,25 +1,20 @@

# Mysql File priv to SSRF/RCE

<details>

<summary><strong>Support HackTricks and get benefits!</strong></summary>

- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!

- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)

- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)

- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**

- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**

</details>


**Post copied from** [**https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/#mysqlmariadbpercona**](https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/#mysqlmariadbpercona)

## Using LOAD\_FILE/LOAD DATA/LOAD XML
### Using LOAD\_FILE/LOAD DATA/LOAD XML

Every SQL Out of Band data exfiltration article will use the `LOAD_FILE()` string function to make a network request. The function itself has its own limitations based on the operating system it is run on and the settings with which the database was started.

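Review bot: demoting `## Using LOAD\_FILE/LOAD DATA/LOAD XML` to `### Using LOAD\_FILE/LOAD DATA/LOAD XML` leaves the page with a `#` title followed directly by `###` sections (the same demotion is applied to the User Defined Functions heading in a later hunk), which skips a heading level and flattens the GitBook outline; either keep `##` here or state the convention being matched. The `- ` to `* ` bullet rewrite is harmless, but the Twitter icon link it carries over unchanged (`https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md`) is a broken URL; since every banner line is being rewritten anyway, point it at the emojipedia page the way the speech-balloon icon is.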
@ -35,7 +30,7 @@ This Server Side Request Forgery, although useful, is restricted to only TCP por

![](https://ibreak.software/img/using-sql-injection-to-perform-ssrf-xspa-attacks/3.png)

## Using User Defined Functions
### Using User Defined Functions

Another cool technique with MySQL databases is the ability to use User Defined Functions (UDF) present in external library files that if present in specific locations or system $PATH then can be accessed from within MySQL.

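Review bot: the heading change here has the same level-skip problem as the `LOAD_FILE` section (a `###` directly under the page's `#` title), so the two headings should be decided together. The unchanged sentence says UDF libraries are usable "if present in specific locations or system $PATH", but `CREATE FUNCTION ... SONAME` never consults `$PATH` (that is the executable search path); as the next paragraph already explains, current versions only load from `plugin_dir`, and the pre-5.0.67 behaviour relied on the dynamic linker's library search path, so the phrase should name `plugin_dir` instead.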
@ -43,11 +38,11 @@ You could use a SQL Injection to write a library (`.so` or `.dll` depending on L

This has its own set of restrictions though. Based on the version of MySQL, which you can identify with `select @@version`, the directory where plugins can be loaded from is restricted. MySQL below `v5.0.67` allowed for library files to be loaded from system path if the `plugin_dir` variable was not set. This has changed now and newer versions have the `plugin_dir` variable set to something like `/usr/lib/mysql/plugin/`, which is usually owned by root.

Basically for you to load a custom library into MySQL and call a function from the loaded library via SQL Injection, you would need the
Basically **for you to load a custom library into MySQL and call a function from the loaded library via SQL Injection, you would need**:

* ability to write to the location specified in `@@plugin_dir` via SQL Injection
* `file_priv` set to `Y` in `mysql.user` for the current database user
* `secure_file_priv` set to `""` so that you can read the raw bytes of the library from an arbitrary location like the network or a file uploads directory in a web application.
* ability to **write to the location** specified in **`@@plugin_dir`** via SQL Injection
* **`file_priv`** set to **`Y`** in `mysql.user` for the current database user
* **`secure_file_priv`** set to **`""`** so that you can read the raw bytes of the library from an arbitrary location like the network or a file uploads directory in a web application.

Assuming the above conditions are met, you can use the classical approach of transferring the [popular MySQL UDF `lib_mysqludf_sys` library](https://github.com/mysqludf/lib\_mysqludf\_sys) to the database server. You would then be able to make operating system command requests like `cURL` or `powershell wget` to perform SSRF using the syntax

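Review bot: the third requirement, `secure_file_priv` set to `""`, needs a caveat in the rewritten bullet: it is a read-only startup variable (`my.cnf` or the command line), cannot be changed with `SET` even by root, a value of `NULL` disables `LOAD_FILE`, `INTO OUTFILE` and `INTO DUMPFILE` entirely, and a directory value confines them to that directory; the practical first step is `select @@secure_file_priv;` before attempting any write. The first bullet should also say that the library must be written with `SELECT ... INTO DUMPFILE`, not `INTO OUTFILE`, because `OUTFILE` escapes bytes and appends a newline, which corrupts a `.so` or `.dll`. Bolding the bullets and fixing the dangling "you would need the" sentence is fine as is.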
@ -79,21 +74,14 @@ For automating this, you can use SQLMap which supports [the usage of custom UDF

For Blind SQL Injections you could redirect output of the UDF functions to a temporay table and then read the data from there or use [DNS request smuggled inside a `sys_eval` or `sys_exec` curl command](https://portswigger.net/web-security/os-command-injection/lab-blind-out-of-band-data-exfiltration).


<details>

<summary><strong>Support HackTricks and get benefits!</strong></summary>

- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!

- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)

- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)

- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**

- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**

</details>


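Review bot: the unchanged context line above the banner has the typo `temporay` for `temporary`, and since the lines directly beneath it are being rewritten in this commit the fix belongs here. The same sentence links a PortSwigger lab that demonstrates blind out-of-band DNS exfiltration via OS command injection in general, not a MySQL `sys_eval`/`sys_exec` scenario, so it should be described as an analogous technique rather than implying the lab covers UDFs. The bottom banner carries the same broken Twitter icon URL as the top one; both should be fixed in the same pass.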