Comments on: MySql Stored Procedures And Functions http://www.notsosecure.com/folder2/2008/11/04/mysql-stored-procedures-and-functions/ From Pentesters To Pentesters Sun, 22 Aug 2010 14:39:55 +0100 http://wordpress.org/?v=2.8.4 hourly 1 By: Infosec Update http://www.notsosecure.com/folder2/2008/11/04/mysql-stored-procedures-and-functions/comment-page-1/#comment-60105 Infosec Update Fri, 07 Nov 2008 09:34:06 +0000 http://www.notsosecure.com/folder2/?p=154#comment-60105 Interesting stuff, I've never seen SQL Security Invoker used in a real world LAMP-type application. Actually I've found that for internally developed applications (as in within companies by in-house developers) stored procedures are quite rare on MySQL compared to Oracle (which probably explains why I haven't seen SQL Security Invoker used). In fact overall I'd say I'm more likely to see Oracle security than MySQL security (in terms of application use, I don't see people hardening databases themselves at all). Do you see many differences between Oracle and MySQL security functionality use in web apps? Interesting stuff, I’ve never seen SQL Security Invoker used in a real world LAMP-type application.

Actually I’ve found that for internally developed applications (as in within companies by in-house developers) stored procedures are quite rare on MySQL compared to Oracle (which probably explains why I haven’t seen SQL Security Invoker used). In fact overall I’d say I’m more likely to see Oracle security than MySQL security (in terms of application use, I don’t see people hardening databases themselves at all).

Do you see many differences between Oracle and MySQL security functionality use in web apps?

]]> By: sid http://www.notsosecure.com/folder2/2008/11/04/mysql-stored-procedures-and-functions/comment-page-1/#comment-60045 sid Tue, 04 Nov 2008 21:31:26 +0000 http://www.notsosecure.com/folder2/?p=154#comment-60045 One of the things, i wanted to achieve here, was to create a function with "sql security invoker" directive and then inject a function into the vulnerable stored procedure. This would have helped me to bypass the input length restrictions, but it seems that function drops its privs(or may be i have missed something). Anyways, this is what i was trying: mysql> create function testing(input varchar(100)) returns varchar(50) READS SQL DATA sql security invoker -> begin -> DECLARE sUserName VARCHAR(50); -> select user into outfile '/tmp/a.txt' from mysql.user; -> return 'aaa'; -> end -> // Query OK, 0 rows affected (0.01 sec) mysql> call sp_root(testing(1)); -> // ERROR 1045 (28000): Access denied for user 'test'@'%' (using password: NO) One of the things, i wanted to achieve here, was to create a function with “sql security invoker” directive and then inject a function into the vulnerable stored procedure. This would have helped me to bypass the input length restrictions, but it seems that function drops its privs(or may be i have missed something). Anyways, this is what i was trying:

mysql> create function testing(input varchar(100)) returns varchar(50) READS SQL DATA sql security invoker
-> begin
-> DECLARE sUserName VARCHAR(50);
-> select user into outfile ‘/tmp/a.txt’ from mysql.user;
-> return ‘aaa’;
-> end
-> //
Query OK, 0 rows affected (0.01 sec)

mysql> call sp_root(testing(1));
-> //
ERROR 1045 (28000): Access denied for user ‘test’@'%’ (using password: NO)

]]>