Read and Write files as MySQL root
#11
(07-26-2015, 01:07 PM)MuddyBucket Wrote:
(07-26-2015, 12:49 PM)Root Wrote: " Read and Write files as MySQL root "
Do you understand what the code is doing?

LOL I accuse you of not understanding his code, and your response is to ask me if I understand what his code is doing. Ya... I think you're just deflecting the fact that you're an idiot.

And yes, I understand what this/his code is doing. It's very clearly reading the passwd file into a publicly readable file in a web directory, and then he provided another example doing the same for the id_rsa file. So again I ask you: what part of that did you interpret as 'uploading a shell'?

If he just wants to read a file, he can easily read it with

select load_file('/etc/passwd')


" what part of that did you interpret as 'uploading a shell'? "
SELECT * FROM file_hax INTO OUTFILE '/var/www/html/file.txt';
#12
(07-29-2015, 05:20 PM)Root Wrote:
(07-26-2015, 01:07 PM)MuddyBucket Wrote:
(07-26-2015, 12:49 PM)Root Wrote: " Read and Write files as MySQL root "
Do you understand what the code is doing?

LOL I accuse you of not understanding his code, and your response is to ask me if I understand what his code is doing. Ya... I think you're just deflecting the fact that you're an idiot.

And yes, I understand what this/his code is doing. It's very clearly reading the passwd file into a publicly readable file in a web directory, and then he provided another example doing the same for the id_rsa file. So again I ask you: what part of that did you interpret as 'uploading a shell'?

If he just wants to read a file, he can easily read it with

select load_file('/etc/passwd')


" what part of that did you interpret as 'uploading a shell'? "
SELECT * FROM file_hax INTO OUTFILE '/var/www/html/file.txt';

SELECT load_file() won't work for most files.

Quote: The MySQL documentation specifically says: "For security reasons, when reading text files located on the server, the files must either reside in the database directory or be readable by all..." https://dev.mysql.com/doc/refman/5.6/en/load-data.html
#13
(07-29-2015, 05:20 PM)Root Wrote: " what part of that did you interpret as 'uploading a shell'? "
SELECT * FROM file_hax INTO OUTFILE '/var/www/html/file.txt';

haha so you are an idiot.

A. That doesn't 'upload' anything. That merely writes the contents of what's in the db to a file.

B. The output is a .txt file. This means that no code will be run, unless specifically configured to do so. No mention of this was made so it is safely assumed to NOT be the case.


Sheesh. In the future, you might wanna stay out of conversations you don't know shit about, especially if you're going to act like you know something about the topic.
#14
(07-25-2015, 01:11 AM)NO-OP Wrote:
(07-24-2015, 01:22 PM)Root Wrote:
(07-22-2015, 08:51 AM)NO-OP Wrote:
(07-21-2015, 06:53 PM)Root Wrote: Nice copy-paste, my friend. I bet you don't even know wtf you just posted.

I haven't sourced this method or the SQL statements from any specific source. I have looked into how to parse lines from a file and how to write to files (well, that one I've known for a while, but either way).

If you have a source please provide a link and I'll gladly include it in the original post, since it might include more information for people to learn from. But even if such a document does exist, it is purely independent creation, both existing without knowledge of each other.

I think you should look at what people post and the threads they create before you make accusations that are presented with no actual proof.  I think you should take a step back next time and really think about what you write.

The way you behave really does not do your vague answer for your age in your intro post justice, because your actions are similar to those of a twelve year old. "Age ~ Old Enough to join"

Either way thank you for bumping my response-less thread.


Why did you create a table and do all that shit when you can easily drop a PHP shell using OUTFILE?
I see no point in creating a table to upload a shell.

http://www.example .com/abh.php?=10'UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,'phpcode ',22,23,24,25,26,27,28,29,30,31 into outfile '/mnt/var/www/html/user/shell.php'--+-/

"It was frustrating trying to figure out how to properly read and write file within MySQL but I was able to figure out a hacky way of doing it."

This was during a challenge at which point I had www shell access and mysql creds. The thing I was trying to do was become root on a fully patched system, and it worked by grabbing a private key. Alternatively I could have cracked the passwd file, but grabbing the private key was quicker and in a real life scenario would do more potential damage.

You know you won't get UID 0 permission from MySQL's file privileges? You will get read and write access as MySQL. So in your case you wouldn't be able to read their shadow file nor write to their authorized_keys.

You did kinda overdo the whole thing by creating tables and whatnot.
You can simply just use hex to maintain its format and use
Code:
mysql> select 0x'hex encoded code' into outfile 'file location';
mysql> select load_file('/etc/passwd');

Of course, unless you have actually backdoored their MySQL so that it can trigger functions.
#15
(09-10-2015, 10:42 AM)Yagmi Wrote: You know you won't get UID 0 permission from MySQL's file privileges? You will get read and write access as MySQL. So in your case you wouldn't be able to read their shadow file nor write to their authorized_keys.

You did kinda overdo the whole thing by creating tables and whatnot.
You can simply just use hex to maintain its format and use
Code:
mysql> select 0x'hex encoded code' into outfile 'file location';
mysql> select load_file('/etc/passwd');

Of course, unless you have actually backdoored their MySQL so that it can trigger functions.

In this challenge the mysql user was root and the process owner of MySQL was root so this resulted in a lot of access. But I don't think you get what I'm trying to do here since in your example you're writing to a file then loading.

The ultimate goal is to load a file and copy it to a web readable directory. So what I ended up doing was creating a table, loading each line from the file into the table, reading each line and writing those records to a web accessible dir. So in my case I copied the private key of root and placed it in /var/www/html/. A shell had already been achieved using different methods at this point.
#16
(09-10-2015, 05:23 PM)NO-OP Wrote:
(09-10-2015, 10:42 AM)Yagmi Wrote: You know you won't get UID 0 permission from MySQL's file privileges? You will get read and write access as MySQL. So in your case you wouldn't be able to read their shadow file nor write to their authorized_keys.

You did kinda overdo the whole thing by creating tables and whatnot.
You can simply just use hex to maintain its format and use 
Code:
mysql> select 0x'hex encoded code' into outfile 'file location';
mysql> select load_file('/etc/passwd');

Of course, unless you have actually backdoored their MySQL so that it can trigger functions.

In this challenge the mysql user was root and the process owner of MySQL was root so this resulted in a lot of access.  But I don't think you get what I'm trying to do here since in your example you're writing to a file then loading.

The ultimate goal is to load a file and copy it to a web readable directory. So what I ended up doing was creating a table, loading each line from the file into the table, reading each line and writing those records to a web accessible dir. So in my case I copied the private key of root and placed it in /var/www/html/. A shell had already been achieved using different methods at this point.

I'm showing that you don't have to create a table and put in each line just to write the file to a location in MySQL.
The first command shows that you can just use hex encoded strings to write files that also keeps their format, instead of doing all that fancy create table shit.
MySQL has setuid as mysql by default, so I highly doubt that in a real life scenario someone would have manually changed the setuid of MySQL in my.cnf to root.

To be honest, it just sounds like you are using big words that you can't keep up with.
Also, what do you mean by "In this challenge"? Just curious if it was some online hacking challenge; if it was, then I understand your scenario but wouldn't really use it for teaching.
#17
(09-10-2015, 07:35 PM)Yagmi Wrote:
(09-10-2015, 05:23 PM)NO-OP Wrote:
(09-10-2015, 10:42 AM)Yagmi Wrote: You know you won't get UID 0 permission from MySQL's file privileges? You will get read and write access as MySQL. So in your case you wouldn't be able to read their shadow file nor write to their authorized_keys.

You did kinda overdo the whole thing by creating tables and whatnot.
You can simply just use hex to maintain its format and use 
Code:
mysql> select 0x'hex encoded code' into outfile 'file location';
mysql> select load_file('/etc/passwd');

Of course, unless you have actually backdoored their MySQL so that it can trigger functions.

In this challenge the mysql user was root and the process owner of MySQL was root so this resulted in a lot of access.  But I don't think you get what I'm trying to do here since in your example you're writing to a file then loading.

The ultimate goal is to load a file and copy it to a web readable directory. So what I ended up doing was creating a table, loading each line from the file into the table, reading each line and writing those records to a web accessible dir. So in my case I copied the private key of root and placed it in /var/www/html/. A shell had already been achieved using different methods at this point.

I'm showing that you don't have to create a table and put in each line just to write the file to a location in MySQL.
The first command shows that you can just use hex encoded strings to write files that also keeps their format, instead of doing all that fancy create table shit.
MySQL has setuid as mysql by default, so I highly doubt that in a real life scenario someone would have manually changed the setuid of MySQL in my.cnf to root.

To be honest, it just sounds like you are using big words that you can't keep up with.
Also, what do you mean by "In this challenge"? Just curious if it was some online hacking challenge; if it was, then I understand your scenario but wouldn't really use it for teaching.

I know you don't require a table to write to a directory. But to copy a file that you do not know the contents of, it becomes significantly easier to pull it into MySQL and then use MySQL to write it to the desired directory. In your example you show that you have to already have the hex of a file, which would make copying files with MySQL a moot point: why would I copy a file that I want when I already have the file? And yes, I am aware that MySQL sets user to mysql by default, but at the same time I have been around long enough to have seen weird things like people having issues with creating sockets, but they don't understand file permissions so they set the user to root. People who don't use Linux but run Linux servers make a lot of weird mistakes. I've had the displeasure of working for many companies with similar individuals.

As for using big words, I don't see what "big words" I used. But I try not to judge people's competence without knowing them. As for the challenge, it was a CTF type event. First person to root wins. As for why I used this example for teaching, it's because people use the root MySQL user all of the time, and even with that you can copy files from MySQL readable areas into things like the web dir and still cause damage without root access. It's a concept that I figured out while working on a challenge and thought it was an interesting way to leverage MySQL.
#18
(09-10-2015, 05:23 PM)NO-OP Wrote: I know you don't require a table to write to a directory. But to copy a file that you do not know the contents of, it becomes significantly easier to pull it into MySQL and then use MySQL to write it to the desired directory. In your example you show that you have to already have the hex of a file, which would make copying files with MySQL a moot point: why would I copy a file that I want when I already have the file? And yes, I am aware that MySQL sets user to mysql by default, but at the same time I have been around long enough to have seen weird things like people having issues with creating sockets, but they don't understand file permissions so they set the user to root. People who don't use Linux but run Linux servers make a lot of weird mistakes. I've had the displeasure of working for many companies with similar individuals.

As for using big words, I don't see what "big words" I used. But I try not to judge people's competence without knowing them. As for the challenge, it was a CTF type event. First person to root wins. As for why I used this example for teaching, it's because people use the root MySQL user all of the time, and even with that you can copy files from MySQL readable areas into things like the web dir and still cause damage without root access. It's a concept that I figured out while working on a challenge and thought it was an interesting way to leverage MySQL.

How does it become significantly easier to pull it into a folder rather than just doing
Code:
mysql> select load_file('/etc/passwd') into outfile '/tmp/imgay.txt';
Query OK, 1 row affected (0.00 sec)

mysql> \! head -n 2 /tmp/imgay.txt
root:x:0:0:root:/root:/bin/bash\
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\

I judge people based on what they say and write, and so far you aren't really proving me wrong.
Of course people do stupid things, but if someone that stupid were running a Linux environment, what makes you think he would go into MySQL's configuration folder and change the setuid variable?
#19
(09-10-2015, 07:58 PM)Yagmi Wrote: How does it become significantly easier to pull it into a folder rather than just doing
Code:
mysql> select load_file('/etc/passwd') into outfile '/tmp/imgay.txt';
Query OK, 1 row affected (0.00 sec)

mysql> \! head -n 2 /tmp/imgay.txt
root:x:0:0:root:/root:/bin/bash\
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\

I judge people based on what they say and write, and so far you aren't really proving me wrong.
Of course people do stupid things, but if someone that stupid were running a Linux environment, what makes you think he would go into MySQL's configuration folder and change the setuid variable?

I wanted to use SELECT load_file, but you run into the issue of...

Quote: The MySQL documentation specifically says: "For security reasons, when reading text files located on the server, the files must either reside in the database directory or be readable by all..." https://dev.mysql.com/doc/refman/5.6/en/load-data.html

As I stated earlier in a different convo in this thread. Also, if I'm connecting remotely to the MySQL server, running commands with \! will run them on my local machine. Otherwise I would have just used cp in the first place. While working through this I attempted load_file() and running commands through mysql, but they don't work.

Because people google things and do them without thinking. user = root pops up a lot. Here is a perfect example; notice how no one mentions security issues. People run MySQL, Nginx, Apache, and all kinds of other services as root because of permissions. http://stackoverflow.com/questions/14270...ql-as-root
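Added example, not code from anyone in this thread: a defender-side check that scans MySQL general-log lines for the three file primitives argued about above (LOAD_FILE(), LOAD DATA INFILE, INTO OUTFILE/DUMPFILE) and flags paths outside secure_file_priv, writes under the web root, and executable extensions, which is the policy the quoted documentation note and the "writes to /var/www/html" posts are really about. The log lines, the secure_file_priv directory and the web root are constructed assumptions.

```python
import re

# Constructed sample general-log lines (format mimics MySQL's general_log file:
# "<time> <thread_id> <command> <argument>"); not taken from the thread.
SAMPLE_LOG = """\
2015-09-10T19:58:01Z  7 Query  select load_file('/etc/passwd') into outfile '/tmp/pw.txt'
2015-09-10T19:58:02Z  7 Query  SELECT * FROM file_hax INTO OUTFILE '/var/www/html/file.txt'
2015-09-10T19:58:03Z  8 Query  SELECT id, name FROM users WHERE id = 10
2015-09-10T19:58:04Z  9 Query  SELECT 0x48656c6c6f INTO DUMPFILE '/var/www/html/shell.php'
2015-09-10T19:58:05Z  9 Query  LOAD DATA INFILE '/root/.ssh/id_rsa' INTO TABLE file_hax
"""

# Assumed server policy: secure_file_priv confines LOAD_FILE/INFILE/OUTFILE to
# one directory, and anything under WEB_ROOTS is served (and may be executed).
SECURE_FILE_PRIV = "/var/lib/mysql-files/"
WEB_ROOTS = ("/var/www/",)
EXEC_EXTENSIONS = (".php", ".phtml", ".jsp", ".cgi")

# Each primitive the thread discusses; the capture group holds the file path.
FILE_PRIMITIVES = [
    ("read",  re.compile(r"\bLOAD_FILE\s*\(\s*'([^']*)'", re.I)),
    ("read",  re.compile(r"\bLOAD\s+DATA\s+(?:LOCAL\s+)?INFILE\s+'([^']*)'", re.I)),
    ("write", re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\s+'([^']*)'", re.I)),
]
LOG_LINE = re.compile(r"^\S+\s+(\d+)\s+Query\s+(.*)$")


def flags_for(kind, path):
    """Reasons a file operation deserves an alert; an empty list means it is within policy."""
    flags = []
    if not path.startswith(SECURE_FILE_PRIV):
        flags.append("outside_secure_file_priv")
    if kind == "write" and path.startswith(WEB_ROOTS):
        flags.append("web_root_write")
    if kind == "write" and path.lower().endswith(EXEC_EXTENSIONS):
        flags.append("executable_extension")
    return flags


def scan_log(text):
    """Return (thread_id, kind, path, flags) for every file primitive found in the log."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # connect/quit/other non-Query records are ignored
        thread_id, sql = int(m.group(1)), m.group(2)
        for kind, pattern in FILE_PRIMITIVES:
            for path in pattern.findall(sql):
                findings.append((thread_id, kind, path, flags_for(kind, path)))
    return findings
```

Hardening the server itself is the complement to this check: set secure_file_priv to a dedicated directory and do not grant the FILE privilege to application accounts, so neither load_file() nor INTO OUTFILE reaches /etc or the web root in the first place.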
#20
(09-10-2015, 05:23 PM)NO-OP Wrote: As I stated earlier in a different convo in this thread. Also, if I'm connecting remotely to the MySQL server, running commands with \! will run them on my local machine. Otherwise I would have just used cp in the first place. While working through this I attempted load_file() and running commands through mysql, but they don't work.

Because people google things and do them without thinking. user = root pops up a lot. Here is a perfect example; notice how no one mentions security issues. People run MySQL, Nginx, Apache, and all kinds of other services as root because of permissions. http://stackoverflow.com/questions/14270...ql-as-root

lol, alright you seem confused.
\! was just to show that it actually wrote the file content of /etc/passwd to a writeable directory.
Had no relation to my argument.

That is also far from a perfect example, I'm sorry but you are delusional.
I feel bad for the firms that hire you and actually get something useful out of it.