Exploit
The main security issue of a server is system access, which allows commands to be executed remotely.
SQL injection can also lead to system access, or at least to writing files on the server, through the indirect techniques described here.
When exploitation succeeds, a text terminal opens in which you enter commands as if you were on the server.
> [!IMPORTANT]
> This content is provided for educational and security purposes, to be used in a controlled environment.
> [!TIP]
> Share your concerns too: add new techniques to the list and open a pull request.
Provided that the injection is successful, each exploit first creates a function or adds a file to the remote system, then proceeds to the exploit. The modes used to write the exploit are also described below.
Remote command execution is performed by a user defined function (UDF), either packaged in a library or built from crafted methods. It then gives access to system commands via an additional SQL function that runs the command.
The following process describes the methodology for the library use case:
- finds the database plugins folder
- identifies target's system architecture
- writes the correct library to the folder using the proper mode
- loads library into the database
- opens the terminal when SQL function is confirmed
The process for the crafted methods use case is more straightforward:
- creates a SQL function in the database
- opens the terminal when the SQL function is confirmed
UDF has several requirements to set up, but it is easy to run because it requires no user input, just a single click.
The Web exploit also gives access to system commands, but it does so through web requests to a presumed web folder that you must choose:
- writes the payload to the presumed folder using the proper mode
- opens the terminal when the connection to the presumed web page is confirmed
It only needs basic queries and the database file privilege, plus some guessing to find the correct working folder.
> [!WARNING]
> RCE can be difficult to craft. Here are the requirements, by database vendor, for a successful process:

| | Need stack query | Web+db on same server | ⛔ GET large payload | Db file priv | Db grant | Write access | Execute access | Need JDBC bridge | Not exploitable |
|---|---|---|---|---|---|---|---|---|---|
| [UDF] mysql | ✔ | ✔ | ✔ | | | | | | |
| [UDF] postgres | ✔ | | | | | | | | |
| [UDF] sqlite | ✔ | ❌ 💬 | | | | | | | |
| [UDF] oracle | ✔ | ✔ | ❌ 💬 | | | | | | |
| [Web] mysql | ✔ | ✔ | | | | | | | |
| [Web] postgres | ✔ | | | | | | | | |
| [Web] sqlite | ✔ | ✔ | | | | | | | |
| [Web] hsqldb | ✔ | ✔ | ✔ | | | | | | |
| [Web] h2 | ✔ | ✔ | ✔ | | | | | | |
Similar to the Web exploit, this mode runs SQL queries directly, without any injection layer:
- writes the payload to the presumed folder using the proper mode
- checks the connection method (e.g. `new PDO()`, `mysqli_connect()`, `mysql_connect()`)
- opens the terminal when the connection to the presumed web page is confirmed
Depending on the vendor, database credentials are required; you can set them yourself.
> [!TIP]
> To retrieve the username and password, you can use the tab `Read file` and open any file containing the hard-coded credentials (e.g. index.php, mydb.php).
Any target that runs a language like PHP may also give access to direct upload via `Content-Type: multipart/form-data`:
- writes the payload to the presumed folder using the proper mode
- starts uploading when the connection to the presumed web page is confirmed
You then select the file on your system to upload.
Any exploit can be created by one of three distinct modes; you select a mode or leave it to `auto`.
A single query containing the exploit's body encoded in hex creates the file, which means that with method `GET` it is limited to relatively small payloads.
> [!WARNING]
> Use `POST` and the `temp table` mode for large payloads, such as UDF.
The exploit is split into small hex-encoded chunks that are loaded into a temp table; the table is then written to the destination file.
The limitation of the small `GET` maximum size is avoided by processing smaller chunks, but stacked queries are required.
You can also connect the database directly to your file system to transfer the exploit, for example on a local network during a CTF.
You set the path to the network share folder where the exploit is created, like `\\127.0.0.1\C$\folder\`, and the database then loads it through a direct connection from the remote server to your netshare.
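As an added example (not code from this wiki page or its project), here is a defender-side Python check that scans MySQL general-log style lines for the indicators the requirement table and the three modes above describe: stacked queries, long hex chunks staged in a temp table, file writes that need the file privilege, a library registered as a SQL function, and a netshare UNC path. The log line format, the indicator thresholds, the risk ranking and the sample lines are assumptions constructed for this example.

```python
import re

# Heuristic indicators, one per requirement the page lists (constructed for this example).
INDICATORS = {
    "stacked_query": re.compile(r";\s*\S"),                # a second statement after ';'
    "hex_payload": re.compile(r"\b0x[0-9a-fA-F]{64,}"),    # long hex chunk of a file body
    "file_io": re.compile(r"\b(?:INTO\s+(?:OUT|DUMP)FILE\b|LOAD_FILE\s*\(|LOAD\s+DATA\b)", re.I),
    "udf_load": re.compile(r"\bCREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\b.*\bSONAME\b", re.I | re.S),
    "unc_path": re.compile(r"\\\\[\w.\-]+\\[\w$]+"),       # \\host\share: a netshare fetch
    "temp_table_staging": re.compile(r"\bCREATE\s+TEMPORARY\s+TABLE\b.*?\bINSERT\s+INTO\b", re.I | re.S),
}

def analyze(sql):
    """Return the sorted names of every indicator that matches one SQL statement."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(sql))

def risk(hits):
    """Any file, library or share primitive is high; two staging signs together are medium."""
    if {"file_io", "udf_load", "unc_path"} & set(hits):
        return "high"
    return "medium" if len(hits) >= 2 else ("low" if hits else "none")

def scan_log(lines):
    """Flag Query entries in lines shaped like the MySQL general log: time<TAB>id Command<TAB>sql."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        parts = line.rstrip("\n").split("\t", 2)
        if len(parts) < 3 or parts[1].split()[-1:] != ["Query"]:
            continue  # Connect/Quit entries and malformed lines carry no statement
        hits = analyze(parts[2])
        if hits:
            findings.append((lineno, risk(hits), hits))
    return findings

# Constructed sample log; the hex chunk and paths are placeholders, not real payloads.
HEX_CHUNK = "0x" + "41" * 40
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z\t7 Connect\tapp@localhost on shop",
    "2024-05-01T10:00:01Z\t7 Query\tSELECT id, name FROM products WHERE id = 42",
    "2024-05-01T10:00:02Z\t7 Query\tSELECT 1; CREATE TEMPORARY TABLE t (c BLOB); INSERT INTO t VALUES (" + HEX_CHUNK + ")",
    "2024-05-01T10:00:03Z\t7 Query\tSELECT c FROM t INTO DUMPFILE '/var/www/html/page.php'",
    "2024-05-01T10:00:04Z\t7 Query\tSELECT LOAD_FILE('\\\\127.0.0.1\\C$\\folder\\lib.so')",
    "2024-05-01T10:00:05Z\t7 Query\tCREATE FUNCTION my_fn RETURNS INT SONAME 'lib.so'",
]

if __name__ == "__main__":
    for lineno, level, hits in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {level:6} {', '.join(hits)}")
```

The semicolon and hex heuristics will also fire on legitimate statements that embed such text in string literals, so treat the output as a triage list to review against the account's expected workload.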