Avoid local attack through Mysql
$100-300 USD
Paid on delivery
MySQL, as we all know, is a very popular DBMS (Database Management System) and comes in 4 editions:
* MySQL Standard includes the standard storage engine, as well as the InnoDB storage engine, which is touted as a “transaction-safe, ACID-compliant database” with some additional features over the standard version.
* MySQL Pro is the commercial version.
* MySQL Max includes the more technologically advanced features that are available during early access programs.
* MySQL Classic is the standard storage engine without the InnoDB engine. This is another commercial version.
To increase usability, the MySQL developer team has added some functions that put the server at risk. You have probably heard about the local attack method through MySQL. Let's try an example:
(In this example, I assume the attacker already owns one MySQL account that has the rights to create, edit and add/remove databases on the server.)
By creating a table like this:
use attacker;
CREATE TABLE readfile (text LONGTEXT);
INSERT INTO readfile VALUES (LOAD_FILE('/etc/passwd'));
As you can see, the result is:
SELECT * FROM readfile;
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
ident:x:100:101::/home/ident:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
canna:x:39:39:Canna Service User:/var/lib/canna:/sbin/nologin
wnn:x:49:49:Wnn Input Server:/var/lib/wnn:/sbin/nologin
mysql:x:101:102:MySQL server:/var/lib/mysql:/bin/bash
named:x:25:25:Named:/var/named:/sbin/nologin
Some may wonder: "Oops, why could the attacker exploit my server although I had already hardened it carefully: safe_mode on, open_basedir set, system functions disabled?" This could be because your administrator had forgotten, or had not cared enough, about this. The problem here is that we need to find out the risk that comes from MySQL's usability from the customers' point of view (in case you are managing a shared-hosting environment).
"Do they really need those functions?"
"What could an attacker do once they have an account in MySQL?"
You can find a solution and deploy it after answering these two questions. Let's have a look at MySQL's functions.
Which one could be the most dangerous?
First, consider load_file(). Its structure is LOAD_FILE(file_name). This is used to read a file's content and return it as a string. In the MySQL manual pages, you can see its requirements:
" To use this function, the file must be located on the server host, you must specify the full pathname to the file, and you must have the FILE privilege. The file must be readable by all and its size less than max_allowed_packet bytes. "
To read a file through MySQL, the user must have the FILE privilege, and the file must be readable by all. These are two golden keys for us, poor sysadmins, to prevent the attack. For a normal customer who needs to manipulate files,
there are 2 cases:
1. Through PHP, Perl, CGI or ASP scripts, or the file manager in the hosting control panel
2. Directly through FTP
So it is not necessary for a normal customer to own the FILE privilege. To prevent this risk, you can simply remove the FILE privilege from all users in MySQL.
The next one is the "LOAD DATA INFILE" statement:
"LOAD DATA [LOW_PRIORITY | CONCURRENT] [LOCAL] INFILE 'file_name'
[REPLACE | IGNORE]
INTO TABLE tbl_name
[FIELDS
[TERMINATED BY 'string']
[[OPTIONALLY] ENCLOSED BY 'char']
[ESCAPED BY 'char']
]
[LINES
[STARTING BY 'string']
[TERMINATED BY 'string']
]
[IGNORE number LINES]
[(col_name,...)] "
(This mini-article assumes you already know about MySQL, so we do not explain the use or the structure of this statement.)
This one does the same as load_file() but at a different speed. Also, it has one more keyword: "LOCAL".
In case "LOCAL" has been added to the statement, MySQL reads the file on the client and sends it to the server. The vast majority of servers set up MySQL on localhost (themselves), so it isn't important whether it has it or not. Look at its requirement:
"For security reasons, when reading text files located on the server, the files must either reside in the database directory or be readable by all. Also, to use LOAD DATA INFILE on server files, you must have the FILE privilege "
Again, the FILE privilege is the most important key to prevent this risk.
Dumping files onto the server is not really popular, so it is not important to discuss it here.
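As an added example (not part of the original posting) that covers both the load_file() and the LOAD DATA INFILE sections above, this is the SQL a sysadmin would run to find which accounts hold the FILE privilege, revoke it, and check the server options that limit file access. The account name 'customer1'@'localhost' is a constructed placeholder.

```sql
-- Added example, not from the original posting: audit and remove the FILE
-- privilege, then check the server-side limits on LOAD_FILE() / LOAD DATA INFILE.
-- The account 'customer1'@'localhost' is a constructed placeholder.

-- 1. Which accounts can read server files? Global privileges live in mysql.user;
--    File_priv = 'Y' is the flag that LOAD_FILE() and LOAD DATA INFILE require.
SELECT user, host
FROM mysql.user
WHERE File_priv = 'Y';

-- 2. Shared-hosting customers do not need FILE (they use PHP/FTP for files),
--    so revoke it from every account that appeared in the list above.
REVOKE FILE ON *.* FROM 'customer1'@'localhost';

-- 3. Confirm that FILE is no longer among the account's grants.
SHOW GRANTS FOR 'customer1'@'localhost';

-- 4. Server-wide limits that apply even to accounts that keep FILE.
--    secure_file_priv confines file reads/writes to one directory: '' means no
--    restriction, NULL means file operations are disabled. It is read-only at
--    runtime, so set it in my.cnf under [mysqld], e.g.
--        secure_file_priv = /var/lib/mysql-files
SHOW VARIABLES LIKE 'secure_file_priv';

--    local_infile controls the LOCAL variant of LOAD DATA, which reads the file
--    on the client. It can be switched off at runtime (and in my.cnf: local_infile=0).
SHOW VARIABLES LIKE 'local_infile';
SET GLOBAL local_infile = 0;

-- 5. Result for the customer account after the revoke: LOAD_FILE('/etc/passwd')
--    returns NULL instead of the file content, and LOAD DATA INFILE on a server
--    file is refused with an "Access denied" error.
```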
Conclusion:
MySQL is a really, really powerful DBMS for its power, speed and usability, but so many unneeded functions make it a potential risk to the server. Hopefully you can gain a little bit of experience to improve security for yourself.
Project ID: #173006