This MySQL OOB technique seems to be getting out of control. It didn’t exist in the wild (as far as we know), so we started to look into it even further. Malware can use this SMB vulnerability (?) in order to spread itself to other locations: to, let’s say, all Windows boxes on the local network. Rather easy too.
Last week there was a lot to do on MySQL and the load_file() function on our blog; we found ways of generating DNS and ARP packets…
Both my fellow researcher Mathias and I have heard everything from “It’s impossible to make DNS requests in MySQL” to “There are no out-of-band techniques for MySQL”. So we both thought “Hey, it can’t be that hard…” So ladies and gentlemen, here’s a (so far) theory on a MySQL out-of-band request. As long as you have File_priv set to Y in MySQL, it is a possible scenario. So let’s…
It’s possible to write files to and read files from remote locations in your network through the INTO OUTFILE and LOAD_FILE() features in MySQL. This has only been tested in MySQL 5.1.37 on Microsoft Windows 7, but it’s possible that older/newer versions of MySQL on other platforms have the same unexpected feature. I haven’t heard about this, but it feels bad. Here’s a PoC:
So, well. There isn’t any public content on how to perform attacks against MySQL INSERTs. Sure, you can insert some data into some column; it doesn’t take a genius to figure that out. But what about extraction? INSERT statements don’t return anything. So what can we do?