Re: [GENERAL] [OT] Help: stories of database security and privacy

From: Lifepillar
Subject: Re: [GENERAL] [OT] Help: stories of database security and privacy
Msg-id: odpqbh$gdh$1@blaine.gmane.org
In reply to: Re: [GENERAL] [OT] Help: stories of database security and privacy (vinny <vinny@xs4all.nl>)
Responses: Re: [GENERAL] [OT] Help: stories of database security and privacy (vinny <vinny@xs4all.nl>)
List: pgsql-general
On 12/04/2017 10:57, vinny wrote:
> On 2017-04-12 09:09, Lifepillar wrote:
>> So, I am here to ask if you have interesting/(in)famous stories to
>> share on database security/privacy "gone wrong" or "done right"(tm),
>> possibly with technical details
>
> One case that I remember from an ancient version of the book "Hacking
> Exposed" was about a MySQL server that was running under the root user.
> A badly written application allowed some SQL injection that let a
> hacker issue a SELECT INTO OUTFILE query that "selected" a bash script
> into the .login file of the root user, and the next time the root user
> logged in, the script would create a new superuser account for the
> hacker.

After tweaking MySQL to be really insecure by unsetting
secure_file_priv, using GRANT FILE, etc., I am indeed able to write
anywhere the user running MySQL is able to. This, combined with
a trivial SQL injection vulnerability in a popular web application,
makes (I think) an interesting and easy-to-explain example of how one
might take over a system or an account.

Correct me if I am wrong: in PostgreSQL something similar can be
achieved using lo_export(), although you must connect as a superuser to
do that (while in MySQL you may grant file system access to any user).

> I remember this particular example mainly because of the way that people
> I told it to reacted; some were of the opinion that the application was
> at fault for allowing injection, some thought the DBA was to blame for
> running as root, but the vast majority did not know that MySQL could
> write files, let alone overwrite system files.

Good point.

Thanks!
Life.
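The file-write primitives discussed in this message, as an added SQL example that is not part of the thread: the checks a DBA would run on each engine, the write itself in the shape a string-splicing injection gives it, and the settings that close it. The account name `webapp`, the `products` table and the `/tmp` paths are assumptions made for the illustration, and the PostgreSQL 11 privilege changes (grantable `lo_export()`, the `pg_write_server_files` role) post-date this 2017 message.

```sql
-- ===== MySQL =====
-- Audit the two settings that decide whether SELECT ... INTO OUTFILE is a
-- file-write primitive for an injected query.

-- An empty value means "any directory the mysqld OS user can write";
-- NULL disables INTO OUTFILE / LOAD DATA / LOAD_FILE() entirely.
SHOW VARIABLES LIKE 'secure_file_priv';

-- Accounts holding the global FILE privilege. The application account
-- ('webapp'@'localhost' is an assumed name) must not appear here.
SELECT user, host FROM mysql.user WHERE File_priv = 'Y';

-- Constructed table standing in for the vulnerable application's data.
CREATE TABLE IF NOT EXISTS products (id INT PRIMARY KEY, name VARCHAR(64));
INSERT IGNORE INTO products VALUES (1, 'widget');

-- The vulnerable application query is
--     SELECT name FROM products WHERE id = '<input>'
-- with <input> spliced in verbatim. Everything after the first quote below
-- is attacker-supplied: it closes the string, appends a UNION whose single
-- row is the file body, and redirects the result to a path on the server
-- instead of to the client. In a real injection the attacker ends the
-- input with "-- " so the application's own closing quote is commented out.
-- The path is constructed for this example; in the story it was
-- /root/.login, reachable only because mysqld itself ran as root.
-- Note that MySQL refuses to write INTO OUTFILE over an existing file.
SELECT name FROM products WHERE id = ''
  UNION SELECT 'echo injected > /tmp/marker'
  INTO OUTFILE '/tmp/written_by_mysqld.sh';

-- Hardening: secure_file_priv is read-only at runtime, so it goes in my.cnf
--     [mysqld]
--     secure_file_priv = NULL
-- and the application account loses FILE:
REVOKE FILE ON *.* FROM 'webapp'@'localhost';

-- ===== PostgreSQL =====
-- The server-side write primitives are lo_export(oid, text) and
-- COPY ... TO 'file'. Before PostgreSQL 11 both are superuser-only; from 11
-- on, EXECUTE on lo_export() can be granted to ordinary roles, and COPY TO
-- a file is also open to members of pg_write_server_files. Audit all three.
SELECT rolname FROM pg_roles WHERE rolsuper;
SELECT has_function_privilege('webapp', 'lo_export(oid, text)', 'EXECUTE');
SELECT pg_has_role('webapp', 'pg_write_server_files', 'MEMBER');   -- 11+

-- The write itself, run as a superuser: stage the bytes as a large object
-- (0 = let the server choose the OID), then export it to a path the
-- postgres OS user can write. The path is constructed for this example.
SELECT lo_export(
  lo_from_bytea(0, convert_to('echo injected > /tmp/marker' || chr(10), 'UTF8')),
  '/tmp/written_by_postgres.sh');

-- Hardening: the application role is never a superuser, and on 11+ it holds
-- neither of the grantable write paths.
ALTER ROLE webapp NOSUPERUSER;
REVOKE EXECUTE ON FUNCTION lo_export(oid, text) FROM webapp;
REVOKE pg_write_server_files FROM webapp;
```

The MySQL write is the whole of what the quoted story relied on; the rest of that chain (the file landing in root's home and being sourced at the next interactive login) depends on the mysqld process owner, which is why the same injection against a server running as an unprivileged `mysql` user yields a file owned by that user and nothing more.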

In the pgsql-general list, by date sent:

Previous
From: Tom DalPozzo
Message: Re: [GENERAL] tuple statistics update
Next
From: vinny
Message: Re: [GENERAL] [OT] Help: stories of database security and privacy