SELECT name, add, content FROM data WHERE id=4444 UNION SELECT
0x8A789C.........,0x00,0x00 INTO DUMPFILE 'file'
In the example above, the first column is filled with our compressed arbitrary data. When
the zlib library is used, the Adler32 checksum [21] is found at the end of the compressed
data in the first column. As stated in RFC 1950 [22], any data that appears after the
Adler32 checksum is not part of the zlib stream. We can abuse this property by injecting
any value into the other columns: the decompressor stops at the checksum, so the extra
column values do not prevent the arbitrary file from being decompressed correctly.
Another method is to spread the arbitrary data in sequence across all the columns of the
second query. It is not a problem if one of the columns holds more data than the others,
as seen in the following example.
SELECT name, add, content FROM data WHERE id=4444 UNION SELECT 0x8A,
0x78,0x9CED......9EEC....... INTO DUMPFILE 'file'
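The RFC 1950 property relied on above (bytes after the Adler32 trailer are not part of the stream) can be checked directly. The following is an added example, not code from the paper: it inflates a zlib blob, reports the bytes left over after the trailer, and verifies the trailer position, so a defender can flag stored blobs that carry padding beyond the stream. The sample blob is constructed inline to mimic a three-column DUMPFILE row (compressed data followed by two 0x00 columns).

```python
import struct
import zlib


def split_zlib_stream(blob: bytes) -> tuple[bytes, bytes]:
    """Inflate a zlib stream and return (payload, trailing_bytes).

    Per RFC 1950 the stream ends with a 4-byte big-endian Adler-32 of the
    payload; anything after it is outside the stream. The inflater stops
    there, so the remainder is surfaced instead of being silently dropped.
    """
    inflater = zlib.decompressobj()
    payload = inflater.decompress(blob)
    if not inflater.eof:
        raise ValueError("truncated or corrupt zlib stream")
    return payload, inflater.unused_data


def stream_trailer_is_valid(blob: bytes) -> bool:
    """Locate the Adler-32 trailer and compare it with the inflated payload.

    The trailer sits at the end of the stream proper, i.e. just before any
    trailing bytes, not at the end of the blob.
    """
    payload, trailing = split_zlib_stream(blob)
    stream_len = len(blob) - len(trailing)
    trailer = blob[stream_len - 4:stream_len]
    return trailer == struct.pack(">I", zlib.adler32(payload) & 0xFFFFFFFF)


def has_trailing_bytes(blob: bytes) -> bool:
    """Flag a blob that carries data beyond the zlib stream.

    A file that should be a single clean zlib stream but has padding after
    the trailer was assembled in an unusual way and deserves a closer look.
    """
    _, trailing = split_zlib_stream(blob)
    return len(trailing) > 0


# Constructed sample: compressed payload in column one, then two 0x00 columns.
SAMPLE_PAYLOAD = b"constructed sample payload, repeated " * 4
SAMPLE_CLEAN = zlib.compress(SAMPLE_PAYLOAD)
SAMPLE_BLOB = SAMPLE_CLEAN + b"\x00" + b"\x00"

if __name__ == "__main__":
    data, extra = split_zlib_stream(SAMPLE_BLOB)
    print(data == SAMPLE_PAYLOAD, extra, stream_trailer_is_valid(SAMPLE_BLOB))
```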
10 Remote code execution on LAMP
Remote code execution on LAMP is subject to several limitations and constraints. By default,
MySQL runs as the mysql user. Arbitrary files created through SELECT INTO DUMPFILE
can only be written to directories where the mysql user is allowed to write. By default,
the uploaded file is readable but not executable, and it is owned by the mysql user.
A PHP script can be used to read the file and write the same content to a new file.
This new file is owned by the www-data user, and the same PHP script can be used to
change the permission of this file to executable using the PHP SYSTEM function. To
perform this action, the file needs to be uploaded to a web server directory that is
writable by both the mysql and www-data users. By default, a directory created by another
user is not writable by these users. In some cases, such directories are set to be writable;
an example can be found in an application that allows a user to upload content to the
web server directories through a file upload feature.
If such a writable directory can be discovered on the web server and the file is successfully
uploaded, a PHP script can be used to execute the malicious file using the PHP SYSTEM
function.