Willem de Groot Jan 17
Found a vulnerability in popular database manager Adminer, Magecart hackers rejoice and use it for a skimming spree. Upgrade and/or close your public adminer.php's asap.
Willem de Groot Jan 17
Replying to @gwillem
And here's the actual handshake with the evil MySQL server
Willem de Groot Jan 18
Replying to @gwillem
Wonder if it would be possible to induce other clients to hand over local files. I don't understand the MySQL protocol here, why would the server supply a filename local to the client.
Willem de Groot
So the answer is YES. Mysql docs even explicitly state it 😬 Thanks to Adminer's author for pointing that out:
Willem de Groot Jan 18
Replying to @gwillem
TL;DR: your MySQL server has access to all of your files. Would be nice to set up a honeypot, to trap fraudsters scanning for open MySQL servers
Rick van de Loo Jan 18
Replying to @gwillem
But only if the client has --local-infile enabled, which is disabled by default (at least in Debian and in other sane distros)
Ryan Hoerr Jan 18
Replying to @gwillem @jakubvrana
That's incredible.
Willem de Groot Jan 18
Replying to @vdloo_
The Go MySQL driver even has a whitelist to handle this protocol flaw: Can't find any PHP references so far.
Rick van de Loo Jan 18
Replying to @gwillem
python-mysqlclient also handles this so it seems
Jasha 👨‍💻 Jan 18
Replying to @gwillem
-- A table wide enough for the seven colon-separated fields of /etc/passwd
CREATE TABLE users(
  userid VARCHAR(255), field2 VARCHAR(255), field3 VARCHAR(255), field4 VARCHAR(255),
  displayname VARCHAR(255), location VARCHAR(255), truthordare VARCHAR(255)
);
-- LOCAL means the file is read from the client's filesystem, not the server's
LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE users COLUMNS TERMINATED BY ':';
Vess Jan 18
Replying to @gwillem
Dionaea has a MySQL honeypot (among others): We're using it for its SMB honeypot; can't set up a MySQL one right now due to resource limitation.
Willem de Groot Jan 18
Replying to @VessOnSecurity
Thanks, looks like a great (&mature) project
Michiel Gerritsen Jan 18
Replying to @gwillem @vdloo_
In php when using PDO you need to explicitly enable it when creating the connection afaik
Cole G. Wippern Jan 19
Replying to @gwillem @jakubvrana
Woah, had no idea LOAD could be used this way; noticed this on that same doc page. I wonder if most distributed clients are compiled with the option enabled or disabled.
Julien Goodwin Jan 20
Replying to @gwillem @jakubvrana
Similar to the recent SCP thing. Wonder how many more are out there.
Cole G. Wippern Jan 20
Replying to @gwillem @jakubvrana
A colleague of mine dug up some more interesting info: the issue exists in (at least) versions 5.5, 5.6, 5.7, and 8.0. While the default is indeed that this behavior is disabled for clients in version 8.0, that is a relatively recent change
Cole G. Wippern Jan 20
Replying to @gwillem @jakubvrana
And it does appear to be disabled for a popular 5.7 client on OSX, mysql-5.7.22-macos10.13-x86_64:
mysql --help | grep ^local-infile
local-infile FALSE
0.99^1000 developer Jan 20
Replying to @gwillem @shochdoerfer
Woah, this is still a thing? I blogged about it when I was barely able to code:
Willem de Groot Jan 20
Replying to @Ocramius @shochdoerfer
That's about attacking the server? This is about attacking the client.