MariaDB DIOS (Dump in One Shot)

Context

This article teaches how to perform a full database dump using the DIOS (Dump in One Shot) technique in MariaDB. Understanding SQL syntax, database schema, and common data extraction methods is essential for effectively conducting this technique.

Theory

DIOS Technique in MariaDB

DIOS, or Dump in One Shot, is a powerful method used to extract entire databases through a single SQL query. This technique is typically executed by exploiting SQL injection vulnerabilities. By leveraging this exploit, an attacker can use functions like GROUP_CONCAT to concatenate data from multiple rows and extract large datasets efficiently.

Usage of CONCAT and GROUP_CONCAT Functions

The CONCAT function in SQL combines multiple strings into one, which is useful for assembling a single string from several data fields. GROUP_CONCAT, by contrast, aggregates values from multiple rows into a single string, so a result that spans many rows is returned as one value. Together, these functions perform the aggregation that a DIOS attack relies on.

Using INTO OUTFILE for Data Extraction

INTO OUTFILE is an SQL clause used to write the results of a query directly into a file on the server. In the context of a DIOS attack, an attacker can inject SQL commands into a vulnerable application, causing the database server to write its content into a file in a web-accessible directory. This approach effectively exfiltrates critical database information by making it available in a format the attacker can easily access.

Practice

Performing a Full Database Dump with DIOS

Conducting a full database dump using DIOS requires a crafted SQL injection to write database content to a file on the server. Below are the steps executed in a test environment.

  • Step 1: Extract all table names from the target database and dump them into a file.

    SELECT GROUP_CONCAT(table_name) INTO OUTFILE '/var/www/html/db_tables.txt'
    FROM information_schema.tables
    WHERE table_schema='target_db';

    This command harvests all table names from the specified database, outputting them to db_tables.txt in the web server's root directory.

  • Step 2: Extract all data from a specific table and write it to a file.

    SELECT GROUP_CONCAT(CONCAT(column1, ':', column2)) INTO OUTFILE '/var/www/html/dump.txt'
    FROM target_table;

    By modifying column1 and column2 to the desired column names from the table, this query concatenates specific column data, writing the results to dump.txt.
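
Seen from the database side, both steps leave a recognizable trace in a statement log: a file write via INTO OUTFILE and GROUP_CONCAT over information_schema. The following detection sketch is an added example, not part of the original article; the log layout, the account names and the web root in WEB_ROOTS are assumptions chosen for illustration.

```python
import re

WEB_ROOTS = ("/var/www/",)  # assumption: web server document root on this host
EXEC_COMMENT = re.compile(r"/\*!\d*(.*?)\*/", re.S)  # executable comment: body is run
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)
FILE_WRITE = re.compile(r"\binto\s+(?:out|dump)file\s+'([^']*)'", re.I)
SCHEMA_ENUM = re.compile(r"\bgroup_concat\s*\(.*\binformation_schema\s*\.", re.I | re.S)

def normalize(sql):
    """Unwrap executable comments, drop plain ones, collapse whitespace."""
    sql = EXEC_COMMENT.sub(r" \1 ", sql)
    sql = PLAIN_COMMENT.sub(" ", sql)
    return re.sub(r"\s+", " ", sql).strip()

def classify(sql):
    """Return (finding, detail) pairs for one logged statement."""
    text = normalize(sql)
    findings = []
    m = FILE_WRITE.search(text)
    if m:
        kind = "file-write-webroot" if m.group(1).startswith(WEB_ROOTS) else "file-write"
        findings.append((kind, m.group(1)))
    if SCHEMA_ENUM.search(text):
        findings.append(("schema-enum", "information_schema"))
    return findings

# Constructed sample: "<connection id>\t<account>\t<statement>" (simplified layout)
SAMPLE_LOG = """\
41\tapp@localhost\tSELECT id, name FROM products WHERE id = 7
41\tapp@localhost\tSELECT GROUP_CONCAT(table_name) INTO OUTFILE '/var/www/html/db_tables.txt' FROM information_schema.tables WHERE table_schema='target_db'
42\tapp@localhost\tSELECT GROUP_CONCAT(CONCAT(column1, ':', column2)) INTO/**/OUTFILE '/var/www/html/dump.txt' FROM target_table
43\tbackup@localhost\tSELECT * FROM orders INTO OUTFILE '/var/backups/orders.csv'
44\tapp@localhost\tSELECT GROUP_CONCAT(tag) FROM post_tags WHERE post_id = 3
"""

def scan(log_text):
    """Return (line number, account, findings) for every flagged statement."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        conn, account, sql = line.split("\t", 2)
        found = classify(sql)
        if found:
            hits.append((lineno, account, found))
    return hits

if __name__ == "__main__":
    for lineno, account, found in scan(SAMPLE_LOG):
        print(lineno, account, found)
```

INTO OUTFILE only succeeds when the connecting account holds the FILE privilege and the target path is permitted by secure_file_priv. An application account without FILE, on a server whose secure_file_priv points away from the web root, cannot run either step shown above.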

Outcomes

Following these steps leads to a full database dump, giving an attacker complete access to sensitive data stored within the target database, including potentially confidential information.

Tools

  • sqlmap
  • Burp Suite

These tools can facilitate the detection and exploitation of SQL injection vulnerabilities necessary for the DIOS technique within a controlled environment.
