Stacked Queries in Cloud

Context

The purpose of this document is to guide you through exploiting stacked queries in MariaDB within cloud environments. This exploration focuses on overcoming typical restrictions encountered when running SQL queries in cloud-hosted databases. It is assumed that the reader has a solid understanding of SQL query execution, cloud database services, and MariaDB configuration.

Theory

Cloud Database Security

Cloud database security encompasses the various security measures applied to databases that are hosted in cloud environments. Providers often enforce certain restrictions, especially on SQL features, to mitigate injection attacks. Understanding these measures is crucial when attempting to exploit stacked queries.

Stacked Queries in SQL

Stacked queries refer to a technique allowing the execution of multiple SQL statements within a single query. By inserting multiple commands, an attacker can execute additional actions beyond what the application intends. This capability forms the basis of many SQL injection exploits.

MariaDB Configuration in Cloud

For MariaDB hosted in cloud environments, cloud providers commonly disable multi-statement execution by default. This default rests on the trust assumption that ordinary application operations do not require multi-statement execution.

Multi-Statement Disabled

This configuration setting specifically prevents the execution of multiple SQL statements in a single query. A flaw arises when applications fail to verify whether multi-statement execution is necessary, in which case the restriction can potentially be bypassed by an attacker.

PDO Limitation

PHP Data Objects (PDO) often disable multi-statement execution by default. This protocol weakness can be exploited if applications do not properly configure PDO settings, allowing for potential bypasses.

Connection String MultiStatements

The "multiStatements" parameter in a database connection string controls whether multi-statement execution is allowed. By manipulating this parameter, attackers can bypass filters if the connection string is poorly configured.
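Seen from the defender's side, the same parameter is something to audit for. The Go program below is an added example, not code from the original page: it assumes the Go MySQL driver's DSN layout, and its function names, variable names, hosts and credentials are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// multiStatementsEnabled reports whether a DSN laid out as
// [user[:password]@][net[(addr)]]/dbname[?param=value&...] turns on
// multiStatements. The accepted "true" spellings are an assumption.
func multiStatementsEnabled(dsn string) (bool, error) {
	// The database name follows the LAST '/': passwords and socket paths may contain '/'.
	slash := strings.LastIndex(dsn, "/")
	if slash < 0 {
		return false, fmt.Errorf("DSN has no '/' before the database name")
	}
	_, params, _ := strings.Cut(dsn[slash+1:], "?")
	for _, kv := range strings.Split(params, "&") {
		key, val, _ := strings.Cut(kv, "=")
		if key == "multiStatements" && (val == "1" || strings.EqualFold(val, "true")) {
			return true, nil
		}
	}
	return false, nil
}

// auditConfig reads NAME=DSN lines and returns the names whose DSN allows
// stacked queries. DSNs are never echoed, so passwords stay out of reports.
func auditConfig(lines []string) []string {
	var flagged []string
	for _, line := range lines {
		name, dsn, _ := strings.Cut(strings.TrimSpace(line), "=")
		if on, err := multiStatementsEnabled(dsn); err == nil && on {
			flagged = append(flagged, name)
		}
	}
	return flagged
}

// Constructed sample configuration; hosts and credentials are placeholders.
var sampleConfig = []string{
	"ORDERS_DSN=app:s3cr/et?@tcp(db.example.internal:3306)/orders?parseTime=true",
	"REPORTS_DSN=rpt:pw@tcp(db.example.internal:3306)/reports?charset=utf8mb4&multiStatements=true",
	"CACHE_DSN=cache:pw@unix(/var/run/mysqld/mysqld.sock)/cache",
}

func main() {
	fmt.Println("multiStatements enabled in:", auditConfig(sampleConfig))
}
```

Any name it reports is a connection where an injectable query can carry a second statement, so that parameter should be removed unless the application genuinely needs it.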

RDS SQLi Limit

Amazon RDS imposes restrictions on certain SQL features to limit the risk of SQL injection attacks. Exploiting these limitations requires a comprehensive understanding of how RDS enforces these security features.

Practice

Bypassing Multi-Statement Restrictions

To bypass multi-statement restrictions, follow these steps:

  • Attempt to execute stacked queries directly to determine if they are enabled by default:

    mysql -h <cloud-db-host> -u <user> -p --execute='SELECT 1; SELECT 2;'
    
  • Check if additional measures allow altering session settings to enable multi-statement execution:

    -- Clears the session's SQL mode flags (MariaDB syntax; ALTER SESSION is Oracle's).
    SET SESSION sql_mode='';

  • Verify if changes to the session settings allow stacked queries to run successfully.

Exploiting Connection String Misconfigurations

Exploit connection string misconfigurations using these steps:

  • Identify where in the application the connection strings are defined.

  • Modify the connection string to enable multi-statement execution and test stacked queries (multiStatements is a connection-string parameter, as in the Go MySQL driver's DSN, not an option of the mysql command-line client):

    <user>:<password>@tcp(<cloud-db-host>:3306)/<database>?multiStatements=true

  • Determine if changes to the connection string allow the execution of stacked queries and potentially bypass restrictions.

Tools

  • mysql
  • phpMyAdmin

By following these guidelines, you can effectively explore and exploit stacked query vulnerabilities in cloud environments hosting MariaDB.
