The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws




288    Chapter 9    Injecting Code




ability of any user with the FILE_PRIV permission to read and write to the file system.


The LOAD_FILE command can be used to retrieve the contents of any file. For example:

    select load_file('/etc/passwd')

The SELECT ... INTO OUTFILE command can be used to pipe the results of any query into a file. For example:

    create table test (a varchar(200))
    insert into test(a) values ('+ +')
    select * from test into outfile '/etc/hosts.equiv'

In addition to reading and writing key operating system files, this capability can also be used to perform other attacks:

■ Because MySQL stores its data in plaintext files, to which the database must have read access, an attacker with FILE_PRIV permissions can simply open the relevant file and read arbitrary data from within the database, bypassing any access controls enforced within the database itself.

■ MySQL enables users to create user-defined functions (UDFs), by calling out to a compiled library file that contains the function's implementation. This file must be located within the normal path from which MySQL loads dynamic libraries. An attacker can use the preceding method to create an arbitrary binary file within this path and then create a UDF that uses it. See Chris Anley's paper "Hackproofing MySQL" for more details of this technique.
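As an added defender-side example (not from the book), the following SQL audits the two conditions the section describes: which accounts hold the FILE privilege behind LOAD_FILE and INTO OUTFILE, and which UDFs are registered and from what library. The account name 'webapp'@'localhost' is a constructed placeholder, and secure_file_priv is a real MySQL server variable that the text above does not mention.

```sql
-- Added audit example, not from the book. Run with a DBA account.
-- Assumes MySQL 5.x or 8.x with the standard mysql.* grant tables.

-- 1. Which accounts can call LOAD_FILE() or SELECT ... INTO OUTFILE?
--    Any row here is an account that can read/write the server's file system.
SELECT user, host
FROM mysql.user
WHERE File_priv = 'Y';

-- 2. Is server-side file access confined?
--    ''   = unrestricted (the situation the text describes)
--    NULL = LOAD_FILE/INTO OUTFILE disabled entirely
--    path = reads and writes limited to that directory
SELECT @@global.secure_file_priv AS secure_file_priv;

-- 3. Which UDFs are registered, and which shared library backs each one?
--    Unexpected library names here are worth investigating.
SELECT name, ret, dl
FROM mysql.func;

-- 4. Remediation: the application account should not hold FILE at all.
--    'webapp'@'localhost' is a constructed placeholder name.
REVOKE FILE ON *.* FROM 'webapp'@'localhost';
```

secure_file_priv is read-only at runtime, so tightening it means setting it under [mysqld] in the server configuration and restarting.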



