Friday, September 16, 2016

MySQL Backdoors in UDFs

Thought this blog by securusglobal about MySQL Backdoor with udf was interesting. In Short, a UDF is a user-defined-function in MySQL. In general you can use it to manipulate column values for example in a select statement without having to put the dirty non-Mysql logic (such as C/C++) inside the actual select statement. Example: select udf_tocelsius(temps.fahrenheit) from temps

But instead of doing some nice like a formula or calculation, as a bad guy you could perhaps do something like

char *cmd;
FILE *fp;
strcat(cmd, args->args[i]);
fp = popen(cmd, "r");

Which is C code that essentially runs systems commands (similar to the system() function) against the operating system, so you could pass in commands that download your malware, execute it, etc.

Please note this is not a vulnerability, this is more of just an example of a backdoor persistence method. Of course a lot of things have to be setup correctly for this to even work, so for example if the attacker didn't have appropriate access or permissions were locked down tight, this might never even work. But interesting though none-the-less.

More about neonprimetime

Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java

Top Github Contributions
  1. Qualys Scantronitor 2.0

Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

No comments:

Post a Comment