How can gaining access to a database provide access to the underlying OS?
Question
as the title states I don't understand the relation between permission to access a db and the permission to write/read files on the underlying OS.
In one of my latest CTF's I had to obtain access to a database and then read files of the server containing the flag. I know this is only possible if the compromised user has the file privilege, but my question remains the same.
Sqlmap states in its features it can accomplish this:
Support to download and upload any file from the database server underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
Now my specific questions:
- What is the core feature/problem that allows this OS access?
- Why are the permission connected?
- Are other DBMS also vulnerable to this and is it a general problem (meaning sqlmap just doesn't provide the exploit for other dbms yet)?
In my eyes the permissions should be treated differently and the db user should not have permissions on the OS, except the files with relation to the DBMS.
Thanks in advance, I know the question is not limited to one aspect and contains various fundamental topics. I'm also willing to do more research, but maybe there is an answer that facilitates my learning process.
1 answers
solution1
1 ACCPTED 2020-05-07 11:13:50
I am not sure about the others, but the below is true of MySQL and MariaDB.
You would need an additional exploit for local privilege escalation to gain access to any files the database user has no access to. The file path available for access is in the system variable secure_file_priv . Dumping/loading data from any other location will not be possible.
Additionally, executing commands is not possible without a UDF plugin that would allow you to execute arbitrary commands. Such things exist, but are not part of MySQL / MariaDB - it is something the sysadmin/DBA on the DB server would have to install themselves. Without this, you wouldn't be able to get the list of files.
Then there are the OS level protections:
1) POSIX level privileges This is regular user/group file systems permissions.
2) Secondary hardening, eg SELinux or AppArmor This will prevent the running process from accessing paths, ports and other resources that don't match the context or path defined in the security policy.
In short, you cannot access/retrieve arbitrary files through the database layer unless the server is deliberately (mis)configured in a way that would allow you to do so, and it would take active effort to configure a MySQL or MariaDB server in a way that would leave it open to this.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.