Exploiting MySQL arbitrary file read: a honeypot that kicks

`/etc/shadow` should not be readable to general users (read: non-root); however, `/proc/self/environ` is, and this is likely to contain useful information (esp. if the user has opted to load keys into their $ENV).

The Gifts rogue mysql server has been around since 2013, and is disarmed (best I could tell); you need to modify the code to have a functional rogue server. _However_, as the server itself does not handle SQL, it's easy to spot. That being said, if you were to include the request in the https://github.com/DinoTools/dionaea mysql honeypot this would be viable, as there is SQL interaction, and thus harder to spot.

I wrote about this issue earlier here: https://www.percona.com/blog/2019/02/06/percona-responds-to-mysql-local-infile-security-issues/ (not attempting to hijack/derail the thread, just linking my write-up, which includes PoC code adapted from Gifts, Wireshark screenshots discussing the attack flow, and links to a pcap which can be inspected).
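The comments above note that a rogue server gives itself away because it answers an ordinary query with a file request instead of handling SQL. The following is an added example of a detector built on exactly that observation; it is not code from the original post, nor from the Gifts, dionaea or Percona material linked above. It assumes it is fed one client packet and the server's reply as raw MySQL wire packets (as pulled from a pcap), framed per the public MySQL client/server protocol: a 3-byte little-endian payload length, a 1-byte sequence id, then the payload, where a client `COM_QUERY` payload begins with `0x03` and a server LOCAL INFILE request begins with `0xFB` followed by the filename. The sample exchanges at the bottom are constructed, not captured traffic.

```python
"""Flag unsolicited or mismatched MySQL LOCAL INFILE requests (rogue-server pattern).

Added example, not from the original post or the projects it links. Packet
layout assumed to follow the public MySQL protocol (see lead-in).
"""
import re
import struct

COM_QUERY = 0x03            # first payload byte of a client query packet
LOCAL_INFILE_REQUEST = 0xFB  # first payload byte of a server "send me this file" packet

# Paths the comments single out as interesting to an attacker. Any file the
# server asks for that the client's own statement did not name is already
# suspicious; these only raise severity.
SENSITIVE_PATHS = ("/etc/shadow", "/proc/self/environ")

LOAD_LOCAL_RE = re.compile(
    r"^\s*LOAD\s+DATA\s+(?:LOW_PRIORITY\s+|CONCURRENT\s+)?LOCAL\s+INFILE\s+'([^']*)'",
    re.IGNORECASE,
)


def parse_packet(raw: bytes):
    """Split a MySQL packet into (sequence_id, payload); raise on truncation."""
    if len(raw) < 4:
        raise ValueError("packet shorter than MySQL header")
    length = struct.unpack("<I", raw[:3] + b"\x00")[0]
    seq = raw[3]
    payload = raw[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated packet body")
    return seq, payload


def expected_local_file(query_payload: bytes):
    """Filename named by a genuine LOAD DATA LOCAL INFILE statement, else None."""
    if not query_payload or query_payload[0] != COM_QUERY:
        return None
    m = LOAD_LOCAL_RE.match(query_payload[1:].decode("utf-8", "replace"))
    return m.group(1) if m else None


def inspect_exchange(client_pkt: bytes, server_pkt: bytes):
    """Classify one query/response pair.

    Returns (verdict, detail):
      'ok'          - no file request, or one matching the client's own statement
      'unsolicited' - server asked for a file but the client never sent LOAD DATA LOCAL
      'mismatch'    - client did send LOAD DATA LOCAL, server asked for a different file
    """
    _, q = parse_packet(client_pkt)
    _, r = parse_packet(server_pkt)
    if not r or r[0] != LOCAL_INFILE_REQUEST:
        return "ok", None
    requested = r[1:].decode("utf-8", "replace")
    expected = expected_local_file(q)
    sensitive = requested in SENSITIVE_PATHS
    if expected is None:
        return "unsolicited", {"requested": requested, "sensitive": sensitive}
    if requested != expected:
        return "mismatch", {"requested": requested, "expected": expected,
                            "sensitive": sensitive}
    return "ok", {"requested": requested}


def build_packet(seq: int, payload: bytes) -> bytes:
    """Frame a payload as a MySQL packet; used only to construct the samples below."""
    return struct.pack("<I", len(payload))[:3] + bytes([seq]) + payload


# Constructed sample exchanges (not captured traffic).
SAMPLES = {
    # Client ran a plain SELECT and was nonetheless asked for a file.
    "rogue": (build_packet(0, bytes([COM_QUERY]) + b"SELECT 1"),
              build_packet(1, bytes([LOCAL_INFILE_REQUEST]) + b"/proc/self/environ")),
    # Legitimate bulk load: the server echoes the client's own filename.
    "legit": (build_packet(0, bytes([COM_QUERY]) + b"LOAD DATA LOCAL INFILE '/tmp/data.csv' INTO TABLE t"),
              build_packet(1, bytes([LOCAL_INFILE_REQUEST]) + b"/tmp/data.csv")),
    # Server swaps the filename for something else.
    "swap": (build_packet(0, bytes([COM_QUERY]) + b"LOAD DATA LOCAL INFILE '/tmp/data.csv' INTO TABLE t"),
             build_packet(1, bytes([LOCAL_INFILE_REQUEST]) + b"/etc/shadow")),
}

if __name__ == "__main__":
    for name, (c, s) in SAMPLES.items():
        print(name, inspect_exchange(c, s))
```

The `mismatch` case matters because a server that does speak SQL (the dionaea-style honeypot the comment describes) can wait for a real `LOAD DATA LOCAL` statement and then ask for a different path, so matching the requested filename against the client's statement catches what the "no SQL handling" heuristic alone would miss. The client-side mitigation remains disabling the feature outright, e.g. `--local-infile=0` for the mysql command-line client.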
