Hacking MySQL

This section covers the following:

  • SQL injection in MySQL
  • Known MySQL bugs
  • Trojanning MySQL
  • Dangerous extensions: MyLUA and MyPHP

SQL Injection in MySQL

SQL injection is probably the most worrying attack on a MySQL system because it's the most probable initial attack vector on an Internet-connected server. Using SQL injection, it is possible to use the database server as a beachhead into the internal network — or at least, the network that the MySQL server is in — and as a platform for launching further attacks.

Frequently, applications inadvertently allow the execution of arbitrary queries in their database backends, by neglecting to vet incoming data. The problem occurs when an application creates a string that holds a SQL query, and includes user-supplied data in that string without applying any input validation.

Imagine a login form where the user supplies a username and password. This data is passed to a database query directly, so if the user inputs the username fred and the password sesame into the form, the SQL query looks like this:

select * from tblUsers where username = 'fred' and password = 'sesame'

In this example, the problems occur when the user specifies a string with a single quote in it. The user can submit a username like this:

fred'#

which will result in the SQL query string

select * from tblUsers where username = 'fred'#' and password = 'sesame'

which of course will log the user on as fred without knowing fred's password, because the database ...

Get The Database Hacker's Handbook: Defending Database Servers now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.