TiDB Importer uses Go MySQL Driver for connecting to MySQL servers. This driver utilizes Data Source Name (DSN) strings for describing database connections with the following format:
username:password@protocol(address)/dbname?param=value
The driver has a built-in protection against LOCAL INFILE
requests. To access the requested file, set the allowAllFiles parameter to true
in the DSN string when connecting to the MySQL server.
To test the vulnerability, I need to (go) build TiDB importer command first in it.
$ git clone https://github.com/pingcap/tidb
$ cd tidb/cmd/importer
$ go build .
Next, let’s set up the software which we will use as a rogue MySQL server: the Rogue-MySql-Server script by allyshka. It’s a fork of the original rogue server by Gifts with additions to support modern MySQL servers.
$ wget -q https://github.com/allyshka/Rogue-MySql-Server/raw/master/roguemysql.php
Launch the roguemysql.php
script and specify the path to the file you are interested in.
The last step is to specify our server address in the config.toml
file. Fill the required fields and don’t forget to put the ?allowAllFiles=true&
string after the database name.
And finally, execute the importer command with the previous config file, you will get your file’s content
$ ./importer -config config.toml
The TiDB importer has connected to the rogue MySQL server, which has requested the /etc/passwd file to be read, and the TiDB importer has transferred this file’s contents to us!