1. Cyber Defense Application Scenarios
In the realm of Cyber Defense, honeypots are crucial tools used to detect threats. Defenders use honeypots to analyze attack behavior, capture vulnerabilities, and possibly counteract attackers. However, attackers can employ honeypot detection techniques to identify and avoid these traps, reducing the risk of being traced by defenders. The effectiveness of a honeypot environment in deceiving attackers depends partly on the realism of the simulated environment; overly simple environments can be easily detected by attackers. Currently, weak passwords remain a major cause of cybersecurity incidents, often enabling attackers to breach an enterpriseâs internal network from the outside. A MySQL honeypot can simulate a basic MySQL service, potentially tracking attackers who use tools like Navicat to connect to the honeypot server via port 3306. This allows defenders to access local files, including WeChat configuration files and Google history records.
2. Countermeasure Strategy
The MySQL server can use the LOAD DATA LOCAL command to read arbitrary files from the MySQL client, then spoof a malicious server to send file-reading payloads to clients connected to this server.
Load data infile is a highly efficient data import method in MySQL with rapid speed, known as a powerful data import tool in MySQL.
The Load data infile function is disabled by default. Executing LOAD DATA INFILE without enabling this function will result in an error.
Check whether it is enabled:
show global variables like'local_infile';
If it is not enabled, you can enable it using the following command:
set global local_infile=1;Syntax:
load data [low_priority] [local] infile 'file_name.txt' [replace | ignore] into table tbl_name[fields
[terminated byâtâ]
[OPTIONALLY] enclosed by â] [escaped byâ\â ]]
[lines terminated byânâ]
[ignore number lines] [(col_name, )]
The load data infile statement reads data from a text file into a table at high speed.
Before using this command, the mysqld process (service) must be running. For security reasons, when reading text files located on the server, the file must reside in the database directory or be readable by everyone. Also, to use load data infile on server files, you must have the FILE privilege on the server host. If the local keyword is specified, files are read from the client host. If local is not specified, server files are read.
Navicat demonstration:
Create a new table named ceshi in the test database.
Create a 1.txt file in the D drive on the client (WIN10) with the content 1234567890, then read the file content to the server.
load data local infile 'D:/1.txt' into table test.ceshi fields terminated by '\n';
If the secure-file-priv option shows as NULL, it indicates that import/export is disabled. You can modify the MySQL configuration file (my.ini on Windows, my.cnf on Linux) and check for the line: secure_file_priv = If absent, add it manually, leaving the value empty.
SHOW VARIABLES LIKE "secure_file_priv";
4. Wireshark Traffic Analysis
Analyze using Wireshark during the above process.
Use Wireshark to filter port 3306 packet captures.
The first Greeting packet returns server version and other information.
The second packet is the clientâs login request.
Next, the client sends a request.
SET NAMES utf8mb4Starting from MySQL 5.5, 4-byte UTF encoding (utf8mb4) is supported, allowing more character sets and emojis. Utf8mb4 is backward-compatible with utf8, but can represent more characters and is a superset of the utf8 character set. Thus, some new applications, like ISO, set the MySQL database character set to utf8mb4.
After the connection is established, the client initiates a query request to the server.
Then, the server replies with a Response TABULAR, specifying the file to be queried.
Finally, the client sends file content to the server.
From the above process, itâs evident that after the client initiates a query to the server, the server returns a Response TABULAR response packet. If the file path is specified in this packet, the corresponding client file can be read. The server can return a Response TABULAR response packet when responding to any client request, allowing it to send a Response TABULAR packet after a successful client login to read relevant client information.
Response TABULAR response packet analysis:
Packet contents are as follows:
09 00 00 01 fb 44 3a 2f 31 2e 74 78 74Here, 09 indicates the length of the packetâs filename in hexadecimal starting from fb. 00 00 01 represents the packet number, fb is the packet type, and 44 3a 2f 31 2e 74 78 74 denotes the filename. Therefore, the payload can be:
chr(len(filename) + 1) + "\x00\x00\x01\xFB" + filenameâ
If you require further assistance or have additional questions, please donât hesitate to ask.