Database Takeover Attack

Databases management systems (DBMS) store data and interact with the file system and operating system on a server. A database takeover gives the attacker abilities to interact with sensitive data and set up covert channels for exfiltration or additional attacks. Attack tools such as sqlmap help the attacker automate the takeover process, which includes a combination of commands and queries. First, the attacker with stolen administrator credentials establishes an interactive SQL shell with the database, or interacts with the database through SQL injection vulnerabilities on the web server. Next, the attacker submits commands in SQL queries. The type of query depends on the database software and the underlying operating system of the DBMS (xp_cmdshell queries for Microsoft SQL Servers, for example). These queries are submitted over protocols such as MySQL, Oracle TNS, or Microsoft TDS. After the commands run on the server, the attacker collects command output through additional SQL queries (SELECT @ sqlmapoutput for the sqlmap tool, for example).