Full Disclosure mailing list archives

Re: MySQL (Linux) Database Privilege Elevation Zeroday Exploit

From: kai () rhynn net
Date: Tue, 04 Dec 2012 07:25:32 +0700

Hi all,

wrote some shitcode for mysql user&hash enumeration when having FILEprivilege. surely you could do it with simple bash one-liner usingmysql+grep+sed, but we're not going the easy way, right?

the first thought was "hey, what about changing root password directlyin file user.MYD?" but then...

file_name cannot be an existing file, which among other thingsprevents files such as /etc/passwd and database tables from beingdestroyed.


anyway we have Nvidia cards and Hashcat.


Cheers,

Kai

Attachment: mysql_file.php
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

MySQL (Linux) Database Privilege Elevation Zeroday Exploit king cope (Dec 01)
- Re: MySQL (Linux) Database Privilege Elevation Zeroday Exploit Michael Wood (Dec 01)
- Re: MySQL (Linux) Database Privilege Elevation Zeroday Exploit Kurt Seifried (Dec 02)
  - Re: MySQL (Linux) Database Privilege Elevation Zeroday Exploit Scott (Dec 05)
- Re: MySQL (Linux) Database Privilege Elevation Zeroday Exploit Eren Yağdıran (Dec 04)
- <Possible follow-ups>
- Re: MySQL (Linux) Database Privilege Elevation Zeroday Exploit kai (Dec 05)