Re: PENTEST MySQL on windows
From: Marco Ivaldi (raptor_at_0xdeadbeef.info)
Date: 02/25/05
- Previous message: Chris: "Re: Traceroute"
- Maybe in reply to: Anthony Ruso: "PENTEST MySQL on windows"
- Next in thread: Sels, Roger: "Re: PENTEST MySQL on windows"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 25 Feb 2005 13:31:56 +0100 (CET)
To: pen-test@securityfocus.com
> Doing a pentest on a site hosting a vulnerable version of MySQL on a
> Windows box. I was able to get full access to the DB and export ALL the
> data. Anyone have any ideas on jumping to the Windows OS with full
> access to just the DB.
If you are able to access the MySQL database with root/admin privileges,
you should also be able to create a custom UDF (User Defined Function)
enabling system()-like command execution on the underlying OS.
Take a look at the following exploit I've published this X-mas for a detailed
privilege escalation procedure (credits for the original code go to
ngssoftware.com):
http://www.0xdeadbeef.info/exploits/raptor_udf.c
I've not tested it on Windows, but I've heard this code was used as a base
for the SpoolCLL worm that targets Windows boxes (although I've not
verified this claim yet):
http://news.zdnet.com/2100-1009_22-5553570.html
You should also read this excellent paper by the guys at ngssoftware.com:
http://www.ngssoftware.com/papers/HackproofingMySQL.pdf
Cheers,
--
Marco Ivaldi
Antifork Research, Inc. http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233 0394 EF85 2008 DBFD B707
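
A defender's audit for the UDF path described in the message above, as an added example that is not part of the original post or of the linked code. It assumes an administrative session on the server being reviewed and the standard `mysql` system tables; `plugin_dir` and `secure_file_priv` exist only on server versions newer than the one discussed in this thread.

```sql
-- Added audit example (not from the original post).
-- Run from an administrative account on the server under review.

-- 1. Every UDF registered with the server: its name, return type and the
--    shared library (dl) it is loaded from. Any row the DBA cannot account
--    for, or any library name nobody recognises, needs investigation.
SELECT name, ret, dl, type
FROM mysql.func
ORDER BY dl, name;

-- 2. Accounts with global privileges relevant to UDF registration:
--    INSERT (covers the mysql system database, which CREATE FUNCTION ...
--    SONAME writes to) and FILE (lets the account write files on the
--    database host).
SELECT user, host, Insert_priv, Delete_priv, File_priv
FROM mysql.user
WHERE Insert_priv = 'Y' OR File_priv = 'Y'
ORDER BY user, host;

-- 3. Accounts with schema-level INSERT on the mysql system database.
--    The db column stores LIKE patterns, so match the literal schema name
--    against each stored pattern rather than comparing for equality.
SELECT user, host, db, Insert_priv, Delete_priv
FROM mysql.db
WHERE 'mysql' LIKE db
  AND Insert_priv = 'Y'
ORDER BY user, host;

-- 4. Server settings that bound where libraries are loaded from and where
--    FILE-privileged accounts may write. An empty secure_file_priv means
--    no restriction on the export/import directory.
SHOW VARIABLES
WHERE Variable_name IN ('plugin_dir', 'secure_file_priv');
```

Application accounts should appear in none of the results of queries 2 and 3; the database service itself should also run as a low-privileged OS user so that a registered UDF inherits as little as possible.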