Re: PENTEST MySQL on windows

From: Sels, Roger (roger.sels_at_gov-fbi.net)
Date: 02/25/05

    Date: Fri, 25 Feb 2005 09:36:36 +0100 (CET)
    To: "Anthony Ruso" <aruso@lgit.com>
    
    

    > Hi ALL,
    >
    > Doing a pentest on a site hosting a vulnerable version of MySQL on a
    > Windows box. I was able to get full access to the DB and export ALL the
    > data. Anyone have any ideas on jumping to the Windows OS with full
    > access to just the DB?
    >
    > Thanks
    >

    Hi Anthony,

    If the MySQL server is vulnerable, you could try using stored procedures &
    extended stored procedures (XP) such as xp_cmdshell, which will allow you
    to execute code.
    XP's are written in high-level languages like C and compiled into .DLL's. The
    advantage is that the DLL just needs to be present on the machine to be
    able to exploit it, much like the .dll's needed to exploit some ISAPI IIS
    extensions ;)

    e.g. SQL XP: exec master..xp_cmdshell 'dir' would obtain a directory
    listing of the current working directory of the SQL Server process.

    Check out the most excellent paper "Advanced SQL Injection techniques" by
    Chris Anley. (http://www.nextgenss.com/papers/advanced_sql_injection.pdf )
    Viewable as HTML if you use google, but I guess that's obvious ;)

    Good luck!

    Roger

    -- 
    Under capitalism, man exploits man.
    Under communism, it's just the opposite.
    J.K.Galbraith
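
A detection-side view of the `exec master..xp_cmdshell 'dir'` call quoted in the reply above, as an added example that is not part of the original thread: it scans logged SQL statements for `xp_cmdshell` invocations and for `sp_configure` turning the option on, while ignoring mentions inside string literals and comments. The function names and the sample statements are assumptions constructed for illustration, and the statements are assumed to come from whatever audit or trace source the database provides.

```python
import re

# Constructed sample statements, as they might appear in a database audit or
# trace log. They are illustrative only and do not come from the original post.
SAMPLE_STATEMENTS = [
    "SELECT name FROM customers WHERE id = 42",
    "exec master..xp_cmdshell 'dir'",
    "EXEC master.dbo.XP_CMDSHELL 'dir'",
    "exec/**/master..xp_cmdshell  'dir' -- trailing comment",
    "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE",
    "EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE",
    "SELECT 'notes about xp_cmdshell hardening' AS doc",
]

# One pass over string literals and comments, so comment markers inside a
# string are not mistaken for comments.
_TOKEN = re.compile(r"('(?:[^']|'')*')|(/\*.*?\*/)|(--[^\n]*)", re.S)
# xp_cmdshell invoked as a procedure, with an optional db/owner prefix.
_CALL = re.compile(
    r"(?:\bexec(?:ute)?\s+|^|;\s*)(?:[\[\]\w]*\.){0,3}\[?xp_cmdshell\]?(?!\w)")
# sp_configure switching the xp_cmdshell option on (value 1).
_ENABLE = re.compile(r"\bsp_configure\s+'xp_cmdshell'\s*,\s*'?1\b")


def normalize(sql, keep_strings):
    """Drop comments, optionally blank string literals, fold case and spaces."""
    def repl(match):
        if match.group(1):
            return match.group(1) if keep_strings else "''"
        return " "
    return re.sub(r"\s+", " ", _TOKEN.sub(repl, sql)).strip().lower()


def classify(sql):
    """Return 'exec', 'enable' or None for a single logged statement."""
    if _CALL.search(normalize(sql, keep_strings=False)):
        return "exec"
    if _ENABLE.search(normalize(sql, keep_strings=True)):
        return "enable"
    return None


def scan(statements):
    """Return (index, finding, statement) for every statement worth alerting on."""
    return [(i, f, s) for i, s in enumerate(statements)
            if (f := classify(s)) is not None]


if __name__ == "__main__":
    for index, finding, statement in scan(SAMPLE_STATEMENTS):
        print(f"[{finding}] statement {index}: {statement}")
```

Statements that build the call inside a string and run it as dynamic SQL are not covered by this sketch, because string contents are blanked before the call check.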
    
