FW: PENTEST MySQL on windows

From: Anthony Ruso (aruso_at_lgit.com)
Date: 02/25/05

    Date: Fri, 25 Feb 2005 10:01:22 -0500
    To: <pen-test@securityfocus.com>

    Hi All,

    Since MySQL does not support xp_cmdshell (not that I know of) I've
    been trying a method using a custom UDF library file uploaded to a
    table that adds new MySQL functions capable of executing shell
    commands on win32. I found some source for the UDF, but am having the
    funnest time compiling it. Once I've compiled it I can upload it and
    then, using some "select|outfile" type of query, write it to the hard
    disk and call the function.

    Please feel free to add to this.

    Anthony Ruso CISSP, CISM

    -----Original Message-----
    From: Sels, Roger [mailto:roger.sels@gov-fbi.net]
    Sent: Friday, February 25, 2005 3:37 AM
    To: Anthony Ruso
    Cc: pen-test@securityfocus.com
    Subject: Re: PENTEST MySQL on windows

    > Hi ALL,
    >
    > Doing a pentest on a site hosting a vulnerable version of MySQL on a
    > Windows box. I was able to get full access to the DB and export ALL
    > the data. Anyone have any ideas on jumping to the Windows OS with full
    > access to Just the DB.
    >
    > Thanks
    >

    Hi Anthony,

    If the MySQL server is vulnerable, you could try using stored procedures
    & extended stored procedures (XPs) such as xp_cmdshell, which will allow
    you to execute code.
    XPs are written in high-level languages like C and compiled into .DLLs. The
    advantage is that the DLL just needs to be present on the machine to be
    able to exploit it, much like the .dlls needed to exploit some ISAPI
    IIS extensions ;)

    e.g. SQL XP: exec master..xp_cmdshell 'dir' would obtain a directory
    listing of the current working directory of the SQL Server process.

    Check out the most excellent paper "Advanced SQL Injection techniques"
    by Chris Anley.
    (http://www.nextgenss.com/papers/advanced_sql_injection.pdf ) Viewable
    as HTML if you use google, but I guess that's obvious ;)

    Good luck!

    Roger

    --
    Under capitalism, man exploits man.
    Under communism, it's just the opposite.
    J.K.Galbraith
    
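From the defending side, the sequence the two posts describe (a library written to disk with an INTO OUTFILE/DUMPFILE query, then registered with CREATE FUNCTION ... SONAME and called) leaves a recognisable trail in the MySQL general query log, and the file-writing step can be confined with the real server option secure_file_priv. The script below is an added example, not code from the thread or from any poster: it parses constructed general-log lines, flags the three statement patterns named in the thread (plus xp_cmdshell for the SQL Server case Roger mentions), ties the write and the UDF registration to the same connection thread, and checks a constructed my.ini fragment for an unset secure_file_priv. The log lines, the function name run_cmd, the paths and the ini fragments are all made up for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample of a MySQL general query log (not taken from the thread).
# Classic layout: "<yymmdd hh:mm:ss> <thread id> <command>  <argument>".
SAMPLE_GENERAL_LOG = """\
050225 10:01:22     12 Query     SELECT name, price FROM products WHERE id = 42
050225 10:01:40     12 Query     SELECT * FROM staging INTO DUMPFILE 'C:/mysql/lib/plugin/helper.dll'
050225 10:01:41     12 Query     CREATE FUNCTION run_cmd RETURNS INTEGER SONAME 'helper.dll'
050225 10:01:50     13 Query     SELECT customer, total INTO OUTFILE 'C:/exports/report.csv' FROM orders
050225 10:02:03     12 Query     SELECT run_cmd('dir')
"""

# Constructed my.ini fragments. secure_file_priv is a real server option that
# confines INTO OUTFILE/DUMPFILE and LOAD_FILE to one directory; an empty or
# missing value leaves file writes unrestricted.
SAMPLE_MY_INI_WEAK = """\
[mysqld]
datadir=C:/mysql/data
secure_file_priv=
"""
SAMPLE_MY_INI_HARDENED = """\
[mysqld]
datadir=C:/mysql/data
secure_file_priv=C:/mysql/exports
"""


@dataclass(frozen=True)
class Finding:
    thread_id: int
    rule: str
    statement: str


LOG_LINE = re.compile(
    r"^\d{6}\s+\d{1,2}:\d{2}:\d{2}\s+(?P<tid>\d+)\s+(?P<cmd>\w+)\s+(?P<arg>.*)$"
)
# Statement-level rules: the library write and the UDF registration described
# in the thread, and the SQL Server extended procedure Roger refers to.
CREATE_UDF = re.compile(
    r"\bCREATE\s+(?:AGGREGATE\s+)?FUNCTION\s+`?(?P<name>\w+)`?\b.*\bSONAME\b", re.I | re.S
)
RULES = [
    ("file_write_library",
     re.compile(r"\bINTO\s+(?:DUMPFILE|OUTFILE)\s+'[^']*\.(?:dll|so)'", re.I)),
    ("udf_load", CREATE_UDF),
    ("xp_cmdshell", re.compile(r"\bxp_cmdshell\b", re.I)),
]


def parse_general_log(text):
    """Yield (thread_id, statement) for each Query line of a general log."""
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m and m.group("cmd") == "Query":
            yield int(m.group("tid")), m.group("arg").strip()


def scan_statements(entries):
    """Apply the rules to (thread_id, statement) pairs in order.

    Names registered via CREATE FUNCTION ... SONAME are remembered so that
    later calls to them are reported too (rule 'udf_call')."""
    findings, loaded_udfs = [], set()
    for tid, stmt in entries:
        for rule, rx in RULES:
            if rx.search(stmt):
                findings.append(Finding(tid, rule, stmt))
        created = CREATE_UDF.search(stmt)
        if created:
            loaded_udfs.add(created.group("name").lower())
        elif any(re.search(rf"\b{re.escape(n)}\s*\(", stmt, re.I) for n in loaded_udfs):
            findings.append(Finding(tid, "udf_call", stmt))
    return findings


def scan_general_log(text):
    return scan_statements(parse_general_log(text))


def suspicious_sessions(findings):
    """Thread ids that both wrote a library to disk and registered a UDF."""
    rules_by_tid = {}
    for f in findings:
        rules_by_tid.setdefault(f.thread_id, set()).add(f.rule)
    return sorted(t for t, r in rules_by_tid.items()
                  if {"file_write_library", "udf_load"} <= r)


def secure_file_priv_status(my_ini):
    """Return 'unrestricted' when the option is missing or empty, else its directory."""
    for line in my_ini.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().replace("-", "_") == "secure_file_priv":
            return value.strip() or "unrestricted"
    return "unrestricted"


if __name__ == "__main__":
    hits = scan_general_log(SAMPLE_GENERAL_LOG)
    for f in hits:
        print(f"thread {f.thread_id}: {f.rule}: {f.statement}")
    print("sessions to investigate:", suspicious_sessions(hits))
    print("weak config:", secure_file_priv_status(SAMPLE_MY_INI_WEAK))
    print("hardened config:", secure_file_priv_status(SAMPLE_MY_INI_HARDENED))
```

Run against the constructed log, thread 12 is reported for all three steps while thread 13's ordinary CSV export is left alone; the general log must be enabled for this to work, and on a production server the same patterns are better pulled from an audit plugin or the binary log than from the full query log. A hardened my.ini sets secure_file_priv to a dedicated directory and keeps the MySQL service account from writing into the plugin directory at all.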
