RE: Injected, whats next

From: Clemens, Dan (Dan.Clemens@healthsouth.com)
Date: Fri Aug 18 2006 - 15:46:14 EDT


First identify what version of MySQL is running. Then identify what user
you are running as on the system.

If you're lucky you can simply execute system <your command> and the game
is over.

If it's not that easy, see about viewing more of the database.

The goal for the client isn't always that you 'get root' but to show them
there is a vulnerability, detail what the risk is, and what else could
be leveraged by this hole regardless of how well _you_ can exploit it.

Since you can run select statements see if you can concatenate your
requests to add in other things you may want to do.

-Daniel

-----Original Message-----
From: Jon Hart [mailto:jhart@spoofed.org]
Sent: Thursday, August 17, 2006 12:55 PM
To: DokFLeed
Cc: pen-test@securityfocus.com
Subject: Re: Injected, whats next

On Thu, Aug 17, 2006 at 05:41:06PM +0400, DokFLeed wrote:
> I am testing a web application, I can run UPDATE & SELECT. Does anyone
> know a way to upload a file to a server through MySQL!
> Does it allow running system commands or a way to dump a file from the
> database to the server?
> It's LAMP: Linux, Apache, MySQL, PHP
> any ideas!!

use 'into outfile'. You'll be limited by DB and filesystem permissions,
though.

   select 'foobar' into outfile '/tmp/blahfoo';

-jon
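
The "DB and filesystem permissions" limit mentioned above can be audited from the defender's side. The following is an added example, not part of the original thread: it classifies whether an account could write files with `INTO OUTFILE`, given its `SHOW GRANTS` output and the server's `secure_file_priv` setting (a MySQL variable the thread does not mention). The function names and sample grant lines are constructed for illustration.

```python
import re

# Matches the leading part of a SHOW GRANTS line: GRANT <privs> ON <scope> TO ...
GRANT_RE = re.compile(r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+", re.I)


def has_file_priv(grant_lines):
    """True if any SHOW GRANTS line gives the account the FILE privilege."""
    for line in grant_lines:
        m = GRANT_RE.match(line.strip())
        if not m or m.group("scope") != "*.*":
            continue  # FILE is a global privilege: it is only granted ON *.*
        # Drop column lists such as "SELECT (a, b)" before splitting on commas.
        privs = re.sub(r"\([^)]*\)", "", m.group("privs"))
        names = {p.strip().upper() for p in privs.split(",")}
        if names & {"FILE", "ALL", "ALL PRIVILEGES"}:
            return True
    return False


def outfile_exposure(grant_lines, secure_file_priv):
    """Classify whether SELECT ... INTO OUTFILE can write files for an account.

    secure_file_priv: None models SQL NULL (import/export disabled), "" means
    no directory restriction, any other value is the only permitted directory.
    """
    if not has_file_priv(grant_lines):
        return "blocked: account lacks FILE"
    if secure_file_priv is None:
        return "blocked: secure_file_priv is NULL"
    if secure_file_priv == "":
        # Only the filesystem permissions of the mysqld OS user still apply.
        return "exposed: any path writable by the mysqld OS user"
    return "limited: only under " + secure_file_priv


# Constructed sample data: a least-privilege web account and an over-granted one.
WEBAPP = [
    "GRANT USAGE ON *.* TO 'webapp'@'localhost'",
    "GRANT SELECT (id, name), UPDATE ON `shop`.* TO 'webapp'@'localhost'",
]
OVERGRANTED = ["GRANT SELECT, FILE ON *.* TO 'webapp'@'localhost'"]

if __name__ == "__main__":
    for name, grants in (("WEBAPP", WEBAPP), ("OVERGRANTED", OVERGRANTED)):
        print(name, "->", outfile_exposure(grants, ""))
```

An application account that only needs SELECT and UPDATE on its own schema should come back as "blocked: account lacks FILE"; anything else is a finding worth reporting alongside the injection itself.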
