Re: PENTEST MySQL on windows

From: Marco Ivaldi (raptor@0xdeadbeef.info)
Date: Fri Feb 25 2005 - 07:31:56 EST


> Doing a pentest on a site hosting a vulnerable version of MySQL on a
> Windows box. I was able to get full access to the DB and export ALL the
> data. Anyone have any ideas on jumping to the Windows OS with full
> access to just the DB.

If you are able to access the MySQL database with root/admin privileges,
you should also be able to create a custom UDF (User Defined Function)
enabling system()-like command execution on the underlying OS.

Take a look at the following exploit I've published this x-mas for a detailed
privilege escalation procedure (credits for the original code go to
ngssoftware.com):

http://www.0xdeadbeef.info/exploits/raptor_udf.c

I've not tested it on Windows, but I've heard this code was used as a base
for the SpoolCLL worm that targets Windows boxes (although I've not
verified this claim yet):

http://news.zdnet.com/2100-1009_22-5553570.html

You should also read this excellent paper by the guys at ngssoftware.com:

http://www.ngssoftware.com/papers/HackproofingMySQL.pdf

Cheers,

-- 
Marco Ivaldi
Antifork Research, Inc.   http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233  0394 EF85 2008 DBFD B707
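
Added example, not part of the original message or of the linked code: a defender-side scan of MySQL query-log lines for the statements that register a native UDF or write a shared library from SQL, which is the activity the reply describes. The log line layout, the sample lines and the APPROVED_LIBS allowlist are constructed assumptions for illustration.

```python
import re

# CREATE [AGGREGATE] FUNCTION name RETURNS type SONAME 'library'
UDF_CREATE = re.compile(
    r"\bCREATE\s+(?:AGGREGATE\s+)?FUNCTION\s+(?:IF\s+NOT\s+EXISTS\s+)?"
    r"`?(?P<name>\w+)`?\s+RETURNS\s+\w+\s+SONAME\s+'(?P<lib>[^']+)'", re.I)
# SELECT ... INTO DUMPFILE 'path' writes raw bytes to a file on the server.
DUMPFILE = re.compile(r"\bINTO\s+DUMPFILE\s+'(?P<path>[^']+)'", re.I)
# Direct writes to the table where MySQL records registered UDFs.
FUNC_INSERT = re.compile(r"\bINSERT\s+INTO\s+`?mysql`?\.`?func`?\b", re.I)

# Hypothetical allowlist of UDF libraries the DBA team has approved.
APPROVED_LIBS = {"lib_audit_helpers.so"}

# Constructed sample lines (timestamp, connection id, command, statement).
SAMPLE_LOG = [
    "2005-02-25T12:00:01 12 Query SELECT id, name FROM shop.customers WHERE id = 7",
    "2005-02-25T12:00:09 14 Query SELECT data FROM tmp.blob_stage INTO DUMPFILE '/usr/lib/example_udf.so'",
    "2005-02-25T12:00:11 14 Query CREATE FUNCTION example_fn RETURNS INTEGER SONAME 'example_udf.so'",
    "2005-02-25T12:00:20 15 Query create function audit_hash returns string soname 'lib_audit_helpers.so'",
]

def scan(lines):
    """Return (line_no, finding, function_name, file) tuples for review."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = DUMPFILE.search(line)
        # Only flag dumps that land as a loadable library.
        if m and m.group("path").lower().endswith((".so", ".dll")):
            findings.append((n, "library_written", None, m.group("path")))
        m = UDF_CREATE.search(line)
        if m and m.group("lib").lower() not in APPROVED_LIBS:
            findings.append((n, "udf_registered", m.group("name"), m.group("lib")))
        if FUNC_INSERT.search(line):
            findings.append((n, "func_table_insert", None, None))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

On a live server the same review can start from the rows of the mysql.func table and from the list of accounts holding the FILE privilege or write access to the mysql database.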