Re: PENTEST MySQL on windows

From: Marco Ivaldi (raptor0xdeadbeef.info)
Date: Fri Feb 25 2005 - 06:31:56 CST


> Doing a pentest on a site hosting a vulnerable version of MySQL on a
> Windows box. I was able to get full access to the DB and export ALL the
> data. Anyone have any ideas on jumping to the Windows OS with full
> access to just the DB.

If you are able to access the MySQL database with root/admin privileges,
you should also be able to create a custom UDF (User Defined Function)
enabling system()-like command execution on the underlying OS.

Take a look at the following exploit I've published this x-mas for a detailed
privilege escalation procedure (credits for the original code go to
ngssoftware.com):

http://www.0xdeadbeef.info/exploits/raptor_udf.c

I've not tested it on Windows, but I've heard this code was used as a base
for the SpoolCLL worm that targets Windows boxes (although I've not
verified this claim yet):

http://news.zdnet.com/2100-1009_22-5553570.html

You should also read this excellent paper by the guys at ngssoftware.com:

http://www.ngssoftware.com/papers/HackproofingMySQL.pdf

Cheers,

--
Marco Ivaldi
Antifork Research, Inc. http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233 0394 EF85 2008 DBFD B707
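
Added example (not part of the original post or of any code it links to): a defender-side check that scans MySQL general query log text for UDF registrations, the `CREATE FUNCTION ... SONAME` statement that a custom UDF requires, and flags libraries outside an approved set. The log lines, the function and library names, and the allowlist are constructed for illustration, and the tab-separated log layout is an assumption.

```python
import re

# A UDF is registered with:
#   CREATE [AGGREGATE] FUNCTION name RETURNS type SONAME 'library'
# Stored functions have a parameter list and no SONAME, so they do not match.
UDF_RE = re.compile(
    r"\bCREATE\s+(?:AGGREGATE\s+)?FUNCTION\s+(?:IF\s+NOT\s+EXISTS\s+)?"
    r"`?(?P<name>\w+)`?\s+RETURNS\s+(?:STRING|INTEGER|REAL|DECIMAL)\s+"
    r"SONAME\s+['\"](?P<lib>[^'\"]+)['\"]",
    re.IGNORECASE,
)

# Hypothetical allowlist of UDF libraries the DBA team has approved.
APPROVED_LIBS = {"corp_metrics_udf.dll"}

# Constructed sample of general query log lines (timestamp, thread id,
# command, statement); not taken from a real server.
SAMPLE_LOG = """\
2005-02-25T06:30:01Z\t11 Connect\tapp@10.0.0.5 on shop
2005-02-25T06:30:02Z\t11 Query\tSELECT id, name FROM products WHERE id = 7
2005-02-25T06:31:10Z\t12 Query\tCREATE FUNCTION metric_sum RETURNS INTEGER SONAME 'corp_metrics_udf.dll'
2005-02-25T06:31:56Z\t13 Query\tcreate function sys_helper returns integer soname 'unknown_udf.dll'
2005-02-25T06:32:03Z\t13 Query\tCREATE FUNCTION add_tax(p DECIMAL(10,2)) RETURNS DECIMAL(10,2) RETURN p * 1.2
"""


def find_udf_registrations(log_text, approved_libs):
    """Return one finding per UDF registration seen in the log text."""
    approved = {lib.lower() for lib in approved_libs}
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = UDF_RE.search(line)
        if match is None:
            continue
        lib = match.group("lib")
        findings.append({
            "line": lineno,
            "function": match.group("name"),
            "library": lib,
            # Windows file names are case-insensitive, so compare lowercased.
            "approved": lib.lower() in approved,
        })
    return findings


if __name__ == "__main__":
    for f in find_udf_registrations(SAMPLE_LOG, APPROVED_LIBS):
        status = "ok" if f["approved"] else "ALERT: unapproved UDF library"
        print(f"line {f['line']}: {f['function']} -> {f['library']} [{status}]")
```

On a live server the same review can start from the `mysql.func` table, which lists the UDFs currently registered.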