Penetration Testing mailing list archives

RE: Injected, whats next


From: "Clemens, Dan" <Dan.Clemens () healthsouth com>
Date: Fri, 18 Aug 2006 14:46:14 -0500

First identify what version of MySQL is running. Then identify what user
you are running as on the system.

If you're lucky you can simply execute system <your command> and the game
is over.

If it's not that easy see about viewing more of the database.

The goal for the client isn't always that you 'get root' but to show them
there is a vulnerability, detail what the risk is, and what else could
be leveraged by this hole regardless of how well _you_ can exploit it.

Since you can run select statements see if you can concatenate your
requests to add in other things you may want to do.

-Daniel 

-----Original Message-----
From: Jon Hart [mailto:jhart () spoofed org] 
Sent: Thursday, August 17, 2006 12:55 PM
To: DokFLeed
Cc: pen-test () securityfocus com
Subject: Re: Injected, whats next

On Thu, Aug 17, 2006 at 05:41:06PM +0400, DokFLeed wrote:
> I am testing a web application, I can run UPDATE & SELECT. Does anyone
> know a way to upload a file to a server through MySQL!
> Does it allow running system commands or a way to dump a file from the
> database to the server?
> It's LAMP: Linux, Apache, MySQL, PHP
> any ideas!!

use 'into outfile'.  You'll be limited by DB and filesystem permissions,
though.  

   select 'foobar' into outfile '/tmp/blahfoo';

-jon

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------




------------------------------------------------------------------------
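
Jon's remark that 'into outfile' is limited by DB and filesystem permissions can be checked from the defender's side. The following is an added example, not part of the original thread: it reads `SHOW GRANTS` output, finds the accounts holding the global FILE privilege, and rates them against the server's `secure_file_priv` setting. The grant lines are constructed samples, and the function names and risk labels are assumptions of this example.

```python
import re

# One line of SHOW GRANTS output. MySQL 5.x quotes accounts with ', 8.x with `.
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"(?P<account>[`'][^`']*[`']@[`'][^`']*[`'])",
    re.IGNORECASE,
)

# Constructed sample input, not taken from any real server.
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO 'webapp'@'localhost'",
    "GRANT SELECT, UPDATE ON `shop`.* TO 'webapp'@'localhost'",
    "GRANT SELECT, FILE ON *.* TO 'report'@'%'",
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
    "GRANT ALL PRIVILEGES ON `shop`.* TO 'shopadmin'@'localhost'",
]


def file_priv_account(grant_line):
    """Return 'user@host' if the grant confers FILE, otherwise None."""
    m = GRANT_RE.match(grant_line.strip())
    # FILE is a global privilege, so only a grant ON *.* can carry it.
    if not m or m.group("scope") != "*.*":
        return None
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    if privs & {"FILE", "ALL", "ALL PRIVILEGES"}:
        return m.group("account").replace("`", "").replace("'", "")
    return None


def audit(grant_lines, secure_file_priv):
    """List (account, risk) for accounts able to use INTO OUTFILE / LOAD_FILE().

    secure_file_priv: "" = no path restriction, a directory = file access
    confined to it, None (NULL) = import and export disabled server-wide.
    """
    if secure_file_priv is None:
        risk = "low"      # blocked today, but the privilege is still unneeded
    elif secure_file_priv == "":
        risk = "high"     # any path the mysqld OS user can write
    else:
        risk = "medium"   # confined to one directory
    accounts = []
    for line in grant_lines:
        account = file_priv_account(line)
        if account and account not in accounts:
            accounts.append(account)
    return [(a, risk) for a in accounts]
```

A web application account that only needs SELECT and UPDATE on its own schema, like the constructed `webapp` account here, should never appear in the result.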

