mysqli + root@localhost

clone4
Member
Posts: 586
Location: He is back and he's bad!
Joined: 25.11.07
Rank: Mad User
Posted on 22-06-10 19:59
Hey guys, it's been a while :)

So anyway, a couple of days ago I ran into something fairly rare (at least in my experience), which is MySQL injection where the MySQL user is root. This of course allows me the 'fancy' stuff like load_file and into outfile. The version is <5 and I've already tried to brute the table names, however without success (I got some tables from errors etc., but nothing interesting). And unfortunately I found out that by default the mysql system user doesn't have any file permissions to the Apache folders, thus I cannot create a simple PHP shell or read .htaccess & .htpasswd. I scanned the server, and besides this they seem pretty secure and seem to have a pretty strict firewall, so nothing interesting there.

And of course my question is: what would be next? I can and have written into /tmp, thus one option would be finding an LFI, but I doubt I will. Another thing I was thinking about is to brute all the folders and files publicly accessible on Apache and try to find something with messed-up permissions, which would in the ideal case reveal something world-writable, and go from there. Any other approach or idea how to progress?

spyware - "They see me trollin'..."
<yaragn> ever seen that movie? The Matrix?
<yaragn> with those green lines of flying text?
<yaragn> *THAT'S* Perl



Edited by clone4 on 22-06-10 21:48
clone_4@hotmail.com
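
From the server owner's side, the condition this post turns on is whether the database service account, or any account at all, can write inside the web root. The audit below is an added example, not part of the original post; the function names, the sample tree and the uid/gid standing in for the mysql account are constructed for illustration.

```python
import os
import stat
import tempfile

def writable_via(st, uid, gids):
    """POSIX class (owner/group/other) that grants uid write access, else None."""
    if st.st_uid == uid:
        return "owner" if st.st_mode & stat.S_IWUSR else None
    if st.st_gid in gids:
        return "group" if st.st_mode & stat.S_IWGRP else None
    return "other" if st.st_mode & stat.S_IWOTH else None

def audit_docroot(docroot, db_uid, db_gids):
    """Report entries under docroot that the database account, or anyone, can write.

    Returns sorted (relative_path, kind, db_write_class, world_writable) tuples.
    """
    paths = [docroot]
    for dirpath, dirnames, filenames in os.walk(docroot):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    findings = []
    for path in paths:
        st = os.lstat(path)  # lstat: judge the link itself, never its target
        if stat.S_ISLNK(st.st_mode):
            continue
        via = writable_via(st, db_uid, db_gids)
        world = bool(st.st_mode & stat.S_IWOTH)
        if via or world:
            kind = "dir" if stat.S_ISDIR(st.st_mode) else "file"
            findings.append((os.path.relpath(path, docroot), kind, via, world))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample docroot; modes are set explicitly to ignore the umask."""
    for name, mode in (("uploads", 0o777), ("cache", 0o775)):
        os.mkdir(os.path.join(root, name))
        os.chmod(os.path.join(root, name), mode)
    for name, mode in (("index.php", 0o644), ("config.php", 0o666)):
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        # Hypothetical uid/gid standing in for the mysql service account.
        for finding in audit_docroot(root, os.getuid() + 1000, {os.getgid() + 1000}):
            print(finding)
```

The check reads only ownership and mode bits, so POSIX ACLs and whether the parent directories are traversable are not taken into account.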
RE: mysqli + root@localhost

Member
Rank: Guest
Posted on 24-06-10 00:01
Well, I'm not sure if any of these ideas will work, but I'll tell you where I would go from there.

First of all, use something like intellitamper, or code your own script to find all the directories within the site. If you find an admin panel then brute force the rest of the tables from the database. I think rsamurai coded a pretty good fuzzer in Python - I have my own coded in PHP somewhere on my hard drive as well. If there IS an admin panel and you are able to log in, cross your fingers that they have a script that lets you upload files.

You mentioned that the mysql user doesn't have permissions to the Apache folders... Can you read /etc/passwd?
If you can get a list of the users and services then you have a chance of finding an exploit - at least you'll be able to get the default paths of the programs and possibly find something that may be of use to you.

Just keep playing around and looking for folders/files you have read or write permissions on. Also, try ssh'ing to the server as root and using the mysql password. It's a long shot, but you never know.

Edit: I mean rsauron, not rsamurai

Edited by on 24-06-10 00:02
RE: mysqli + root@localhost

clone4
Member
Posts: 586
Location: He is back and he's bad!
Joined: 25.11.07
Rank: Mad User
Posted on 24-06-10 08:56
xof wrote:
> Well, I'm not sure if any of these ideas will work, but I'll tell you where I would go from there.
>
> First of all, use something like intellitamper, or code your own script to find all the directories within the site. If you find an admin panel then brute force the rest of the tables from the database. I think rsamurai coded a pretty good fuzzer in Python - I have my own coded in PHP somewhere on my hard drive as well. If there IS an admin panel and you are able to log in, cross your fingers that they have a script that lets you upload files.

Already done that, both with the Intellitamper wordlist and my own extended one. I do have the admin panel, but it is protected via htaccess, and bruteforcing that would be very lengthy and not very likely to be successful...

> You mentioned that the mysql user doesn't have permissions to the Apache folders... Can you read /etc/passwd?
> If you can get a list of the users and services then you have a chance of finding an exploit - at least you'll be able to get the default paths of the programs and possibly find something that may be of use to you.

Good idea, I will have a look into that!

> Just keep playing around and looking for folders/files you have read or write permissions on. Also, try ssh'ing to the server as root and using the mysql password. It's a long shot, but you never know.
>
> Edit: I mean rsauron, not rsamurai

Yeah, unfortunately that didn't work either, I think they have an IP white-list on SSH access...

Thanks for the reply though.
