
MySQL exploits for takeover

Open SQLmapTester opened this issue 13 years ago • 3 comments

SQLmapTester Dec 04 '12 14:12

I already wrote mail to Miroslav about that 2 days ago. And the answer is:

Thank you for the links. Skimmed through those. Will have it on my mind.

Kind regards, Miroslav Stampar

stormwin Dec 04 '12 18:12

http://1337day.com/exploit/19853 is a rudimentary version of what sqlmap has had with regards to UDF injection since Sept 2009 (http://www.slideshare.net/inquis/expanding-the-control-over-the-operating-system-from-the-database). This technique is leveraged with --os-pwn, and on Linux it only works if the MySQL instance runs as root, because the MySQL shared objects defining UDFs need to be in /usr/lib/mysql and this path is writable only by root. Nevertheless, on Windows it does work, as MySQL runs as Local System, hence the path for shared objects is writable. The attached "0day" exploit is limited in functionality compared to the built-in in-memory execution of the Metasploit alphanumeric-encoded payload that sqlmap already has.

I see the value of implementing http://1337day.com/exploit/19859 and eventually http://1337day.com/exploit/19852 within sqlmap.

The rest of the PoCs will eventually make their way into Metasploit as buffer overflow exploits, although they are not exploitable via SQL injection, only via a direct connection to the DBMS (corresponding to the -d switch in sqlmap).
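The preconditions described in the comment above (mysqld running as root or with a writable shared-object directory, plus a FILE-privileged user) are what a defender should audit for. The following is an added example, not sqlmap's or Metasploit's code: it checks whether the mysqld service account could write into the plugin directory and lists UDFs registered in mysql.func that are not on an allowlist. The directory path, the uid/gid values and the UDF rows are constructed sample inputs.

```python
import os
import stat
from typing import Iterable, List, Set, Tuple


def mode_allows_write(mode: int, owner_uid: int, owner_gid: int, uid: int, gid: int) -> bool:
    """True if a process running as (uid, gid) could create files in a directory
    whose stat() results are (mode, owner_uid, owner_gid). Root always can."""
    if uid == 0:
        return True
    if owner_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid == gid:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def dir_writable_by(path: str, uid: int, gid: int) -> bool:
    """Same check against a real directory, e.g. /usr/lib/mysql or plugin_dir."""
    st = os.stat(path)
    return mode_allows_write(st.st_mode, st.st_uid, st.st_gid, uid, gid)


def unexpected_udfs(func_rows: Iterable[Tuple[str, str]], allowed_libs: Set[str]) -> List[Tuple[str, str]]:
    """func_rows are (name, dl) pairs as returned by `SELECT name, dl FROM mysql.func`;
    any UDF whose shared object is not on the allowlist is reported."""
    return [(name, dl) for name, dl in func_rows if dl not in allowed_libs]


def audit(plugin_stat: Tuple[int, int, int], mysqld_uid: int, mysqld_gid: int,
          func_rows: Iterable[Tuple[str, str]], allowed_libs: Set[str]) -> List[str]:
    """Combine both checks; plugin_stat is (mode, owner_uid, owner_gid) of the UDF directory."""
    findings = []
    mode, owner_uid, owner_gid = plugin_stat
    if mysqld_uid == 0:
        findings.append("mysqld runs as root, so the UDF directory is writable to it")
    elif mode_allows_write(mode, owner_uid, owner_gid, mysqld_uid, mysqld_gid):
        findings.append("UDF directory is writable by the mysqld service account")
    for name, dl in unexpected_udfs(func_rows, allowed_libs):
        findings.append(f"unexpected UDF {name} backed by {dl}")
    return findings


# Constructed sample: mysqld as uid/gid 27, UDF directory root:root 0755,
# two registered UDFs of which one is not on the allowlist.
SAMPLE_PLUGIN_STAT = (stat.S_IFDIR | 0o755, 0, 0)
SAMPLE_FUNC_ROWS = [("str_reverse", "libtrusted_udf.so"), ("mystery_fn", "libunknown.so")]
ALLOWED_LIBS = {"libtrusted_udf.so"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_PLUGIN_STAT, 27, 27, SAMPLE_FUNC_ROWS, ALLOWED_LIBS):
        print(finding)
```

On a live host, replace the constructed stat tuple with `dir_writable_by(path, uid, gid)` on the real directory and feed in the actual mysql.func rows.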

bdamele Dec 04 '12 23:12

Port of http://1337day.com/exploit/19859 to Metasploit: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/mysql/mysql_mof.rb

This can be ported to sqlmap, useful for the OS takeover functionality when the current user has the FILE privilege (only); sweet, so that it also works via SQLi.

bdamele Dec 06 '12 14:12