#1
  1. Contributing User
    Devshed Beginner (1000 - 1499 posts)

    Join Date
    Jun 2003
    Location
    Thessaloniki
    Posts
    1,285
    Rep Power
    13

    Arbitrary shell commands via MySQL?


    Is it possible for someone that knows the MySQL password of a server to run arbitrary code on a Linux server?

    Okay, he uses the password and he gains access to the databases, then what? MySQL is a database server; how can he run arbitrary shell commands by using MySQL?

    If yes, can you give an example please?

    I ask because I accidentally posted my MySQL password of my server and someone has managed to upload a file in my '~/www/
    What is now proved was once only imagined!
  2. #2
  3. Jealous Moderator
    Devshed Supreme Being (6500+ posts)

    Join Date
    Mar 2007
    Location
    Washington, USA
    Posts
    14,302
    Rep Power
    9400
    It is not. Are you using that password anywhere else? Perhaps posting the password just brought attention to your server and someone found a vulnerability?
  4. #3
  5. Contributing User
    Yes, I have posted a MySQL password and perhaps the attacker used the same password for login too.

    Some other guy told me that arbitrary shell commands can be run via MySQL server.
    What is now proved was once only imagined!
  6. #4
  7. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Hi,

    MySQL can write files, and this can be used to create scripts (on a poorly configured server). Tools like sqlmap are actually made for gaining shell access through MySQL.
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
  8. #5
  9. Jealous Moderator
    Exploits aside,


    http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-whitepaper-4633857

    For example if
    1. Your user has FILE permission
    2. The database runs on the same server as your web host
    3. You have a SQL injection exploit or the database allows remote access
    then yes they can create and execute files. #2 isn't a requirement either but it's trickier without.
  10. #6
  11. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Oct 2013
    Posts
    158
    Rep Power
    11
    > For example if
    > 1. Your user has FILE permission
    > 2. The database runs on the same server as your web host
    > 3. You have a SQL injection exploit or the database allows remote access
    > then yes they can create and execute files. #2 isn't a requirement either but it's trickier without.

    1. Most non-DBAs often create superusers to use in their websites (so MySQL never complains that you don't have the rights to do something)
    2. Most VPSes do that (why get two servers if one will do)
    3. I think you know how bad some people are at writing safe code :-)

    And if the poor soul who set up MySQL is running it under root, well...

    So yes, it's much more likely to be a serious threat than you might think when looking at the prerequisites.

    Comments on this post

    • requinix agrees : way too many people use root as their normal database user
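
An audit of the three prerequisites listed in posts #5 and #6, added here as an example and not posted by anyone in the thread. The account 'webapp'@'localhost', the schema appdb and the password placeholder are assumed names; run the statements as an administrative MySQL user.

```sql
-- Prerequisite 1: which accounts hold the global FILE privilege,
-- or are superusers of the kind post #6 describes?
SELECT User, Host, File_priv, Super_priv, Grant_priv
FROM mysql.user
WHERE File_priv = 'Y' OR Super_priv = 'Y' OR Grant_priv = 'Y'
ORDER BY User, Host;

-- Where is the server allowed to read and write files?
--   empty value : anywhere the mysqld OS account can write (weakest setting)
--   a directory : only inside that directory
--   NULL        : file import and export are disabled
-- The variable is read-only at runtime; it is set under [mysqld] in my.cnf.
SHOW VARIABLES LIKE 'secure_file_priv';

-- Prerequisite 3: which accounts may log in from other hosts,
-- and does the server listen beyond loopback?
SELECT User, Host
FROM mysql.user
WHERE Host NOT IN ('localhost', '127.0.0.1', '::1')
ORDER BY User, Host;
SHOW VARIABLES LIKE 'bind_address';
SHOW VARIABLES LIKE 'skip_networking';

-- Remediation for a web application account (assumed names).
-- Drop every global privilege, FILE included, then grant back only
-- what the site needs on its own schema.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'webapp'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'webapp'@'localhost';

-- Rotate the password that was exposed (ALTER USER ... IDENTIFIED BY
-- needs MySQL 5.7.6 or later; older servers use SET PASSWORD).
ALTER USER 'webapp'@'localhost' IDENTIFIED BY '<new-random-password>';

-- Confirm the result: the output should list only the appdb grants.
SHOW GRANTS FOR 'webapp'@'localhost';

-- Not visible from SQL: the OS account mysqld runs as (the "running it
-- under root" case in post #6). Check that my.cnf has user = mysql under
-- [mysqld] and that this account cannot write to the web root.
```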
