Free Web Developer Tools
Advanced Search

Thread: Arbitrary shell commands via MySQL?

    October 2nd, 2013, 08:36 AM
    #1
  1. Nik's Avatar
    Nik
    Contributing User
    Devshed Beginner (1000 - 1499 posts)
    Join Date
    Jun 2003
    Location
    Thessaloniki
    Posts
    1,402
    Rep Power
    0

    Question Arbitrary shell commands via MySQL?

    Is it possible for someone that knows the MYSQL password of a server to run arbitrary code on a linux server?

    Okey he uses the password and he gain access to the databases, then what? MySQL is a database server how can he run run arbitrary shell commands by using MySQL?

    If yes, can you give an example please?

    I ask because in accidentaly posted my mysql passowrd of my server and someone have manages to upload a file in my '~/www/
    2. October 2nd, 2013, 12:59 PM
    #2
  2. requinix's Avatar
    requinix
    Impoverished Moderator
    Devshed Supreme Being (6500+ posts)
    Join Date
    Mar 2007
    Location
    Washington, USA
    Posts
    16,700
    Rep Power
    9646
    It is not. Are you using that password anywhere else? Perhaps posting the password just brought attention to your server and someone found a vulnerability?
    Site rules and FAQ | Project Suggestions | mod_rewrite guide | PHP New User Guide and FAQ - PHP Stickies | Regex Resources
    3. October 2nd, 2013, 01:09 PM
    #3
  3. Nik's Avatar
    Nik
    Contributing User
    Devshed Beginner (1000 - 1499 posts)
    Join Date
    Jun 2003
    Location
    Thessaloniki
    Posts
    1,402
    Rep Power
    0
    Yes i have posted a myslq passowrd and perhaps the atatcker used the same password for login too.

    Some other guy told me that arbitrary shell comamnds can be run via mysql server.
    4. October 2nd, 2013, 01:13 PM
    #4
  4. Jacques1's Avatar
    Jacques1
    --
    Devshed Expert (3500 - 3999 posts)
    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1017
    Hi,

    MySQL can write files, and this can be used to create scripts (on a poorly configured server). Tools like sqlmap are actually made for gaining shell access through MySQL.
    The 6 worst sins of securityHow to (properly) access a MySQL database with PHP

    Why can’t I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
    5. October 2nd, 2013, 02:01 PM
    #5
  5. requinix's Avatar
    requinix
    Impoverished Moderator
    Devshed Supreme Being (6500+ posts)
    Join Date
    Mar 2007
    Location
    Washington, USA
    Posts
    16,700
    Rep Power
    9646

    Exploits aside,

    http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-whitepaper-4633857

    For example if
    1. Your user has FILE permission
    2. The database runs on the same server as your web host
    3. You have a SQL injection exploit or the database allows remote access
    then yes they can create and execute files. #2 isn't a requirement either but it's trickier without.
    Site rules and FAQ | Project Suggestions | mod_rewrite guide | PHP New User Guide and FAQ - PHP Stickies | Regex Resources
    6. October 2nd, 2013, 02:30 PM
    #6
  6. No Profile Picture
    Vinny42
    Contributing User
    Devshed Newbie (0 - 499 posts)
    Join Date
    Oct 2013
    Posts
    158
    Rep Power
    14
    For example if
    1. Your user has FILE permission
    2. The database runs on the same server as your web host
    3. You have a SQL injection exploit or the database allows remote access
    then yes they can create and execute files. #2 isn't a requirement either but it's trickier without.
    1. Most non-DBA's often create superusers to use in their websites (so MySQL never complains that you don't have the rights to do something)
    2. Most VPSses do that (why get two servers if one will do)
    3. I think you know how bad some people are at writing safe code :-)

    And if the poor soul who setup MySQL is running it under root, well...

    So yes, it's much more likely to be a serious threat than you might think when looking at the prerequisites.

    Comments on this post

    • requinix agrees : way too many people use root as their normal database user
« Previous Thread | Next Thread »
IMN logo majestic logo threadwatch logo seochat tools logo