mysqli + root@localhost

Hey guys, it's been a while :)

So anyway couple of days ago I ran into something fairly rare (at least from my experience), which is mysql injection where the mysql user is root. This of course allows me the 'fancy' stuff like load_file and into outfile. Version is <5 and I've already tried to brute the table names, however without success (I got some tables from errors etc, but nothing interesting). And unfortunately I found out that by default mysql system user doesn't have any file permissions to the apache folders, thus I cannot create simple php shell or read .htaccess&.htpasswd. I scanned the server, and besides this they seem pretty secure and seem to have pretty strict firewall, so nothing interesting there.

And of course my question is what would be next? I can and have written into /tmp, thus one option would be finding lfi, but I doubt I will. Another thing I was thinking about is to brute all the folders and files publicly accessible on apache and try to find something with messed up permissions, which would in ideal case reveal something world writeable, and go from there. Any other approach or idea how to progress?

Well, I'm not sure if any of these ideas will work, but I'll tell you where I would go from there.

First of all, use something like intellitamper, or code your own script to find all the directories within the site. If you find an admin panel then brute force the rest of the tables from the database. I think rsamurai coded a pretty good fuzzer in python - I have my own coded in php somewhere on my harddrive as well. If there IS an admin panel and you are able to login, cross your fingers that they have a script that lets you upload files.

You mentioned that the mysql user doesn't have permissions to the apache folders…Can you read /etc/passwd? If you can get a list of the users and services then you have a chance of finding an exploit - at least you'll be able to get the default paths of the programs and possibly find something that may be of use to you.

Just keep playing around and looking for folders/files you have read or write permissions on. Also, try ssh'ing the server as root and using the mysql password. It's a longshot, but you never know.

Edit: I mean rsauron, not rsamurai

xof wrote: Well, I'm not sure if any of these ideas will work, but I'll tell you where I would go from there.

First of all, use something like intellitamper, or code your own script to find all the directories within the site. If you find an admin panel then brute force the rest of the tables from the database. I think rsamurai coded a pretty good fuzzer in python - I have my own coded in php somewhere on my harddrive as well. If there IS an admin panel and you are able to login, cross your fingers that they have a script that lets you upload files.

Already done that, both with Intellitamper wordlist and my own extended. I do have the admin panel, but it is protected via htaccess, and bruteforcing that would be very lengthy and not very likely to be successful…

You mentioned that the mysql user doesn't have permissions to the apache folders…Can you read /etc/passwd? If you can get a list of the users and services then you have a chance of finding an exploit - at least you'll be able to get the default paths of the programs and possibly find something that may be of use to you.

Good idea, I will have a look into that!

Just keep playing around and looking for folders/files you have read or write permissions on. Also, try ssh'ing the server as root and using the mysql password. It's a longshot, but you never know.

Edit: I mean rsauron, not rsamurai

Yeah, unfortunately that didn't work either, I think they have ip white-list on ssh access…

Thanks for the reply though.