From: Dennis Lee Bieber
Subject: Re: Can arbitrary code run in a server if someone's know just the MySQL password?
Date: Wed, 02 Oct 2013 20:02:37 -0400
Organization: IISS Elusive Unicorn
Newsgroups: comp.lang.python

On Wed, 02 Oct 2013 15:20:00 +0300, ????? declaimed the following:

> Okey, he uses the password and he gains access to the databases, then
> what? MySQL is a database server; how can he run arbitrary shell
> commands by using MySQL?

Well, #1, if your account/password is the database administrator, then they can create a new database user with full privileges -- so if you change your password but don't examine the authorization system, they could still get into the database.

#2 -- the SELECT statement has options for "INTO OUTFILE 'filename'" and "INTO DUMPFILE 'filename'". The result: if someone can create a temporary table, they can then populate the table with lines of HTML (using INSERT statements), and finally they can

    SELECT lines FROM temp_table INTO OUTFILE '/any/thing/the/server/can/access.html'

It's your server system; YOU need to learn how to investigate the security system, read logs, etc. -- NONE of which belongs in this group.

-- 
Wulfraed                 Dennis Lee Bieber         AF6VN
    wlfraed@ix.netcom.com    HTTP://wlfraed.home.netcom.com/
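The two exposures described in the reply above (a compromised admin account minting new users, and SELECT ... INTO OUTFILE writing files the server process can reach) can be audited and narrowed from the server side. The following audit is an added example, not part of the original post; it assumes MySQL 5.7 or later and an application account named 'webapp'@'localhost', which is a placeholder to replace with your own.

```sql
-- Added audit example (not from the post). Assumes MySQL 5.7+ and an
-- application account 'webapp'@'localhost' (placeholder; substitute yours).

-- Exposure #2: INTO OUTFILE / INTO DUMPFILE require the global FILE
-- privilege and are confined by secure_file_priv. An empty value means
-- "anywhere the server process can write"; NULL disables file export and
-- import entirely; a directory path limits writes to that directory.
SHOW VARIABLES LIKE 'secure_file_priv';

-- Who currently holds FILE? Only DBA accounts doing bulk loads belong here.
SELECT user, host FROM mysql.user WHERE File_priv = 'Y';

-- Exposure #1: who can create accounts or hand out privileges? Anyone
-- listed here can recreate access after you rotate a single password.
SELECT user, host
  FROM mysql.user
 WHERE Create_user_priv = 'Y' OR Grant_priv = 'Y' OR Super_priv = 'Y';

-- Remediation for an application account: it should be able to do
-- neither file writes nor account management.
REVOKE FILE, CREATE USER ON *.* FROM 'webapp'@'localhost';
FLUSH PRIVILEGES;

-- After a suspected compromise, look for accounts you did not create and
-- for recent password changes (password_last_changed exists since 5.7.6).
SELECT user, host, password_last_changed
  FROM mysql.user
 ORDER BY password_last_changed DESC;

-- secure_file_priv is read-only at runtime; set it in my.cnf under [mysqld]
-- to a dedicated directory (e.g. /var/lib/mysql-files) or to NULL to
-- disable export/import, then restart the server.
```

Run the SELECTs as a DBA account and compare the result against the list of accounts you actually provisioned; any unexpected row is a lead for the log review the post recommends.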