


Can arbitrary code run in a server if someone's know just the MySQL password?

Started by: Νίκος <nikos.gr33k@gmail.com>
First post: 2013-10-02 15:20 +0300
Last post: 2013-10-04 15:19 -0500
Articles: 20 on this page of 21 — 17 participants



Contents

  Can arbitrary code run in a server if someone's know just the MySQL password? Νίκος <nikos.gr33k@gmail.com> - 2013-10-02 15:20 +0300
    Re: Can arbitrary code run in a server if someone's know just the MySQL password? Antoon Pardon <antoon.pardon@rece.vub.ac.be> - 2013-10-02 14:37 +0200
    Re: Can arbitrary code run in a server if someone's know just the MySQL password? feedthetroll@gmx.de - 2013-10-02 05:38 -0700
      Re: Killing threads with TB (was: Can arbitrary code run in a server if someone's know just the MySQL password?) Tim Chase <python.list@tim.thechases.com> - 2013-10-02 08:21 -0500
      Re: Killing threads with TB Terry Reedy <tjreedy@udel.edu> - 2013-10-02 18:34 -0400
      Re: Killing threads with TB Mark Lawrence <breamoreboy@yahoo.co.uk> - 2013-10-02 23:48 +0100
    Re: Can arbitrary code run in a server if someone's know just the MySQL password? Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2013-10-02 13:25 +0000
      Re: Can arbitrary code run in a server if someone's know just the MySQL password? Νίκος <nikos.gr33k@gmail.com> - 2013-10-02 16:41 +0300
        Re: Can arbitrary code run in a server if someone's know just the MySQL password? Ned Batchelder <ned@nedbatchelder.com> - 2013-10-02 09:58 -0400
          Re: Can arbitrary code run in a server if someone's know just the MySQL password? Νίκος <nikos.gr33k@gmail.com> - 2013-10-02 17:46 +0300
            Re: Can arbitrary code run in a server if someone's know just the MySQL password? ishish <ishish@domhain.de> - 2013-10-02 15:55 +0100
            Re: Can arbitrary code run in a server if someone's know just the MySQL password? Ned Batchelder <ned@nedbatchelder.com> - 2013-10-02 11:15 -0400
            Re: Can arbitrary code run in a server if someone's know just the MySQL password? Denis McMahon <denismfmcmahon@gmail.com> - 2013-10-02 16:02 +0000
            Re: Can arbitrary code run in a server if someone's know just the MySQL password? Ethan Furman <ethan@stoneleaf.us> - 2013-10-02 09:59 -0700
        Re: Can arbitrary code run in a server if someone's know just the MySQL password? Alister <alister.ware@ntlworld.com> - 2013-10-02 14:34 +0000
          Re: Can arbitrary code run in a server if someone's know just the MySQL password? Ravi Sahni <ganeshsahni07@gmail.com> - 2013-10-02 20:43 +0530
            Re: Can arbitrary code run in a server if someone's know just the MySQL password? Νίκος Ακεξόπουλος <nikos.gr33k@gmail.com> - 2013-10-02 20:06 +0300
        Re: Can arbitrary code run in a server if someone's know just the MySQL password? Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2013-10-02 17:39 +0000
          Re: Can arbitrary code run in a server if someone's know just the MySQL password? Νίκος Αλεξόπουλος <nikos.gr33k@gmail.com> - 2013-10-02 21:02 +0300
    Re: Can arbitrary code run in a server if someone's know just the MySQL password? Dennis Lee Bieber <wlfraed@ix.netcom.com> - 2013-10-02 20:02 -0400
    Re: Can arbitrary code run in a server if someone's know just the MySQL password? Tony the Tiger <tony@tiger.invalid> - 2013-10-04 15:19 -0500



#55318 — Can arbitrary code run in a server if someone's know just the MySQL password?

From: Νίκος <nikos.gr33k@gmail.com>
Date: 2013-10-02 15:20 +0300
Subject: Can arbitrary code run in a server if someone's know just the MySQL password?
Message-ID: <l2h31g$q96$1@dont-email.me>

Tim Delaney said:

"Because there's no chance with the brilliance you display that there 
could be any possibility of login details being kept in plaintext in 
your database.

And of course your database is so well locked down that no attacker with 
a login to it could then execute arbitrary code on your system.

And there's also zero chance that your personal account login details 
are also available in plaintext somewhere that you're unaware of."
==========

Is it possible for someone that knows the MYSQL password of a server to 
run arbitrary code on a linux server?

Okay, he uses the password and he gains access to the databases, then 
what? MySQL is a database server, how can he run arbitrary shell 
commands by using MySQL?

If yes, can you give an example please?

Also, is there a chance for my account's password to be retrieved in 
some way due to MySQL access or perhaps by utilizing my own python code?

I'm just trying to figure out how the upload of that .html file happened 
to '/home/nikos/public_html'. I need a theory and Zero Piraeus to answer 
too.

Please, serious replies only, I won't answer to ironic comments or jokes.



#55320

From: Antoon Pardon <antoon.pardon@rece.vub.ac.be>
Date: 2013-10-02 14:37 +0200
Message-ID: <mailman.620.1380717480.18130.python-list@python.org>
In reply to: #55318

On 02-10-13 14:20, Νίκος wrote:
> Tim Delaney said:
> 
> "Because there's no chance with the brilliance you display that there
> could be any possibility of login details being kept in plaintext in
> your database.
> 
> And of course your database is so well locked down that no attacker with
> a login to it could then execute arbitrary code on your system.
> 
> And there's also zero chance that your personal account login details
> are also available in plaintext somewhere that you're unaware of."
> ==========
> 
> Is it possible for someone that knows the MYSQL password of a server to
> run arbitrary code on a linux server?
> 
> Okay, he uses the password and he gains access to the databases, then
> what? MySQL is a database server, how can he run arbitrary shell
> commands by using MySQL?
> 
> If yes, can you give an example please?
> 
> Also, is there a chance for my account's password to be retrieved in
> some way due to MySQL access or perhaps by utilizing my own python code?
> 
> I'm just trying to figure out how the upload of that .html file happened
> to '/home/nikos/public_html'. I need a theory and Zero Piraeus to answer
> too.
> 
> Please, serious replies only, I won't answer to ironic comments or jokes.

You are not asking a python question. This is a python list. Not a
Nikos advice board. Find a list where your question is more appropriate.

-- 
Antoon Pardon



#55321

From: feedthetroll@gmx.de
Date: 2013-10-02 05:38 -0700
Message-ID: <82d41351-a5b7-46ff-98af-2576127ec02c@googlegroups.com>
In reply to: #55318

On Wednesday, 2 October 2013 14:20:00 UTC+2, Ferrous Cranus wrote:
> ...
> Is it possible for someone that knows the MYSQL password of a server to 
> run arbitrary code on a linux server?
> ...
> If yes, can you give an example please?
http://lmgtfy.com/?q=mysql+shell+escape

> Please, serious replies only, I won't answer to ironic comments or jokes.
Please only questions about python. This is not a mysql or security list.

PLONK!

(Hey Thunderbird has a very useful new feature. Ignore thread.)



#55330 — Re: Killing threads with TB (was: Can arbitrary code run in a server if someone's know just the MySQL password?)

From: Tim Chase <python.list@tim.thechases.com>
Date: 2013-10-02 08:21 -0500
Subject: Re: Killing threads with TB (was: Can arbitrary code run in a server if someone's know just the MySQL password?)
Message-ID: <mailman.625.1380720003.18130.python-list@python.org>
In reply to: #55321

On 2013-10-02 05:38, feedthetroll@gmx.de wrote:
> (Hey Thunderbird has a very useful new feature. Ignore thread.)

Unfortunately, as of when I last tested it, it only works in the
newsgroup part of TB, not the mail portion of TB.

Sadly, Claws-Mail (my current mailer) doesn't have a native
kill-thread functionality, but it does support external message
filters, so I threw together a kill-thread filter in Python (bringing
this back on-topic) which duplicates the TB functionality that I
missed.

-tkc



#55387 — Re: Killing threads with TB

From: Terry Reedy <tjreedy@udel.edu>
Date: 2013-10-02 18:34 -0400
Subject: Re: Killing threads with TB
Message-ID: <mailman.657.1380753265.18130.python-list@python.org>
In reply to: #55321

On 10/2/2013 9:21 AM, Tim Chase wrote:
> On 2013-10-02 05:38, feedthetroll@gmx.de wrote:
>> (Hey Thunderbird has a very useful new feature. Ignore thread.)
>
> Unfortunately, as of when I last tested it, it only works in the
> newsgroup part of TB, not the mail portion of TB.

One can read python-list as news.gmane.org newsgroup 
gmane.comp.python.general.

-- 
Terry Jan Reedy



#55388 — Re: Killing threads with TB

From: Mark Lawrence <breamoreboy@yahoo.co.uk>
Date: 2013-10-02 23:48 +0100
Subject: Re: Killing threads with TB
Message-ID: <mailman.658.1380754129.18130.python-list@python.org>
In reply to: #55321

On 02/10/2013 23:34, Terry Reedy wrote:
> On 10/2/2013 9:21 AM, Tim Chase wrote:
>> On 2013-10-02 05:38, feedthetroll@gmx.de wrote:
>>> (Hey Thunderbird has a very useful new feature. Ignore thread.)
>>
>> Unfortunately, as of when I last tested it, it only works in the
>> newsgroup part of TB, not the mail portion of TB.
>
> One can read python-list as news.gmane.org newsgroup
> gmane.comp.python.general.
>

You can also read hundreds of other Python lists at gmane.comp.python.

-- 
Roses are red,
Violets are blue,
Most poems rhyme,
But this one doesn't.

Mark Lawrence



#55331

From: Steven D'Aprano <steve+comp.lang.python@pearwood.info>
Date: 2013-10-02 13:25 +0000
Message-ID: <524c1ee6$0$29984$c3e8da3$5496439d@news.astraweb.com>
In reply to: #55318

On Wed, 02 Oct 2013 15:20:00 +0300, Νίκος wrote:

> Is it possible for someone that knows the MYSQL password of a server to
> run arbitrary code on a linux server?

Yes, it is possible.

> Okay, he uses the password and he gains access to the databases, then
> what? MySQL is a database server, how can he run arbitrary shell
> commands by using MySQL?
> 
> If yes, can you give an example please?

Google for "run arbitrary shell commands MySQL". If you don't understand 
them, go find a beginner's forum where you can learn about MySQL, this is 
not it.

https://duckduckgo.com/html/?q=run+arbitrary+shell+commands+MySQL
https://www.google.com.au/search?q=run+arbitrary+shell+commands


-- 
Steven



#55337

From: Νίκος <nikos.gr33k@gmail.com>
Date: 2013-10-02 16:41 +0300
Message-ID: <l2h7qj$gqt$2@dont-email.me>
In reply to: #55331

On 2/10/2013 4:25 PM, Steven D'Aprano wrote:
> On Wed, 02 Oct 2013 15:20:00 +0300, Νίκος wrote:
>
>> Is it possible for someone that knows the MYSQL password of a server to
>> run arbitrary code on a linux server?
>
> Yes, it is possible.

Is that what might have happened and someone managed to upload the .html 
file in '~/home/nikos/www/' ?

Can you think of any other way?



#55341

From: Ned Batchelder <ned@nedbatchelder.com>
Date: 2013-10-02 09:58 -0400
Message-ID: <mailman.629.1380722323.18130.python-list@python.org>
In reply to: #55337

On 10/2/13 9:41 AM, Νίκος wrote:
> On 2/10/2013 4:25 PM, Steven D'Aprano wrote:
>> On Wed, 02 Oct 2013 15:20:00 +0300, Νίκος wrote:
>>
>>> Is it possible for someone that knows the MYSQL password of a server to
>>> run arbitrary code on a linux server?
>>
>> Yes, it is possible.
>
> Is that what might have happened and someone managed to upload the 
> .html file in '~/home/nikos/www/' ?
>
> Can you think of any other way?
>

As others have said in this thread, this is not a Python topic. Find 
another forum for this question.  Do not ask it here again.

You've said that you can improve.  Show us by not asking non-Python 
questions here.

--Ned.



#55348

From: Νίκος <nikos.gr33k@gmail.com>
Date: 2013-10-02 17:46 +0300
Message-ID: <l2hbjf$8mv$1@dont-email.me>
In reply to: #55341

On 2/10/2013 4:58 PM, Ned Batchelder wrote:
> On 10/2/13 9:41 AM, Νίκος wrote:
>> On 2/10/2013 4:25 PM, Steven D'Aprano wrote:
>>> On Wed, 02 Oct 2013 15:20:00 +0300, Νίκος wrote:
>>>
>>>> Is it possible for someone that knows the MYSQL password of a server to
>>>> run arbitrary code on a linux server?
>>>
>>> Yes, it is possible.
>>
>> Is that what might have happened and someone managed to upload the
>> .html file in '~/home/nikos/www/' ?
>>
>> Can you think of any other way?
>>
>
> As others have said in this thread, this is not a Python topic. Find
> another forum for this question.  Do not ask it here again.
>
> You've said that you can improve.  Show us by not asking non-Python
> questions here.
>
> --Ned.

But I need to know what happened and how this .html file got uploaded.
This is not a python question, but this happened from this python NG.
And perhaps my python code was being utilized for this upload to happen.

I must know.

-- 
*What is now proved was once only imagined!*



#55349

From: ishish <ishish@domhain.de>
Date: 2013-10-02 15:55 +0100
Message-ID: <mailman.635.1380725719.18130.python-list@python.org>
In reply to: #55348

On 02.10.2013 15:46, Νίκος wrote:
> But I need to know what happened and how this .html file got 
> uploaded.
> This is not a python question, but this happened from this python 
> NG. ... ...

Who says that??



#55350

From: Ned Batchelder <ned@nedbatchelder.com>
Date: 2013-10-02 11:15 -0400
Message-ID: <mailman.636.1380726953.18130.python-list@python.org>
In reply to: #55348

On 10/2/13 10:46 AM, Νίκος wrote:
> On 2/10/2013 4:58 PM, Ned Batchelder wrote:
>> On 10/2/13 9:41 AM, Νίκος wrote:
>>> On 2/10/2013 4:25 PM, Steven D'Aprano wrote:
>>>> On Wed, 02 Oct 2013 15:20:00 +0300, Νίκος wrote:
>>>>
>>>>> Is it possible for someone that knows the MYSQL password of a 
>>>>> server to
>>>>> run arbitrary code on a linux server?
>>>>
>>>> Yes, it is possible.
>>>
>>> Is that what might have happened and someone managed to upload the
>>> .html file in '~/home/nikos/www/' ?
>>>
>>> Can you think of any other way?
>>>
>>
>> As others have said in this thread, this is not a Python topic. Find
>> another forum for this question.  Do not ask it here again.
>>
>> You've said that you can improve.  Show us by not asking non-Python
>> questions here.
>>
>> --Ned.
> But I need to know what happened and how this .html file got uploaded.
> This is not a python question, but this happened from this python NG.
> And perhaps my python code was being utilized for this upload to happen.
>
> I must know.
>

This is not a topic for Python-List.  We don't have answers for you, and 
you won't get answers to this question here.  If you persist in asking 
about it here, don't be surprised when people get angry with you.  This 
is anti-social behavior.

I know you are upset about your server being compromised.  I'm sorry 
about that, but it isn't on-topic here.  There are other places you can 
get help with your question.

--Ned.



#55355

From: Denis McMahon <denismfmcmahon@gmail.com>
Date: 2013-10-02 16:02 +0000
Message-ID: <l2hg2k$uim$3@dont-email.me>
In reply to: #55348

On Wed, 02 Oct 2013 17:46:08 +0300, Νίκος wrote:

> But I need to know what happened and how this .html file got uploaded.

The html file started out in an editor on another machine, and was 
created by someone typing at the keyboard. It was then saved to hard disk 
as a file. The other machine then read the file into memory, and then 
sent it as a byte stream to the tcp/ip stack, where it was broken down 
into packets which travelled across the tcp/ip network onto your 
server. Your server then re-assembled the packets into a byte stream 
which filled a block of memory, and then wrote the contents of that block 
of memory to disc as a file.

(This explanation may contain some assumptions.)

-- 
Denis McMahon, denismfmcmahon@gmail.com



#55370

From: Ethan Furman <ethan@stoneleaf.us>
Date: 2013-10-02 09:59 -0700
Message-ID: <mailman.645.1380736457.18130.python-list@python.org>
In reply to: #55348

On 10/02/2013 07:46 AM, Νίκος wrote:
> On 2/10/2013 4:58 PM, Ned Batchelder wrote:
>>
>> As others have said in this thread, this is not a Python topic. Find
>> another forum for this question.  Do not ask it here again.
>>
>> You've said that you can improve.  Show us by not asking non-Python
>> questions here.
>
> I must know.

*plonk*



#55346

From: Alister <alister.ware@ntlworld.com>
Date: 2013-10-02 14:34 +0000
Message-ID: <N9W2u.10684$eW3.6172@fx23.am4>
In reply to: #55337

On Wed, 02 Oct 2013 16:41:40 +0300, Νίκος wrote:

> On 2/10/2013 4:25 PM, Steven D'Aprano wrote:
>> On Wed, 02 Oct 2013 15:20:00 +0300, Νίκος wrote:
>>
>>> Is it possible for someone that knows the MYSQL password of a server
>>> to run arbitrary code on a linux server?
>>
>> Yes, it is possible.
> 
> Is that what might have happened and someone managed to upload the .html
> file in '~/home/nikos/www/' ?
> 
> Can you think of any other way?


There are many other ways (I am not a hacker so I would not know where to 
start)
Against my better judgement I am going to give some advice (more to 
protect your customers than you)

1) tie down access to your server, nothing should be accessible from the 
internet unless absolutely necessary.
certainly your database should not be accessible and this should be 
blocked in multiple ways (protection in depth)

you should close down any un-necessary services.
shut your firewall to all traffic except http & https (ports 80, 443) 
unless absolutely necessary.
set your database accounts to only allow log in from localhost & any 
explicit IP addresses that must have access 

& please google for further advice on server security & post questions in 
a suitable forum (not here)

as many have said, security is not our area of expertise & this is the 
wrong place to ask.

when correctly secured knowing your username & password should not be 
enough to allow access to your server.


-- 
I'm not under the alkafluence of inkahol
that some thinkle peep I am.
It's just the drunker I sit here the longer I get.



#55358

From: Ravi Sahni <ganeshsahni07@gmail.com>
Date: 2013-10-02 20:43 +0530
Message-ID: <mailman.640.1380730392.18130.python-list@python.org>
In reply to: #55346

On Wed, Oct 2, 2013 at 8:04 PM, Alister <alister.ware@ntlworld.com> wrote:
> On Wed, 02 Oct 2013 16:41:40 +0300, Νίκος wrote:
>
>> On 2/10/2013 4:25 PM, Steven D'Aprano wrote:
>>> On Wed, 02 Oct 2013 15:20:00 +0300, Νίκος wrote:
>>>
>>>> Is it possible for someone that knows the MYSQL password of a server
>>>> to run arbitrary code on a linux server?
>>>
>>> Yes, it is possible.
>>
>> Is that what might have happened and someone managed to upload the .html
>> file in '~/home/nikos/www/' ?
>>
>> Can you think of any other way?
>
>
> There are many other ways (I am not a hacker so I would not know where to
> start)
> Against my better judgement I am going to give some advice (more to
> protect your customers than you)
>
> 1) tie down access to your server, nothing should be accessible from the
> internet unless absolutely necessary.
> certainly your database should not be accessible and this should be
> blocked in multiple ways (protection in depth)
>
> you should close down any un-necessary services.
> shut your firewall to all traffic except http & https (ports 80, 443)
> unless absolutely necessary.
> set your database accounts to only allow log in from localhost & any
> explicit IP addresses that must have access
>
> & please google for further advice on server security & post questions in
> a suitable forum (not here)
>
> as many have said, security is not our area of expertise & this is the
> wrong place to ask.
>
> when correctly secured knowing your username & password should not be
> enough to allow access to your server.


Thank you Alister for answering the needs of needy persons.
I am also needy. Please be kind to me as well:

There is poverty and injustice in the world. Why?? I NEED to know
People suffer and die. How come? I MUST know
And there are morons... Why?? PLEASE TELL

-- 
Ravi



#55362

From: Νίκος Ακεξόπουλος <nikos.gr33k@gmail.com>
Date: 2013-10-02 20:06 +0300
Message-ID: <l2hjqf$u79$1@dont-email.me>
In reply to: #55358

On 2/10/2013 6:13 PM, Ravi Sahni wrote:
> On Wed, Oct 2, 2013 at 8:04 PM, Alister <alister.ware@ntlworld.com> wrote:
>> On Wed, 02 Oct 2013 16:41:40 +0300, Νίκος wrote:
>>
>>> On 2/10/2013 4:25 PM, Steven D'Aprano wrote:
>>>> On Wed, 02 Oct 2013 15:20:00 +0300, Νίκος wrote:
>>>>
>>>>> Is it possible for someone that knows the MYSQL password of a server
>>>>> to run arbitrary code on a linux server?
>>>>
>>>> Yes, it is possible.
>>>
>>> Is that what might have happened and someone managed to upload the .html
>>> file in '~/home/nikos/www/' ?
>>>
>>> Can you think of any other way?
>>
>>
>> There are many other ways (I am not a hacker so I would not know where to
>> start)
>> Against my better judgement I am going to give some advice (more to
>> protect your customers than you)
>>
>> 1) tie down access to your server, nothing should be accessible from the
>> internet unless absolutely necessary.
>> certainly your database should not be accessible and this should be
>> blocked in multiple ways (protection in depth)
>>
>> you should close down any un-necessary services.
>> shut your firewall to all traffic except http & https (ports 80, 443)
>> unless absolutely necessary.
>> set your database accounts to only allow log in from localhost & any
>> explicit IP addresses that must have access
>>
>> & please google for further advice on server security & post questions in
>> a suitable forum (not here)
>>
>> as many have said, security is not our area of expertise & this is the
>> wrong place to ask.
>>
>> when correctly secured knowing your username & password should not be
>> enough to allow access to your server.
>
>
> Thank you Alister for answering the needs of needy persons.
> I am also needy. Please be kind to me as well:
>
> There is poverty and injustice in the world. Why?? I NEED to know
> People suffer and die. How come? I MUST know
> And there are morons... Why?? PLEASE TELL

You are failing trying to mimic me. I have a reason when I ask because I 
did explanation for some matter.
As for morons, yes there are lots of them in this world, including you 
trying to make fun out of this by impersonating me.

You fail also as acting as a newbie, while you are a regular here.


-- 
What is now proved was at first only imagined! & WebHost
<http://superhost.gr>



#55368

From: Steven D'Aprano <steve+comp.lang.python@pearwood.info>
Date: 2013-10-02 17:39 +0000
Message-ID: <524c5a34$0$29984$c3e8da3$5496439d@news.astraweb.com>
In reply to: #55337

On Wed, 02 Oct 2013 16:41:40 +0300, Νίκος wrote:

> On 2/10/2013 4:25 PM, Steven D'Aprano wrote:
>> On Wed, 02 Oct 2013 15:20:00 +0300, Νίκος wrote:
>>
>>> Is it possible for someone that knows the MYSQL password of a server
>>> to run arbitrary code on a linux server?
>>
>> Yes, it is possible.
> 
> Is that what might have happened and someone managed to upload the .html
> file in '~/home/nikos/www/' ?

How the hell should I know? I am not a MySQL expert, and this is not a 
MySQL forum.

Nikos, you embarrass me. I have gone out on a limb for you, and this is 
how you thank me? You said you were improving, and yet here you go 
completely ignoring the links I sent you, and continuing to ask off-topic 
questions here.

Thanks for kicking me in the guts. I will remember this next time you ask 
a question.


-- 
Steven



#55371

From: Νίκος Αλεξόπουλος <nikos.gr33k@gmail.com>
Date: 2013-10-02 21:02 +0300
Message-ID: <l2hn3v$hl2$1@dont-email.me>
In reply to: #55368

On 2/10/2013 8:39 PM, Steven D'Aprano wrote:
> On Wed, 02 Oct 2013 16:41:40 +0300, Νίκος wrote:
>
>> On 2/10/2013 4:25 PM, Steven D'Aprano wrote:
>>> On Wed, 02 Oct 2013 15:20:00 +0300, Νίκος wrote:
>>>
>>>> Is it possible for someone that knows the MYSQL password of a server
>>>> to run arbitrary code on a linux server?
>>>
>>> Yes, it is possible.
>>
>> Is that what might have happened and someone managed to upload the .html
>> file in '~/home/nikos/www/' ?
>
> How the hell should I know? I am not a MySQL expert, and this is not a
> MySQL forum.
>
> Nikos, you embarrass me. I have gone out on a limb for you, and this is
> how you thank me? You said you were improving, and yet here you go
> completely ignoring the links I sent you, and continuing to ask off-topic
> questions here.
>
> Thanks for kicking me in the guts. I will remember this next time you ask
> a question.
>
>
I just asked your opinion on this.
But okay, I will stop since this is not getting us anywhere.

Neither will I reply to any more insulting comments.

-- 
What is now proved was at first only imagined! & WebHost
<http://superhost.gr>



#55392

From: Dennis Lee Bieber <wlfraed@ix.netcom.com>
Date: 2013-10-02 20:02 -0400
Message-ID: <mailman.662.1380758566.18130.python-list@python.org>
In reply to: #55318

On Wed, 02 Oct 2013 15:20:00 +0300, Νίκος <nikos.gr33k@gmail.com> declaimed
the following:

>
>Okay, he uses the password and he gains access to the databases, then 
>what? MySQL is a database server, how can he run arbitrary shell 
>commands by using MySQL?
>

	Well, #1, if your account/password is the database administrator, then
they can create a new database user with full privileges -- so if you
change your password but don't examine the authorization system they could
still get into the database.

	#2 -- the SELECT statement has options for "INTO OUTFILE 'filename'"
and "INTO DUMPFILE 'filename'".

	The result: If someone can create a temporary table, they can then
populate the table with lines of HTML (using INSERT statements), and
finally they can SELECT lines FROM temp_table INTO OUTFILE
'/any/thing/the/server/can/access.html'


	It's your server system, YOU need to learn how to investigate the
security system, read logs, etc. -- NONE of which belongs in this group.
-- 
	Wulfraed                 Dennis Lee Bieber         AF6VN
    wlfraed@ix.netcom.com    HTTP://wlfraed.home.netcom.com/
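
An added example, not part of any post in this thread: a defender-side audit of the exposures raised above (accounts reachable from hosts other than localhost, accounts that appeared without the administrator's knowledge, and the FILE privilege that `SELECT ... INTO OUTFILE` depends on). It assumes the rows come from `SELECT Host, User, File_priv, Grant_priv, Super_priv, Create_user_priv FROM mysql.user` and the value from `SHOW VARIABLES LIKE 'secure_file_priv'`; the function names, finding labels and sample rows are constructed for illustration.

```python
import os.path

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
# Privileges that let an account create or re-grant other accounts.
ADMIN_PRIVS = ("Grant_priv", "Super_priv", "Create_user_priv")


def audit_accounts(rows, baseline, allowed_remote=()):
    """Return (account, finding) pairs for rows selected from mysql.user.

    rows: dicts with the columns Host, User, File_priv and ADMIN_PRIVS.
    baseline: (User, Host) pairs the administrator knows about.
    allowed_remote: explicit client addresses that must have access.
    """
    findings = []
    for row in rows:
        user, host = row["User"], row["Host"]
        account = "%s@%s" % (user, host)
        if (user, host) not in baseline:
            # An account added by an intruder survives a password change.
            findings.append((account, "UNEXPECTED"))
        if host not in LOCAL_HOSTS and host not in allowed_remote:
            kind = "WILDCARD_HOST" if "%" in host else "REMOTE_HOST"
            findings.append((account, kind))
        if row["File_priv"] == "Y":
            # FILE is what SELECT ... INTO OUTFILE / DUMPFILE requires.
            findings.append((account, "FILE"))
        if any(row[p] == "Y" for p in ADMIN_PRIVS):
            findings.append((account, "ADMIN"))
    return findings


def audit_secure_file_priv(value, web_roots):
    """Classify the secure_file_priv setting (None stands for SQL NULL)."""
    if value is None:
        return "disabled"        # server refuses import/export operations
    if value == "":
        return "unrestricted"    # any path the mysqld user can write to
    export_dir = os.path.normpath(value)
    for root in map(os.path.normpath, web_roots):
        # Risky when either directory contains the other.
        if os.path.commonpath([export_dir, root]) in (export_dir, root):
            return "overlaps_web_root"
    return "restricted"


def _row(user, host, file_priv="N", grant="N", super_="N", create_user="N"):
    return {"User": user, "Host": host, "File_priv": file_priv,
            "Grant_priv": grant, "Super_priv": super_,
            "Create_user_priv": create_user}


# Constructed sample data, not taken from any real server.
SAMPLE_ROWS = [
    _row("root", "localhost", "Y", "Y", "Y", "Y"),
    _row("webapp", "localhost"),
    _row("webapp", "%", file_priv="Y"),
    _row("support", "203.0.113.7", grant="Y", create_user="Y"),
]
SAMPLE_BASELINE = {("root", "localhost"), ("webapp", "localhost"), ("webapp", "%")}

if __name__ == "__main__":
    for account, finding in audit_accounts(SAMPLE_ROWS, SAMPLE_BASELINE):
        print(account, finding)
    print(audit_secure_file_priv("", ["/home/nikos/public_html"]))
```

An application account that reports FILE or a wildcard host is the first thing to tighten, and an empty `secure_file_priv` means the server places no directory limit on where such an account can write.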


