CVE-2016-6662 #2168

unionor opened this Issue Sep 14, 2016 · 10 comments



unionor commented Sep 14, 2016 edited

Any plans to use CVE-2016-6662 and CVE-2016-6663 for privilege escalation?


@stamparm This is good :) ...


Me too, interested in this. Hope this is possible 👍


I would love to see this! Please consider adding it.


@all what would be the (expected) workflow?


@unionor I've seen the PoC :). Have you read it and understood it? That injected config file has to be loaded in the first place.

I am repeating the question. What should be the workflow in an automated tool such as sqlmap?

unionor closed this Sep 15, 2016
unionor commented Sep 15, 2016 edited

@stamparm you decide now :).


@unionor Why close it down? Now I look like an a**hole, while I wanted a constructive discussion. I am just asking what would be the "usable" workflow here (if possible).


Well... for the config file to be loaded, what do we probably need? Just a service restart?
Maybe if we can upload a shell we can force the server to restart, and then the config file will be loaded...


Force the service to crash and restart using another exploit... but maybe it will be complicated and not so easy to implement: different versions, different databases, and there aren't many public exploits for a service crash.

unionor reopened this Sep 16, 2016

What if sqlmap helps us do everything and then tells the user that he needs to find a way to restart the service if he wants this to work?
That would be helpful enough... The main objective of sqlmap is to automate SQLi, not exploit a server... And for the SQLi part of the job the only thing it can do is inject the config file. The 2nd part is out of bounds for SQLi.
