It was unintended? We got the same payload :)
#hitcon GoGo PowerSQL unintended RCE solution:
1. Pollute environment variable
2. libmysqlclient will load plugin from LIBMYSQL_PLUGINS
3. But it will append annoying .so
4. Bypass by sending 512 bytes ./././ ...
5. Load the malicious plugin from /proc/self/fd/0
6. Profit 
-
-
-
According to https://github.com/orangetw/My-CTF-Web-Challenges/#gogo-powersql … I think it's unintended? Because we didn't use the BSS buffer overflow vulnerability.
Kraj razgovora
Novi razgovor -
-
-
aww man, i had a similar idea but i didn't know it'd work
-
We stuck for the appending ".so" part for a few hours. until we checked MySQL source...... https://github.com/mysql/mysql-server/blob/77306a41670543e103f94fa0db77a71d2b9f88b2/sql-common/client_plugin.cc#L435 …
- Još 1 odgovor
Novi razgovor -
Čini se da učitavanje traje već neko vrijeme.
Twitter je možda preopterećen ili ima kratkotrajnih poteškoća u radu. Pokušajte ponovno ili potražite dodatne informacije u odjeljku Status Twittera.