[Canvas] How do you solve a problem like MySQL?

Alex McGeorge alexm at immunityinc.com
Fri Jun 15 09:49:03 EDT 2012


Hello List,

It's been a while! Today we're here to talk about everyone's favorite
database, MySQL. That project has had a history of issues with
authentication and to be fair most databases have gone through these
issues in the past as well. The key part of that is of course "gone
through", not "recurring critical vulnerabilities." As a result we are
pleased to offer mysql_login_remote as a new CANVAS module that exploits
this vulnerability and will deliver you a newly improved SQL Node that
allows you to submit queries.

With a little bit of ingenuity and Python you can start combing your
enterprise for MySQL servers and executing some standard queries when
you get a successful shell startup. That would make for a pretty great
report I think! We did a quick video about running the module and I
included some tips about using the module in the real world. You can
check it out: http://partners.immunityinc.com/movies/CVE-2012-2122.mov

Cheers,
-AlexM

P.S. The answer to the subject question is of course: own it.

-- 
Alex McGeorge
Immunity Inc.
1130 Washington Avenue 8th Floor
Miami Beach, Florida 33139
P: 786.220.0600


