Can arbitrary code run in a server if someone's know just the MySQL password?

Discussion in 'Python' started by Νίκος, Oct 2, 2013.

  1. Tim delaney said:

    "Because there's no chance with the brilliance you display that there
    could be any possibility of login details being kept in plaintext in
    your database.

    And of course your database is so well locked down that no attacker with
    a login to it could then execute arbitrary code on your system.

    And there's also zero chance that your personal account login details
    are also available in plaintext somewhere that you're unaware of."
    ==========

    Is it possible for someone that knows the MYSQL password of a server to
    run arbitrary code on a linux server?

    Okay, he uses the password and he gains access to the databases, then
    what? MySQL is a database server, how can he run arbitrary shell
    commands by using MySQL?

    If yes, can you give an example please?

    Also, is there a chance for my account's password to be retrieved in
    some way due to MySQL access or perhaps by utilizing my own python code?

    I'm just trying to figure out how the upload of that .html file happened
    to '/home/nikos/public_html'. I need a theory and Zero Piraeus to answer
    too.

    Please, serious replies only, I won't answer to ironic comments or jokes.
    Νίκος, Oct 2, 2013
    #1

  2. Re: Can arbitrary code run in a server if someone's know just the MySQL password?

    On 02-10-13 14:20, Νίκος wrote:
    > Tim delaney said:
    >
    > "Because there's no chance with the brilliance you display that there
    > could be any possibility of login details being kept in plaintext in
    > your database.
    >
    > And of course your database is so well locked down that no attacker with
    > a login to it could then execute arbitrary code on your system.
    >
    > And there's also zero chance that your personal account login details
    > are also available in plaintext somewhere that you're unaware of."
    > ==========
    >
    > Is it possible for someone that knows the MYSQL password of a server to
    > run arbitrary code on a linux server?
    >
    > Okay, he uses the password and he gains access to the databases, then
    > what? MySQL is a database server, how can he run arbitrary shell
    > commands by using MySQL?
    >
    > If yes, can you give an example please?
    >
    > Also, is there a chance for my account's password to be retrieved in
    > some way due to MySQL access or perhaps by utilizing my own python code?
    >
    > I'm just trying to figure out how the upload of that .html file happened
    > to '/home/nikos/public_html'. I need a theory and Zero Piraeus to answer
    > too.
    >
    > Please, serious replies only, I won't answer to ironic comments or jokes.


    You are not asking a python question. This is a python list. Not a
    Nikos advice board. Find a list where your question is more appropriate.

    --
    Antoon Pardon
    Antoon Pardon, Oct 2, 2013
    #2

  3. Νίκος

    Guest

    Re: Can arbitrary code run in a server if someone's know just the MySQL password?

    On Wednesday, 2 October 2013 14:20:00 UTC+2, Ferrous Cranus wrote:
    > ...
    > Is it possible for someone that knows the MYSQL password of a server to
    > run arbitrary code on a linux server?
    > ...
    > If yes, can you give an example please?

    http://lmgtfy.com/?q=mysql shell escape

    > Please, serious replies only, I won't answer to ironic comments or jokes.

    Please only questions about python. This is not a mysql or security list.

    PLONK!

    (Hey Thunderbird has a very useful new feature. Ignore thread.)
    , Oct 2, 2013
    #3
  4. Νίκος

    Tim Chase Guest

    Re: Killing threads with TB (was: Can arbitrary code run in a server if someone's know just the MySQL password?)

    On 2013-10-02 05:38, wrote:
    > (Hey Thunderbird has a very useful new feature. Ignore thread.)


    Unfortunately, as of when I last tested it, it only works in the
    newsgroup part of TB, not the mail portion of TB.

    Sadly, Claws-Mail (my current mailer) doesn't have a native
    kill-thread functionality, but it does support external message
    filters, so I threw together a kill-thread filter in Python (bringing
    this back on-topic) which duplicates the TB functionality that I
    missed.

    -tkc
    Tim Chase, Oct 2, 2013
    #4
  5. Re: Can arbitrary code run in a server if someone's know just the MySQL password?

    On Wed, 02 Oct 2013 15:20:00 +0300, Νίκος wrote:

    > Is it possible for someone that knows the MYSQL password of a server to
    > run arbitrary code on a linux server?


    Yes, it is possible.

    > Okay, he uses the password and he gains access to the databases, then
    > what? MySQL is a database server, how can he run arbitrary shell
    > commands by using MySQL?
    >
    > If yes, can you give an example please?


    Google for "run arbitrary shell commands MySQL". If you don't understand
    them, go find a beginner's forum where you can learn about MySQL, this is
    not it.

    https://duckduckgo.com/html/?q=run arbitrary shell commands MySQL
    https://www.google.com.au/search?q=run arbitrary shell commands


    --
    Steven
    Steven D'Aprano, Oct 2, 2013
    #5
  6. Re: Can arbitrary code run in a server if someone's know just the MySQL password?

    On 2/10/2013 4:25 PM, Steven D'Aprano wrote:
    > On Wed, 02 Oct 2013 15:20:00 +0300, Νίκος wrote:
    >
    >> Is it possible for someone that knows the MYSQL password of a server to
    >> run arbitrary code on a linux server?

    >
    > Yes, it is possible.


    Is that what might have happened and someone managed to upload the .html
    file in '~/home/nikos/www/' ?

    Can you think of any other way?
    Νίκος, Oct 2, 2013
    #6
  7. Re: Can arbitrary code run in a server if someone's know just the MySQL password?

    On 2/10/2013 4:58 PM, Ned Batchelder wrote:
    > On 10/2/13 9:41 AM, Νίκος wrote:
    >> On 2/10/2013 4:25 PM, Steven D'Aprano wrote:
    >>> On Wed, 02 Oct 2013 15:20:00 +0300, Νίκος wrote:
    >>>
    >>>> Is it possible for someone that knows the MYSQL password of a server to
    >>>> run arbitrary code on a linux server?
    >>>
    >>> Yes, it is possible.

    >>
    >> Is that what might have happened and someone managed to upload the
    >> .html file in '~/home/nikos/www/' ?
    >>
    >> Can you think of any other way?
    >>

    >
    > As others have said in this thread, this is not a Python topic. Find
    > another forum for this question. Do not ask it here again.
    >
    > You've said that you can improve. Show us by not asking non-Python
    > questions here.
    >
    > --Ned.

    But I need to know what happened and how this .html file got uploaded.
    This is not a python question, but this happened from this pythons NG.
    And perhaps my python code was being utilized for this upload to happen.

    I must know.

    --
    *What is now proved was once only imagined!*
    Νίκος, Oct 2, 2013
    #7
  8. Νίκος

    ishish Guest

    Re: Can arbitrary code run in a server if someone's know just the MySQL password?

    On 02.10.2013 15:46, Νίκος wrote:
    > But I need to know what happened and how this .html file got
    > uploaded.
    > This is not a python question, but this happened from this pythons
    > NG. ... ...


    Who says that??
    ishish, Oct 2, 2013
    #8
  9. Νίκος

    Ravi Sahni Guest

    Re: Can arbitrary code run in a server if someone's know just the MySQL password?

    On Wed, Oct 2, 2013 at 8:04 PM, Alister <> wrote:
    > On Wed, 02 Oct 2013 16:41:40 +0300, Νίκος wrote:
    >
    >> On 2/10/2013 4:25 PM, Steven D'Aprano wrote:
    >>> On Wed, 02 Oct 2013 15:20:00 +0300, Νίκος wrote:
    >>>
    >>>> Is it possible for someone that knows the MYSQL password of a server
    >>>> to run arbitrary code on a linux server?
    >>>
    >>> Yes, it is possible.

    >>
    >> Is that what might have happened and someone managed to upload the .html
    >> file in '~/home/nikos/www/' ?
    >>
    >> Can you think of any other way?

    >
    >
    > There are many other ways (I am not a hacker so I would not know where to
    > start)
    > Against my better judgement I am going to give some advice (more to
    > protect your customers than you)
    >
    > 1) tie down access to your server, nothing should be accessible from the
    > internet unless absolutely necessary.
    > certainly your database should not be accessible and this should be
    > blocked in multiple ways (protection in depth)
    >
    > you should close down any unnecessary services.
    > shut your firewall to all traffic except http & https (ports 80, 443)
    > unless absolutely necessary.
    > set your database accounts to only allow log in from localhost & any
    > explicit IP addresses that must have access
    >
    > & please google for further advice on server security & post questions in
    > a suitable forum (not here)
    >
    > as many have said, security is not our area of expertise & this is the
    > wrong place to ask.
    >
    > when correctly secured knowing your username & password should not be
    > enough to allow access to your server.



    Thank you Alister for answering the needs of needy persons.
    I am also needy. Please be kind to me as well:

    There is poverty and injustice in the world. Why?? I NEED to know
    People suffer and die. How come? I MUST know
    And there are morons... Why?? PLEASE TELL

    --
    Ravi
    Ravi Sahni, Oct 2, 2013
    #9
  10. Re: Can arbitrary code run in a server if someone's know just the MySQL password?

    On 10/2/13 10:46 AM, Νίκος wrote:
    > On 2/10/2013 4:58 PM, Ned Batchelder wrote:
    >> On 10/2/13 9:41 AM, Νίκος wrote:
    >>> On 2/10/2013 4:25 PM, Steven D'Aprano wrote:
    >>>> On Wed, 02 Oct 2013 15:20:00 +0300, Νίκος wrote:
    >>>>
    >>>>> Is it possible for someone that knows the MYSQL password of a
    >>>>> server to
    >>>>> run arbitrary code on a linux server?
    >>>>
    >>>> Yes, it is possible.
    >>>
    >>> Is that what might have happened and someone managed to upload the
    >>> .html file in '~/home/nikos/www/' ?
    >>>
    >>> Can you think of any other way?
    >>>

    >>
    >> As others have said in this thread, this is not a Python topic. Find
    >> another forum for this question. Do not ask it here again.
    >>
    >> You've said that you can improve. Show us by not asking non-Python
    >> questions here.
    >>
    >> --Ned.

    > But I need to know what happened and how this .html file got uploaded.
    > This is not a python question, but this happened from this pythons NG.
    > And perhaps my python code was being utilized for this upload to happen.
    >
    > I must know.
    >


    This is not a topic for Python-List. We don't have answers for you, and
    you won't get answers to this question here. If you persist in asking
    about it here, don't be surprised when people get angry with you. This
    is anti-social behavior.

    I know you are upset about your server being compromised. I'm sorry
    about that, but it isn't on-topic here. There are other places you can
    get help with your question.

    --Ned.
    Ned Batchelder, Oct 2, 2013
    #10
  11. Re: Can arbitrary code run in a server if someone's know just the MySQL password?

    On Wed, 02 Oct 2013 17:46:08 +0300, Νίκος wrote:

    > But I need to know what happened and how this .html file got uploaded.


    The html file started out in an editor on another machine, and was
    created by someone typing at the keyboard. It was then saved to hard disk
    as a file. The other machine then read the file into memory, and then
    sent it as a byte stream to the tcp/ip stack, where it was broken
    down into packets which travelled across the tcp/ip network onto your
    server. Your server then re-assembled the packets into a byte stream
    which filled a block of memory, and then wrote the contents of that block
    of memory to disc as a file.

    (This explanation may contain some assumptions.)

    --
    Denis McMahon,
    Denis McMahon, Oct 2, 2013
    #11
  12. Νίκος

    Ethan Furman Guest

    Re: Can arbitrary code run in a server if someone's know just the MySQL password?

    On 10/02/2013 07:46 AM, Νίκος wrote:
    > On 2/10/2013 4:58 PM, Ned Batchelder wrote:
    >>
    >> As others have said in this thread, this is not a Python topic. Find
    >> another forum for this question. Do not ask it here again.
    >>
    >> You've said that you can improve. Show us by not asking non-Python
    >> questions here.

    >
    > I must know.


    *plonk*
    Ethan Furman, Oct 2, 2013
    #12
  13. Re: Can arbitrary code run in a server if someone's know just the MySQL password?

    On 2/10/2013 6:13 PM, Ravi Sahni wrote:
    > On Wed, Oct 2, 2013 at 8:04 PM, Alister <> wrote:
    >> On Wed, 02 Oct 2013 16:41:40 +0300, Νίκος wrote:
    >>
    >>> On 2/10/2013 4:25 PM, Steven D'Aprano wrote:
    >>>> On Wed, 02 Oct 2013 15:20:00 +0300, Νίκος wrote:
    >>>>
    >>>>> Is it possible for someone that knows the MYSQL password of a server
    >>>>> to run arbitrary code on a linux server?
    >>>>
    >>>> Yes, it is possible.
    >>>
    >>> Is that what might have happened and someone managed to upload the .html
    >>> file in '~/home/nikos/www/' ?
    >>>
    >>> Can you think of any other way?

    >>
    >>
    >> There are many other ways (I am not a hacker so I would not know where to
    >> start)
    >> Against my better judgement I am going to give some advice (more to
    >> protect your customers than you)
    >>
    >> 1) tie down access to your server, nothing should be accessible from the
    >> internet unless absolutely necessary.
    >> certainly your database should not be accessible and this should be
    >> blocked in multiple ways (protection in depth)
    >>
    >> you should close down any unnecessary services.
    >> shut your firewall to all traffic except http & https (ports 80, 443)
    >> unless absolutely necessary.
    >> set your database accounts to only allow log in from localhost & any
    >> explicit IP addresses that must have access
    >>
    >> & please google for further advice on server security & post questions in
    >> a suitable forum (not here)
    >>
    >> as many have said, security is not our area of expertise & this is the
    >> wrong place to ask.
    >>
    >> when correctly secured knowing your username & password should not be
    >> enough to allow access to your server.

    >
    >
    > Thank you Alister for answering the needs of needy persons.
    > I am also needy. Please be kind to me as well:
    >
    > There is poverty and injustice in the world. Why?? I NEED to know
    > People suffer and die. How come? I MUST know
    > And there are morons... Why?? PLEASE TELL


    You are failing trying to mimic me. I have a reason when I ask because I
    did explanation for some matter.
    As for morons, yes they are lots of them in this world, including you
    trying to make fun out of this by impersonating me.

    You fail also as acting as a newbie, while you are a regular here.


    --
    What is now proved was at first only imagined! & WebHost
    <http://superhost.gr>
    Νίκος Ακεξόπουλος, Oct 2, 2013
    #13
  14. Re: Can arbitrary code run in a server if someone's know just the MySQL password?

    On Wed, 02 Oct 2013 16:41:40 +0300, Νίκος wrote:

    > On 2/10/2013 4:25 PM, Steven D'Aprano wrote:
    >> On Wed, 02 Oct 2013 15:20:00 +0300, Νίκος wrote:
    >>
    >>> Is it possible for someone that knows the MYSQL password of a server
    >>> to run arbitrary code on a linux server?

    >>
    >> Yes, it is possible.

    >
    > Is that what might have happened and someone managed to upload the .html
    > file in '~/home/nikos/www/' ?


    How the hell should I know? I am not a MySQL expert, and this is not a
    MySQL forum.

    Nikos, you embarrass me. I have gone out on a limb for you, and this is
    how you thank me? You said you were improving, and yet here you go
    completely ignoring the links I sent you, and continuing to ask off-topic
    questions here.

    Thanks for kicking me in the guts. I will remember this next time you ask
    a question.


    --
    Steven
    Steven D'Aprano, Oct 2, 2013
    #14
  15. Re: Can arbitrary code run in a server if someone's know just the MySQL password?

    On 2/10/2013 8:39 PM, Steven D'Aprano wrote:
    > On Wed, 02 Oct 2013 16:41:40 +0300, Νίκος wrote:
    >
    >> On 2/10/2013 4:25 PM, Steven D'Aprano wrote:
    >>> On Wed, 02 Oct 2013 15:20:00 +0300, Νίκος wrote:
    >>>
    >>>> Is it possible for someone that knows the MYSQL password of a server
    >>>> to run arbitrary code on a linux server?
    >>>
    >>> Yes, it is possible.

    >>
    >> Is that what might have happened and someone managed to upload the .html
    >> file in '~/home/nikos/www/' ?

    >
    > How the hell should I know? I am not a MySQL expert, and this is not a
    > MySQL forum.
    >
    > Nikos, you embarrass me. I have gone out on a limb for you, and this is
    > how you thank me? You said you were improving, and yet here you go
    > completely ignoring the links I sent you, and continuing to ask off-topic
    > questions here.
    >
    > Thanks for kicking me in the guts. I will remember this next time you ask
    > a question.
    >
    >

    I just asked your opinion at this.
    But okay, I will stop since this is not getting us anywhere.

    Neither will I reply to any more insulting comments.

    --
    What is now proved was at first only imagined! & WebHost
    <http://superhost.gr>
    Νίκος Αλεξόπουλος, Oct 2, 2013
    #15
  16. Νίκος

    Terry Reedy Guest

    Re: Killing threads with TB

    On 10/2/2013 9:21 AM, Tim Chase wrote:
    > On 2013-10-02 05:38, wrote:
    >> (Hey Thunderbird has a very useful new feature. Ignore thread.)

    >
    > Unfortunately, as of when I last tested it, it only works in the
    > newsgroup part of TB, not the mail portion of TB.


    One can read python-list as news.gmane.org newsgroup
    gmane.comp.python.general.

    --
    Terry Jan Reedy
    Terry Reedy, Oct 2, 2013
    #16
  17. Re: Killing threads with TB

    On 02/10/2013 23:34, Terry Reedy wrote:
    > On 10/2/2013 9:21 AM, Tim Chase wrote:
    >> On 2013-10-02 05:38, wrote:
    >>> (Hey Thunderbird has a very useful new feature. Ignore thread.)

    >>
    >> Unfortunately, as of when I last tested it, it only works in the
    >> newsgroup part of TB, not the mail portion of TB.

    >
    > One can read python-list as news.gmane.org newsgroup
    > gmane.comp.python.general.
    >


    You can also read hundreds of other Python lists at gmane.comp.python.

    --
    Roses are red,
    Violets are blue,
    Most poems rhyme,
    But this one doesn't.

    Mark Lawrence
    Mark Lawrence, Oct 2, 2013
    #17
  18. Re: Can arbitrary code run in a server if someone's know just the MySQL password?

    On Wed, 02 Oct 2013 15:20:00 +0300, Νίκος <> declaimed
    the following:

    >
    >Okay, he uses the password and he gains access to the databases, then
    >what? MySQL is a database server, how can he run arbitrary shell
    >commands by using MySQL?
    >


    Well, #1, if your account/password is the database administrator, then
    they can create a new database user with full privileges -- so if you
    change your password but don't examine the authorization system they could
    still get into the database.

    #2 -- the SELECT statement has options for "INTO OUTFILE 'filename'"
    and "INTO DUMPFILE 'filename'".

    The result: If someone can create a temporary table, they can then
    populate the table with lines of HTML (using INSERT statements), and
    finally they can SELECT lines FROM temp_table INTO OUTFILE
    '/any/thing/the/server/can/access.html'


    It's your server system, YOU need to learn how to investigate the
    security system, read logs, etc. -- NONE of which belongs in this group.
    --
    Wulfraed Dennis Lee Bieber AF6VN
    HTTP://wlfraed.home.netcom.com/
    Dennis Lee Bieber, Oct 3, 2013
    #18
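
A defensive check for the two points in the post above and for the localhost-only advice quoted earlier in the thread, added here as an example (not code from any poster): it reads `SHOW GRANTS` output plus the server's `secure_file_priv` value and flags accounts that can write files through `SELECT ... INTO OUTFILE`, create further accounts, or log in from any host. The grant lines and the finding names are constructed for illustration.

```python
import re

# One line of SHOW GRANTS output, e.g.
#   GRANT SELECT, FILE ON *.* TO 'webapp'@'%'
# Column-level grants such as SELECT (a, b) are not handled here.
GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO "
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'"
)
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample input, not taken from the server in the thread.
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
    "GRANT SELECT, INSERT, FILE ON *.* TO 'webapp'@'%'",
    "GRANT SELECT, INSERT, UPDATE ON `shop`.* TO 'shop_rw'@'localhost'",
    "GRANT USAGE ON *.* TO 'report'@'192.0.2.10'",
]


def parse_grant(line):
    """Split one SHOW GRANTS line into account, host, scope and privileges."""
    m = GRANT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised grant line: {line!r}")
    return {
        "account": f"{m['user']}@{m['host']}",
        "host": m["host"],
        "global": m["scope"] == "*.*",
        "privs": {p.strip().upper() for p in m["privs"].split(",")},
    }


def audit(grant_lines, secure_file_priv):
    """Return sorted (account, finding) pairs.

    secure_file_priv is the server variable of that name: "" means no
    restriction, a directory confines file export to that directory,
    None (NULL) means file import/export is disabled.
    """
    findings = set()
    for g in map(parse_grant, grant_lines):
        all_global = g["global"] and "ALL PRIVILEGES" in g["privs"]
        # FILE is what SELECT ... INTO OUTFILE / DUMPFILE requires.
        has_file = all_global or (g["global"] and "FILE" in g["privs"])
        if has_file and secure_file_priv is not None:
            kind = ("FILE_WRITE_ANY_PATH" if secure_file_priv == ""
                    else "FILE_WRITE_CONFINED")
            findings.add((g["account"], kind))
        # An account that can create users outlives a password change.
        if all_global or (g["global"] and "CREATE USER" in g["privs"]):
            findings.add((g["account"], "CAN_CREATE_ACCOUNTS"))
        # '%' in the host part lets the account log in from other machines.
        if g["host"] not in LOCAL_HOSTS and "%" in g["host"]:
            findings.add((g["account"], "WILDCARD_HOST"))
    return sorted(findings)


if __name__ == "__main__":
    for account, finding in audit(SAMPLE_GRANTS, ""):
        print(f"{account:20} {finding}")
```
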
