Can arbitrary code run in a server if someone's know just the MySQLpassword?

[Îίκος]

Tim delaney said:

"Because there's no chance with the brilliance you display that there
could be any possibility of login details being kept in plaintext in
your database.

And of course your database is so well locked down that no attacker with
a login to it could then execute arbitrary code on your system.

And there's also zero chance that your personal account login details
are also available in plaintext somewhere that you're unaware of."
==========

Is it possible for someone that knows the MYSQL password of a server to
run arbitrary code on a linux server?

Okey he uses the password and he gain access to the databases, then
what? MySQL is a database server how can he run run arbitrary shell
commands by using MySQL?

If yes, can you give an example please?

Also, is there a chance for my account's password to be retrieved on
some why due to MySQL access or perhaps by utilizing my own python code?

I'm just trying to figure out how the upload of that .html file happened
to '/home/nikos/public_html'. I need a theory and Zero Piraeus to answer
too.

Please, serious replies only, i won't answer to ironic comments or jokes.

 

[Antoon Pardon]

Op 02-10-13 14:20, Îίκος schreef:

Tim delaney said:

"Because there's no chance with the brilliance you display that there
could be any possibility of login details being kept in plaintext in
your database.

And of course your database is so well locked down that no attacker with
a login to it could then execute arbitrary code on your system.

And there's also zero chance that your personal account login details
are also available in plaintext somewhere that you're unaware of."
==========

Is it possible for someone that knows the MYSQL password of a server to
run arbitrary code on a linux server?

Okey he uses the password and he gain access to the databases, then
what? MySQL is a database server how can he run run arbitrary shell
commands by using MySQL?

If yes, can you give an example please?

Also, is there a chance for my account's password to be retrieved on
some why due to MySQL access or perhaps by utilizing my own python code?

I'm just trying to figure out how the upload of that .html file happened
to '/home/nikos/public_html'. I need a theory and Zero Piraeus to answer
too.

Please, serious replies only, i won't answer to ironic comments or jokes.

You are not asking a python question. This is a python list. Not a
Nikos advise board. Find a list where your question is more appropiate.

 

[feedthetroll]

Am Mittwoch, 2. Oktober 2013 14:20:00 UTC+2 schrieb Ferrous Cranus:

...
Is it possible for someone that knows the MYSQL password of a server to
run arbitrary code on a linux server?
...
If yes, can you give an example please? http://lmgtfy.com/?q=mysql+shell+escape

Please, serious replies only, i won't answer to ironic comments or jokes.

Please only questions about python. This not a mysql or security list.

PLONK!

(Hey Thunderbird has a very useful new feature. Ignore thread.)

 

[Tim Chase]

(Hey Thunderbird has a very useful new feature. Ignore thread.)

Unfortunately, as of when I last tested it, it only works in the
newsgroup part of TB, not the mail portion of TB.

Sadly, Claws-Mail (my current mailer) doesn't have a native
kill-thread functionality, but it does support external message
filters, so I threw together a kill-thread filter in Python (bringing
this back on-topic) which duplicates the TB functionality that I
missed.

-tkc

 

[Steven D'Aprano]

Is it possible for someone that knows the MYSQL password of a server to
run arbitrary code on a linux server?

Yes, it is possible.

Okey he uses the password and he gain access to the databases, then
what? MySQL is a database server how can he run run arbitrary shell
commands by using MySQL?

If yes, can you give an example please?

Google for "run arbitrary shell commands MySQL". If you don't understand
them, go find a beginner's forum where you can learn about MySQL, this is
not it.

https://duckduckgo.com/html/?q=run+arbitrary+shell+commands+MySQL
https://www.google.com.au/search?q=run+arbitrary+shell+commands

 

[Îίκος]

Στις 2/10/2013 4:25 μμ, ο/η Steven D'Aprano έγÏαψε:

Yes, it is possible.

Is that what might have happened and someone managed to upload the .html
file in '~/home/nikos/www/' ?

Can you think of any other way?

 

[Îίκος]

Στις 2/10/2013 4:58 μμ, ο/η Ned Batchelder έγÏαψε:

As others have said in this thread, this is not a Python topic. Find
another forum for this question. Do not ask it here again.

You've said that you can improve. Show us by not asking non-Python
questions here.

--Ned.

But i need to know what happened and how this .html file got uploaded.
This is not a python question, but this happened from this pythons NG.
And perhaps my python code was being utilized fo this upload to happen.

I must know.

 

[ishish]

Am 02.10.2013 15:46, schrieb Îίκος:

But i need to know what happened and how this .html file got
uploaded.
This is not a python question, but this happened from this pythons
NG. ... ...

Who says that??

 

[Ravi Sahni]

There are many other ways (i am not a hacker so i would not know whre to
start)
Against my better judgement I am going to give some advise (more to
protect your customers than you)

1) tie down access to your server, nothing should be accessable from the
internet unless absolutly necessary.
certainly your database should not be accessible and this should be
blocked in multiple ways (protection in depth)

you should close down any un-necessary services.
shut your firewall to all trafffix except http & https (ports 80 ,443)
unless absolutely necessary.
set your database accounts to only allow log in from localhost & and any
explicit IP addresses that must have access

& please google for further advise on server security & post questions in
a suitable forum (not here)

as many have said, security is not our area of expertise & this is the
wrong place to ask.

when correctly secured knowing your username & password should not be
enough to allow access to your server.

Thank you Alister for ansering the needs of needy persons.
I am also needy. Please be kind to me as well:

There is poverty and injustice in the world. Why?? I NEED to know
People suffer and die. How come? I MUST know
And there are morons... Why?? PLEASE TELL

 

[Ned Batchelder]

Στις 2/10/2013 4:58 μμ, ο/η Ned Batchelder έγÏαψε:
But i need to know what happened and how this .html file got uploaded.
This is not a python question, but this happened from this pythons NG.
And perhaps my python code was being utilized fo this upload to happen.

I must know.

This is not a topic for Python-List. We don't have answers for you, and
you won't get answers to this question here. If you persist in asking
about it here, don't be surprised when people get angry with you. This
is anti-social behavior.

I know you are upset about your server being compromised. I'm sorry
about that, but it isn't on-topic here. There are other places you can
get help with your question.

--Ned.

 

[Denis McMahon]

But i need to know what happened and how this .html file got uploaded.

The html file started out in an editor on on another machine, and was
created by someone typing at the keyboard. It was then saved to hard disk
as a file. The other machine then read the file into memory, and then
sent it as a byte stream to the tcp/ip stack, where it was broken down
down into packets which travelled across the tcp/ip network onto your
server. Your server then re-assembled the packets into a byte stream
which filled a block of memory, and then wrote the contents of that block
of memory to disc as a file.

(This explanation may contain some assumptions.)

 

[Ethan Furman]

Στις 2/10/2013 4:58 μμ, ο/η Ned Batchelder έγÏαψε:

I must know.

*plonk*

 

[Îίκος Ακεξόπουλος]

Στις 2/10/2013 6:13 μμ, ο/η Ravi Sahni έγÏαψε:

Thank you Alister for ansering the needs of needy persons.
I am also needy. Please be kind to me as well:

There is poverty and injustice in the world. Why?? I NEED to know
People suffer and die. How come? I MUST know
And there are morons... Why?? PLEASE TELL

You are failing trying to mimic me. I have a reason when i ask because i
did explanation for some matter.
As for morons, yes they are lots of them in this world, including you
trying to make fun out of this by impersonating me.

You fail also as acting as a newbie, while you are a regular here.

 

[Steven D'Aprano]

Στις 2/10/2013 4:25 μμ, ο/η Steven D'Aprano έγÏαψε:

Is that what might have happened and someone managed to upload the .html
file in '~/home/nikos/www/' ?

How the hell should I know? I am not a MySQL expert, and this is not a
MySQL forum.

Nikos, you embarrass me. I have gone out on a limb for you, and this is
how you thank me? You said you were improving, and yet here you go
completely ignoring the links I sent you, and continuing to ask off-topic
questions here.

Thanks for kicking me in the guts. I will remember this next time you ask
a question.

 

[Îίκος Αλεξόπουλος]

Στις 2/10/2013 8:39 μμ, ο/η Steven D'Aprano έγÏαψε:

How the hell should I know? I am not a MySQL expert, and this is not a
MySQL forum.

Nikos, you embarrass me. I have gone out on a limb for you, and this is
how you thank me? You said you were improving, and yet here you go
completely ignoring the links I sent you, and continuing to ask off-topic
questions here.

Thanks for kicking me in the guts. I will remember this next time you ask
a question.

I just asked your opinion at this.
But i okey i will stop since this is not going us anywhere.

Neither will i replay to any more insulting comments.

 

[Terry Reedy]

Unfortunately, as of when I last tested it, it only works in the
newsgroup part of TB, not the mail portion of TB.

One can read python-list as news.gmane.org newsgroup
gmane.comp.python.general.

 

[Mark Lawrence]

One can read python-list as news.gmane.org newsgroup
gmane.comp.python.general.

You can also read hundreds of other Python lists at gmane.comp.python.

--
Roses are red,
Violets are blue,
Most poems rhyme,
But this one doesn't.

Mark Lawrence

 

[Dennis Lee Bieber]

Okey he uses the password and he gain access to the databases, then
what? MySQL is a database server how can he run run arbitrary shell
commands by using MySQL?

Well, #1, if your account/password is the database administrator, then
they can create a new database user with full privileges -- so if you
change your password but don't examine the authorization system they could
still get into the database.

#2 -- the SELECT statement has options for "INTO OUTFILE 'filename'"
and "INTO DUMPFILE 'filename'".

The result: If someone can create a temporary table, they can then
populate the table with lines of HTML (using INSERT statements), and
finally they can SELECT lines FROM temp_table INTO OUTFILE
'/any/thing/the/server/can/access.html'


It's your server system, YOU need to learn how to investigate the
security system, read logs, etc. -- NONE of which belongs in this group.