Tim Delaney said:


"Because there's no chance with the brilliance you display that there
could be any possibility of login details being kept in plaintext in
your database.


And of course your database is so well locked down that no attacker with
a login to it could then execute arbitrary code on your system.


And there's also zero chance that your personal account login details
are also available in plaintext somewhere that you're unaware of."
==========


Is it possible for someone that knows the MySQL password of a server to
run arbitrary code on a Linux server?


Okay, he uses the password and he gains access to the databases, then
what? MySQL is a database server, how can he run arbitrary shell
commands by using MySQL?


If yes, can you give an example please?


Also, is there a chance for my account's password to be retrieved in
some way due to MySQL access or perhaps by utilizing my own Python code?


I'm just trying to figure out how the upload of that .html file happened
to '/home/nikos/public_html'. I need a theory and Zero Piraeus to answer
too.


Please, serious replies only, I won't answer to ironic comments or jokes.


  • Antoon Pardon at Oct 2, 2013 at 12:37 pm

    On 02-10-13 14:20, Νίκος wrote:
    Tim Delaney said:

    "Because there's no chance with the brilliance you display that there
    could be any possibility of login details being kept in plaintext in
    your database.

    And of course your database is so well locked down that no attacker with
    a login to it could then execute arbitrary code on your system.

    And there's also zero chance that your personal account login details
    are also available in plaintext somewhere that you're unaware of."
    ==========

    Is it possible for someone that knows the MySQL password of a server to
    run arbitrary code on a Linux server?

    Okay, he uses the password and he gains access to the databases, then
    what? MySQL is a database server, how can he run arbitrary shell
    commands by using MySQL?

    If yes, can you give an example please?

    Also, is there a chance for my account's password to be retrieved in
    some way due to MySQL access or perhaps by utilizing my own Python code?

    I'm just trying to figure out how the upload of that .html file happened
    to '/home/nikos/public_html'. I need a theory and Zero Piraeus to answer
    too.

    Please, serious replies only, I won't answer to ironic comments or jokes.

    You are not asking a Python question. This is a Python list. Not a
    Nikos advice board. Find a list where your question is more appropriate.


    --
    Antoon Pardon
  • Feedthetroll at Oct 2, 2013 at 12:38 pm

    On Wednesday, 2 October 2013 14:20:00 UTC+2, Ferrous Cranus wrote:
    ...
    Is it possible for someone that knows the MySQL password of a server to
    run arbitrary code on a Linux server?
    ...
    If yes, can you give an example please?
    http://lmgtfy.com/?q=mysql+shell+escape

    Please, serious replies only, I won't answer to ironic comments or jokes.
    Please only questions about Python. This is not a MySQL or security list.


    PLONK!


    (Hey Thunderbird has a very useful new feature. Ignore thread.)
  • Tim Chase at Oct 2, 2013 at 1:21 pm

    On 2013-10-02 05:38, feedthetroll at gmx.de wrote:
    (Hey Thunderbird has a very useful new feature. Ignore thread.)

    Unfortunately, as of when I last tested it, it only works in the
    newsgroup part of TB, not the mail portion of TB.


    Sadly, Claws-Mail (my current mailer) doesn't have a native
    kill-thread functionality, but it does support external message
    filters, so I threw together a kill-thread filter in Python (bringing
    this back on-topic) which duplicates the TB functionality that I
    missed.


    -tkc
  • Terry Reedy at Oct 2, 2013 at 10:34 pm

    On 10/2/2013 9:21 AM, Tim Chase wrote:
    On 2013-10-02 05:38, feedthetroll at gmx.de wrote:
    (Hey Thunderbird has a very useful new feature. Ignore thread.)
    Unfortunately, as of when I last tested it, it only works in the
    newsgroup part of TB, not the mail portion of TB.

    One can read python-list as news.gmane.org newsgroup
    gmane.comp.python.general.


    --
    Terry Jan Reedy
  • Mark Lawrence at Oct 2, 2013 at 10:48 pm

    On 02/10/2013 23:34, Terry Reedy wrote:
    On 10/2/2013 9:21 AM, Tim Chase wrote:
    On 2013-10-02 05:38, feedthetroll at gmx.de wrote:
    (Hey Thunderbird has a very useful new feature. Ignore thread.)
    Unfortunately, as of when I last tested it, it only works in the
    newsgroup part of TB, not the mail portion of TB.
    One can read python-list as news.gmane.org newsgroup
    gmane.comp.python.general.

    You can also read hundreds of other Python lists at gmane.comp.python.


    --
    Roses are red,
    Violets are blue,
    Most poems rhyme,
    But this one doesn't.


    Mark Lawrence
  • Steven D'Aprano at Oct 2, 2013 at 1:25 pm

    On Wed, 02 Oct 2013 15:20:00 +0300, Νίκος wrote:


    Is it possible for someone that knows the MySQL password of a server to
    run arbitrary code on a Linux server?

    Yes, it is possible.

    Okay, he uses the password and he gains access to the databases, then
    what? MySQL is a database server, how can he run arbitrary shell
    commands by using MySQL?

    If yes, can you give an example please?

    Google for "run arbitrary shell commands MySQL". If you don't understand
    them, go find a beginner's forum where you can learn about MySQL, this is
    not it.


    https://duckduckgo.com/html/?q=run+arbitrary+shell+commands+MySQL
    https://www.google.com.au/search?q=run+arbitrary+shell+commands




    --
    Steven
  • Νίκος at Oct 2, 2013 at 1:41 pm

    On 2/10/2013 4:25 pm, Steven D'Aprano wrote:
    On Wed, 02 Oct 2013 15:20:00 +0300, Νίκος wrote:

    Is it possible for someone that knows the MySQL password of a server to
    run arbitrary code on a Linux server?
    Yes, it is possible.

    Is that what might have happened and someone managed to upload the .html
    file in '~/home/nikos/www/'?


    Can you think of any other way?
  • Ned Batchelder at Oct 2, 2013 at 1:58 pm

    On 10/2/13 9:41 AM, Νίκος wrote:
    On 2/10/2013 4:25 pm, Steven D'Aprano wrote:
    On Wed, 02 Oct 2013 15:20:00 +0300, Νίκος wrote:

    Is it possible for someone that knows the MySQL password of a server to
    run arbitrary code on a Linux server?
    Yes, it is possible.
    Is that what might have happened and someone managed to upload the
    .html file in '~/home/nikos/www/'?

    Can you think of any other way?

    As others have said in this thread, this is not a Python topic. Find
    another forum for this question. Do not ask it here again.


    You've said that you can improve. Show us by not asking non-Python
    questions here.


    --Ned.
  • Alister at Oct 2, 2013 at 2:34 pm

    On Wed, 02 Oct 2013 16:41:40 +0300, Νίκος wrote:


    On 2/10/2013 4:25 pm, Steven D'Aprano wrote:
    On Wed, 02 Oct 2013 15:20:00 +0300, Νίκος wrote:

    Is it possible for someone that knows the MySQL password of a server
    to run arbitrary code on a Linux server?
    Yes, it is possible.
    Is that what might have happened and someone managed to upload the .html
    file in '~/home/nikos/www/'?

    Can you think of any other way?



    There are many other ways (I am not a hacker so I would not know where to
    start)
    Against my better judgement I am going to give some advice (more to
    protect your customers than you)


    1) tie down access to your server, nothing should be accessible from the
    internet unless absolutely necessary.
    certainly your database should not be accessible and this should be
    blocked in multiple ways (protection in depth)


    you should close down any unnecessary services.
    shut your firewall to all traffic except http & https (ports 80, 443)
    unless absolutely necessary.
    set your database accounts to only allow log in from localhost & any
    explicit IP addresses that must have access


    & please google for further advice on server security & post questions in
    a suitable forum (not here)


    as many have said, security is not our area of expertise & this is the
    wrong place to ask.


    when correctly secured knowing your username & password should not be
    enough to allow access to your server.




    --
    I'm not under the alkafluence of inkahol
    that some thinkle peep I am.
    It's just the drunker I sit here the longer I get.
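
One way to check the advice above about limiting database accounts to localhost and explicit IP addresses. This is an added example, not part of the original post: the rows are constructed sample data in the shape returned by `SELECT user, host FROM mysql.user`, and the allow list, function names and addresses (documentation ranges) are assumptions.

```python
import ipaddress

# Host values that only permit connections from the database server itself.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def classify_host(host, allowed_ips):
    """Return (ok, reason) for one MySQL account host value."""
    h = host.strip().lower()
    if h in LOCAL_HOSTS:
        return True, "local only"
    if not h:
        return False, "empty host value"
    # MySQL treats % and _ in the host part as wildcards.
    if "%" in h or "_" in h:
        return False, "wildcard pattern, matches many clients"
    # address/netmask form covers a whole network.
    if "/" in h:
        return False, "network range, not a single address"
    try:
        addr = ipaddress.ip_address(h)
    except ValueError:
        return False, "hostname, not an explicit IP address"
    if addr in allowed_ips:
        return True, "explicitly allowed address"
    return False, "address not on the allow list"


def audit_accounts(rows, allowed):
    """Return (user, host, reason) for every account that breaks the policy."""
    allowed_ips = {ipaddress.ip_address(a) for a in allowed}
    findings = []
    for user, host in rows:
        ok, reason = classify_host(host, allowed_ips)
        if not ok:
            findings.append((user, host, reason))
    return findings


# Constructed sample rows (user, host); not taken from any real server.
SAMPLE_ROWS = [
    ("root", "localhost"),
    ("root", "%"),
    ("webapp", "127.0.0.1"),
    ("webapp", "192.0.2.%"),
    ("backup", "192.0.2.10"),
    ("report", "198.51.100.7"),
    ("legacy", "db.example.com"),
    ("batch", "198.51.100.0/255.255.255.0"),
]
# Assumed allow list: the only remote address that must reach the database.
ALLOWED = ["192.0.2.10"]

if __name__ == "__main__":
    for user, host, reason in audit_accounts(SAMPLE_ROWS, ALLOWED):
        print(f"{user!r}@{host!r}: {reason}")
```
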
  • Ravi Sahni at Oct 2, 2013 at 3:13 pm

    On Wed, Oct 2, 2013 at 8:04 PM, Alister wrote:
    On Wed, 02 Oct 2013 16:41:40 +0300, Νίκος wrote:

    On 2/10/2013 4:25 pm, Steven D'Aprano wrote:
    On Wed, 02 Oct 2013 15:20:00 +0300, Νίκος wrote:

    Is it possible for someone that knows the MySQL password of a server
    to run arbitrary code on a Linux server?
    Yes, it is possible.
    Is that what might have happened and someone managed to upload the .html
    file in '~/home/nikos/www/'?

    Can you think of any other way?

    There are many other ways (I am not a hacker so I would not know where to
    start)
    Against my better judgement I am going to give some advice (more to
    protect your customers than you)

    1) tie down access to your server, nothing should be accessible from the
    internet unless absolutely necessary.
    certainly your database should not be accessible and this should be
    blocked in multiple ways (protection in depth)

    you should close down any unnecessary services.
    shut your firewall to all traffic except http & https (ports 80, 443)
    unless absolutely necessary.
    set your database accounts to only allow log in from localhost & any
    explicit IP addresses that must have access

    & please google for further advice on server security & post questions in
    a suitable forum (not here)

    as many have said, security is not our area of expertise & this is the
    wrong place to ask.

    when correctly secured knowing your username & password should not be
    enough to allow access to your server.



    Thank you Alister for answering the needs of needy persons.
    I am also needy. Please be kind to me as well:


    There is poverty and injustice in the world. Why?? I NEED to know
    People suffer and die. How come? I MUST know
    And there are morons... Why?? PLEASE TELL


    --
    Ravi
  • Νίκος Ακεξόπουλος at Oct 2, 2013 at 5:06 pm

    On 2/10/2013 6:13 pm, Ravi Sahni wrote:
    On Wed, Oct 2, 2013 at 8:04 PM, Alister wrote:
    On Wed, 02 Oct 2013 16:41:40 +0300, Νίκος wrote:

    On 2/10/2013 4:25 pm, Steven D'Aprano wrote:
    On Wed, 02 Oct 2013 15:20:00 +0300, Νίκος wrote:

    Is it possible for someone that knows the MySQL password of a server
    to run arbitrary code on a Linux server?
    Yes, it is possible.
    Is that what might have happened and someone managed to upload the .html
    file in '~/home/nikos/www/'?

    Can you think of any other way?

    There are many other ways (I am not a hacker so I would not know where to
    start)
    Against my better judgement I am going to give some advice (more to
    protect your customers than you)

    1) tie down access to your server, nothing should be accessible from the
    internet unless absolutely necessary.
    certainly your database should not be accessible and this should be
    blocked in multiple ways (protection in depth)

    you should close down any unnecessary services.
    shut your firewall to all traffic except http & https (ports 80, 443)
    unless absolutely necessary.
    set your database accounts to only allow log in from localhost & any
    explicit IP addresses that must have access

    & please google for further advice on server security & post questions in
    a suitable forum (not here)

    as many have said, security is not our area of expertise & this is the
    wrong place to ask.

    when correctly secured knowing your username & password should not be
    enough to allow access to your server.

    Thank you Alister for answering the needs of needy persons.
    I am also needy. Please be kind to me as well:

    There is poverty and injustice in the world. Why?? I NEED to know
    People suffer and die. How come? I MUST know
    And there are morons... Why?? PLEASE TELL

    You are failing trying to mimic me. I have a reason when I ask because I
    did explanation for some matter.
    As for morons, yes there are lots of them in this world, including you
    trying to make fun out of this by impersonating me.


    You fail also as acting as a newbie, while you are a regular here.




    --
    What is now proved was at first only imagined! & WebHost
    <http://superhost.gr>
  • Νίκος at Oct 2, 2013 at 2:46 pm

    On 2/10/2013 4:58 pm, Ned Batchelder wrote:
    On 10/2/13 9:41 AM, Νίκος wrote:
    On 2/10/2013 4:25 pm, Steven D'Aprano wrote:
    On Wed, 02 Oct 2013 15:20:00 +0300, Νίκος wrote:

    Is it possible for someone that knows the MySQL password of a server to
    run arbitrary code on a Linux server?
    Yes, it is possible.
    Is that what might have happened and someone managed to upload the
    .html file in '~/home/nikos/www/'?

    Can you think of any other way?
    As others have said in this thread, this is not a Python topic. Find
    another forum for this question. Do not ask it here again.

    You've said that you can improve. Show us by not asking non-Python
    questions here.

    --Ned.
    But I need to know what happened and how this .html file got uploaded.
    This is not a Python question, but this happened from this Python NG.
    And perhaps my Python code was being utilized for this upload to happen.


    I must know.


    --
    *What is now proved was once only imagined!*
  • Ishish at Oct 2, 2013 at 2:55 pm

    On 02.10.2013 15:46, Νίκος wrote:
    But I need to know what happened and how this .html file got
    uploaded.
    This is not a Python question, but this happened from this Python
    NG. ... ...

    Who says that??
  • Ned Batchelder at Oct 2, 2013 at 3:15 pm

    On 10/2/13 10:46 AM, Νίκος wrote:
    On 2/10/2013 4:58 pm, Ned Batchelder wrote:
    On 10/2/13 9:41 AM, Νίκος wrote:
    On 2/10/2013 4:25 pm, Steven D'Aprano wrote:
    On Wed, 02 Oct 2013 15:20:00 +0300, Νίκος wrote:

    Is it possible for someone that knows the MySQL password of a server to
    run arbitrary code on a Linux server?
    Yes, it is possible.
    Is that what might have happened and someone managed to upload the
    .html file in '~/home/nikos/www/'?

    Can you think of any other way?
    As others have said in this thread, this is not a Python topic. Find
    another forum for this question. Do not ask it here again.

    You've said that you can improve. Show us by not asking non-Python
    questions here.

    --Ned.
    But I need to know what happened and how this .html file got uploaded.
    This is not a Python question, but this happened from this Python NG.
    And perhaps my Python code was being utilized for this upload to happen.

    I must know.

    This is not a topic for Python-List. We don't have answers for you, and
    you won't get answers to this question here. If you persist in asking
    about it here, don't be surprised when people get angry with you. This
    is anti-social behavior.


    I know you are upset about your server being compromised. I'm sorry
    about that, but it isn't on-topic here. There are other places you can
    get help with your question.


    --Ned.
  • Denis McMahon at Oct 2, 2013 at 4:02 pm

    On Wed, 02 Oct 2013 17:46:08 +0300, Νίκος wrote:


    But I need to know what happened and how this .html file got uploaded.

    The html file started out in an editor on another machine, and was
    created by someone typing at the keyboard. It was then saved to hard disk
    as a file. The other machine then read the file into memory, and then
    sent it as a byte stream to the tcp/ip stack, where it was broken down
    into packets which travelled across the tcp/ip network onto your
    server. Your server then re-assembled the packets into a byte stream
    which filled a block of memory, and then wrote the contents of that block
    of memory to disc as a file.


    (This explanation may contain some assumptions.)


    --
    Denis McMahon, denismfmcmahon at gmail.com
  • Ethan Furman at Oct 2, 2013 at 4:59 pm

    On 10/02/2013 07:46 AM, Νίκος wrote:
    On 2/10/2013 4:58 pm, Ned Batchelder wrote:
    As others have said in this thread, this is not a Python topic. Find
    another forum for this question. Do not ask it here again.

    You've said that you can improve. Show us by not asking non-Python
    questions here.
    I must know.

    *plonk*
  • Steven D'Aprano at Oct 2, 2013 at 5:39 pm

    On Wed, 02 Oct 2013 16:41:40 +0300, Νίκος wrote:


    On 2/10/2013 4:25 pm, Steven D'Aprano wrote:
    On Wed, 02 Oct 2013 15:20:00 +0300, Νίκος wrote:

    Is it possible for someone that knows the MySQL password of a server
    to run arbitrary code on a Linux server?
    Yes, it is possible.
    Is that what might have happened and someone managed to upload the .html
    file in '~/home/nikos/www/'?

    How the hell should I know? I am not a MySQL expert, and this is not a
    MySQL forum.


    Nikos, you embarrass me. I have gone out on a limb for you, and this is
    how you thank me? You said you were improving, and yet here you go
    completely ignoring the links I sent you, and continuing to ask off-topic
    questions here.


    Thanks for kicking me in the guts. I will remember this next time you ask
    a question.




    --
    Steven
  • Νίκος Αλεξόπουλος at Oct 2, 2013 at 6:02 pm

    On 2/10/2013 8:39 pm, Steven D'Aprano wrote:
    On Wed, 02 Oct 2013 16:41:40 +0300, Νίκος wrote:

    On 2/10/2013 4:25 pm, Steven D'Aprano wrote:
    On Wed, 02 Oct 2013 15:20:00 +0300, Νίκος wrote:

    Is it possible for someone that knows the MySQL password of a server
    to run arbitrary code on a Linux server?
    Yes, it is possible.
    Is that what might have happened and someone managed to upload the .html
    file in '~/home/nikos/www/'?
    How the hell should I know? I am not a MySQL expert, and this is not a
    MySQL forum.

    Nikos, you embarrass me. I have gone out on a limb for you, and this is
    how you thank me? You said you were improving, and yet here you go
    completely ignoring the links I sent you, and continuing to ask off-topic
    questions here.

    Thanks for kicking me in the guts. I will remember this next time you ask
    a question.
    I just asked your opinion on this.
    But okay, I will stop since this is not getting us anywhere.


    Neither will I reply to any more insulting comments.


    --
    What is now proved was at first only imagined! & WebHost
    <http://superhost.gr>

Discussion Overview
group: python-list @
categories: python
posted: Oct 2, '13 at 12:20p
active: Oct 2, '13 at 10:48p
posts: 19
users: 13
website: python.org
