www.milw0rm.com--Rooting SQL Server via SQL Injection??

Post by seneye »

I just watched the video for that...

http://www.milw0rm.com/#

Is it showing how to get into someone else's computer if they have a website?

I get that... what he did was something like this... He made a username and pass or something and just logged in using Remote Desktop...

So if I am right, he is now in the other person's computer, where he can do whatever he wanted? Can the other person see if you're doing something on their monitor?

Post by Losing_grip »

I guess you watch too much Matrix, buddy. It's not as easy as clicking a button and then an "Access Granted" window will pop up... Yeah, you can see what they're doing and whatever files are there... steal etc. using some RATs...

Google more :)

Post by bubzuru »

seneye wrote:
I just watched the video for that...

http://www.milw0rm.com/#

Is it showing how to get into someone else's computer if they have a website?

I get that... what he did was something like this... He made a username and pass or something and just logged in using Remote Desktop...

So if I am right, he is now in the other person's computer, where he can do whatever he wanted? Can the other person see if you're doing something on their monitor?

This is a SQL injection exploit; it just adds an admin user to the box. If it's running on Windows then you can log in through Remote Desktop, and no, I don't think they can see what you're doing; I think it locks them out.

Well, that's what it normally does with Remote Desktop.

And actually it's 4 clicks then "access granted", but I don't think you will find any exploitable boxes; they will all be patched.

Post by Lyecdevf »

seneye wrote:
Is it showing how to get into someone else's computer if they have a website?

I guess so, if they are running their own web server and are not hosting it somewhere else. In that case, if you can get root on the website you can continue escalating your privileges until you get admin or root on the web server. From there you could hack into other computers on the network. You would have to deal with hardware firewalls, software firewalls, IDS... and so on.
We will either find a way, or make one.
- Hannibal

Post by bad_brain »

The default setting for MySQL servers is to bind to localhost (127.0.0.1), so you can't connect to it from the outside anyway (port 3306 shows up as open, but there is no use for a potential attacker because MySQL only accepts connections from 127.0.0.1).
So the opportunities to "root" a MySQL server should be really rare and only possible because of catastrophic misconfiguration. If the server admin is halfway skilled he will also take actions to block SQL injection attempts... ;)
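
The setting bad_brain describes can be checked directly from the server's option file. The following is an added example, not part of the original thread; it assumes a my.cnf-style file and MySQL's `bind-address` and `skip-networking` options, and the sample configs and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample option files (not from any real server).
SAMPLE_LOCAL = "[client]\nport = 3306\n[mysqld]\nbind-address = 127.0.0.1\n"
SAMPLE_EXPOSED = "[mysqld]\n# all interfaces\nbind_address = 0.0.0.0  # wildcard\n"

def mysqld_options(text):
    """Collect options from the [mysqld] section of a my.cnf-style file."""
    opts, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "mysqld":
            continue
        key, _, value = line.partition("=")
        # MySQL treats '-' and '_' in option names as equivalent.
        opts[key.strip().lower().replace("_", "-")] = value.strip().strip("'\"")
    return opts

def is_loopback(addr):
    """True only for addresses that are provably loopback."""
    if addr.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # '*' or another hostname: treat as not loopback

def exposure(text):
    """Return 'no-tcp', 'loopback-only', 'exposed' or 'unset'."""
    opts = mysqld_options(text)
    skip = opts.get("skip-networking")
    if skip is not None and skip.lower() not in ("0", "off", "false"):
        return "no-tcp"  # server does not listen on TCP at all
    if "bind-address" not in opts:
        return "unset"  # built-in default applies; check the running server
    addrs = [a.strip() for a in opts["bind-address"].split(",") if a.strip()]
    if addrs and all(is_loopback(a) for a in addrs):
        return "loopback-only"
    return "exposed"

if __name__ == "__main__":
    for name, cfg in (("local", SAMPLE_LOCAL), ("exposed", SAMPLE_EXPOSED)):
        print(name, exposure(cfg))
```

An `unset` result means the file does not pin the listener, so the effective value has to be read from the running server rather than assumed.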
