security - Is it possible to write files with MySQL via SQL injection?


Long story short, we found files promoting drugs on our servers that we did not put there. There are very old applications on Windows Server, and they run MySQL 5.1.11.

Beyond other security loopholes, can SQL injection be used to write files to the server file system? I'm sure some of these older applications are weak against SQL injection attacks. I do not think this is possible, but I think I remember reading somewhere that MySQL can access the "command line" and write files through it, although I cannot find a source for that information. Then again, my mind may be playing tricks on me. If it is possible, is there a setting that can disable it?

In addition, I am not looking for an answer that says to get rid of the SQL injection vulnerability, although that clearly needs to be done; I'm looking for a quick short-term fix that will prevent the bad files from reappearing while the SQL injection vulnerabilities are being fixed. It will take a long time to sort out all the old apps.

Thank you.

This is possible, especially with the appropriate careless configuration.

For example,

but it is also more likely to have a different security problem. I seriously consider taking the software offline very quickly, especially if there is any confidential or personal information in the database.
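
MySQL only lets a statement read or write files on the server host when the connecting account holds the global FILE privilege, so one short-term control for the question's "setting" is to find application accounts that have it and revoke it. The following is an added example, not part of the original question or answer; it parses constructed `SHOW GRANTS` output, and the account and database names are hypothetical.

```python
import re

# Matches the global-level line of SHOW GRANTS output, e.g.
#   GRANT SELECT, FILE ON *.* TO 'webapp'@'localhost' IDENTIFIED BY ...
GLOBAL_GRANT = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+\*\.\*\s+TO\s+"
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'",
    re.IGNORECASE,
)

def accounts_with_file(grant_lines, admin_accounts=()):
    """Return sorted (user, host) pairs that can read/write server files.

    FILE is a global privilege, so only ON *.* lines matter; ALL PRIVILEGES
    on *.* includes it. Accounts listed in admin_accounts are skipped.
    """
    flagged = set()
    for line in grant_lines:
        m = GLOBAL_GRANT.match(line.strip())
        if not m:
            continue  # database- or table-level grant: cannot carry FILE
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        account = (m.group("user"), m.group("host"))
        if privs & {"FILE", "ALL PRIVILEGES", "ALL"} and account not in admin_accounts:
            flagged.add(account)
    return sorted(flagged)

def revoke_statements(accounts):
    """Build the REVOKE statements a DBA would review and then run."""
    return ["REVOKE FILE ON *.* FROM '%s'@'%s';" % a for a in accounts]

# Constructed sample: SHOW GRANTS output collected for three hypothetical accounts.
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
    "GRANT SELECT, INSERT, UPDATE, FILE ON *.* TO 'legacy_app'@'localhost'",
    "GRANT USAGE ON *.* TO 'reports'@'%'",
    "GRANT SELECT ON `shop`.* TO 'reports'@'%'",
    "GRANT ALL PRIVILEGES ON `shop`.* TO 'legacy_app'@'localhost'",
]

if __name__ == "__main__":
    risky = accounts_with_file(SAMPLE_GRANTS, admin_accounts={("root", "localhost")})
    for stmt in revoke_statements(risky):
        print(stmt)
```

Revoking FILE leaves ordinary SELECT, INSERT and UPDATE access untouched, so an application that never imports or exports server-side files keeps working.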

