Merge pull request #481 from ertaku12/master

Added a privilege escalation vulnerability for MySQL 4.x/5.x versions.

linPEAS/builder/linpeas_parts/7_software_information/Mysql.sh

@@ -102,4 +102,41 @@ if [ "$(command -v mysql || echo -n '')" ] || [ "$(command -v mysqladmin || echo
   else echo_no
   fi
   echo ""
-fi
+fi
+
+### This section checks if MySQL (mysqld) is running as root and if its version is 4.x or 5.x to refer a known local privilege escalation exploit! ###
+
+# Find the mysqld process
+process_info=$(ps aux | grep '[m]ysqld' | head -n1)
+
+if [ -z "$process_info" ]; then
+  echo "MySQL process not found." | sed -${E} "s,.*,${SED_GREEN},"
+  exit 1
+fi
+
+# Extract the process user
+user=$(echo "$process_info" | awk '{print $1}')
+
+# Get the MySQL version string
+version_output=$(mysqld --version 2>&1)
+
+# Extract the version number (expects format like X.Y.Z)
+version=$(echo "$version_output" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n1)
+
+if [ -z "$version" ]; then
+  echo "Unable to determine MySQL version." | sed -${E} "s,.*,${SED_GREEN},"
+  exit 1
+fi
+
+# Extract the major version number (X from X.Y.Z)
+major_version=$(echo "$version" | cut -d. -f1)
+
+# Check if MySQL is running as root and if the version is either 4.x or 5.x
+if [ "$user" = "root" ] && { [ "$major_version" -eq 4 ] || [ "$major_version" -eq 5 ]; }; then
+  echo "MySQL is running as root with version $version. This is a potential local privilege escalation vulnerability!" | sed -${E} "s,.*,${SED_RED},"
+  echo "\tRefer to: https://www.exploit-db.com/exploits/1518" | sed -${E} "s,.*,${SED_YELLOW},"
+  echo "\tRefer to: https://medium.com/r3d-buck3t/privilege-escalation-with-mysql-user-defined-functions-996ef7d5ceaf" | sed -${E} "s,.*,${SED_YELLOW},"
+else
+  echo "MySQL is running as user '$user' with version $version." | sed -${E} "s,.*,${SED_GREEN},"
+fi
+### ------------------------------------------------------------------------------------------------------------------------------------------------ ###