[CentOS] C5 MySQL injection attack ("Union Select")

Thu Mar 24 17:03:27 UTC 2016
m.roth at 5-cent.us <m.roth at 5-cent.us>

Valeri Galtsev wrote:
>
> On Thu, March 24, 2016 10:32 am, Alice Wonder wrote:
>> On 03/24/2016 08:28 AM, m.roth at 5-cent.us wrote:
<SNIP>
>>>>> Ok, do you have a link or two to info about that?
>>>>
>>>> Mark, you seemed to snip away the link to presentation on youtube :
>>>>
>>>> https://www.youtube.com/watch?v=1PoFIohBSM4
<MVNCH>
Ok, now I *really* dislike videos. Since I'm not at home, and not putting
the video on a 42" TV, I *CANNOT* read most of what they're typing, and
the system responses not at all.

However, if, just before the video goes from the lead page announcing
"postgresql" to the video of them typing, for about a 3 sec pause, you
freeze the video, it says "this is from
<http://sql-info.de/mysql/gotchas.html>"

Great, so here's the text. And I start reading....
Excerpt:
The MySQL database server is being continually improved. Some gotchas
described here are no longer relevant for the latest versions; in these
cases the version numbers affected are noted at the top of each section.
As a rule gotchas have been tested against the most recent stable versions
from the 3.23.x, 4.0.x and 4.1.x series.
--- end excerpt ---

It says, at the bottom, that it was last updated in 2014.

When did mysql 5.0 come out - five years ago? more? Oh, sorry, I google
mysql 5.0 release, and I find release notes for 5.0.24... from TEN YEARS
AGO.

I don't really feel like testing out some of the site's gotchas in the
mysql we have running here... but everything here is from the std. base
repo, and for CentOS 6, is 5.1.73-5.

     mark

So, I don't have a lot of confidence in the gotchas, until I test it, or
find someone who's tested them in the last 10 years against the main
branch.

     mark