Path: blob/master/documentation/modules/exploit/multi/mysql/mysql_udf_payload.md
## Vulnerable Application

This module exploits MySQL by writing a `.so` or `.dll` file, containing a UDF that wraps a system call, into the plugins folder. The Windows DLL files are provided by @stamparm of the sqlmap project and are located here. As noted in #9677, these are 'de-cloaked' versions, which may attract AV attention.

The file is then loaded by MySQL, and arbitrary commands can be run. There are several caveats for this to function, however, including:

- `secure_file_priv`, a MySQL setting, must be changed from the default to allow writing to MySQL's plugins folder
- on Ubuntu, AppArmor needs a number of exceptions added, or must be disabled. Equivalents on other Linux systems most likely need the same
- the MySQL plugins folder must be writable
### Linux (Ubuntu 16.04 x64) Configuration

In this configuration, we'll run MySQL as root so that we get a privilege escalation.

1. Edit `/lib/systemd/system/mysql.service` and set `User=root`
2. Edit `/etc/mysql/mysql.conf.d/mysqld.cnf`. Under the `[mysqld]` header, change `user=mysql` to `user=root`
3. Edit `/etc/mysql/mysql.conf.d/mysqld.cnf`. Under the `[mysqld]` header, add `secure_file_priv=""`
4. Disable AppArmor for MySQL: `sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.mysqld`
5. Restart the MySQL service: `sudo systemctl restart mysql.service`
6. If you need to make the root user accessible remotely

   or
### Windows (Server 2012 x64) Configuration

One good reference for these instructions is PR #5334.

1. Download and install the MySQL installer
2. Install dependencies, including (at the time of writing) the Visual C++ 2013 Redistributable Package.
3. Edit `C:\ProgramData\MySQL\MySQL Server *\my.ini` and change the value of `secure-file-priv=` to `""`
4. Make the `C:\Program Files\MySQL\MySQL Server *\lib\plugin` folder writable by the MySQL (service) user.
5. If you need to make the root user accessible remotely

   or
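As an added example (not part of this module's documentation or of Metasploit), the following Python parses the `[mysqld]` section of an option file such as `mysqld.cnf` or `my.ini` and flags the two settings the steps above change: an empty `secure_file_priv` and `user=root`. The two sample configurations are constructed; MySQL treats `-` and `_` in option names as interchangeable, so both spellings used on this page are recognised.

```python
# MySQL option names may use '-' or '_' interchangeably (hence secure_file_priv vs secure-file-priv above).
def parse_mysqld_section(text):
    """Return {option: value} for the [mysqld] section of a MySQL option file."""
    section, opts = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and surrounding whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "mysqld":
            continue
        key, _, value = line.partition("=")       # options without '=' get value ""
        key = key.strip().lower().replace("-", "_")
        opts[key] = value.strip().strip("\"'")    # unquote "" or '' values
    return opts

def audit_mysqld(text):
    """Return findings for the two [mysqld] settings this document changes."""
    opts = parse_mysqld_section(text)
    findings = []
    # An absent option leaves the build's compiled-in default in place; an explicit
    # empty string removes the restriction on where the server may write files.
    if opts.get("secure_file_priv") == "":
        findings.append("secure_file_priv is empty: file writes are not confined to a directory")
    if opts.get("user") == "root":
        findings.append("user=root: a loaded plugin runs with root privileges")
    return findings

# Constructed samples: the first mirrors the Ubuntu steps above, the second a typical packaged default.
WEAK_CNF = """
[mysqld_safe]
socket = /var/run/mysqld/mysqld.sock
[mysqld]
user            = root
secure_file_priv=""
plugin-dir      = /usr/lib/mysql/plugin   # trailing comment
"""

HARDENED_CNF = """
[mysqld]
user = mysql
secure-file-priv = /var/lib/mysql-files
"""

if __name__ == "__main__":
    for name, cnf in (("weak", WEAK_CNF), ("hardened", HARDENED_CNF)):
        print(name, audit_mysqld(cnf) or ["no findings"])
```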
## Verification Steps

1. Install MySQL and make it vulnerable as described above
2. Start msfconsole
3. Do: `use exploit/multi/mysql/mysql_udf_payload`
4. Do: `set rhost [ip]`
5. Do: `set srvhost [ip]`
6. Make sure target and payload are correct
7. Set MySQL login information
8. Do: `exploit`
9. You should get a shell.
## Options

**FORCE_UDF_UPLOAD**

This option forces the upload of a UDF `.dll`/`.so` file even if one that already provides the system call exists on the target.
## Scenarios

### Ubuntu 16.04 with MySQL 5.7.20

In this case, the service has been configured as noted in the first section of this document: a remotely accessible MySQL running as root.

### Windows Server 2012 with MySQL 5.7.20
...snip...