Shulou(Shulou.com)06/01 Report--

This article mainly talks about "Mysql CVE-2016-6662 vulnerability Analysis". Interested friends may wish to take a look. The method introduced in this paper is simple, fast and practical. Next, let the editor take you to learn "Mysql CVE-2016-6662 vulnerability Analysis"!

Vulnerability description:

The vulnerability allows an attacker to inject malicious configuration into the mysql configuration file my.cnf, resulting in the ability to load arbitrary extension libraries. Getshell can be done when there are malicious instructions in the extension library.

Note:

The following experiments enable SELinux throughout the whole process

This vulnerability is also available when SELinux is enabled.

The experimental system is Centos7.

Scope of vulnerabilities:

Mysql # "

After the write is successful, view the file permissions:

Check the content and find that the new way to write a file through general_log will first write banner information, and then write a specific log.

Because the my.cnf file does not start with []. Mysql will report an error when it is read. Also unable to succeed in getshell:

(4) attack conditions

During the test, it is found that general_log will append files that already exist.

And the configuration in my.cnf. Incorrect configuration mysql will ignore the configuration. However, the configuration file must start with [].

Get the attack conditions:

When mysql has a my.cnf file that has been created, you can append the configuration to the file through general_log.

We created a / usr/loca/mysql/my.cnf. Simply write a configuration:

[mysqld] secure_file_priv = NULL

Ownership of the new my.cnf to mysql:

Chown mysql:mysql my.cnf

Restart mysql. Then we do the same as (3) above: modify the general_log path; enable general_log; to write malicious configuration items:

Check the configuration file. Since the configuration file has been written before, my.cnf now starts with []:

Try to restart mysql:

Successful getshell:

(5) / etc/my.cnf

In practice, it is possible that the configuration item for mysql is a default / etc/my.cnf. Can we append it to / etc/my.cnf via general_log?

The answer is: it depends.

The default permission for / etc/my.cnf is r rx r

If general_log is set in this case, an error will be reported:

If you want to write mysql, you need to have write permission

In reality, it is also common for administrators to mismatch permissions.

Change the / etc/my.cnf permission to rw r r:

Chmod 644 / etc/my.cnf

Attempt to write:

Successfully written:

Getshell is naturally successful after restart:

Non-root permissions-configure the mysql environment using exp

According to the Internet, there is no need for a root user, just a user with select,insert,create,file authority.

Let's create a user and its corresponding database:

Connect to mysql and execute the following statement:

Create database cvetest;grant file on *. * to 'cveuser'@'%' identified by' 123456 grant select,insert,create on cvetest.* to 'cveuser'@'%';flush privileges

Set the / etc/my.cnf permission to 600and the user is mysql:

Chmod 600 / etc/my.cnfchown mysql:mysql / etc/my.cnf configuration exp

First, we need to download the attack script written by the boss: a python file and a c file:

0ldSQL_MySQL_RCE_exploit.py:

Http://legalhackers.com/exploits/0ldSQL_MySQL_RCE_exploit.py

Mysql_hookandroot_lib.c:

Http://legalhackers.com/exploits/mysql_hookandroot_lib.c

Mysql-connector is not installed in the default kali, and this library is used in the script written by God.

If it is not installed, an error will be reported:

ImportError: No module named mysql.connector

We need to install it manually:

Python-m pip install mysql-connector

Since some of the configurations in the python script do not match our experimental environment, we also need to modify them manually:

(1) python-set the trigger trigger directory to the data directory of the experimental target machine

First of all, you need to know where the data directory of the target is. Connect to the mysql of the target machine and enter the command:

Show variables like "data%"

The value of datadir here is the data directory path of the mysql service.

Modify the python script:

(2) python-modify the export path of malicious so files

Although the script says that / tmp restart will lose files, / var/lib/mysql mysql also has permission to write

But in fact, an error may be reported when using it, and there is no permission to write.

Personally, I think it's best to change the path back to / tmp.

(3) C-repair rebound shell port

Edit the c file and note that it needs to be placed in the same directory as the python file.

Modify the configuration:

ATTACKERS_IP is set to attack machine ip

SHELL_PORT is set to the port where the attack plane receives the bouncing shell

INJECTED_CONF is set to the my.cnf path we used to attack

Run exp

Run exp directly:

Pyhton 0ldSQL_MySQL_RCE_exploit.py-dbuser cveuser-dbpass 123456-dbhost 10.11.123.249-dbname cvetest-mycnf / etc/my.cnf

Mysql trigger

Let's take a look at how this exp enables non-root users to modify the general_log configuration:

Locate the key SQL statement:

Extract it separately and format it to view:

This is a trigger.

But this is not performed directly, but is written to the file through the dumpfile statement of mysql:

Why use triggers? Why write it to a file and not execute it directly?

With these questions in mind, let's practice:

Non-root users cannot set global general_log directly

Let's start with one small detail:

The difference between select user () and select current_user ():

The user queried by select current_user () is the real user format that exists in the database.

Try to set up general_log:

No permissions.

Trigger-execute SQL statements with the privileges of others

The format description of the trigger on the official website:

The link to the official website is here:

Https://dev.mysql.com/doc/refman/5.7/en/create-trigger.html

Basically, the trigger of mysql can execute the SQL statement of the trigger as another user by setting the DEFINER parameter.

Statement:

Create definer='root'@'localhost' trigger test1 specifies that the user 'root'@'localhost' executes the trigger test1after INSERT trigger executes on test1.t1 after the INSERT statement is executed Which table to set the trigger for each ROW fixed format BEGIN fixed format Indicates that the SQL statement to be executed by the trigger starts select "1" into outfile "/ tmp/1234567.txt" The END fixed format of the SQL statement to be executed by the trigger, indicating the end of the SQL statement to be executed by the trigger

However, not any user can use the root user identity to execute.

To execute a trigger as root, the creator must have super permission:

Note:

Delimiter | indicates that the delimiter of each statement in Mysql is temporarily set to |, and the mysql statement delimiter is; by default. However, because the sql statement needs to be written in the trigger, there are; in the sql statement. Causes the sql statement to end prematurely. So you need to temporarily modify the delimiter.

Is this the end of it? We have another plan.

When we refer to the great god's script, we find that it writes the trigger to a file, which is also the path we need to modify when we use exp:

After mysql creates the trigger, will it be saved as a file?

Start the experiment and find out.

We use the root user directly to create the trigger:

Statement:

Just like the one above.

Create definer='root'@'localhost' trigger test1after INSERTon test1.t1for each ROWBEGINselect "1" into outfile "/ tmp/1234567.txt"; end |

Created successfully:

Let's take a look at the database file directory of mysql:

If you don't know where the database file directory is, type in the mysql terminal:

Show variables like "datadir%"

By default, the database folder name is the same as the database name under the database file directory. We find the directory of our test1 database and enter

Note: the database folders here are all writable for mysql users

It is found that there are really two more TRN files, and the useful file is the TRN file corresponding to the Datasheet name:

View the content:

In other words, the trigger file for mysql is stored in the database folder under the database file directory. The file name corresponds to the table name.

Exp principle

According to the above experiment, we can sort out the principle and process of exp:

(1) first connect to mysql. You don't need a root user to connect to the account, as long as you can select,insert,create,file

(2) write the malicious so library to the folder. You'd better write it here in the / tmp directory. You can also try to write to the mysql database directory

(3) create a new table to prepare for the following trigger

(4) write the configuration of the trigger to the trigger file, and the configuration of the trigger is to append the my.cnf file through general_log.

(5) operate on the table to execute the trigger

At this point, I believe you have a deeper understanding of "Mysql CVE-2016-6662 vulnerability Analysis". You might as well do it in practice. Here is the website, more related content can enter the relevant channels to inquire, follow us, continue to learn!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.