MySQL Privilege Escalation Notes

Determining MySQL runtime privileges

Check the system's user accounts. If a dedicated `mysql` user exists, the MySQL service has probably been run under that low-privileged account rather than as root/SYSTEM, so escalation through MySQL may be limited.

Mysql Password Query

Some common system configuration files

LINUX/UNIX:

MOF

Exploitation conditions:

1. Windows 2003 and below

2. The account mysqld runs as has read/write access to the c:/windows/system32/wbem/mof directory

3. The secure-file-priv parameter is empty

Steps:

1. Upload the MOF file to a directory the MySQL account can read and write

2. Import the file into c:/windows/system32/wbem/mof/

Exploit:

⚠️WARNING

After a successful exploitation the MOF keeps re-creating the account: even if the account is deleted, it is rebuilt within five seconds. Use the following command to delete the account:

UDF

Exploitation conditions

1) For MySQL versions above 5.1, the udf.dll file must be placed in the lib\plugin folder under the MySQL installation directory.

2) For MySQL versions below 5.1, udf.dll is placed under c:\windows\system32 on Windows 2003 and c:\winnt\system32 on Windows 2000.

3) The MySQL account has INSERT and DELETE privileges on the mysql database so that it can create and drop functions. The root account is usually preferred, but any other account holding the same privileges as root can also be used.

4) The account has permission to write udf.dll to the appropriate directory.

Steps:

1. Check secure_file_priv

- When the value of secure_file_priv is NULL, mysqld is blocked from importing/exporting files and escalation is not possible.

- When the value of secure_file_priv is /tmp/, mysqld import/export is confined to the /tmp/ directory and escalation is not possible.

- When secure_file_priv is empty (no specific value), mysqld import/export is unrestricted and escalation is possible.

2. Check the plugin column of the account

- When the plugin value is empty, the account cannot be used and escalation is not possible.

- When the plugin value is mysql_native_password, the account can be used to connect and escalate.

3. View system architecture

4. Check the plugin directory

The current MySQL user needs write access to this directory.

5. Write the DLL file into the plugin directory and create the function

Error: Can't create/write to file ….. On MySQL versions above 5.1 the lib/plugin directory does not exist by default, and INTO DUMPFILE cannot create a directory when it writes a file.

6. Execute system commands
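The following is an added defender-side audit script, not part of the original notes. It encodes steps 1 to 4 of the UDF procedure (the three secure_file_priv cases, the account's authentication plugin and INSERT/DELETE rights, the system architecture, and whether the plugin directory is writable by the service account) as checks a DBA can run against the values returned by `SHOW VARIABLES` and `SELECT user, host, plugin, Insert_priv, Delete_priv FROM mysql.user`. The function names, the sample variable/user rows and the paths are constructed for the example; the same secure_file_priv classification applies to condition 3 of the MOF section.

```python
"""Audit a MySQL server for the UDF escalation preconditions (hypothetical
defender-side script). The query results are passed in as plain Python data
so the decision logic runs offline; run plugin_dir_writable() as the mysqld
service account on a real host."""
import os
import tempfile


def classify_secure_file_priv(value):
    """Map secure_file_priv to the three cases in the notes:
    None / 'NULL' -> 'disabled'     (import/export blocked)
    ''            -> 'unrestricted' (mysqld may write files anywhere it can)
    '/some/dir/'  -> 'limited'      (writes confined to that directory)"""
    if value is None or str(value).strip().upper() == "NULL":
        return "disabled"
    if str(value).strip() == "":
        return "unrestricted"
    return "limited"


def accounts_able_to_create_functions(user_rows):
    """(user, host) pairs that satisfy condition 3: a non-empty auth plugin
    plus INSERT and DELETE rights, approximated by the global Insert_priv and
    Delete_priv columns of mysql.user."""
    usable = []
    for row in user_rows:
        if not row.get("plugin"):  # empty plugin: the account cannot log in
            continue
        if row.get("Insert_priv") == "Y" and row.get("Delete_priv") == "Y":
            usable.append((row["user"], row["host"]))
    return usable


def plugin_dir_writable(path):
    """True when the directory exists and the current process may write to it."""
    return os.path.isdir(path) and os.access(path, os.W_OK)


def audit(variables, user_rows, plugin_dir_is_writable):
    """Combine the checks into findings and a yes/no on the UDF preconditions."""
    findings = []
    sfp = classify_secure_file_priv(variables.get("secure_file_priv"))
    if sfp == "unrestricted":
        findings.append("secure_file_priv is empty: set it to NULL or a dedicated directory")
    elif sfp == "limited":
        findings.append("secure_file_priv confines writes to " + variables["secure_file_priv"])
    accounts = accounts_able_to_create_functions(user_rows)
    for user, host in accounts:
        findings.append(f"{user}@{host} holds INSERT+DELETE and can CREATE/DROP FUNCTION")
    if plugin_dir_is_writable:
        findings.append(f"plugin_dir {variables.get('plugin_dir', '?')} is writable by the "
                        "service account: make it root-owned and read-only")
    return {
        "secure_file_priv": sfp,
        "architecture": variables.get("version_compile_machine", "unknown"),  # step 3
        "usable_accounts": accounts,
        "udf_preconditions_met": sfp == "unrestricted" and bool(accounts) and plugin_dir_is_writable,
        "findings": findings,
    }


# Constructed sample data standing in for real query output.
WEAK_VARIABLES = {"secure_file_priv": "", "plugin_dir": "/usr/lib/mysql/plugin/",
                  "version_compile_machine": "x86_64"}
HARDENED_VARIABLES = {"secure_file_priv": "NULL", "plugin_dir": "/usr/lib/mysql/plugin/",
                      "version_compile_machine": "x86_64"}
SAMPLE_USERS = [
    {"user": "root", "host": "localhost", "plugin": "mysql_native_password",
     "Insert_priv": "Y", "Delete_priv": "Y"},
    {"user": "app", "host": "%", "plugin": "mysql_native_password",
     "Insert_priv": "N", "Delete_priv": "N"},
    {"user": "stale", "host": "localhost", "plugin": "",  # empty plugin: unusable
     "Insert_priv": "Y", "Delete_priv": "Y"},
]


def demo_writable_check():
    """Exercise plugin_dir_writable() against a throwaway directory."""
    with tempfile.TemporaryDirectory() as d:
        return plugin_dir_writable(d)


if __name__ == "__main__":
    for label, variables, writable in (("weak", WEAK_VARIABLES, True),
                                       ("hardened", HARDENED_VARIABLES, False)):
        report = audit(variables, SAMPLE_USERS, writable)
        print(label, "udf_preconditions_met =", report["udf_preconditions_met"])
        for finding in report["findings"]:
            print("  -", finding)
```

All three preconditions have to hold at once for `udf_preconditions_met` to be true, so fixing any one of them (secure_file_priv set to NULL, the privileged account locked down, or the plugin directory made read-only for the service account) breaks the chain.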
