Database penetration testing and privilege escalation using user-defined functions (video, 45 minutes)
In his latest video, Motasem Hamdan discusses database exploitation, focusing mainly on MySQL and MariaDB. He explains that MariaDB is in fact an extension of MySQL, yet the exploitation and testing of the two databases can differ significantly. The material encourages viewers to understand how limited database access can be converted into root access with the help of information gathered about the database's variables. A key step is inspecting those variables with the 'show variables' command. Motasem stresses that knowing the database version is essential, because it can reveal vulnerabilities that may be usable for privilege escalation.
During the demonstration he uses Metasploit and Metasploitable to connect to the database at 192.168.94.134, assuming that he already holds valid credentials. He points out important variables such as the database version and the plugin directory, both of which can feed into an attack. He also stresses that if no plugin directory is found in the database, one should not attempt to create it, so as to avoid damaging a production system.
Hamdan then explains the concept of a user-defined function (UDF), which allows shared object files to be transferred into the database and executed. He outlines how to prepare a suitable function using the provided code and how to compile the program so it can be used in an attack. He walks through the configuration process, including the modifications needed for it to work with MariaDB and the transfer of the compiled code to the appropriate directories.
In the demonstrated example, however, Motasem runs into problems caused by the missing plugin directory, which prevent successful exploitation. Nevertheless, he conveys valuable information about the methodology of penetration testing and about learning database security, which underlines its critical role in protecting systems against unauthorised access.
Towards the end of the video, Motasem reminds viewers to avoid exploiting potential vulnerabilities in live production systems without proper authorisation and safeguards. He also encourages viewers to ask questions about the material, which supports learning and skill development in database security. At the time of writing, the video has 6731 views and 161 likes, which shows growing interest in the topic.
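As an added defender-side example (not code from the video or its author): the preconditions the summary lists for UDF abuse, an exposed plugin directory, unrestricted file writes through INTO DUMPFILE and an old server version, together with any leftover entries in the mysql.func table where UDFs are registered, can be checked with a small audit script. The sample SHOW VARIABLES and mysql.func output, the APPROVED_UDFS allowlist and the MIN_SUPPORTED baseline below are constructed assumptions; in practice the two tables would come from the mysql client.

```python
"""Audit a MySQL/MariaDB server for the UDF-abuse preconditions discussed in
the video: an exposed plugin directory, unrestricted INTO DUMPFILE, an old
server version, and user-defined functions registered in mysql.func.
Added example; not code from the video or its author."""

import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the rows of `SHOW VARIABLES` that matter here, in the
# table layout the mysql client prints.
SAMPLE_VARIABLES = """\
+------------------+-------------------------+
| Variable_name    | Value                   |
+------------------+-------------------------+
| plugin_dir       | /usr/lib/mysql/plugin/  |
| secure_file_priv |                         |
| version          | 5.0.51a-3ubuntu5        |
+------------------+-------------------------+
"""

# Constructed sample: `SELECT name, dl FROM mysql.func`. The second row is the
# kind of entry a CREATE FUNCTION ... SONAME on an uploaded .so leaves behind.
SAMPLE_FUNC = """\
+------------------+-----------+
| name             | dl        |
+------------------+-----------+
| lib_example_func | legit.so  |
| system_execution | udf.so    |
+------------------+-----------+
"""

# Assumption: the defender keeps an allowlist of approved (name, library) pairs.
APPROVED_UDFS: Set[Tuple[str, str]] = {("lib_example_func", "legit.so")}

# Assumption: oldest major.minor branch the organisation still accepts.
MIN_SUPPORTED = (5, 7)

# One "| col1 | col2 |" row of two-column mysql client output.
ROW = re.compile(r"^\|\s*(.*?)\s*\|\s*(.*?)\s*\|$")


def parse_table(text: str) -> List[Tuple[str, str]]:
    """Return (col1, col2) pairs from two-column mysql client output,
    dropping the border lines and the header row."""
    matched = [ROW.match(line.strip()) for line in text.splitlines()]
    pairs = [(m.group(1), m.group(2)) for m in matched if m]
    return pairs[1:]  # first matched row is the column header


def audit_variables(rows: Dict[str, str]) -> List[str]:
    """Flag server settings that make a UDF upload possible."""
    findings = []
    version = rows.get("version", "")
    m = re.match(r"(\d+)\.(\d+)", version)
    if m and (int(m.group(1)), int(m.group(2))) < MIN_SUPPORTED:
        findings.append(
            f"version {version} is below the {MIN_SUPPORTED} baseline; "
            "check it against known vulnerabilities and patch")
    if "plugin_dir" in rows:
        findings.append(
            f"plugin_dir is {rows['plugin_dir']}: CREATE FUNCTION loads .so "
            "files from here, so it must not be writable by the mysql user")
    # Absent or empty secure_file_priv means INTO DUMPFILE may write anywhere
    # the server process can; NULL disables file export entirely.
    if rows.get("secure_file_priv", "") == "":
        findings.append(
            "secure_file_priv is empty: SELECT ... INTO DUMPFILE is "
            "unrestricted and can reach plugin_dir")
    return findings


def audit_udfs(func_rows: List[Tuple[str, str]],
               approved: Set[Tuple[str, str]]) -> List[str]:
    """Flag every registered UDF that is not on the allowlist."""
    return [f"unapproved UDF {name} loaded from {dl}"
            for name, dl in func_rows if (name, dl) not in approved]


def run_audit(variables_text: str = SAMPLE_VARIABLES,
              func_text: str = SAMPLE_FUNC,
              approved: Set[Tuple[str, str]] = APPROVED_UDFS) -> List[str]:
    """Parse both tables and return the combined list of findings."""
    variables = dict(parse_table(variables_text))
    return audit_variables(variables) + audit_udfs(parse_table(func_text), approved)


if __name__ == "__main__":
    for finding in run_audit():
        print("-", finding)
```

On a real server the same checks translate into hardening: set secure_file_priv to NULL or a dedicated directory, keep plugin_dir root-owned and read-only for the mysql service account, and review mysql.func after any incident, since a UDF survives server restarts until it is dropped.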
Timeline summary
- Introduction to database exploitation.
- Overview of various databases such as MySQL and Oracle.
- Focus on MySQL and MariaDB.
- MariaDB is an extension of MySQL.
- Discussion of the differences in exploitation between the two.
- Introduction of exploitation methods.
- Connecting to the database using Metasploitable.
- Assumption of holding valid database credentials.
- How to convert limited database access into root access.
- Using SHOW VARIABLES to find database details.
- The importance of knowing the database version.
- Searching for exploits based on the database version.
- Checking the plugin directory to explore vulnerabilities.
- Explanation of why some exploits need root access.
- User-defined functions (UDF) for command execution.
- Demonstration of an exploit using user-defined functions.
- Explanation of the privilege escalation exploit.
- Identifying how to build shared objects for exploitation.
- Warning against creating plugin directories in production.
- Demonstration of the exploit's limitations on Metasploitable.
- Setting variables to run the exploit.
- Importing the shellcode into the plugin directory.
- Obtaining a root shell from the MySQL database.
- Summary and invitation to ask questions.
Transcription
Welcome back. Today, we will be talking about database exploitation. So, basically guys, we have multiple types of databases from MySQL, MariaDB, and also we have Oracle databases. In this video, we're going to talk about MySQL and Maria database. So, you know, basically Maria database is an extension of MySQL, so it's not considered a separate kind of database, right? But basically, the exploitation and testing of both databases differ in various levels. So, in this lesson, we're going to talk about the exploitation of these two databases with simple examples, and we're going to demonstrate some advanced knowledge later down the road. So, for this lesson, I'm going to use Metasploitable. So, I'm going to connect to the database. My database exists at the address 192.168.94.134. I connect. Okay, now this scenario that we are laying down in this video, guys, assuming that we have the username and password of the database. So, this level we are at right now is an advanced level during the penetration testing. So, assuming that we did the enumeration, you did the analysis, you did the reconnaissance, and you have gained some kind of limited shell access, or you have gained, in some way, you have found the database credentials. So, now we're going to explain how we can convert the limited access we have on the database into a root shell. So, basically here, whenever we are on a MySQL database, guys, or MariaDB, we want to know what are the variables of this database. So, we can do that using show variables. Why? Because variables here show and display great details about the software of the database and the current settings. So, for example, I can go up, I can see the rise, I can see the rise variables and their corresponding values. Now, what's important for me here is, if we go down, if we scroll down, we want to see the directory file. So, here the directory file where the database lies, actually. 
So, this is the directory file of the MySQL database in the host we are testing. Now, we can also view other variables. If we scroll down, okay, so we can see here the version, right, so 5.0.51a. That's the version of the database. Now, you're going to say, oh, I have root access to the database. Why would I care about the version of the database anyway? Now, basically, guys, the version of the database may reveal exploits or other techniques or vulnerabilities that you can harness in order to convert your access to database into a root shell on your side, right? So, we don't need, technically, you can do privileged escalation on this database. So, basically, the next step, we can go to here and clear the screen using search exploit, and we type the, let's type MySQL first. Now, here, as you can see, you can see great details here and so much info. Now, what I need here, guys, that's the version. The version is 5.0.51a. So, here is we have one. This is the remote denial of service. We don't want this. So, basically, as you can see, 5.0 onward, all the way here, we can see the current vulnerabilities we can use against this database or we can exploit, right? Okay, great. Now, suppose that you haven't found the version or a vulnerable version of the database you are enumerating. So, what you're going to do here? Basically, guys, you can use vulnerabilities, right, like you can use some of these exploits and apply the concept of it on this database, right? I'm going to explain that later in the video. Now, we're going to continue on the enumeration. Now, second, we go back, and here, most importantly, guys, we want to know if there is a plugin directory in the database. Why? If I scroll up, I cannot see variable for plugin directory. So, without scrolling, you can do select plugin directory. It's saying there is no variable called plugin directory, which means that the current database doesn't use plugins. 
And the use of plugins in databases have introduced many vulnerabilities, among them the use of system function to execute commands. So, basically, execute commands can be done through plugin directory, and it's a functionality used by system administrators. But since we don't have it here, we cannot look for an exploit to use this plugin directory. But in this video, guys, I'm going to explain to you how to use that, right, in order to gain access to any database you want. Okay. So, databases, so we have, you know, Metasploit, MySQL, plugin, and the rest. Now, if you have the root credentials of database, I don't think you are interested in enumerating and displaying the values of the tables, right? We got the root password. What do you want else? What we want else is we want to convert the access we have from MySQL into root shell. Okay. So, we're assuming now that among these exploits, we haven't found exploits we are looking for, right? All right. Now, if we go down and search again for search exploit UDF. Okay. So, UDF, as you can see, I'm going to tell you what is UDF. So, we have one for command execution. These are defined. I have other two vulnerabilities for this. And we have one for PostgreSQL. There is no, doesn't appear to be an existence for MariaDB, for the user-defined function. Now, what does user-defined function do, guys? User-defined function allows system administrators to transfer shared object files into database in order to execute commands. So, if we can create a user-defined function and transfer a shellcode of our own after we compile it into a shared object, we're going to try, we may gain root access or we may convert our, we may execute system commands on database to have root access since we have root-level privilege here on the database. So, we can do whatever we want. To demonstrate the concept of user-defined function and how we can use this to execute any data, to exploit any database, guys, at least you try it. 
We can, I'm going to demonstrate this exploit. I'm going to open the file and explain it. All right. So, let me check. Okay. So, as you can see here, guys, if we go to Firefox, or let me tell you something. We don't need Firefox. Okay. As you can see, you can find this exploit on exploit database website. It started MySQL user-defined and its objective is to create a system function to do local privilege escalation, right? Okay. Now, let's explain this exploit in order to understand the concept. So, basically, we will start with this. So, as you can see, the first thing we notice, guys, is a shellcode. We have two shellcodes defined online, as you can see, 40 and 41. Now, these shellcodes are kind of payload, right? It could be a payload created with MSF Venom, or it could be a hexadecimal representation of a payload. It's hexadecimal representation, actually. This is hex variable, hex value, right? So, this is hexadecimal representation of some payload, right? And this payload must be in the shared object format. I'm going to tell you about this later. Okay. Now, we go down. We're going to define username and password. And we go down. Okay. In this line. So, in this line, guys, as you can see, we have kind of SQL query here. It starts from here. That's query the plug-in directory variable, which we couldn't find on Metasploitable database. But this plug-in directory holds all the plug-ins and holds all the shared objects through which we can execute our shellcode. That's why it's important to enumerate the variables on your database and look for the plug-in directory. Once you find it, then you can go further with your exploitation using the user-defined function method. Let's go back. All right. Now, if we go down. Okay, here. OS system. So, in line 92, as you can see, the code here used dump file, the function dump file or the query dump file. So, the code here dumps the shellcode binary content into a file. So, the shellcode binary content is this one, right? 
You're going to create it on your own, right? It's going to dump the shellcode content into what? Tell me. Into an output file. So, the output file is this one, which exists in the plug-in directory. So, basically, we are transferring the shellcode we have created into the plug-in directory. Okay, we go down, scroll down. Okay, on this line, OS system as well. So, here it creates a function named this one. So, this query creates a function called system execution. Leveraging the uploaded binary file, right? So, basically, here we are executing a system function, and the script checks if the function was successfully created on line 104. So, it checks if the function we created here has successfully been created, right? Okay. Next, after we create the function, we need to execute it, right? So, we go down to the line where the function is executed. Okay, line 113. This one? Alright, so here is the line where the function is executed. And, as you can see, they define root root as the owner, and that's why this exploit, or these kind of exploits, require you to have the root password of the database. Which means that you are way further on your, you know, penetration testing, let me say, journey, right, or plan. Okay. So, essentially, guys, this is what the exploit does. So, first thing, we need the plugin directory to be set, right? Second, let me go back. We need to, technically, guys, this exploit is ready to use. You can use it on your, if you are inside the system, or if you are inside the machine, you can use it, actually. So, here, if you're going to use this payload on its own, let's go to desktop, and exit that. Okay. So, here, we're going to say, sudo python2. This exploit will not work on the Metasploitable database. Why? Because there isn't a plugin directory at all. I know we can create it, but if you don't see it, I don't recommend you to create a plugin directory for a database which doesn't have a set directory. Why? 
Because in production system, you would mess things up, actually. So, if you're doing penetration testing for your clients, and you haven't found a plugin directory, don't try to smarten your ass up and create a plugin directory to prove that you can exploit the database, all right? Don't try it. Just leave it as its own. Now, here, in Metasploitable, guys, without plugin directory, this exploit will not work, because there is no plugin directory, as I told you guys. But, for demonstration purposes, you know the idea now. Okay. Let's see what will happen. So, username, root. I'm not sure of this. Okay. Cool. So, it's asking for the username, which is root, and the password is blank. But, for some reason, it is giving out syntax error. Okay. Okay. U root. You see, I don't know why. Okay. So, the password for Metasploitable root is blank. So, it's saying it can't connect. Why? Because I'm executing the exploit, guys, from my machine. This exploit needs to be executed from the box you are testing, assuming you have limited shell access, right? Okay. Let's go back and explain to you how to create. Let's go back to the exploit, actually. sudo nano 4.6. Okay. So, let's say, guys, that you have found a plugin directory, right? And you want to apply the defined function vulnerability, or exploit, sorry, on this machine, right? But how do you get the shellcode? Now, the shellcode here is the hexadecimal representation of a shared object. All right? Now, how do we go about creating this shared object? So, basically, guys, if we go to Firefox, and we go to, and then we type GitHub. What was the name of the product? Link MySQL. Ah, we do have library. So, we need to import the library first. So, we have here multiple files, among which is the shared object. That's the file you need to import. Okay? Okay. Let's now clone this into our system and see how this works. Let's go back. We'll keep this here, and we go back to this layer. Okay. Git clone. Git clone. Sorry. Okay. 
Let's go to the directory. Okay. So, now we have the C file, and we have the shared object file. All right? Okay. Let's first understand how we can use these files. So, we have shared object file, and we have C file. All right? Basically, guys, in order to use this effectively and create an exploit out of it, we need to understand and know what is the database we are exploiting. So, in case it is MySQL, or in case it's MySQL, you can leave this as it is. Right? But in case it's Maria database, you need to do some modifications. Let's first explain the C file and how this works. Nano. Okay. Let's go down. Okay. Let's go down. I think this line. We need to find the system execution function. Okay. Here it is. Oh, no. Not this one. Okay. This one. So, here, as you can see, according to this code, guys, the function exported by the shared library after compilation is named this one, system execution. Right? So, technically, this C, C++ file, actually, guys, it's kind of, you know, shows a fairly standard UDF library that allows for execution of system commands through C, C++ system function. So, from this section, we understand that this C file allows us to execute system commands, right, through the user-defined function, and that's how we can use this and import it into the plugin directory of any database to execute system commands. Okay. Let's go down. Okay. Now, there is something missing here you need to add, actually. Here, after this finishes, we need to declare or put return in order to execute the system command. So, system, and we put the arguments, args, zero, and we close this. Save the file. Okay. We're ready. Okay. We're ready. Now, the next thing, guys, we need to compile this. And, in order to compile this, guys, we need to use the uninstall.sh file and the makefile. All right? But, before compiling this, we need to take a look at the makefile first. Why? Because, as I told you, guys, this is a general exploit. 
It works on MySQL, but it may not work on other versions. So, we need to make the difference between them. Makefile. All right. So, I understand from here that user include MySQL. Okay. From this line, we can conclude that this shared object is for MySQL. Okay? Now, how can we make it for, let's say, Maria database, which is used widely, actually? What we can do, we can copy that. And, copy that. And, paste it here. And, do our modification. So, instead of that, we can do here user. Okay. This one, we shouldn't have removed it. MySQL. Okay. Shared library. Okay. I think this one also works on Maria database. What do you think? Well, I think we need to, actually, we need to modify a bit. So, here, we modify MySQL. And, put Maria DB server. Okay. Let me remove the rest here. I don't need it. Okay. Okay. Now, from here onward, we can type user include Maria DB. Another one. User include Maria DB server private. Okay. And, now, put shared with the name of define UTF. All right. And, you are done for the install, actually. You can use the dismake file. Now, if you want to use it for compiling a shared object for MySQL, you're going to remove this line and leave this. If this is for Maria database, remove this line and keep this one. Right? Okay. Let's exit. Now, the next thing, we can type make. We can type make. Yeah, I know. Because I'm not executing on the testing machine. It's going to give error. Now, all of this needs to be done, or all of this needs to be done after you uninstall the dependencies, actually. The dependencies is we need to sudo apt install default and install library MySQL. And, okay. Let's uninstall it first. All right. That's a clear make. There are some warnings. I think sudo nano. Did you give permission to this file? Hmm. Also need to uninstall the crypt edge. All right. Okay. Now, since the target is MySQL, now this works for MySQL. And, if your target is MySQL, you don't need to type make. Right? You just use it as it is. 
But, if your target is Maria database, okay, you need to modify the C file, as I told you how, and then make the file. And, when you make the file, it's going to give you a new shared object library, which you're going to use to import in the plugin directory of the database. Now, here, but for some reason, I cannot execute it. Here's the crypt edge on the header. How do we go about this header? Let's Google it. So, the header file, we don't have it. So, we can install the headers, which we have already installed. Or, I have an idea. I think we need to type sudo apt update before we attempt the installation. We need to type sudo apt update before we attempt the installation. Okay, let's try installing the others again. Let's go back. It's saying, okay, let's try this without the default term. Make. How about this? Hmm, I think we forgot something guys. Now technically we didn't initiate the install actually. This one. I keep getting errors saying leave my secret client development software installed and I have it. Okay, I think there is a different version for this. Sudo. Come on. So what do we do if we don't have it and it can't be installed for some reason? Let's go with this. Optikit install mypythonpip and optikit install mypythonpip. All right. Okay. Okay. So if we try these. So it's saying I have broken packages. So I'm not going to waste your time guys. I think it needs some fix on my side for the packages. But let's not deviate the video. I mean go back to the topic. So after you modify this DC file according to the database you want to target and you make the file. You're going to have a result of shared object file. Now the next thing we need to do guys is to convert this shared object that we're going to import into the library. We're going to import the plugin director of the database into a hex file. So we do that. Use xxd. And the file is this one. Let's copy it. I'm tired of copying and pasting. Okay. And then. Okay. We continue to xxd command. 
And we output this to the same one but with hex. So. All right. Is there anything else we need to do here? Okay. So here we need to output this on different lines. Okay. Now let's list the contents and cat this. All of this. So basically we need to import all of this. This is too much. That's a clear. Okay. So here you copy the content of this. All of it. And you end this. And the next thing, guys, we need to do is to start exploitation. So we go back and we connect to the database. Okay. Next thing we need to do, guys, is to set the variable. So first let's open a new terminal and go back to the code. So we go back here. We use the same method of this exploit. So we need the shell code actually here. This shell code, we will import it into the database and define it as a variable. So here we set. We go back to the database. And we set a variable called shell. Equal 0x. And we put the exploit and enter. I forgot the. Okay. So note here we added 0x to the beginning of the shell code. And as you can see, we didn't type double quotes or single quotes. This is necessary. Actually, why? Because we are using or we are testing Maria database. It's necessary for Maria database to read the text as binary. Okay. Every time I look, but this is not Maria database. It's not going to work. I'm showing you only the required steps. Okay. Now the next thing, guys, we need to do here to import the shell code into the plugin directory. So we do that by using select binary and the variable is shell into dump file. And here is the plugin directory. How do you get the plugin directory? You use select plugin directory. It's saying there is no plugin directory because there is not actually. So we go back here to the import command. Select binary shell into dump file. And here we put the path of the plugin directory. In case it is whatever, we put here the path. So typically it is var lib MySQL plugin. Right. And here we put the name of the shared object. Let's say it is UDF. Right. 
Now after we execute this, after we execute this command, guys, the shell content of the shell variable will be imported into the shared object in the plugin directory. And from now, from this point onward, we're going to be able to execute system commands. Now let's suppose that we have imported the shell code into the shared object of the plugin directory. What comes next, guys, is the execution or the obtaining of root shell from this MySQL database. Right. Okay. So on a separate command here, we start a listener. Let's say it's Python for simplicity. Python 3. Okay. So now I have a listener. And from here, I'm going to use what we have built on in this explanation, okay, to obtain root shell. Right. Now if this command has succeeded, right, the next thing is to use the system execution function to execute commands. How? So let's say it's execution. And here we put the command you want or the CMT you want to execute to test out. So basically in my case, I have a listener here. Right. So I'm going to try wget and put the address of the machine, our machine, typically. And we enter. I know because there is no plugin directory, as I told you. So here we'll connect back to the server we have. Right. So this one is going to wget. It's going to connect to our server and retrieve whatever file in the homepage or in the index. Now let's say that we want to execute a system or a payload that will connect back to our machine and give us the root shell. So how do we do that? We use first metasploit. So we go back, generate the payload. And from here, we type sudo msfnlp-linux-reverse-tcp-lhost. And port. And then we put the file format. Okay. Then we have the exploit, guys. Right. We take this file. We put it in the web server directory of our attacking machine. In this case, it is in var.html. Okay. And then all we have to do is to go back here, use wget. But instead of this, we put the file. 
And once we get the shell or we download the shell here, we're going to be able to execute it. So here, instead of this command, we're going to type select system execution. And instead of wget, we're going to say here, chmod, give it permissions, and like this. And this one will execute the shell that we have generated with Metasploit. And assuming that we have a listener set up with Meterpreter, right, then we will be able to execute this. How to execute it? Just the same command here. We put this. And after we execute this, we're going to get root shell on Meterpreter. I'm sorry, guys. I couldn't replicate the, you know, the production or the production, actually, the testing environment. I couldn't replicate the testing environment exactly how I wanted, but I tried to explain the idea to you guys as much as I could because it's very important to understand the concept of user-defined function in exploiting databases. All right. Now, if you have any questions about this concept, you can send me a message on LinkedIn, or you can put your comment in the comment box, and I will be answering you as soon as possible. Thank you so much, and hope you enjoyed this.